layout | title | description | subhead | date | authors | tags | |||
---|---|---|---|---|---|---|---|---|---|
layouts/blog-post.njk |
Anonymous iframe origin trial: Easily embed iframes in COEP environments |
Developers using COEP can now embed third party iframes that do not use COEP themselves. Anonymous iframe origin trial is available for testing in Chrome from version 106 to 108.
|
Developers using COEP can now embed third party iframes that do not use COEP themselves.
|
2022-09-01 |
|
|
{% Aside %} Anonymous iframe has been renamed to iframe credentialless. It is enabled by default starting from Chrome version 110. You can see the announcement for further details.
<iframe anonymous></iframe>
is renamed <iframe credentialless></iframe>
.
window.isAnonymouslyFramed
is renamed window.credentialless
.
{% endAside %}
Some web APIs increase the risk of side-channel attacks such as
Spectre. To
mitigate that risk, browsers offer an opt-in-based isolated environment called
cross-origin isolation, which, among other things,
requires deploying COEP. This allows websites to use privileged features
including
SharedArrayBuffer
,
performance.measureUserAgentSpecificMemory()
,
and
high-precision timers with better resolution.
To enable cross-origin isolation, websites must send the following two HTTP headers:
{% Aside %}
The header value require-corp
below is not a typo. COEP does require CORP for third-party resources to opt-in.
{% endAside %}
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
{% Aside %}
COEP:credentialless
can also be used as an alternative to require-corp
.
{% endAside %}
While cross-origin isolation brings webpages better security and the ability to enable powerful features, deploying COEP can be difficult. One of the biggest challenges is that all cross-origin iframes must also deploy COEP and CORP. Iframes without those headers will not be loaded by the browser.
The iframes are usually served by a third party for whom it may not be easy to deploy COEP.
That's where anonymous iframe comes in. By adding the anonymous
attribute to
the <iframe>
element, the iframe is loaded from a different, ephemeral storage
partition and it isn't subject to COEP restrictions anymore.
Example:
<iframe anonymous src="https://example.com">
Iframe is created in a new ephemeral context and doesn't have access to any of
the cookies associated with the top level website. It starts from an empty
cookie jar. Likewise, storage APIs such as
LocalStorage
,
CacheStorage
,
IndexedDB
, and so
on, are loading and storing data in the new ephemeral partition. The partition
is scoped to the current top-level document and origin of the iframe. Storage
will be cleared once the top-level document is unloaded.
Anonymous iframes are not subject to COEP embedding rules. This is still secure, because they are loaded from a new empty context everytime. They will be loaded without their data being personalized. They contain only public data, which is not valuable to an attacker.
You can check out an anonymous iframe at: https://anonymous-iframe.glitch.me/
To ensure that Anonymous iframes are helping developers adopt cross origin isolation, we are making them available in Chrome from version 106 to 108 as an origin trial.
Register for the origin trial to enable your website to use Anonymous iframes:
- Request a token for your origin.
- Use the token in one of the following ways:
- In your HTML:
<meta http-equiv="Origin-Trial" content="TOKEN_GOES_HERE">
- In your Javascript:
const meta = document.createElement('meta'); meta.httpEquiv = 'Origin-Trial'; meta.content = 'TOKEN_GOES_HERE'; document.head.append(meta);
- In the HTTP headers:
Origin-Trial: TOKEN_GOES_HERE
- In your HTML:
- Add an anonymous iframe to your page:
<iframe anonymous src="https://example.com">
If you have any feedback on this feature, file an issue in the GitHub repository.
The origin trial is also available to third party scripts. It means it can be enabled by scripts embedded on the page.
Leran more about how to register for a third-party origin trial.
- Mozilla Request for position: Pending
- Webkit Request for position: No signal
- W3C TAG Request for position: satisfied
Yes. It is inherited. Once an iframe is anonymous, that applies to all iframes
in the whole subtree even without an anonymous
attribute.
Pop-ups are opened as if noopener
was set. They are created from a new
regular top-level context and are not anonymous. They can't communicate with the
anonymous iframe.
- Making your website "cross-origin isolated" using COOP and COEP
- Why you need "cross-origin isolated" for powerful features
- A guide to enable cross-origin isolation
- SharedArrayBuffer updates in Android Chrome 88 and Desktop Chrome 92
- Load cross-origin resources without CORP headers using
COEP: credentialless