Rebase

Define COEP:credentialless Originally described in: https://github.com/mikewest/credentiallessness `credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in the request. * HTML (#6638) * Define how to parse the `credentialless` value. * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with cross-origin isolation` and the HTML spec rewritten to use this concept. * Fetch: (whatwg/fetch#1229) * Define `Cross-Origin-Embedder-Policy allows credentials` algorithm. It omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Define `response's` `request-include-credentials` flag. * In the `Cross-Origin-Resource-Policy check`, if `embedderPolicy` is `credentialless`, require CORP for navigational responses, and opaque responses with `request-include-credentials`. See: #6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: mozilla/standards-positions#539 (worth prototyping) * Safari: https://lists.webkit.org/pipermail/webkit-dev/2021-June/031898.html (pending) - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless - [X] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1731778 * Safari: https://bugs.webkit.org/show_bug.cgi?id=230550 (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)
whatwg · Oct 20, 2021 · 9485456 · 9485456
1 parent db2d279
commit 9485456
Showing 1 changed file with 76 additions and 49 deletions.
diff --git a/source b/source
@@ -79911,9 +79911,10 @@ console.assert(iframeWindow.frameElement === null);
     data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</span>: <span
     data-x="coop-same-origin">same-origin</span></code>`, and</p></li>
 
-    <li><p>every <span>Document</span> has `<code
-    data-x=""><span>Cross-Origin-Embedder-Policy</span>: <span
-    data-x="coep-require-corp">require-corp</span></code>`.</p></li>
+    <li><p>every <span>Document</span> has a `<code data-x="embedder policy
+    value">Cross-Origin-Embedder-Policy</code>' header whose <span
+    data-x="embedder-policy-value">value</span> is <span>compatible with cross-origin
+    isolation</span>.</p></li>
    </ul>
 
    <p>On some platforms, it is difficult to provide the security properties required to grant safe
@@ -82893,8 +82894,10 @@ interface <dfn interface>BarProp</dfn> {
     data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` header, but results
     from a combination of setting both `<code data-x=""><span
     data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</span>: <span
-    data-x="coop-same-origin">same-origin</span></code>` and `<code
-    data-x=""><span>Cross-Origin-Embedder-Policy</span>: require-corp</code>` together.</p>
+    data-x="coop-same-origin">same-origin</span></code>` and a `<code data-x="embedder policy
+    value">Cross-Origin-Embedder-Policy</code>` whose <span
+    data-x="embedder-policy-value">value</span> is <span>compatible with cross-origin
+    isolation</span> together.<p>
    </dd>
   </dl>
 
@@ -82983,8 +82986,8 @@ interface <dfn interface>BarProp</dfn> {
        policy">obtaining a cross-origin embedder policy</span> from <var>response</var> and
        <var>reservedEnvironment</var>.</p></li>
 
-       <li><p>If <var>coep</var>'s <span data-x="embedder-policy-value">value</span> is "<code
-       data-x="coep-require-corp">require-corp</code>", then set <var>policy</var>'s <span
+       <li><p>If <var>coep</var>'s <span data-x="embedder-policy-value">value</span> is
+       <span>compatible with cross-origin isolation</span>, then set <var>policy</var>'s <span
        data-x="coop-struct-value">value</span> to "<code
        data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>".</p></li>
 
@@ -83025,10 +83028,10 @@ interface <dfn interface>BarProp</dfn> {
        <var>reservedEnvironment</var>.</p></li>
 
        <li>
-        <p>If <var>coep</var>'s <span data-x="embedder-policy-value">value</span> is "<code
-        data-x="coep-require-corp">require-corp</code>" or <var>coep</var>'s <span
-        data-x="embedder-policy-report-only-value">report-only value</span> is "<code
-        data-x="coep-require-corp">require-corp</code>", then set <var>policy</var>'s <span
+        <p>If <var>coep</var>'s <span data-x="embedder-policy-value">value</span> is
+        <span>compatible with cross-origin isolation</span> or <var>coep</var>'s <span
+        data-x="embedder-policy-report-only-value">report-only value</span> is <span>compatible with
+        cross-origin isolation</span>, then set <var>policy</var>'s <span
         data-x="coop-struct-report-only-value">report-only value</span> to "<code
         data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>".</p>
 
@@ -84042,7 +84045,7 @@ interface <dfn interface>BarProp</dfn> {
   <h3 id="coep">Cross-origin embedder policies</h3>
 
   <p>An <dfn export>embedder policy value</dfn> controls the fetching of cross-origin resources
-  without explicit permission from resource owners. There are two such values:</p>
+  without explicit permission from resource owners. There are three such string values:</p>
 
   <dl>
    <dt>"<dfn data-x="coep-unsafe-none" export for="embedder policy value"><code
@@ -84056,8 +84059,32 @@ interface <dfn interface>BarProp</dfn> {
    <dd><p>When this value is used, fetching cross-origin resources requires the server's
    explicit permission through the <span>CORS protocol</span> or the
    `<code>Cross-Origin-Resource-Policy</code>` header.</p></dd>
+
+   <dt>"<dfn data-x="coep-credentialless" export for="embedder policy value"><code
+   data-x="">credentialless</code></dfn>"</dt>
+   <dd><p>When this value is used, fetching cross-origin no-CORS resources omits credentials. In
+   exchange, an explicit `<code>Cross-Origin-Resource-Policy</code>` header is not required. Other
+   requests sent with credentials require the server's explicit permission through the <span>CORS
+   protocol</span> or the `<code>Cross-Origin-Resource-Policy</code>` header.</p></dd>
   </dl>
 
+  <div class="warning">
+   <p>Before supporting "<code data-x="coep-credentialless">credentialless</code>", implementers are
+   strongly encouraged to support both:
+   <ul>
+    <li><a href="https://wicg.github.io/private-network-access/">Private Network Access</a>.
+    <li><a href="https://github.com/annevk/orb">Opaque Response Blocking</a>.
+   </ul>
+   <p>Otherwise, it would allow attackers to leverage the client's network position to read non
+   public resources, using the <span
+   data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
+   capability</span>.</p>
+  </div>
+
+  <p>An <span>embedder policy value</span> is <dfn>compatible with cross-origin isolation</dfn> if
+  it is "<code data-x="coep-credentialless">credentialless</code>" or "<code
+  data-x="coep-require-corp">require-corp</code>".</p>
+
   <p>An <dfn export>embedder policy</dfn> consists of:</p>
 
   <ul>
@@ -84162,17 +84189,17 @@ interface <dfn interface>BarProp</dfn> {
    <var>response</var>'s <span data-x="concept-response-header-list">header list</span>.</p></li>
 
    <li>
-    <p>If <var>parsedItem</var> is non-null and <var>parsedItem</var>[0] is "<code
-    data-x="">require-corp</code>":</p>
+    <p>If <var>parsedItem</var> is non-null and <var>parsedItem</var>[0] is <span>compatible with
+    cross-origin isolation</span>:</p>
 
     <ol>
-     <li><p>Set <var>policy</var>'s <span data-x="embedder-policy-value">value</span> to "<code
-     data-x="coep-require-corp">require-corp</code>".</p></li>.
+     <li><p>Set <var>policy</var>'s <span data-x="embedder-policy-value">value</span> to
+     <var>parsedItem</var>[0].</p></li>
 
      <li><p>If <var>parsedItem</var>[1]["<code data-x="coep-report-to">report-to</code>"] <span
      data-x="map exists">exists</span>, then set <var>policy</var>'s <span
-     data-x="embedder-policy-reporting-endpoint">endpoint</span> to <var>parsedItem</var>[1]["<code
-     data-x="coep-report-to">report-to</code>"].</p></li>
+     data-x="embedder-policy-reporting-endpoint">endpoint</span> to <var>parsedItem</var>
+     [1]["<code data-x="coep-report-to">report-to</code>"].</p></li>
     </ol>
    </li>
 
@@ -84182,17 +84209,17 @@ interface <dfn interface>BarProp</dfn> {
    list</span>.</p></li>
 
    <li>
-    <p>If <var>parsedItem</var> is non-null and <var>parsedItem</var>[0] is "<code
-    data-x="">require-corp</code>":</p>
+    <p>If <var>parsedItem</var> is non-null and <var>parsedItem</var>[0] is <span>compatible with
+    cross-origin isolation</span>:</p>
 
     <ol>
-     <li><p>Set <var>policy</var>'s <span data-x="embedder-policy-report-only-value">report-only
-     value</span> to "<code data-x="coep-require-corp">require-corp</code>".</p></li>.
+     <li><p>Set <var>policy</var>'s <span
+     data-x="embedder-policy-report-only-value">value</span> to <var>parsedItem</var>[0].</p></li>
 
      <li><p>If <var>parsedItem</var>[1]["<code data-x="coep-report-to">report-to</code>"] <span
-     data-x="map exists">exists</span>,  then set <var>policy</var>'s <span
-     data-x="embedder-policy-report-only-reporting-endpoint">report-only reporting endpoint</span>
-     to <var>parsedItem</var>[1]["<code data-x="coep-report-to">report-to</code>"].</p></li>
+     data-x="map exists">exists</span>, then set <var>policy</var>'s <span
+     data-x="embedder-policy-report-only-reporting-endpoint">endpoint</span> to
+     <var>parsedItem</var>[1]["<code data-x="coep-report-to">report-to</code>"].</p></li>
     </ol>
    </li>
 
@@ -84215,19 +84242,19 @@ interface <dfn interface>BarProp</dfn> {
    data-x="policy-container-embedder-policy">embedder policy</span>.</p></li>
 
    <li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-report-only-value">report-only
-   value</span> is "<code data-x="coep-require-corp">require-corp</code>" and
-   <var>responsePolicy</var>'s <span data-x="embedder-policy-value">value</span> is "<code
-   data-x="coep-unsafe-none">unsafe-none</code>", then <span>queue a cross-origin embedder policy
-   inheritance violation</span> with <var>response</var>, "<code data-x="">navigation</code>",
-   <var>parentPolicy</var>'s <span data-x="embedder-policy-report-only-reporting-endpoint">report
-   only reporting endpoint</span>, "<code data-x="">reporting</code>", and <var>target</var>'s <span
+   value</span> is <span>compatible with cross-origin isolation</span> and
+   <var>responsePolicy</var>'s <span data-x="embedder-policy-value">value</span> is not, then
+   <span>queue a cross-origin embedder policy inheritance violation</span> with <var>response</var>,
+   "<code data-x="">navigation</code>", <var>parentPolicy</var>'s <span
+   data-x="embedder-policy-report-only-reporting-endpoint">report only reporting endpoint</span>,
+   "<code data-x="">reporting</code>", and <var>target</var>'s <span
    data-x="bc-container-document">container document</span>'s <span>relevant settings
    object</span>.</p></li>
 
-   <li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-value">value</span> is "<code
-   data-x="coep-unsafe-none">unsafe-none</code>" or <var>responsePolicy</var>'s <span
-   data-x="embedder-policy-value">value</span> is "<code
-   data-x="coep-require-corp">require-corp</code>", then return true.</p></li>
+   <li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-value">value</span> is not
+   <span>compatible with cross-origin isolation</span> or <var>responsePolicy</var>'s <span
+   data-x="embedder-policy-value">value</span> is <span>compatible with cross-origin
+   isolation</span>, then return true.</p></li>
 
    <li><p><span>Queue a cross-origin embedder policy inheritance violation</span> with
    <var>response</var>, "<code data-x="">navigation</code>", <var>parentPolicy</var>'s <span
@@ -84255,18 +84282,18 @@ interface <dfn interface>BarProp</dfn> {
    data-x="policy-container-embedder-policy">embedder policy</span>.
 
    <li><p>If <var>ownerPolicy</var>'s <span data-x="embedder-policy-report-only-value">report-only
-   value</span> is "<code data-x="coep-require-corp">require-corp</code>" and <var>policy</var>'s
-   <span data-x="embedder-policy-value">value</span> is "<code
-   data-x="coep-unsafe-none">unsafe-none</code>", then <span>queue a cross-origin embedder policy
-   inheritance violation</span> with <var>response</var>, "<code data-x="">worker
+   value</span> is <span>compatible with cross-origin isolation</span> and <var>policy</var>'s
+   <span data-x="embedder-policy-value">value</span> is not, then <span>queue a cross-origin
+   embedder policy inheritance violation</span> with <var>response</var>, "<code data-x="">worker
    initialization</code>", <var>owner's policy</var>'s <span
    data-x="embedder-policy-report-only-reporting-endpoint">report only reporting endpoint</span>,
-   "<code data-x="">reporting</code>", and <var>owner</var>.</p></li>
+   "<code data-x="">reporting</code>", and
+   <var>owner</var>.</p></li>
 
-   <li><p>If <var>ownerPolicy</var>'s <span data-x="embedder-policy-value">value</span> is "<code
-   data-x="coep-unsafe-none">unsafe-none</code>" or <var>policy</var>'s <span
-   data-x="embedder-policy-value">value</span> is "<code
-   data-x="coep-require-corp">require-corp</code>", then return true.</p></li>
+   <li><p>If <var>ownerPolicy</var>'s <span data-x="embedder-policy-value">value</span> not
+   <span>compatible with cross-origin isolation</span> or <var>policy</var>'s <span
+   data-x="embedder-policy-value">value</span> is <span>compatible with cross-origin
+   isolation</span>, then return true.</p></li>
 
    <li><p><span>Queue a cross-origin embedder policy inheritance violation</span> with
    <var>response</var>, "<code data-x="">worker initialization</code>", <var>owner's policy</var>'s
@@ -102139,11 +102166,11 @@ interface <dfn interface>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope
 
      <li>
       <p>If <var>worker global scope</var>'s <span
-      data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span> is "<code
-      data-x="coep-require-corp">require-corp</code>" and <var>is shared</var> is true, then set
-      <var>agent</var>'s <span>agent cluster</span>'s <span
-      data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> to "<code
-      data-x="cross-origin-isolation-logical">logical</code>" or "<code
+      data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span>'s <span
+      data-x="embedder-policy-value">value</span> is <span>compatible with cross-origin
+      isolation</span> and <var>is shared</var> is true, then set <var>agent</var>'s <span>agent
+      cluster</span>'s <span data-x="agent-cluster-cross-origin-isolation">cross-origin isolation
+      mode</span> to "<code data-x="cross-origin-isolation-logical">logical</code>" or "<code
       data-x="cross-origin-isolation-concrete">concrete</code>". The one chosen is
       <span>implementation-defined</span>.</p>