Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cross-Origin-Embedder-Policy: credentialless #6637

Closed
ArthurSonzogni opened this issue Apr 30, 2021 · 6 comments
Closed

Cross-Origin-Embedder-Policy: credentialless #6637

ArthurSonzogni opened this issue Apr 30, 2021 · 6 comments
Labels
topic: cross-origin-embedder-policy Issues and ideas around the new "require CORP for subresource requests and frames and etc" proposal.

Comments

@ArthurSonzogni
Copy link
Member

Specify the behavior of Cross-Origin-Embedder-Policy: cors-or-credentialless,
Originally described in: https://github.com/mikewest/credentiallessness

cors-or-credentialless and require-corp are similar. One or the other is a requirements for the window.crossOriginIsolated capability. They both share the same set of checks.
They differ mostly in the fetch specification. require-corp requires a CORP header for cross-origin no-cors responses. cors-or-credentialless doesn't, but omits credentials (Cookies, clients certificates, etc...) in exchange.

I am opening this bug to reference several PR against the HTML, Fetch and ServiceWorker spec. So they can be discussed more widely.

Some tentative tests have been written into the wpt repository:
https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/cors-or-credentialless?label=master&label=experimental&aligned&q=cors-or-credentialless
@ArthurSonzogni ArthurSonzogni mentioned this issue Apr 30, 2021
Merged
3 tasks
@annevk
Copy link
Member

annevk commented Apr 30, 2021

Why would cors be part of the name?

Also, I still stand by w3ctag/design-reviews#582 (comment).

@annevk
Copy link
Member

annevk commented Apr 30, 2021

Also had a question about how this works for navigations. It seems to me that if the parent document has cors-or-credentialless, the child can have either that or require-corp. But if the parent has require-corp, the child shouldn't be allowed to have cors-or-credentialless perhaps as that's weaker? (Especially once most things cross-origin are without credentials anyway.)

@ArthurSonzogni
Copy link
Member Author

ArthurSonzogni commented Apr 30, 2021
edited
Loading

Thanks @annevk!

Why would cors be part of the name?

Either the request is sent via CORS with credentials, and you must get explicit opt-in from the cross-origin server. Or it is sent in no-cors mode without credentials => cors-or-credentialless.
What do you think?

Also, I still stand by w3ctag/design-reviews#582 (comment).

The main issues we had was:

  • Defining a solution for <iframe>. @camillelamy is preparing an explainer about this to share. Maybe next week.
  • Private Network Access is needed. Yes this is a required dependency.
  • https://github.com/annevk/orb is needed. I agree.

Also had a question about how this works for navigations. It seems to me that if the parent document has cors-or-credentialless, the child can have either that or require-corp. But if the parent has require-corp, the child shouldn't be allowed to have cors-or-credentialless perhaps as that's weaker? (Especially once most things cross-origin are without credentials anyway.)

For now, the HTML spec PR and tentative test puts require-corp and cors-or-credentialless at the same level. One can embed the other and vice-versa. I initially thought require-corp couldn't embed cors-or-credentialless, because I felt one was weaker than than other. However, I couldn't really tell what was the threat this would protect us from. If you can find any potential reason to restrict this, feel free to share.

@annevk
Copy link
Member

annevk commented May 3, 2021

require-corp also offers CORS as alternative without explicitly mentioning it. So I think it would be nicer to be consistent with that, naming-wise.

I think require-corp is stricter as there are less resources it would end up embedding and there's a class of IP-authenticated resources we know credentialless cannot protect. However, like you, I cannot come up with a credible threat. (I'm a bit surprised that above you say there is no solution for iframe yet. It seems that is somewhat critical and also relevant to this issue.)

@ArthurSonzogni
Copy link
Member Author

require-corp also offers CORS as alternative without explicitly mentioning it. So I think it would be nicer to be consistent with that, naming-wise.

I understand this argument. cors-or-credentialless would be easier to understand for users, but this would have required require-corp to be for instance cors-or-corp, for consistency.
I don't have a strong opinion for one or the other. If others have different opinions, free to discuss this here or open a different issue. Otherwise, I guess we can switch toward COEP:credentialless.

I'm a bit surprised that above you say there is no solution for iframe yet. It seems that is somewhat critical and also relevant to this issue.

COEP:credentialless, doesn't relax <iframe> over the status co. They are still blocked if they don't use require-corp or credentialless.

@camillelamy will soon release an explainer for a potential solution to the deployment of <iframe> you don't control. The way it is built make it independent of COEP:credentialless.

ArthurSonzogni added a commit to ArthurSonzogni/fetch that referenced this issue May 3, 2021
@ArthurSonzogni
(Draft)
22a9fea 
Specify the behavior of `Cross-Origin-Embedder-Policy: cors-or-credentialless`,
Originally described in: https://github.com/mikewest/credentiallessness

`cors-or-credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability.
They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `cors-or-credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests.

* HTML (whatwg/html#6638)
  * Define how to parse the `cors-or-credentialless` value.
  * From the HTML spec point of view, `cors-or-credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept.

* Fetch: (This PR)
  * Define "Cross-Origin-Embedder-Policy allows credentials".
  * Omit credentials for no-cors, cross-origin, COEP:credentialless requests.
  * Check CORP for navigational COEP:credentialless response.

* ServiceWorker: XXX
  * Integration with `Cache.matchAll `algorithm.
  * XXX

See: whatwg/html#6637

----

- [ ] At least two implementers are interested (and none opposed):
   * Chrome: https://chromestatus.com/feature/4918234241302528#details
   * Firefox: XXX
   * Safari: XXX

- [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
   * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/cors-or-credentialless

- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
   * Chrome: https://crbug.com/1175099
   * Firefox: XXX
   * Safari: XXX

(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)

----

See: whatwg/html#6637
ArthurSonzogni added a commit to ArthurSonzogni/fetch that referenced this issue May 3, 2021
@ArthurSonzogni
(Draft)
c2fe607 
Specify the behavior of `Cross-Origin-Embedder-Policy: cors-or-credentialless`,
Originally described in: https://github.com/mikewest/credentiallessness

`cors-or-credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability.
They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `cors-or-credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests.

* HTML (whatwg/html#6638)
  * Define how to parse the `cors-or-credentialless` value.
  * From the HTML spec point of view, `cors-or-credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept.

* Fetch: (This PR)
  * Define "Cross-Origin-Embedder-Policy allows credentials".
  * Omit credentials for no-cors, cross-origin, COEP:credentialless requests.
  * Check CORP for navigational COEP:credentialless response.

* ServiceWorker: XXX
  * Integration with `Cache.matchAll `algorithm.
  * XXX

See: whatwg/html#6637

----

- [ ] At least two implementers are interested (and none opposed):
   * Chrome: https://chromestatus.com/feature/4918234241302528#details
   * Firefox: XXX
   * Safari: XXX

- [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
   * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/cors-or-credentialless

- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
   * Chrome: https://crbug.com/1175099
   * Firefox: XXX
   * Safari: XXX

(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)

----

See: whatwg/html#6637
ArthurSonzogni added a commit to ArthurSonzogni/fetch that referenced this issue May 3, 2021
@ArthurSonzogni
(Draft)
c36539d 
Specify the behavior of `Cross-Origin-Embedder-Policy: cors-or-credentialless`,
Originally described in: https://github.com/mikewest/credentiallessness

`cors-or-credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability.
They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `cors-or-credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests.

* HTML (whatwg/html#6638)
  * Define how to parse the `cors-or-credentialless` value.
  * From the HTML spec point of view, `cors-or-credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept.

* Fetch: (This PR)
  * Define "Cross-Origin-Embedder-Policy allows credentials".
  * Omit credentials for no-cors, cross-origin, COEP:credentialless requests.
  * Check CORP for navigational COEP:credentialless response.

* ServiceWorker: XXX
  * Integration with `Cache.matchAll `algorithm.
  * XXX

See: whatwg/html#6637

----

- [ ] At least two implementers are interested (and none opposed):
   * Chrome: https://chromestatus.com/feature/4918234241302528#details
   * Firefox: XXX
   * Safari: XXX

- [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
   * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/cors-or-credentialless

- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
   * Chrome: https://crbug.com/1175099
   * Firefox: XXX
   * Safari: XXX

(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)

----

See: whatwg/html#6637
ArthurSonzogni added a commit to ArthurSonzogni/fetch that referenced this issue May 3, 2021
@ArthurSonzogni
Specify the behavior of COEP: credentialless,
f60b8b4 
(Draft)

Originally described in: https://github.com/mikewest/credentiallessness

`credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability.
They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests.

* HTML (whatwg/html#6638)
  * Define how to parse the `credentialless` value.
  * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept.

* Fetch: (This PR)
  * Define "Cross-Origin-Embedder-Policy allows credentials".
  * Omit credentials for no-cors, cross-origin, COEP:credentialless requests.
  * Check CORP for navigational COEP:credentialless response.

* ServiceWorker: XXX
  * Integration with `Cache.matchAll `algorithm.
  * XXX

See: whatwg/html#6637

----

- [ ] At least two implementers are interested (and none opposed):
   * Chrome: https://chromestatus.com/feature/4918234241302528#details
   * Firefox: XXX
   * Safari: XXX

- [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
   * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless

- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
   * Chrome: https://crbug.com/1175099
   * Firefox: XXX
   * Safari: XXX

(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)

----

See: whatwg/html#6637
@ArthurSonzogni ArthurSonzogni mentioned this issue May 3, 2021
Merged
3 tasks
ArthurSonzogni added a commit to ArthurSonzogni/fetch that referenced this issue May 4, 2021
@ArthurSonzogni
Specify the behavior of COEP: credentialless,
43d078a 
(Draft)

Originally described in: https://github.com/mikewest/credentiallessness

`credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability.
They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests.

* HTML (whatwg/html#6638)
  * Define how to parse the `credentialless` value.
  * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept.

* Fetch: (This PR)
  * Define "Cross-Origin-Embedder-Policy allows credentials".
  * Omit credentials for no-cors, cross-origin, COEP:credentialless requests.
  * Check CORP for navigational COEP:credentialless response.

* ServiceWorker: XXX
  * Integration with `Cache.matchAll `algorithm.
  * XXX

See: whatwg/html#6637

----

- [ ] At least two implementers are interested (and none opposed):
   * Chrome: https://chromestatus.com/feature/4918234241302528#details
   * Firefox: XXX
   * Safari: XXX

- [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
   * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless

- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
   * Chrome: https://crbug.com/1175099
   * Firefox: XXX
   * Safari: XXX

(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)

----

See: whatwg/html#6637
ArthurSonzogni added a commit to ArthurSonzogni/fetch that referenced this issue May 4, 2021
@ArthurSonzogni
Specify the behavior of COEP: credentialless,
40674cd 
(Draft)

Originally described in: https://github.com/mikewest/credentiallessness

`credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability.
They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests.

* HTML (whatwg/html#6638)
  * Define how to parse the `credentialless` value.
  * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept.

* Fetch: (This PR)
  * Define "Cross-Origin-Embedder-Policy allows credentials".
  * Omit credentials for no-cors, cross-origin, COEP:credentialless requests.
  * Check CORP for navigational COEP:credentialless response.

* ServiceWorker: XXX
  * Integration with `Cache.matchAll `algorithm.
  * XXX

See: whatwg/html#6637

----

- [ ] At least two implementers are interested (and none opposed):
   * Chrome: https://chromestatus.com/feature/4918234241302528#details
   * Firefox: XXX
   * Safari: XXX

- [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
   * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless

- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
   * Chrome: https://crbug.com/1175099
   * Firefox: XXX
   * Safari: XXX

(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)

----

See: whatwg/html#6637
Merged
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue May 5, 2021
@ArthurSonzogni @chromium-wpt-export-bot
Rename COEP:{cors-or-credentialless => credentialless}
aee8ccf 
This was discussed here:
whatwg/html#6637 (comment)

This patch renames "cors-or-credentialless" into "credentialless".

The WPT test directory:
- html/cross-origin-embedder-policy/credentialless/cors-or-credentialess/
- html/cross-origin-embedder-policy/credentialless/full-credentialless/
are renamed:
- html/cross-origin-embedder-policy/cors-or-credentialess/
- html/cross-origin-embedder-policy/anonymous-iframe/

Bug:1175099
Change-Id: Iba052a2b3fbf4b45607c48807622d5ced202d583
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue May 5, 2021
@ArthurSonzogni @chromium-wpt-export-bot
Rename COEP:{cors-or-credentialless => credentialless}
228ee6e 
This was discussed here:
whatwg/html#6637 (comment)

This patch renames "cors-or-credentialless" into "credentialless".

The WPT test directory:
- html/cross-origin-embedder-policy/credentialless/cors-or-credentialess/
- html/cross-origin-embedder-policy/credentialless/full-credentialless/
are renamed:
- html/cross-origin-embedder-policy/cors-or-credentialess/
- html/cross-origin-embedder-policy/anonymous-iframe/

Bug:1175099
Change-Id: Iba052a2b3fbf4b45607c48807622d5ced202d583
@ArthurSonzogni ArthurSonzogni mentioned this issue May 5, 2021
Closed
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue May 7, 2021
@ArthurSonzogni @chromium-wpt-export-bot
Rename COEP:{cors-or-credentialless => credentialless}
974515d 
This was discussed here:
whatwg/html#6637 (comment)

This patch renames "cors-or-credentialless" into "credentialless".

The WPT test directory:
- html/cross-origin-embedder-policy/credentialless/cors-or-credentialess/
- html/cross-origin-embedder-policy/credentialless/full-credentialless/
are renamed:
- html/cross-origin-embedder-policy/cors-or-credentialess/
- html/cross-origin-embedder-policy/anonymous-iframe/

Bug:1175099
Change-Id: Iba052a2b3fbf4b45607c48807622d5ced202d583
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue May 7, 2021
@ArthurSonzogni @chromium-wpt-export-bot
Rename COEP:{cors-or-credentialless => credentialless}
c107aab 
This was discussed here:
whatwg/html#6637 (comment)

This patch renames "cors-or-credentialless" into "credentialless".

The WPT test directory:
- html/cross-origin-embedder-policy/credentialless/cors-or-credentialess/
- html/cross-origin-embedder-policy/credentialless/full-credentialless/
are renamed:
- html/cross-origin-embedder-policy/cors-or-credentialess/
- html/cross-origin-embedder-policy/anonymous-iframe/

Bug:1175099
Change-Id: Iba052a2b3fbf4b45607c48807622d5ced202d583
@camillelamy
Copy link
Member

So for iframes, we propose a separate solution via an iframe attribute. I have put together an explainer detailing the solution. This is separate from COEP: credentialless. We envision COEP: credentialless as an easy way to deploy COEP on first party frames that embed a lot of unpersonalized cross-origin subresources (e.g. images from a CDN).

chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue May 7, 2021
@ArthurSonzogni @chromium-wpt-export-bot
Rename COEP:{cors-or-credentialless => credentialless}
239adcd 
This was discussed here:
whatwg/html#6637 (comment)

This patch renames "cors-or-credentialless" into "credentialless".

The WPT test directory:
- html/cross-origin-embedder-policy/credentialless/cors-or-credentialess/
- html/cross-origin-embedder-policy/credentialless/full-credentialless/
are renamed:
- html/cross-origin-embedder-policy/cors-or-credentialess/
- html/cross-origin-embedder-policy/anonymous-iframe/

Bug: 1175099
Change-Id: Iba052a2b3fbf4b45607c48807622d5ced202d583
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2867588
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Camille Lamy <clamy@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Owners-Override: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#880359}
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue May 7, 2021
@ArthurSonzogni @chromium-wpt-export-bot
Rename COEP:{cors-or-credentialless => credentialless}
27ac2ec 
This was discussed here:
whatwg/html#6637 (comment)

This patch renames "cors-or-credentialless" into "credentialless".

The WPT test directory:
- html/cross-origin-embedder-policy/credentialless/cors-or-credentialess/
- html/cross-origin-embedder-policy/credentialless/full-credentialless/
are renamed:
- html/cross-origin-embedder-policy/cors-or-credentialess/
- html/cross-origin-embedder-policy/anonymous-iframe/

Bug: 1175099
Change-Id: Iba052a2b3fbf4b45607c48807622d5ced202d583
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2867588
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Camille Lamy <clamy@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Owners-Override: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#880359}
blueboxd pushed a commit to blueboxd/chromium-legacy that referenced this issue May 7, 2021
@ArthurSonzogni
Rename COEP:{cors-or-credentialless => credentialless}
69edb0b 
This was discussed here:
whatwg/html#6637 (comment)

This patch renames "cors-or-credentialless" into "credentialless".

The WPT test directory:
- html/cross-origin-embedder-policy/credentialless/cors-or-credentialess/
- html/cross-origin-embedder-policy/credentialless/full-credentialless/
are renamed:
- html/cross-origin-embedder-policy/cors-or-credentialess/
- html/cross-origin-embedder-policy/anonymous-iframe/

Bug: 1175099
Change-Id: Iba052a2b3fbf4b45607c48807622d5ced202d583
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2867588
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Camille Lamy <clamy@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Owners-Override: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#880359}
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this issue May 9, 2021
@ArthurSonzogni @moz-wptsync-bot
Bug 1709610 [wpt PR 28838] - Rename COEP:{cors-or-credentialless => c…
7d9ee2d 
…redentialless}, a=testonly

Automatic update from web-platform-tests
Rename COEP:{cors-or-credentialless => credentialless}

This was discussed here:
whatwg/html#6637 (comment)

This patch renames "cors-or-credentialless" into "credentialless".

The WPT test directory:
- html/cross-origin-embedder-policy/credentialless/cors-or-credentialess/
- html/cross-origin-embedder-policy/credentialless/full-credentialless/
are renamed:
- html/cross-origin-embedder-policy/cors-or-credentialess/
- html/cross-origin-embedder-policy/anonymous-iframe/

Bug: 1175099
Change-Id: Iba052a2b3fbf4b45607c48807622d5ced202d583
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2867588
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Camille Lamy <clamy@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Owners-Override: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#880359}

--

wpt-commits: 27ac2ec45f72f4785951cf3e2b9302b740f6372e
wpt-pr: 28838
ArthurSonzogni added a commit to ArthurSonzogni/fetch that referenced this issue May 30, 2021
@ArthurSonzogni
Specify the behavior of COEP: credentialless,
2b03205 
(Draft)

Originally described in: https://github.com/mikewest/credentiallessness

`credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability.
They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests.

* HTML (whatwg/html#6638)
  * Define how to parse the `credentialless` value.
  * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept.

* Fetch: (This PR)
  * Define "Cross-Origin-Embedder-Policy allows credentials".
  * Omit credentials for no-cors, cross-origin, COEP:credentialless requests.
  * Check CORP for navigational COEP:credentialless response.

* ServiceWorker: XXX
  * Integration with `Cache.matchAll `algorithm.
  * XXX

See: whatwg/html#6637

----

- [ ] At least two implementers are interested (and none opposed):
   * Chrome: https://chromestatus.com/feature/4918234241302528#details
   * Firefox: XXX
   * Safari: XXX

- [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
   * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless

- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
   * Chrome: https://crbug.com/1175099
   * Firefox: XXX
   * Safari: XXX

(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)

----

See: whatwg/html#6637
ArthurSonzogni added a commit to ArthurSonzogni/fetch that referenced this issue May 30, 2021
@ArthurSonzogni
Specify the behavior of COEP: credentialless,
6b301ae 
(Draft)

Originally described in: https://github.com/mikewest/credentiallessness

`credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability.
They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests.

* HTML (whatwg/html#6638)
  * Define how to parse the `credentialless` value.
  * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept.

* Fetch: (This PR)
  * Define "Cross-Origin-Embedder-Policy allows credentials".
  * Omit credentials for no-cors, cross-origin, COEP:credentialless requests.
  * Check CORP for navigational COEP:credentialless response.

* ServiceWorker: XXX
  * Integration with `Cache.matchAll `algorithm.
  * XXX

See: whatwg/html#6637

----

- [ ] At least two implementers are interested (and none opposed):
   * Chrome: https://chromestatus.com/feature/4918234241302528#details
   * Firefox: XXX
   * Safari: XXX

- [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
   * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless

- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
   * Chrome: https://crbug.com/1175099
   * Firefox: XXX
   * Safari: XXX

(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)

----

See: whatwg/html#6637
@ArthurSonzogni ArthurSonzogni changed the title Cross-Origin-Embedder-Policy: cors-or-credentialless Cross-Origin-Embedder-Policy: credentialless Jun 1, 2021
@ArthurSonzogni ArthurSonzogni mentioned this issue Jun 3, 2021
Closed
@zcorpan zcorpan added the topic: cross-origin-embedder-policy Issues and ideas around the new "require CORP for subresource requests and frames and etc" proposal. label Jul 1, 2021
ArthurSonzogni added a commit to ArthurSonzogni/fetch that referenced this issue Sep 21, 2021
@ArthurSonzogni
Specify the behavior of COEP: credentialless,
8406e47 
(Draft)

Originally described in: https://github.com/mikewest/credentiallessness

`credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability.
They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests.

* HTML (whatwg/html#6638)
  * Define how to parse the `credentialless` value.
  * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept.

* Fetch: (This PR)
  * Define "Cross-Origin-Embedder-Policy allows credentials".
  * Omit credentials for no-cors, cross-origin, COEP:credentialless requests.
  * Check CORP for navigational COEP:credentialless response.

* ServiceWorker: XXX
  * Integration with `Cache.matchAll `algorithm.
  * XXX

See: whatwg/html#6637

----

- [ ] At least two implementers are interested (and none opposed):
   * Chrome: https://chromestatus.com/feature/4918234241302528#details
   * Firefox: XXX
   * Safari: XXX

- [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
   * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless

- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
   * Chrome: https://crbug.com/1175099
   * Firefox: XXX
   * Safari: XXX

(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)

----

See: whatwg/html#6637
ArthurSonzogni added a commit to ArthurSonzogni/html that referenced this issue Oct 20, 2021
@ArthurSonzogni
Rebase
9485456 
Define COEP:credentialless

Originally described in: https://github.com/mikewest/credentiallessness

`credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability.
They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in the request.

* HTML (whatwg#6638)
  * Define how to parse the `credentialless` value.
  * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with cross-origin isolation` and the HTML spec rewritten to use this concept.

* Fetch: (whatwg/fetch#1229)
  * Define `Cross-Origin-Embedder-Policy allows credentials` algorithm. It omit credentials for no-cors, cross-origin, COEP:credentialless requests.
  * Define `response's` `request-include-credentials` flag.
  * In the `Cross-Origin-Resource-Policy check`, if `embedderPolicy` is `credentialless`, require CORP for navigational responses, and opaque responses with `request-include-credentials`.

See: whatwg#6637

----

- [ ] At least two implementers are interested (and none opposed):
   * Chrome: https://chromestatus.com/feature/4918234241302528#details
   * Firefox: mozilla/standards-positions#539  (worth prototyping)
   * Safari: https://lists.webkit.org/pipermail/webkit-dev/2021-June/031898.html (pending)

- [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
   * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless

- [X] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
   * Chrome: https://crbug.com/1175099
   * Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1731778
   * Safari: https://bugs.webkit.org/show_bug.cgi?id=230550

(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)
@annevk annevk closed this as completed in 311934b Nov 2, 2021
dandclark pushed a commit to dandclark/html that referenced this issue Dec 4, 2021
@ArthurSonzogni @dandclark
Add credentialless value to COEP
ac8f1c0 
This defines Cross-Origin-Embedder-Policy: credentialless. The credentialless and require-corp values are similar. One or the other is a requirements for the cross-origin isolated capability. They differ mostly in terms of fetching. require-corp requires a Cross-Origin-Resource-Policy header for cross-origin opaque responses. credentialless doesn't, but omits credentials (cookies, client certificates, etc.) in cross-origin "no-cors" requests.

See https://github.com/WICG/credentiallessness for additional context.

Fetch PR: whatwg/fetch#1229.

Tests: WPT html/cross-origin-embedder-policy/credentialless.

Closes whatwg#6637.
mfreed7 pushed a commit to mfreed7/html that referenced this issue Jun 3, 2022
@ArthurSonzogni
Add credentialless value to COEP
c449a3d 
This defines Cross-Origin-Embedder-Policy: credentialless. The credentialless and require-corp values are similar. One or the other is a requirements for the cross-origin isolated capability. They differ mostly in terms of fetching. require-corp requires a Cross-Origin-Resource-Policy header for cross-origin opaque responses. credentialless doesn't, but omits credentials (cookies, client certificates, etc.) in cross-origin "no-cors" requests.

See https://github.com/WICG/credentiallessness for additional context.

Fetch PR: whatwg/fetch#1229.

Tests: WPT html/cross-origin-embedder-policy/credentialless.

Closes whatwg#6637.
mjfroman pushed a commit to mjfroman/moz-libwebrtc-third-party that referenced this issue Oct 14, 2022
@ArthurSonzogni
Rename COEP:{cors-or-credentialless => credentialless}
8e4e2c8 
This was discussed here:
whatwg/html#6637 (comment)

This patch renames "cors-or-credentialless" into "credentialless".

The WPT test directory:
- html/cross-origin-embedder-policy/credentialless/cors-or-credentialess/
- html/cross-origin-embedder-policy/credentialless/full-credentialless/
are renamed:
- html/cross-origin-embedder-policy/cors-or-credentialess/
- html/cross-origin-embedder-policy/anonymous-iframe/

Bug: 1175099
Change-Id: Iba052a2b3fbf4b45607c48807622d5ced202d583
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2867588
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Camille Lamy <clamy@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Owners-Override: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#880359}
NOKEYCHECK=True
GitOrigin-RevId: 69edb0b007920f77a4e9f57c20b9520438c7a4a6
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
topic: cross-origin-embedder-policy Issues and ideas around the new "require CORP for subresource requests and frames and etc" proposal.
Milestone
No milestone
Development

No branches or pull requests
4 participants
@zcorpan @annevk @ArthurSonzogni @camillelamy