Add credentialless value to COEP (HTML spec)

[ArthurSonzogni]

Originally described in: https://github.com/mikewest/credentiallessness

credentialless and require-corp are similar. One or the other is a requirements for the window.crossOriginIsolated capability.
They differ mostly in the fetch specification. require-corp requires a CORP header for cross-origin no-cors responses. credentialless doesn't, but omits credentials (Cookies, clients certificates, etc...) in the request.

• HTML (Add credentialless value to COEP (HTML spec) #6638)

  • Define how to parse the credentialless value.
  • From the HTML spec point of view, credentialless and require-corp are equivalent. They have been grouped into compatible with cross-origin isolation and the HTML spec rewritten to use this concept.

• Fetch: (Specify the behavior of COEP: credentialless, fetch#1229)

  • Define Cross-Origin-Embedder-Policy allows credentials algorithm. It omit credentials for no-cors, cross-origin, COEP:credentialless requests.
  • Define response's request-include-credentials flag.
  • In the Cross-Origin-Resource-Policy check, if embedderPolicy is credentialless, require CORP for navigational responses, and opaque responses with request-include-credentials.

See: #6637

---

• At least two implementers are interested (and none opposed):

  • Chrome: https://chromestatus.com/feature/4918234241302528#details
  • Firefox: Request for position: COEP: credentialless mozilla/standards-positions#539 (worth prototyping)
  • Safari: https://lists.webkit.org/pipermail/webkit-dev/2021-June/031898.html (pending)

• Tests are written and can be reviewed and commented upon at:

  • https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless

• Implementation bugs are filed:

  • Chrome: https://crbug.com/1175099
  • Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1731778
  • Safari: https://bugs.webkit.org/show_bug.cgi?id=230550

(See WHATWG Working Mode: Changes for more details.)

---

See: #6637

---

/browsers.html ( diff )
/origin.html ( diff )
/workers.html ( diff )

[ArthurSonzogni]

This is still work in progress.

I still need write PR for fetch and ServiceWorker. Those will be more interesting.
Happy to get early feedback if you have in the meantime nevertheless.

@whatwg/cross-origin-isolation @antosart @mikewest @camillelamy @iVanlIsh

[ArthurSonzogni]

I am happy with the spec.
I wrote page gathering the two PR in a single page if you want to have a broader view:
https://htmlpreview.github.io/?https://github.com/mikewest/credentiallessness/blob/master/index.html

Would you have some suggestion?

[domenic]

Normatively this is looking good! A number of style and clarity suggestions:

[domenic]

Maybe this should be more general and talk about explicit server permission, to cover CORS as well (like the next bullet pointed does)?

[ArthurSonzogni]

Maybe sometime like:

When this value is used, fetching cross-origin no-CORS resources omits credentials and don't require an explicit `Cross-Origin-Resource-Policy` header. The other requests sent with credentials requires the server's explicit permission through the CORS protocol or the `Cross-Origin-Resource-Policy` header.

?

[domenic]

Sounds good, although "The Other" requests seems a bit confusing. Maybe

Other requests are sent with credentials, and require the server's....

?

[domenic]

Colon before </p>, and follow the previous pattern for how the <p> is linebreaked and positioned relative to the <li>

[ArthurSonzogni]

I believe I addressed this comment, but it wasn't fully clear to me. Please double check.

[domenic]

Indentation is off for both the <p> and <ol> here

[ArthurSonzogni]

Do you meant going from two space to one, right?

[domenic]

No. You have written

<li><p>...

<ol>
 ...
</ol>

whereas the prevailing style is

<li>
 <p>...</p>

 <ol>
  ...
 </ol>
</li>

I will push this in my fix.

[domenic]

Also I'm a bit confused on whether we landed on credentialless or cors-or-credentialless...

[ArthurSonzogni]

Thanks you Domenic,
I addressed your comments below:

[ArthurSonzogni]

Maybe sometime like:

When this value is used, fetching cross-origin no-CORS resources omits credentials and don't require an explicit `Cross-Origin-Resource-Policy` header. The other requests sent with credentials requires the server's explicit permission through the CORS protocol or the `Cross-Origin-Resource-Policy` header.

?

[ArthurSonzogni]

I believe I addressed this comment, but it wasn't fully clear to me. Please double check.

[ArthurSonzogni]

Do you meant going from two space to one, right?

[domenic]

I pushed a commit with the whitespace fixes; please take a look for next time. Overall this LGTM modulo our discussion on the phrasing of how "credentialless" is explained.

[domenic]

More line-breaking and whitespace problems. Note how adding a newline and spaces before Cross makes a visible space in the output, which is undesirable. The same for adding a newline and space before </p>.

This reoccurs several times in the PR.

I will push a commit fixing this and other such problems, but please take a look at the diff I upload so that it's clearer in the future how to avoid such problems in the output.

[ArthurSonzogni]

Hmm, my editor (vim) is able to correctly insert new lines to the right locations, including in the location you fixed if I remove the additional spaces. There must be some unknown (yet) cause to this in my editor. Next time I should stop relying on tooling and verify manually every new lines are correct. I didn't realized this. Thanks for the fix!

[domenic]

Sounds good, although "The Other" requests seems a bit confusing. Maybe

Other requests are sent with credentials, and require the server's....

?

[domenic]

No. You have written

<li><p>...

<ol>
 ...
</ol>

whereas the prevailing style is

<li>
 <p>...</p>

 <ol>
  ...
 </ol>
</li>

I will push this in my fix.

[ArthurSonzogni]

Thank you!

Sounds good, although "The Other" requests seems a bit confusing. Maybe

Fixed in f04b0dc

[ArthurSonzogni]

At the moment, we are evaluating shipping it in Chrome M96 based on the feedback we've got so far. Please let me know if you have any objections.

Until a second web browser is interested implementing it, this will have to stay as two indefinitely open PRs for fetch and HTML + one monkey-patch summarizing the two.

[annevk]

I'm not sure how many other changes are contemplated in this area, but I would be okay with landing this to ease maintenance. However, I do think we should add an implementer warning alongside this value that PNA and ORB are strongly encouraged to be supported in some form.

[ArthurSonzogni]

I rebased without conflict, and added in the latest commit the warning:

I'm not sure how many other changes are contemplated in this area, but I would be okay with landing this to ease maintenance.

This would encompass this change and the one in Fetch:

• Add credentialless value to COEP (HTML spec) #6638
• Specify the behavior of COEP: credentialless, fetch#1229

[annevk]

That looks good to me. I have some concerns about the Fetch PR (noted there). The Fetch PR also notes the need for a SW PR which I recall discussing at some point. Is that ready?

[ArthurSonzogni]

Thanks @annevk . I will take a look at the Fetch PR.

The Fetch PR also notes the need for a SW PR which I recall discussing at some point. Is that ready?

At the end, there was no SW PR. It was resolved in Fetch only.

See:
w3c/ServiceWorker#1592
The issue was about sending responses using CacheStorage/SW in between two environments with different COEP policies.

The resolution was modifying the CORP check in the Fetch specification.
When the client is using COEP:credentialless, we require CORP when:

• Request made with credentials (<- the important part)
• Navigation requests.

[cdumez]

So Mozilla committed to implement this?
This adds quite a bit of complexity to another already very complex feature.

[annevk]

Yeah agreed. We are reluctant and it's conditional upon ORB/PNA working out, but this would ease adoption quite a bit. I do think more pressure could be put on sites to adopt COOP/COEP as-is though.

[cdumez]

Even though we recently implemented COOP/COEP in WebKit, I have no plan to add support for credentialless at the moment. It adds too much complexity and seems to have quite a few dependencies.

[ArthurSonzogni]

This adds quite a bit of complexity.

COEP:credentialless on its own is very lightweight. It can be implemented quickly in 3 steps:

• Conditionally set to false includeCredential boolean in the fetch algorithm.
• Add a case in the CORP check. Useful when moving a response in between two environment with different COEP policy.
• In most places, replace "COEP == require-corp" into "COEP == (require-corp | credentialless)".

However, implementing the dependencies: Private Network Access and ORB is indeed not trivial.

Note that it works independently from anonymous iframe, which doesn't really exist yet. I don't count this as a dependency. I added a comment on the webkit bug I opened today.

[arturjanc]

The argument about added complexity is reasonable, but I just wanted to note that there are substantial adoption benefits associated with COEP:credentiallless. Namely, while applications can in principle use COEP require-corp to enable cross-origin isolation, the requirement to ensure that every loaded resource explicitly opts in (via CORP or CORS) results in a large number of blocking issues that prevent developers from using COEP in most non-trivial applications.

For WebKit specifically, I wonder if the fact that it disables 3p cookies is an advantage in this context. As in, WebKit already sends cross-site requests as effectively credentialless, which aligns very well with the goal here -- this significantly reduces the risk associated with not implementing PNA/ORB. (Though note that same-site requests can still be a concern.)

[annevk]

No, it does not reduce the risk. The risk was never with CORS requests. The risk of credentialless without PNA/ORB is entirely about resources behind firewalls of sorts.

[annevk]

Overall this looks solid, but I found a number of typos and also have some suggestions for light refactoring.

[annevk]

Can we use compatible with cross-origin isolation here? Perhaps we should not have "embedder policy value" as a type? And just make it a string. That would also help with the next step.

[ArthurSonzogni]

I feel using "compatible with cross-origin isolation" here would be a misfit, since its goal is to discriminate the COEP values bringing (potentially) the COI capability from the other. Here, this is a parser and we just want to filter valid string value.

Yes, for now, they both correspond to the same set (% string vs enum). If you don't feel too strongly about this, I would prefer not to change this.

[annevk]

If I were to refactor this I'd do away with the dedicated "embedder policy value" and reuse "compatible" here (it being a simple list of things) as I'm not really convinced it helps to have to maintain that list in multiple places.

Also, in the very next step you give up on the pretense that there is some distinction by setting the policy value directly to the parsed value.

That second thing especially makes me think the current setup isn't sound and just making everything be strings would be easier.

What do you think?

[ArthurSonzogni]

I feel I am not fully understanding your previous comment. Also, I am not fully sure how you would like me to make COEP's value to be of string type.
I gave it a try in:
815311b
Is it what you wanted?

[ArthurSonzogni]

Thanks @annevk! I addressed the suggestions from your last review (+ one unresolved). Sorry for the delay, I didn't see your review immediately.

[annevk]

Sorry, I thought we were done, but upon rereading I found more nits and including somewhat substantive nits.

[annevk]

If I were to refactor this I'd do away with the dedicated "embedder policy value" and reuse "compatible" here (it being a simple list of things) as I'm not really convinced it helps to have to maintain that list in multiple places.

Also, in the very next step you give up on the pretense that there is some distinction by setting the policy value directly to the parsed value.

That second thing especially makes me think the current setup isn't sound and just making everything be strings would be easier.

What do you think?

[ArthurSonzogni]

Thanks Anne!
I addressed you comment with the latest 2 additional commit.

[ArthurSonzogni]

I feel I am not fully understanding your previous comment. Also, I am not fully sure how you would like me to make COEP's value to be of string type.
I gave it a try in:
815311b
Is it what you wanted?

[ArthurSonzogni]

Self suggestion: This has nothing to do with COEP. Revert this part.

[annevk]

Apologies, I was thinking we could do away with "embedder policy value" as a concept altogether, but it seems we need it as two members take it, so it's useful to have as an abstraction.

I'd appreciate it if @domenic or someone else can take another look as well given the back-and-forth thus far. Makes it easy to overlook something.

[annevk]

1. The header name should end with ` not '.
2. The header name should not xref embedder policy.
3. When you talk about the header value it should not xref embedder policy value either. You can reference the value definition for header in Fetch, but I don't think that's really needed.

[ArthurSonzogni]

• 1: Done in 0bb1a99.
• 2 & 3: Done in 0bb1a99. I removed the data-x for both the header name and value. However I have no idea when we should and we shouldn't I naively thought adding it every time was best. I will follow you blindly here, but if you can explain why, that would allow me to do it better next time.

[annevk]

It might be easier if you could join https://whatwg.org/chat so we can discuss this more synchronously as I'm not entirely sure where the confusion lies. The problem with the data-x value that you added here is that it's not for the definition of the header or the definition of a header's value member. The header links just fine without a data-x and word "value" would have to link to https://fetch.spec.whatwg.org/#concept-header-value if anything.

[annevk]

Similar comments applicable here.

[ArthurSonzogni]

Done in 0bb1a99.
However, I don't really understand why we do this for COEP and not for COOP on the same sentence.

[annevk]

Well, you're not changing COOP but also for COOP we can list the header-value construct as a single thing (and have done so), but that's no longer possible for COEP as multiple values are okay now.

Hope that helps.

[ArthurSonzogni]

Thanks Anne! I addressed your comments in 0bb1a99.
Now looking for @domenic for additional comments.

[domenic]

LGTM. Should we merge before or after whatwg/fetch#1229 ?

[ArthurSonzogni]

Thanks!

LGTM. Should we merge before or after whatwg/fetch#1229 ?

The fetch specification uses the exported credentialless value defined in the HTML specification. As a result, this one should be merged first.