[webkit-dev] Request for position: COEP: credentialless
Arthur Sonzogni
arthursonzogni at chromium.org
Thu Jun 10 04:33:37 PDT 2021
Hi webkit-dev,
This is a request for WebKit's position on
Cross-Origin-Embedder-Policy: credentialless
*Summary:*
Credentialless is a Cross-Origin-Embedder-Policy (COEP) variant. Like
require-corp, it can be used to enable cross-origin isolation.
COEP: credentialless causes no-cors cross-origin requests not to include
credentials (cookies, client certificates, etc.).
*Motivation:*
Sites that wish to continue using SharedArrayBuffer must opt in to
cross-origin isolation. Among other things, cross-origin isolation will
block the use of cross-origin resources and documents unless those
resources opt in to inclusion via either CORS or CORP. This behavior ships
today in Firefox, and Chrome aims to ship it as well in 2021.
The opt-in requirement is generally positive, as it ensures that developers
have the opportunity to adequately evaluate the rewards of being included
cross-site against the risks of potential data leakage via Spectre. It
poses adoption challenges, however, as it does require developers to adjust
their servers to send an explicit opt-in. This is challenging in cases
where there’s not a single developer involved, but many third parties. It
would be ideal if we could find an approach that provided robust-enough
protection against accidental cross-process leakage without requiring an
explicit opt-in.
*Explainer*:
https://github.com/mikewest/credentiallessness/blob/main/explainer.md
*Specification:*
https://htmlpreview.github.io/?https://github.com/mikewest/credentiallessness/blob/main/index.html
*W3C TAG thread:*
https://github.com/w3ctag/design-reviews/issues/582
*WICG proposal:*
https://github.com/WICG/proposals/issues/31
*ChromeStatus:*
https://www.chromestatus.com/features/4918234241302528
Please let us know if you have any feedback!
Thanks,
Arthur @arthursonzogni
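The summary above describes the observable difference between the three COEP values for a cross-origin subresource: whether credentials are attached to the request, and whether a response without a Cross-Origin-Resource-Policy header is allowed into the document. The following is an added example by the editor, not code from the original post, from Chromium or from WebKit. It is a simplified model of that decision for subresource fetches only (navigations and iframes are out of scope), with these assumptions: requests are objects of the form `{mode, credentials, url}`, responses are plain header maps, the CORS check is reduced to the Access-Control-Allow-Origin / Allow-Credentials rules, and CORP `same-site` is approximated as `same-origin`. The scenario data (`DOC`, `IMG`, `NO_CORP`) is constructed for illustration.

```javascript
// Added example: a model of how COEP unsafe-none / require-corp / credentialless
// affect a cross-origin subresource fetch. Not browser code; assumptions are
// noted inline. Runs under Node.js with no dependencies.

const originOf = (url) => new URL(url).origin;

// Step 1: credentials mode the browser actually uses for the request.
// Under COEP: credentialless, a no-cors request is sent as if its credentials
// mode were 'same-origin', so cross-origin fetches carry no cookies or client
// certificates. Other policies leave the request's own credentials mode alone.
function effectiveCredentialsMode(coep, request) {
  if (coep === 'credentialless' && request.mode === 'no-cors') return 'same-origin';
  return request.credentials;
}

function credentialsIncluded(credentialsMode, crossOrigin) {
  if (credentialsMode === 'include') return true;
  if (credentialsMode === 'same-origin') return !crossOrigin;
  return false; // 'omit'
}

// Step 2: Cross-Origin-Resource-Policy check, applied to non-CORS responses.
// A missing/invalid CORP header is treated as 'same-origin' under require-corp,
// and under credentialless only when the request carried credentials.
function corpCheck(coep, crossOrigin, includedCredentials, headers) {
  const valid = ['same-origin', 'same-site', 'cross-origin'];
  const raw = headers['cross-origin-resource-policy'];
  let policy = valid.includes(raw) ? raw : null;
  if (policy === null) {
    if (coep === 'require-corp') policy = 'same-origin';
    else if (coep === 'credentialless' && includedCredentials) policy = 'same-origin';
  }
  if (policy === null || policy === 'cross-origin') return true;
  // 'same-origin' and (simplified, assumption) 'same-site': only same-origin passes.
  return !crossOrigin;
}

// Step 3: simplified CORS check for mode 'cors' requests (assumption: only the
// origin-match and credentials rules are modelled; preflight is ignored).
function corsCheck(documentOrigin, includedCredentials, headers) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !includedCredentials; // '*' is never valid with credentials
  const allowCreds = headers['access-control-allow-credentials'] === 'true';
  return acao === documentOrigin && (!includedCredentials || allowCreds);
}

// Combine the steps: what is sent, and whether the response may be used.
function fetchOutcome(coep, documentOrigin, request, responseHeaders) {
  const crossOrigin = originOf(request.url) !== documentOrigin;
  const mode = effectiveCredentialsMode(coep, request);
  const credentialsSent = credentialsIncluded(mode, crossOrigin);
  const headers = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]),
  );
  if (request.mode === 'cors' && crossOrigin) {
    const ok = corsCheck(documentOrigin, credentialsSent, headers);
    return { credentialsSent, allowed: ok, reason: ok ? 'cors-approved' : 'blocked-by-cors' };
  }
  const ok = corpCheck(coep, crossOrigin, credentialsSent, headers);
  return { credentialsSent, allowed: ok, reason: ok ? 'corp-allowed' : 'blocked-by-corp' };
}

// Constructed scenario: an <img> without a crossorigin attribute (mode no-cors,
// credentials include) pointing at a third party that sets no CORP header.
const DOC = 'https://app.example';
const IMG = { mode: 'no-cors', credentials: 'include', url: 'https://cdn.third-party.test/logo.png' };
const NO_CORP = { 'Content-Type': 'image/png' };

function policyMatrix() {
  return ['unsafe-none', 'require-corp', 'credentialless'].map((coep) => ({
    coep,
    ...fetchOutcome(coep, DOC, IMG, NO_CORP),
  }));
}

console.table(policyMatrix());
```

The matrix makes the trade-off in the post concrete: require-corp blocks the third-party image until that party adds a CORP header, whereas credentialless lets the same image load by stripping the request's credentials, so any response it receives is one the attacker's own site could have fetched anyway. A cross-origin `cors`-mode fetch with `credentials: 'include'` is unchanged by credentialless and still needs explicit CORS approval.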