[webkit-dev] Request for position: COEP: credentialless

Arthur Sonzogni arthursonzogni at chromium.org
Thu Jun 10 04:33:37 PDT 2021

Hi webkit-dev, <webkit-dev at lists.webkit.org>
This is a request for Webkit's position on

Credentialless is a Cross-Origin-Embedder-Policy (COEP) variant. Similarly
to require-corp, it can be used to enable cross-origin-isolation.
COEP:credentialless causes no-cors cross-origin requests not to include
credentials (cookies, client certificates, etc.).

Sites that wish to continue using SharedArrayBuffer must opt into
cross-origin isolation. Among other things, cross-origin isolation will
block the use of cross-origin resources and documents unless those
resources opt into inclusion via either CORS or CORP. This behavior ships
today in Firefox, and Chrome aims to ship it as well in 2021.

The opt-in requirement is generally positive, as it ensures that developers
have the opportunity to adequately evaluate the rewards of being included
cross-site against the risks of potential data leakage via Spectre. It
poses adoption challenges, however, as it does require developers to adjust
their servers to send an explicit opt-in. This is challenging in cases
where there’s not a single developer involved, but many third parties. It
would be ideal if we could find an approach that provided robust-enough
protection against accidental cross-process leakage without requiring an
explicit opt-in.

*W3C TAG thread:*

*WICG proposal.*

Please let us know if you have any feedback!

Arthur @arthursonzogni
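As an added illustration of the two policies described above (this is example code written for this page, not code from the proposal or from any browser engine), the following simplified model shows how an embedder that enforces COEP treats a cross-origin subresource fetched in no-cors mode: under require-corp the request carries credentials and the response is usable only with an explicit CORP opt-in, while under credentialless the credentials are stripped and an absent CORP header no longer blocks the load. Function and field names are assumptions made here; navigations (iframes), which credentialless does not relax, are left out of the model.

```javascript
// Added example (not from the original post): a simplified model of the
// COEP decision for a cross-origin, no-cors subresource load.
// Names below are assumptions made for this example.

const COEP = {
  UNSAFE_NONE: "unsafe-none",       // no cross-origin isolation
  REQUIRE_CORP: "require-corp",     // explicit CORP (or CORS) opt-in required
  CREDENTIALLESS: "credentialless", // credentials stripped instead of opt-in
};

// Evaluate an explicit Cross-Origin-Resource-Policy header sent by the
// resource's server, for a cross-origin embedder.
function corpAllows(corp, isSameSite) {
  if (corp === "cross-origin") return true;
  if (corp === "same-site") return isSameSite;
  return false; // "same-origin" (or anything else) does not opt in
}

// Decide a no-cors, cross-origin subresource load.
//   coep:     the embedding document's Cross-Origin-Embedder-Policy value
//   resource: { corp: CORP header value or null, isSameSite: boolean }
// Returns { credentialsSent, allowed }.
function decideNoCorsLoad(coep, resource) {
  switch (coep) {
    case COEP.REQUIRE_CORP:
      // Cookies etc. are sent, so the response may contain private data.
      // A missing CORP header is treated as "same-origin": blocked.
      return {
        credentialsSent: true,
        allowed: corpAllows(resource.corp, resource.isSameSite),
      };
    case COEP.CREDENTIALLESS:
      // Cookies, client certificates etc. are omitted, so the server can
      // only answer with the public view of the resource. No explicit
      // opt-in is needed, but an explicit CORP header is still honoured.
      return {
        credentialsSent: false,
        allowed: resource.corp === null ||
                 corpAllows(resource.corp, resource.isSameSite),
      };
    default:
      // unsafe-none: nothing is isolated, nothing is blocked.
      return { credentialsSent: true, allowed: true };
  }
}
```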