[webkit-dev] Request for position: COEP: credentialless
arthursonzogni at chromium.org
Thu Jun 10 04:33:37 PDT 2021
Hi webkit-dev,
This is a request for Webkit's position on
Credentialless is a Cross-Origin-Embedder-Policy (COEP) variant. Similarly
to require-corp, it can be used to enable cross-origin-isolation.
COEP:credentialless causes no-cors cross-origin requests not to include
credentials (cookies, client certificates, etc.).
Sites that wish to continue using SharedArrayBuffer must opt-into
cross-origin isolation. Among other things, cross-origin isolation will
block the use of cross-origin resources and documents unless those
resources opt-into inclusion via either CORS or CORP. This behavior ships
today in Firefox, and Chrome aims to ship it as well in 2021.
The opt-in requirement is generally positive, as it ensures that developers
have the opportunity to adequately evaluate the rewards of being included
cross-site against the risks of potential data leakage via Spectre. It
poses adoption challenges, however, as it does require developers to adjust
their servers to send an explicit opt-in. This is challenging in cases
where there’s not a single developer involved, but many third parties. It
would be ideal if we could find an approach that provided robust-enough
protection against accidental cross-process leakage without requiring an
*W3C TAG thread:*
Please let us know if you have any feedback!