Contact emails
arthursonzo...@chromium.org, cl...@chromium.org, mk...@chromium.org

Explainer
https://github.com/WICG/credentiallessness

Specification
https://wicg.github.io/credentiallessness/

Design docs
https://github.com/WICG/credentiallessness
https://docs.google.com/document/d/1U1pDzS_WJpfkq6QqOeqgmXmba_I4tIbUR-5C1AHzI9o/edit#

Summary
Introduce Cross-Origin-Embedder-Policy: credentialless. This causes cross-origin no-cors requests to omit credentials (cookies, client certificates, etc). Similarly to COEP:require-corp, it can enable cross-origin isolation.

Blink component
Blink>SecurityFeature <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature>

Search tags
coep <https://chromestatus.com/features#tags:coep>, credentialless <https://chromestatus.com/features#tags:credentialless>, coop <https://chromestatus.com/features#tags:coop>, crossoriginisolation <https://chromestatus.com/features#tags:crossoriginisolation>, crossOriginisolated <https://chromestatus.com/features#tags:crossOriginisolated>

TAG review
https://github.com/w3ctag/design-reviews/issues/582

TAG review status
Pending

Link to origin trial feedback summary
https://docs.google.com/document/d/1Rcho9z8obW0A7aeM3Zz1QR3fN7KcmTHgjdF_mKEXiRQ

Risks

Interoperability and Compatibility
Compatibility risk: This is an opt-in new feature, so there are no compatibility risks.
Interoperability risk: New feature. Risk is failing to become an interoperable part of the web platform.

Gecko: Worth prototyping (https://github.com/mozilla/standards-positions/issues/539#issuecomment-867473836)
Worth prototyping, but concerns are about the timing in between shipping: COEP:credentialless, Private Network Access (PNA), ORB. See https://github.com/mozilla/standards-positions/issues/539#issuecomment-914418485

WebKit: No signal (https://lists.webkit.org/pipermail/webkit-dev/2021-June/031898.html)
No official replies yet.
Safari is currently implementing COOP/COEP, but has no plan yet for the COEP:credentialless variant: https://twitter.com/mikewest/status/1434878018191826948

Web developers: Positive (https://github.com/WICG/proposals/issues/31#issuecomment-858822619)
Google Earth, Twitter, Zoom, etc... are positive.

Ergonomics
Similarly to the existing COEP:require-corp, it will also often be used in tandem with Cross-Origin-Opener-Policy: same-origin (COOP).

Activation
This is an HTTP header. Developers need to be able to configure their server. This is hard for them when hosting their page on servers they don't really own, like https://github.io pages.

Debuggability
The same devtool features as for COEP:require-corp:
1. Display COEP policy: Devtool > Application > Frames > top > Security & Isolation > Cross-Origin Embedder Policy.
2. Devtool issues: https://source.chromium.org/search?q=file:devtools-frontend%2Fsrc%2Ffront_end%2Fmodels%2Fissues_manager%2Fdescriptions%2FCoep*&ss=chromium

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
Yes

Flag name
chrome://flags/#cross-origin-embedder-policy-credentialless

Requires code in //chrome?
False

Tracking bug
https://crbug.com/1175099

Launch bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1218896

Measurement
https://chromestatus.com/metrics/feature/timeline/popularity/3881

Sample links
http://coep-credentialless.glitch.me/

Estimated milestones
OriginTrial desktop last 95
OriginTrial desktop first 93
DevTrial on desktop 93
OriginTrial android last 95
OriginTrial android first 93
DevTrial on android 93
DevTrial on Webview 93

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/4918234241302528

Links to previous Intent discussions
Intent to prototype:
https://groups.google.com/a/chromium.org/g/blink-dev/c/DOtU6R4TuAY/m/kPbID-LAAQAJ
Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/Sdc0G1bvKr0/m/YHR8RuWyAAAJ

This intent message was generated by Chrome Platform Status <https://www.chromestatus.com/>.

Arthur @arthursonzogni
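
Added illustration, not part of the original message and not Chromium code: a small JavaScript check a site operator could run over response headers to confirm that COEP: credentialless is set and paired with COOP: same-origin, as the Summary and Ergonomics sections describe. The function names, result fields and sample header sets are assumptions constructed for this example.

```javascript
// Added example: audit a document response's headers for COEP/COOP.
const COEP_VALUES = ['unsafe-none', 'require-corp', 'credentialless'];
const COOP_VALUES = ['unsafe-none', 'same-origin-allow-popups', 'same-origin'];

// Read the leading token of a header value, ignoring parameters such as
// `; report-to="endpoint"`. Header names are matched case-insensitively;
// a missing or unrecognised value falls back to the default, unsafe-none.
function headerToken(headers, name, allowed) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  const token = key === undefined ? '' : String(headers[key]).split(';')[0].trim();
  return allowed.includes(token) ? token : 'unsafe-none';
}

function auditIsolationHeaders(headers) {
  const coep = headerToken(headers, 'cross-origin-embedder-policy', COEP_VALUES);
  const coop = headerToken(headers, 'cross-origin-opener-policy', COOP_VALUES);
  const coepIsolates = coep === 'require-corp' || coep === 'credentialless';
  const findings = [];
  if (!coepIsolates) findings.push('COEP does not enable isolation: ' + coep);
  if (coop !== 'same-origin') findings.push('COOP is not same-origin: ' + coop);
  return {
    coep,
    coop,
    // Isolation needs COOP: same-origin plus an isolating COEP value.
    isolationEligible: coepIsolates && coop === 'same-origin',
    // Only credentialless omits cookies and client certificates from
    // cross-origin no-cors requests.
    crossOriginNoCorsCredentials: coep === 'credentialless' ? 'omitted' : 'sent',
    findings,
  };
}

// Constructed sample responses (not captured from a real site).
const samples = {
  credentialless: {
    'Cross-Origin-Embedder-Policy': 'credentialless',
    'Cross-Origin-Opener-Policy': 'same-origin',
  },
  requireCorp: {
    'cross-origin-embedder-policy': 'require-corp; report-to="coep"',
    'cross-origin-opener-policy': 'same-origin',
  },
  missingCoop: { 'Cross-Origin-Embedder-Policy': 'credentialless' },
  badCase: {
    'Cross-Origin-Embedder-Policy': 'Credentialless',
    'Cross-Origin-Opener-Policy': 'same-origin',
  },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, JSON.stringify(auditIsolationHeaders(headers)));
}
```

In the browser, the page-side counterpart of this check is reading `self.crossOriginIsolated` after the document loads.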