Thanks for working on this! This seems like a great addition to the CrossOriginIsolation story, and will help developers make their users safer in the face of non-cooperative third parties.
On Fri, Sep 10, 2021 at 1:17 PM 'Arthur Sonzogni' via blink-dev < [email protected]> wrote: > Contact [email protected], [email protected], > [email protected] > > Explainerhttps://github.com/WICG/credentiallessness > > Specificationhttps://wicg.github.io/credentiallessness/ > > Design docs > https://github.com/WICG/credentiallessness > > https://docs.google.com/document/d/1U1pDzS_WJpfkq6QqOeqgmXmba_I4tIbUR-5C1AHzI9o/edit# > > Summary > > Introduce Cross-Origin-Embedder-Policy: credentialless. This causes > cross-origin no-cors requests to omit credentials (cookies, client > certificates, etc). Similarly to COEP:require-corp, it can enable > cross-origin isolation. > > > Blink componentBlink>SecurityFeature > <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature> > > Search tagscoep <https://chromestatus.com/features#tags:coep>, > credentialless <https://chromestatus.com/features#tags:credentialless>, > coop <https://chromestatus.com/features#tags:coop>, crossoriginisolation > <https://chromestatus.com/features#tags:crossoriginisolation>, > crossOriginisolated > <https://chromestatus.com/features#tags:crossOriginisolated> > > TAG reviewhttps://github.com/w3ctag/design-reviews/issues/582 > > TAG review statusPending > > Link to origin trial feedback summary > https://docs.google.com/document/d/1Rcho9z8obW0A7aeM3Zz1QR3fN7KcmTHgjdF_mKEXiRQ > > Risks > > > Interoperability and Compatibility > > Compatibility risk: This is an opt-in new feature, so there are no > compatibility risks. Interoperability risk: New feature. Risk is failing to > become an interoperable part of the web platform. > > > Gecko: Worth prototyping ( > https://github.com/mozilla/standards-positions/issues/539#issuecomment-867473836 > ) > Worth prototyping, but concerns are about the timing in between shipping: > COEP:credentialless, Private Network Access (PNA), ORB. See > https://github.com/mozilla/standards-positions/issues/539#issuecomment-914418485 > Anne's argument is that shipping this before shipping PNA protections would put private resources at extra risk, because the documents including them would be considered COI, and therefore would have access to high precision timers. Our argument is that the reverse OT for SAB access without COI already enables that in Chrome. That makes sense, but maybe there's a way for us to combine this and the recent PNA intent <https://groups.google.com/a/chromium.org/g/blink-dev/c/PrB0xnNxaHs/m/jeoxvNjXCAAJ> and be more bold there only in the case of a COEP: credentialless embedder? For example, avoid waiting 2 milestones/letting folks opt-out for 4 more milestones if the embedder opted-in to credentialless? I'm not sure if it makes sense to block on this (or at all), but it could be a middle ground that'd timebox those concerns. > > WebKit: No signal ( > https://lists.webkit.org/pipermail/webkit-dev/2021-June/031898.html) > No official replies yet. Safari is currently implementing COOP/COEP, but > have no plan yet about COEP:credentialless variant: > https://twitter.com/mikewest/status/1434878018191826948< > > Web developers: Positive ( > https://github.com/WICG/proposals/issues/31#issuecomment-858822619) > Google Earth, Twitter, Zoom, etc... are positive. > > Ergonomics > > Similarly to the existing COEP:require-corp, it will also be often used in > tandem with Cross-Origin-Opener-Policy: same-origin (COOP) > > > Activation > > This is an HTTP header. Developers need to be able to configure their > server. This is hard for them when hosting their page on servers they don't > really own, like https://github.io pages. > Aside, but maybe our friends at Microsoft know people on the GH side that can help fix that? This is a recurrent issue, and it'd be good to solve it at some point. /cc +Alex Russell <[email protected]> +Eric Lawrence <[email protected]> > > > Debuggability > > The same devtool features as for COEP:require-corp: 1. Display COEP > policy: Devtool > Application > Frames > top > Security & Isolation > > Cross-Origin Embedder Policy. 2. Devtool issues: > https://source.chromium.org/search?q=file:devtools-frontend%2Fsrc%2Ffront_end%2Fmodels%2Fissues_manager%2Fdescriptions%2FCoep*&ss=chromium > <https://source.chromium.org/search?q=file%3Adevtools-frontend%2Fsrc%2Ffront_end%2Fmodels%2Fissues_manager%2Fdescriptions%2FCoep%2A&ss=chromium> > > > Is this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> > ?Yes > > Flag namechrome://flags/#cross-origin-embedder-policy-credentialless > > Requires code in //chrome?False > > Tracking bughttps://crbug.com/1175099 > > Launch bughttps://bugs.chromium.org/p/chromium/issues/detail?id=1218896 > > Measurement > https://chromestatus.com/metrics/feature/timeline/popularity/3881 > > Sample links > http://coep-credentialless.glitch.me/ > > Estimated milestones > OriginTrial desktop last 95 > OriginTrial desktop first 93 > DevTrial on desktop 93 > OriginTrial android last 95 > OriginTrial android first 93 > DevTrial on android 93 > DevTrial on Webview 93 > > Link to entry on the Chrome Platform Status > https://chromestatus.com/feature/4918234241302528 > > Links to previous Intent discussionsIntent to prototype: > https://groups.google.com/a/chromium.org/g/blink-dev/c/DOtU6R4TuAY/m/kPbID-LAAQAJ > Intent to Experiment: > https://groups.google.com/a/chromium.org/g/blink-dev/c/Sdc0G1bvKr0/m/YHR8RuWyAAAJ > > > This intent message was generated by Chrome Platform Status > <https://www.chromestatus.com/>. > Arthur @arthursonzogni > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAAzos5GX5UpU_8V5faX0KzvWG9y5FT8BvCDJ5LUQ929LWM3%3DPA%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAAzos5GX5UpU_8V5faX0KzvWG9y5FT8BvCDJ5LUQ929LWM3%3DPA%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL5BFfVe%2B2E4%3Dm3K0h7%3D5UE2m6fOf5J0WR8mmG6PZczota6nfw%40mail.gmail.com.
