On Fri, Sep 10, 2021 at 7:17 AM 'Arthur Sonzogni' via blink-dev <blink-dev@chromium.org> wrote:
> Contact emails
> arthursonzo...@chromium.org, cl...@chromium.org, mk...@chromium.org
>
> Explainer
> https://github.com/WICG/credentiallessness
>
> Specification
> https://wicg.github.io/credentiallessness/
>

Note also that Arthur has done the right thing here and submitted PRs to upstream the monkeypatch spec into HTML and Fetch:

- https://github.com/whatwg/html/pull/6638
- https://github.com/whatwg/fetch/pull/1229

Both have gotten pretty thorough reviews, which increases my confidence we're trying to ship something interoperably implementable. Yay!

> Design docs
> https://github.com/WICG/credentiallessness
> https://docs.google.com/document/d/1U1pDzS_WJpfkq6QqOeqgmXmba_I4tIbUR-5C1AHzI9o/edit#
>
> Summary
> Introduce Cross-Origin-Embedder-Policy: credentialless. This causes
> cross-origin no-cors requests to omit credentials (cookies, client
> certificates, etc). Similarly to COEP:require-corp, it can enable
> cross-origin isolation.
>
> Blink component
> Blink>SecurityFeature
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature>
>
> Search tags
> coep <https://chromestatus.com/features#tags:coep>,
> credentialless <https://chromestatus.com/features#tags:credentialless>,
> coop <https://chromestatus.com/features#tags:coop>,
> crossoriginisolation <https://chromestatus.com/features#tags:crossoriginisolation>,
> crossOriginisolated <https://chromestatus.com/features#tags:crossOriginisolated>
>
> TAG review
> https://github.com/w3ctag/design-reviews/issues/582
>
> TAG review status
> Pending
>
> Link to origin trial feedback summary
> https://docs.google.com/document/d/1Rcho9z8obW0A7aeM3Zz1QR3fN7KcmTHgjdF_mKEXiRQ
>
> Risks
>
> Interoperability and Compatibility
>
> Compatibility risk: This is an opt-in new feature, so there are no
> compatibility risks.
> Interoperability risk: New feature. Risk is failing to become an
> interoperable part of the web platform.
>
> Gecko: Worth prototyping
> (https://github.com/mozilla/standards-positions/issues/539#issuecomment-867473836)
> Worth prototyping, but concerns are about the timing in between shipping:
> COEP:credentialless, Private Network Access (PNA), ORB. See
> https://github.com/mozilla/standards-positions/issues/539#issuecomment-914418485
>
> WebKit: No signal
> (https://lists.webkit.org/pipermail/webkit-dev/2021-June/031898.html)
> No official replies yet. Safari is currently implementing COOP/COEP, but
> have no plan yet about COEP:credentialless variant:
> https://twitter.com/mikewest/status/1434878018191826948
>
> Web developers: Positive
> (https://github.com/WICG/proposals/issues/31#issuecomment-858822619)
> Google Earth, Twitter, Zoom, etc... are positive.
>
> Ergonomics
>
> Similarly to the existing COEP:require-corp, it will also be often used in
> tandem with Cross-Origin-Opener-Policy: same-origin (COOP)
>
> Activation
>
> This is an HTTP header. Developers need to be able to configure their
> server. This is hard for them when hosting their page on servers they don't
> really own, like https://github.io pages.
>
> Debuggability
>
> The same devtool features as for COEP:require-corp:
> 1. Display COEP policy: Devtool > Application > Frames > top > Security &
>    Isolation > Cross-Origin Embedder Policy.
> 2. Devtool issues:
>    https://source.chromium.org/search?q=file:devtools-frontend%2Fsrc%2Ffront_end%2Fmodels%2Fissues_manager%2Fdescriptions%2FCoep*&ss=chromium
>    <https://source.chromium.org/search?q=file%3Adevtools-frontend%2Fsrc%2Ffront_end%2Fmodels%2Fissues_manager%2Fdescriptions%2FCoep%2A&ss=chromium>
>
> Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
> Yes
>
> Flag name
> chrome://flags/#cross-origin-embedder-policy-credentialless
>
> Requires code in //chrome?
> False
>
> Tracking bug
> https://crbug.com/1175099
>
> Launch bug
> https://bugs.chromium.org/p/chromium/issues/detail?id=1218896
>
> Measurement
> https://chromestatus.com/metrics/feature/timeline/popularity/3881
>
> Sample links
> http://coep-credentialless.glitch.me/
>
> Estimated milestones
> OriginTrial desktop last 95
> OriginTrial desktop first 93
> DevTrial on desktop 93
> OriginTrial android last 95
> OriginTrial android first 93
> DevTrial on android 93
> DevTrial on Webview 93
>
> Link to entry on the Chrome Platform Status
> https://chromestatus.com/feature/4918234241302528
>
> Links to previous Intent discussions
> Intent to prototype:
> https://groups.google.com/a/chromium.org/g/blink-dev/c/DOtU6R4TuAY/m/kPbID-LAAQAJ
> Intent to Experiment:
> https://groups.google.com/a/chromium.org/g/blink-dev/c/Sdc0G1bvKr0/m/YHR8RuWyAAAJ
>
> This intent message was generated by Chrome Platform Status
> <https://www.chromestatus.com/>.
>
> Arthur @arthursonzogni
>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to blink-dev+unsubscr...@chromium.org.
> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAAzos5GX5UpU_8V5faX0KzvWG9y5FT8BvCDJ5LUQ929LWM3%3DPA%40mail.gmail.com
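
The header combination described in the Summary and Ergonomics sections of the quoted intent, as an added example that is not part of the thread or of Chromium's code: a header-level check a site owner could run against their own responses. The function names and the lower-cased header-object shape are assumptions, and the check covers headers only (not secure-context or iframe-ancestor requirements).

```javascript
// Added example; function names and the header-object shape are assumptions.

// COEP values that make a document eligible for cross-origin isolation.
const ISOLATING_COEP = new Set(['require-corp', 'credentialless']);

// Keep the policy token, dropping parameters such as `; report-to="coep"`.
function policyToken(value) {
  return (value || '').split(';')[0].trim();
}

// headers: plain object keyed by lower-cased header name.
function isolationVerdict(headers) {
  const coep = policyToken(headers['cross-origin-embedder-policy']) || 'unsafe-none';
  const coop = policyToken(headers['cross-origin-opener-policy']) || 'unsafe-none';
  const problems = [];
  if (!ISOLATING_COEP.has(coep)) {
    problems.push(`COEP "${coep}" does not enable cross-origin isolation`);
  }
  if (coop !== 'same-origin') {
    problems.push(`COOP "${coop}" is not same-origin`);
  }
  return { coep, coop, eligible: problems.length === 0, problems };
}

// The rule from the Summary: under credentialless, a cross-origin no-cors
// request goes out without cookies or client certificates.
function coepStripsCredentials(coep, documentUrl, requestUrl, mode) {
  const crossOrigin = new URL(documentUrl).origin !== new URL(requestUrl).origin;
  return coep === 'credentialless' && crossOrigin && mode === 'no-cors';
}

// Constructed sample responses, not captured traffic.
const samples = {
  isolated: {
    'cross-origin-embedder-policy': 'credentialless',
    'cross-origin-opener-policy': 'same-origin',
  },
  coepOnly: { 'cross-origin-embedder-policy': 'credentialless' },
};

for (const [name, headers] of Object.entries(samples)) {
  const verdict = isolationVerdict(headers);
  console.log(name, verdict.eligible ? 'eligible' : verdict.problems.join('; '));
}
```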