> Is there any word on follow-up work to make this mode available from, e.g., `fetch()`?

Some APIs like fetch(), <img>, <script>, <style>, etc. allow controlling request.mode or request.credentials on a per-request basis. Some APIs don't integrate with these yet, for instance CSS properties like "background-image" <https://twitter.com/CharlieCroom/status/1430536447258472451>.

However, COEP:credentialless is a bit orthogonal. It is a global property (per document/worker) affecting every API. It guarantees that every cross-origin resource loaded will either get an explicit opt-in to being embedded via CORS, or will be requested anonymously. For cross-origin 'no-cors' requests, this forces the requests to be sent without credentials. This is a saner behavior than the current default COEP:unsafe-none, with regards to Spectre <https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)> attacks.

On Thursday, September 16, 2021 at 9:15:33 PM UTC+2 Alex Russell wrote:
> LGTM3. This is important work and I'm glad to see it happening.
>
> Is there any word on follow-up work to make this mode available from, e.g., `fetch()`?
>
> Best Regards,
>
> Alex
>
> On Thursday, September 16, 2021 at 12:13:47 PM UTC-7 Chris Harrelson wrote:
>> LGTM2
>>
>> On Fri, Sep 10, 2021 at 9:57 AM Domenic Denicola <[email protected]> wrote:
>>> On Fri, Sep 10, 2021 at 7:17 AM 'Arthur Sonzogni' via blink-dev <[email protected]> wrote:
>>>> Contact: [email protected], [email protected], [email protected]
>>>>
>>>> Explainer: https://github.com/WICG/credentiallessness
>>>>
>>>> Specification: https://wicg.github.io/credentiallessness/
>>>
>>> Note also that Arthur has done the right thing here and submitted PRs to upstream the monkeypatch spec into HTML and Fetch:
>>>
>>> - https://github.com/whatwg/html/pull/6638
>>> - https://github.com/whatwg/fetch/pull/1229
>>>
>>> Both have gotten pretty thorough reviews, which increases my confidence we're trying to ship something interoperably implementable. Yay!
>>>
>>>> Design docs
>>>> https://github.com/WICG/credentiallessness
>>>> https://docs.google.com/document/d/1U1pDzS_WJpfkq6QqOeqgmXmba_I4tIbUR-5C1AHzI9o/edit#
>>>>
>>>> Summary
>>>> Introduce Cross-Origin-Embedder-Policy: credentialless. This causes cross-origin no-cors requests to omit credentials (cookies, client certificates, etc). Similarly to COEP:require-corp, it can enable cross-origin isolation.
>>>>
>>>> Blink component: Blink>SecurityFeature <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature>
>>>>
>>>> Search tags: coep <https://chromestatus.com/features#tags:coep>, credentialless <https://chromestatus.com/features#tags:credentialless>, coop <https://chromestatus.com/features#tags:coop>, crossoriginisolation <https://chromestatus.com/features#tags:crossoriginisolation>, crossOriginisolated <https://chromestatus.com/features#tags:crossOriginisolated>
>>>>
>>>> TAG review: https://github.com/w3ctag/design-reviews/issues/582
>>>>
>>>> TAG review status: Pending
>>>>
>>>> Link to origin trial feedback summary: https://docs.google.com/document/d/1Rcho9z8obW0A7aeM3Zz1QR3fN7KcmTHgjdF_mKEXiRQ
>>>>
>>>> Risks
>>>>
>>>> Interoperability and Compatibility
>>>> Compatibility risk: This is an opt-in new feature, so there are no compatibility risks. Interoperability risk: New feature. Risk is failing to become an interoperable part of the web platform.
>>>>
>>>> Gecko: Worth prototyping (https://github.com/mozilla/standards-positions/issues/539#issuecomment-867473836)
>>>> Worth prototyping, but concerns are about the timing in between shipping: COEP:credentialless, Private Network Access (PNA), ORB. See https://github.com/mozilla/standards-positions/issues/539#issuecomment-914418485
>>>>
>>>> WebKit: No signal (https://lists.webkit.org/pipermail/webkit-dev/2021-June/031898.html)
>>>> No official replies yet. Safari is currently implementing COOP/COEP, but has no plan yet about the COEP:credentialless variant: https://twitter.com/mikewest/status/1434878018191826948
>>>>
>>>> Web developers: Positive (https://github.com/WICG/proposals/issues/31#issuecomment-858822619)
>>>> Google Earth, Twitter, Zoom, etc. are positive.
>>>>
>>>> Ergonomics
>>>> Similarly to the existing COEP:require-corp, it will also often be used in tandem with Cross-Origin-Opener-Policy: same-origin (COOP).
>>>>
>>>> Activation
>>>> This is an HTTP header. Developers need to be able to configure their server. This is hard for them when hosting their page on servers they don't really own, like https://github.io pages.
>>>>
>>>> Debuggability
>>>> The same devtool features as for COEP:require-corp:
>>>> 1. Display COEP policy: Devtool > Application > Frames > top > Security & Isolation > Cross-Origin Embedder Policy.
>>>> 2. Devtool issues: https://source.chromium.org/search?q=file:devtools-frontend%2Fsrc%2Ffront_end%2Fmodels%2Fissues_manager%2Fdescriptions%2FCoep*&ss=chromium
>>>>
>>>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>? Yes
>>>>
>>>> Flag name: chrome://flags/#cross-origin-embedder-policy-credentialless
>>>>
>>>> Requires code in //chrome? False
>>>>
>>>> Tracking bug: https://crbug.com/1175099
>>>>
>>>> Launch bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1218896
>>>>
>>>> Measurement: https://chromestatus.com/metrics/feature/timeline/popularity/3881
>>>>
>>>> Sample links: http://coep-credentialless.glitch.me/
>>>>
>>>> Estimated milestones
>>>> OriginTrial desktop last: 95
>>>> OriginTrial desktop first: 93
>>>> DevTrial on desktop: 93
>>>> OriginTrial android last: 95
>>>> OriginTrial android first: 93
>>>> DevTrial on android: 93
>>>> DevTrial on Webview: 93
>>>>
>>>> Link to entry on the Chrome Platform Status: https://chromestatus.com/feature/4918234241302528
>>>>
>>>> Links to previous Intent discussions
>>>> Intent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/DOtU6R4TuAY/m/kPbID-LAAQAJ
>>>> Intent to Experiment: https://groups.google.com/a/chromium.org/g/blink-dev/c/Sdc0G1bvKr0/m/YHR8RuWyAAAJ
>>>>
>>>> This intent message was generated by Chrome Platform Status <https://www.chromestatus.com/>.
>>>> Arthur @arthursonzogni
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAAzos5GX5UpU_8V5faX0KzvWG9y5FT8BvCDJ5LUQ929LWM3%3DPA%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/f4bae359-61a2-4cb8-b71f-63244345c2fbn%40chromium.org.
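The two Fetch-spec steps that Arthur's reply describes (cross-origin no-cors requests losing their credentials under COEP:credentialless, and the CORP check that then lets the anonymous response through) can be modelled in a few lines. This is an added illustration, not code from the thread, from Chromium or from the WICG spec; the request shape `{ mode, credentials, coep, origin, urlOrigin }`, the `imgLoad` scenario and the origins `app.example` / `cdn.example` are assumptions, and redirects, navigations and `same-site` matching are deliberately simplified.

```javascript
// Added model (not browser or spec code) of the two Fetch-spec steps that
// COEP: credentialless touches. Request objects are simplified assumptions:
// { mode, credentials, coep, origin, urlOrigin }; no redirects, no navigations.
const sameOrigin = (a, b) => a === b;

// Fetch: "Cross-Origin-Embedder-Policy allows credentials". Only a cross-origin
// no-cors request issued by a credentialless document loses its credentials.
function coepAllowsCredentials(req) {
  if (req.mode !== "no-cors") return true;          // cors/same-origin modes keep their setting
  if (req.coep !== "credentialless") return true;   // unsafe-none and require-corp untouched
  return sameOrigin(req.origin, req.urlOrigin);     // same-origin subresources keep cookies
}

// Would cookies / client certificates go on the wire for this request?
function includesCredentials(req) {
  const wanted = req.credentials === "include" ||
    (req.credentials === "same-origin" && sameOrigin(req.origin, req.urlOrigin));
  return wanted && coepAllowsCredentials(req);
}

// Fetch: cross-origin resource policy check for a non-CORS-tainted response.
// corpHeader is the response's Cross-Origin-Resource-Policy value or null.
// Simplification: "same-site" is treated like "same-origin" (no site computation).
function corpCheck(req, corpHeader) {
  if (req.mode === "cors" || sameOrigin(req.origin, req.urlOrigin)) return "allowed";
  let policy = ["same-origin", "same-site", "cross-origin"].includes(corpHeader) ? corpHeader : null;
  if (policy === null) {
    if (req.coep === "require-corp") policy = "same-origin";              // opt-in required
    else if (req.coep === "credentialless" && includesCredentials(req)) policy = "same-origin";
  }                                                                       // unsafe-none: stays null
  return policy === null || policy === "cross-origin" ? "allowed" : "blocked";
}

// Constructed scenario: a page on https://app.example embeds
// <img src="https://cdn.example/avatar.png"> (no-cors, credentials "include" per HTML),
// the user has cookies for cdn.example, and the CDN sends no CORP header.
function imgLoad(coep, corpHeader = null) {
  const req = { mode: "no-cors", credentials: "include", coep,
                origin: "https://app.example", urlOrigin: "https://cdn.example" };
  return { cookiesSent: includesCredentials(req), outcome: corpCheck(req, corpHeader) };
}

for (const coep of ["unsafe-none", "require-corp", "credentialless"]) {
  console.log(coep.padEnd(15), JSON.stringify(imgLoad(coep)));
}
// unsafe-none    -> cookies sent, allowed (credentialed bytes land in a Spectre-exposed process)
// require-corp   -> cookies sent, blocked (the CDN never opted in with CORP)
// credentialless -> cookies NOT sent, allowed (anonymous fetch, nothing user-specific to leak)
```

A `fetch()` call that sets `mode: "cors"` and `credentials: "include"` is untouched by the policy, which is why per-request control already exists there and the header matters for the no-cors loads that have no such knob.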
