Hi webkit-dev <webkit-dev@lists.webkit.org>,

This is a request for WebKit's position on Cross-Origin-Embedder-Policy: credentialless.

*Summary:* Credentialless is a Cross-Origin-Embedder-Policy (COEP) variant. Similarly to require-corp, it can be used to enable cross-origin isolation. COEP: credentialless causes no-cors cross-origin requests not to include credentials (cookies, client certificates, etc.).

*Motivation:* Sites that wish to continue using SharedArrayBuffer must opt into cross-origin isolation. Among other things, cross-origin isolation will block the use of cross-origin resources and documents unless those resources opt into inclusion via either CORS or CORP. This behavior ships today in Firefox, and Chrome aims to ship it as well in 2021.

The opt-in requirement is generally positive, as it ensures that developers have the opportunity to adequately evaluate the rewards of being included cross-site against the risks of potential data leakage via Spectre. It poses adoption challenges, however, as it does require developers to adjust their servers to send an explicit opt-in. This is challenging in cases where there's not a single developer involved, but many third parties. It would be ideal if we could find an approach that provided robust-enough protection against accidental cross-process leakage without requiring an explicit opt-in.

*Explainer:* https://github.com/mikewest/credentiallessness/blob/main/explainer.md
*Specification:* https://htmlpreview.github.io/?https://github.com/mikewest/credentiallessness/blob/main/index.html
*W3C TAG thread:* https://github.com/w3ctag/design-reviews/issues/582
*WICG proposal:* https://github.com/WICG/proposals/issues/31
*ChromeStatus:* https://www.chromestatus.com/features/4918234241302528

Please let us know if you have any feedback!

Thanks,
Arthur @arthursonzogni
_______________________________________________ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
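The trade-off the proposal describes (require-corp blocks third-party resources that never sent a CORP opt-in; credentialless lets them load but strips credentials from the request) can be checked ahead of a migration. The script below is an added example, not code from the proposal or from WebKit: it models the rules as stated in the summary for the subresources a page loads, given the response headers their servers return. All URLs and headers are constructed sample data; CORP "same-site", navigations/iframes, redirects and service workers are not modeled.

```javascript
// Added example (not WebKit's or the proposal's code); sample URLs/headers are constructed.
// Only an explicit CORP "cross-origin" opt-in is modeled; navigations/iframes are ignored.
function corpOptsIn(headers) {
  return (headers['cross-origin-resource-policy'] || '').trim().toLowerCase() === 'cross-origin';
}
// CORS check for cors-mode loads; a wildcard ACAO is never valid together with credentials.
function corsAllows(headers, docOrigin, withCredentials) {
  const acao = (headers['access-control-allow-origin'] || '').trim();
  if (acao === '*') return !withCredentials;
  if (acao !== docOrigin) return false;
  return !withCredentials || (headers['access-control-allow-credentials'] || '').trim() === 'true';
}
// load = { url, mode: 'no-cors'|'cors', credentials: 'include'|'omit', headers }
// Returns whether the document may use the response and whether the request carried credentials.
function evaluateLoad(coep, docUrl, load) {
  const docOrigin = new URL(docUrl).origin;
  const wantsCreds = load.credentials === 'include';
  if (new URL(load.url).origin === docOrigin) {
    return { allowed: true, credentialed: wantsCreds, reason: 'same-origin' };
  }
  if (load.mode === 'cors') { // CORS is itself an explicit opt-in under every COEP value
    const ok = corsAllows(load.headers, docOrigin, wantsCreds);
    return { allowed: ok, credentialed: wantsCreds, reason: ok ? 'CORS opt-in' : 'CORS failed' };
  }
  if (coep === 'require-corp') { // cross-origin no-cors load: the server must opt in via CORP
    const ok = corpOptsIn(load.headers);
    return { allowed: ok, credentialed: wantsCreds, reason: ok ? 'CORP opt-in' : 'no CORP opt-in' };
  }
  if (coep === 'credentialless') { // sent without cookies/client certs: response holds no user data
    return { allowed: true, credentialed: false, reason: 'credentials stripped' };
  }
  throw new Error('unsupported COEP value: ' + coep);
}
// Compare both isolation modes for every subresource of a page.
function auditMigration(docUrl, loads) {
  return loads.map((l) => ({ url: l.url, requireCorp: evaluateLoad('require-corp', docUrl, l),
    credentialless: evaluateLoad('credentialless', docUrl, l) }));
}
const DOC_URL = 'https://app.example/';
const SAMPLE_LOADS = [
  { url: 'https://app.example/main.js', mode: 'no-cors', credentials: 'include', headers: {} },
  { url: 'https://cdn.example/lib.js', mode: 'no-cors', credentials: 'include',
    headers: { 'cross-origin-resource-policy': 'cross-origin' } },
  { url: 'https://ads.example/pixel.png', mode: 'no-cors', credentials: 'include', headers: {} },
  { url: 'https://api.example/me', mode: 'cors', credentials: 'include', headers: {
    'access-control-allow-origin': 'https://app.example', 'access-control-allow-credentials': 'true' } },
];
for (const r of auditMigration(DOC_URL, SAMPLE_LOADS)) {
  console.log(r.url, '| require-corp:', r.requireCorp.reason, '| credentialless:', r.credentialless.reason);
}
```

The third-party pixel with no CORP header is the case the proposal targets: blocked under require-corp, loaded without credentials under credentialless.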