
Cross-Origin-Embedder-Policy: credentialless

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 96)
Intent stage: Shipped

Summary

Introduces Cross-Origin-Embedder-Policy: credentialless. This header causes cross-origin no-cors requests to omit credentials (cookies, client certificates, etc.). Like COEP: require-corp, it can enable cross-origin isolation.

Motivation

Sites that wish to continue using SharedArrayBuffer must opt in to cross-origin isolation. Today, COEP: require-corp exists and is used to enable cross-origin isolation. It is functional and solid, but turns out to be difficult to deploy at scale, because it requires every subresource to explicitly opt in. This is fine for some sites, but it creates dependency problems for sites that gather content from users (Google Earth, social media generally, forums, etc.). With COEP: credentialless, we want a robust-enough protection against accidental cross-process leakage that does not require an explicit opt-in from every subresource.
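To make the deployment difference concrete, here is an added example (not code from this release note or from the WICG credentiallessness project) that models how the embedder policy treats each subresource fetch of a cross-origin-isolated page: under require-corp a cross-origin no-cors response without an opt-in is blocked, while under credentialless the same request is sent without credentials and the response is delivered. The function names and the sample subresources are constructed for illustration, and the model folds same-site into cross-origin for brevity; it follows the shape of the Fetch specification's cross-origin resource policy check rather than reproducing it in full.

```javascript
// Added example, not code from the Chrome release note or the WICG
// credentiallessness project: a simplified model of what the embedder policy
// does to one subresource fetch from a cross-origin-isolated document.
// Function names and the sample subresources are constructed for
// illustration; same-site is folded into "cross-origin" for brevity.

// Response headers the top-level document sends to opt in to cross-origin
// isolation. COEP may be 'require-corp' or 'credentialless'.
const ISOLATION_HEADERS = {
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Embedder-Policy': 'credentialless',
};

// Constructed sample: each entry is a subresource request as the document
// issues it (origin, fetch mode, credentials setting) plus how the remote
// server answers (its Cross-Origin-Resource-Policy header, and whether its
// CORS headers admit this document for cors-mode requests).
const SAMPLE_SUBRESOURCES = [
  { name: 'first-party-api',    crossOrigin: false, mode: 'cors',    withCredentials: true, corp: null,           corsAllowed: true  },
  { name: 'cdn-script',         crossOrigin: true,  mode: 'no-cors', withCredentials: true, corp: 'cross-origin', corsAllowed: false },
  { name: 'user-upload-image',  crossOrigin: true,  mode: 'no-cors', withCredentials: true, corp: null,           corsAllowed: false },
  { name: 'locked-down-widget', crossOrigin: true,  mode: 'no-cors', withCredentials: true, corp: 'same-origin',  corsAllowed: false },
  { name: 'partner-api',        crossOrigin: true,  mode: 'cors',    withCredentials: true, corp: null,           corsAllowed: true  },
];

// Step 1: which credentials the browser attaches to the request.
function credentialsFor(coep, sub) {
  if (!sub.crossOrigin) return 'include';               // same-origin: unchanged
  if (coep === 'credentialless' && sub.mode === 'no-cors') return 'omit'; // the new behaviour
  return sub.withCredentials ? 'include' : 'omit';
}

// Step 2: whether the response is delivered to the document. Mirrors the
// structure of the Fetch spec's cross-origin resource policy check: a missing
// CORP header is treated as "same-origin" under require-corp, and under
// credentialless only when the request carried credentials.
function responseAllowed(coep, sub, credentials) {
  if (sub.mode === 'cors') return sub.corsAllowed;      // CORS, not CORP, decides
  if (!sub.crossOrigin) return true;                    // same-origin: never checked
  let policy = ['same-origin', 'same-site', 'cross-origin'].includes(sub.corp) ? sub.corp : null;
  if (policy === null) {
    if (coep === 'require-corp') policy = 'same-origin';
    if (coep === 'credentialless' && credentials === 'include') policy = 'same-origin';
  }
  // 'same-origin' (and, in this model, 'same-site') refuse a cross-origin requester.
  return policy === null || policy === 'cross-origin';
}

function evaluateSubresource(coep, sub) {
  const credentials = credentialsFor(coep, sub);
  const allowed = responseAllowed(coep, sub, credentials);
  return { name: sub.name, credentials, result: allowed ? 'allowed' : 'blocked' };
}

// Names of the subresources that would fail to load under a given COEP value.
function blockedUnder(coep, subresources = SAMPLE_SUBRESOURCES) {
  return subresources
    .map((s) => evaluateSubresource(coep, s))
    .filter((r) => r.result === 'blocked')
    .map((r) => r.name);
}

for (const coep of ['unsafe-none', 'require-corp', 'credentialless']) {
  console.log(coep, SAMPLE_SUBRESOURCES.map((s) => evaluateSubresource(coep, s)));
}
```

Running it shows the trade-off the motivation describes: under require-corp the user-uploaded image is blocked because its host never sent a CORP header, while under credentialless it loads with cookies stripped, so a response that was only ever meant for an authenticated user cannot end up in this page's process. A server that explicitly sets CORP: same-origin stays blocked under every policy.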

Standards & signals

Docs: https://github.com/WICG/credentiallessness https://docs.google.com/document/d/1U1pDzS_WJpfkq6QqOeqgmXmba_I4tIbUR-5C1AHzI9o/edit#

Samples: http://coep-credentialless.glitch.me/

Explainers: https://github.com/WICG/credentiallessness
