← Back to release summary

Iframe credentialless

Category

Security

Type

New or changed feature

Status

Enabled by default (Chrome 110)

Intent stage

Prepare to ship

Summary

Iframe credentialless give developers a way to load documents in third party iframes using new and ephemeral contexts. Iframe credentialless are a generalization of COEP credentialless to support 3rd party iframes that may not deploy COEP. Like with COEP credentialless, we replace the opt-in of cross-origin subresources by avoiding to load non-public resources. This will remove the constraint that 3rd party iframes must support COEP in order to be embedded in a COEP page and will unblock developers looking to adopt cross-origin-isolation. This way, developers using COEP can now embed third party iframes that do not.

Motivation

Sites that wish to continue using SharedArrayBuffer must opt-into cross-origin isolation. Among other things, cross-origin isolation will block the use of cross-origin resources and documents unless those resources opt-into inclusion via either CORS or CORP. This behavior shipped in Chrome, Firefox and Safari. The opt-in requirement is generally positive, as it ensures that developers have the opportunity to adequately evaluate the rewards of being included cross-site against the risks of potential data leakage via those environments. It poses adoption challenges, however, as it does require developers to adjust their servers to send an explicit opt-in. This is challenging in cases where there's not a single developer involved, but many. Google Ads, for example, includes third-party content, and it seems somewhat unlikely that they'll be able to ensure that all the ads creators will do the work to opt-into being loadable. It seems clear that adoption of any opt-in mechanism is going to be limited. From a deployment perspective (especially with an eye towards changing default behaviors), it would be ideal if we could find an approach that provided robust-enough protection against accidental cross-process leakage without requiring an explicit opt-in.

Standards & signals

• Specification: https://wicg.github.io/anonymous-iframe/#specification
• Firefox: No signal — They do like the concept of credentialless/anonymous iframes. However they are suggesting alternative ways of activating the feature. Instead of the `credentialless` attribute, it could potentially be split into 3 new sandbox flags for instance. One about allowing partitioned storage, one about allowing no-opener popups, and one about disabling autofill. This combination would allow a non-COEP iframe to be embedded. It is not clear exactly how it would behave with regards to sandbox inheritance, or if developers would understand. As a result, it feels unclear if iframe credentialless will be standardized.
• Safari: No signal — Second request on github: https://github.com/WebKit/standards-positions/issues/45
• Web developers: Positive — Zoom, Google Display Ads, StackBlitz are supportive. Several other developer also expressed their need to get iframe credentialless to embed 3rd party iframes inside crossOriginIsolated contexts.
• Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1211800

Docs: https://docs.google.com/document/d/1poI75BaQ9aqcMGJn_K01-QHsQQbEOwRWvg3Af4VWTmY/edit

Samples: https://anonymous-iframe.glitch.me

Explainers: https://github.com/WICG/anonymous-iframe

View on chromestatus.com