Cross-Origin-Embedder-Policy: credentialless #31
Description
The problem
Sites that wish to continue using SharedArrayBuffer must opt-into cross-origin isolation. Among other things, cross-origin isolation will block the use of cross-origin resources and documents unless those resources opt-into inclusion via either CORS or CORP. This behavior ships today in Firefox, and Chrome aims to ship it as well in 2021.
The opt-in requirement is generally positive, as it ensures that developers have the opportunity to adequately evaluate the rewards of being included cross-site against the risks of potential data leakage via Spectre. It poses adoption challenges, however, as it does require developers to adjust their servers to send an explicit opt-in. This is challenging in cases where there’s not a single developer involved, but many. Google Earth, for example, includes user-generated content in sandboxed frames, and it seems somewhat unlikely that they’ll be able to ensure that all the resources typed in by all their users over the years will do the work to opt-into being loadable.
Cases like Earth are, likely, outliers. Still, it seems clear that adoption of any opt-in mechanism is going to be limited (metrics). From a deployment perspective (especially with an eye towards changing default behaviors), it would be ideal if we could find an approach that provided robust-enough protection against accidental cross-process leakage without requiring an explicit opt-in.
The proposal
The goal of the existing opt-in is to block interesting data that an attacker wouldn’t otherwise have access to from flowing into a process they control. It might be possible to obtain a similar result by minimizing the risk that outgoing requests will generate responses personalized to a specific user by extending COEP to support a new credentialless mode which strips credentials (cookies, client certs, etc) by default for no-cors subresource requests.
Read the complete Explainer & Proposed specification
See also:
- "credentialless" embedder policy. w3ctag/design-reviews#582
- Cross-Origin-Embedder-Policy: credentialless whatwg/html#6637
CacheStorage&COEP:credentiallessw3c/ServiceWorker#1592
Feedback
I welcome feedback in this thread, but encourage you to file bugs against:
HTML spec. topic: coep-credentialless
+CC @mikewest @camillelamy @annevk @whatwg/cross-origin-isolation