Skip to content

Commit

Permalink
Specify the behavior of COEP: credentialless,
Browse files Browse the repository at this point in the history
(Draft)

Originally described in: https://github.com/mikewest/credentiallessness

`credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability.
They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests.

* HTML (whatwg/html#6638)
  * Define how to parse the `credentialless` value.
  * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept.

* Fetch: (This PR)
  * Define "Cross-Origin-Embedder-Policy allows credentials".
  * Omit credentials for no-cors, cross-origin, COEP:credentialless requests.
  * Check CORP for navigational COEP:credentialless response.

* ServiceWorker: XXX
  * Integration with `Cache.matchAll `algorithm.
  * XXX

See: whatwg/html#6637

----

- [ ] At least two implementers are interested (and none opposed):
   * Chrome: https://chromestatus.com/feature/4918234241302528#details
   * Firefox: XXX
   * Safari: XXX

- [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
   * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless

- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
   * Chrome: https://crbug.com/1175099
   * Firefox: XXX
   * Safari: XXX

(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)

----

See: whatwg/html#6637
  • Loading branch information
ArthurSonzogni committed Sep 21, 2021
1 parent b2f04e2 commit 8406e47
Showing 1 changed file with 47 additions and 3 deletions.
50 changes: 47 additions & 3 deletions fetch.bs
Original file line number Diff line number Diff line change
Expand Up @@ -1892,6 +1892,25 @@ source of security bugs. Please seek security review for features that deal with
<a for="URL serializer"><i>exclude fragment</i></a> set to true.
</ol>

<p>To check <dfn export>Cross-Origin-Embedder-Policy allows credentials</dfn>, given a
<a for=/>request</a> <var>request</var>, run theses steps:

<ol>
<li><p>If <var>request</var>'s <a for=request>mode</a> is not <code>no-cors</code>", return
true.</p>

<li><p>If <var>request</var>'s <a for=request>client</a> is null, return true.</p>

<li><p>If <var>request</var>'s <a for=request>client</a>'s <a for="environment settings
object">embedder policy</a> is not
"<code><a for="embedder policy value">credentialless</a></code>", return true.</p>

<li><p>If <var>request</var>'s <a for=request>origin</a> is not <a>same origin</a> with
<var>request</var>'s <a for=request>client</a>'s <a for="environment settings object">origin</a>,
return true.</p>

<li><p>Return false.</p>
</ol>

<h4 id=responses>Responses</h4>

Expand Down Expand Up @@ -1978,6 +1997,10 @@ initially unset.
being provided to an API that didn't make a range request. See the flag's usage for a detailed
description of the attack.

<p>A <a for=/>response</a> has an associated <dfn for=response
id=concept-response-request-include-credentials>request-include-credentials</dfn>, which is
initially set.

<p>A <a for=/>response</a> has an associated
<dfn for=response id=concept-response-timing-allow-passed>timing allow passed flag</dfn>, which is
initially unset.
Expand Down Expand Up @@ -3507,9 +3530,22 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or
<li><p>If <var>policy</var> is neither `<code>same-origin</code>`, `<code>same-site</code>`, nor
`<code>cross-origin</code>`, then set <var>policy</var> to null.

<li><p>If <var>policy</var> is null and <var>embedderPolicyValue</var> is
"<code><a for="embedder policy value">require-corp</a></code>", then set <var>policy</var> to
`<code>same-origin</code>`.
<li><p>If <var>policy</var> is null, switch on <var>embedderPolicyValue</var>:
<dl class=switch>
<dt>`<a for="embedder policy value">unsafe-none</a>`
<dt>`<a for="embedder policy value">credentialless</a>`
<dd> Set <var>policy</var> to `<code>same-origin</code>` if one of the
following is true:
<ul>
<li><var>response</var>'s <a for="response">request-include-credentials</a> is true and
<var>response</var>'s <a for="response">type</a> is "<code>opaque</code>".
<li><var>forNavigation</var> is true.
</ul>

<dt>`<a for="embedder policy value">require-corp</a>`
<dd> Set <var>policy</var> to `<code>same-origin</code>`.
</dl>
</li>

<li>
<p>Switch on <var>policy</var>:
Expand Down Expand Up @@ -4668,6 +4704,10 @@ steps. They return a <a for=/>response</a>.

<p>is true; otherwise false.

<li>
<p>If <a>Cross-Origin-Embedder-Policy allows credentials</a> with
<var>request</var> is false, set <var>includeCredentials</var> to false.</p>

<li><p>Let <var>contentLength</var> be <var>httpRequest</var>'s <a for=request>body</a>'s
<a for=body>length</a>, if <var>httpRequest</var>'s <a for=request>body</a> is non-null;
otherwise null.
Expand Down Expand Up @@ -5028,6 +5068,9 @@ steps. They return a <a for=/>response</a>.
<li><p>If <var>httpRequest</var>'s <a for=request>header list</a> <a for="header list">contains</a>
`<code>Range</code>`, then set <var>response</var>'s <a for=response>range-requested flag</a>.

<li><p>Set <var>response</var>'s <a for=response>request-include-credentials</a> to
<var>includeCredentials</var>.

<li>
<p>If <var>response</var>'s <a for=response>status</a> is 401, <var>httpRequest</var>'s
<a for=request>response tainting</a> is not "<code>cors</code>", <var>includeCredentials</var> is
Expand Down Expand Up @@ -7843,6 +7886,7 @@ Arkadiusz Michalski,
Arne Johannessen,
Artem Skoretskiy,
Arthur Barstow,
Arthur Sonzogni,
Asanka Herath,
Axel Rauschmayer,
Ben Kelly,
Expand Down

0 comments on commit 8406e47

Please sign in to comment.