diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/Headers/CrossOriginPolicies/EmbedderPolicy/CredentiallessDirectiveBuilder.cs b/src/NetEscapades.AspNetCore.SecurityHeaders/Headers/CrossOriginPolicies/EmbedderPolicy/CredentiallessDirectiveBuilder.cs
new file mode 100644
index 0000000..91b91f9
--- /dev/null
+++ b/src/NetEscapades.AspNetCore.SecurityHeaders/Headers/CrossOriginPolicies/EmbedderPolicy/CredentiallessDirectiveBuilder.cs
@@ -0,0 +1,27 @@
+using System;
+using Microsoft.AspNetCore.Http;
+
+namespace NetEscapades.AspNetCore.SecurityHeaders.Headers.CrossOriginPolicies.EmbedderPolicy;
+
+///
+/// no-cors cross-origin requests are sent without credentials.
+/// In particular, it means Cookies are omitted from the request, and ignored from the response.
+/// The responses are allowed without an explicit permission via the Cross-Origin-Resource-Policy header.
+/// Navigate responses behave similarly as the require-corp mode: They require Cross-Origin-Resource-Policy response header.
+/// From: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy#directives
+///
+public class CredentiallessDirectiveBuilder : CrossOriginEmbedderPolicyDirectiveBuilderBase
+{
+ ///
+ /// Initializes a new instance of the class.
+ ///
+ public CredentiallessDirectiveBuilder() : base("credentialless")
+ {
+ }
+
+ ///
+ internal override Func CreateBuilder()
+ {
+ return ctx => Directive;
+ }
+}
\ No newline at end of file
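Review bot: The class summary is the MDN description of browser behaviour and never says how this value compares with `require-corp`, which is what a caller choosing between the two needs. Under `credentialless`, cross-origin no-cors subresources load without any Cross-Origin-Resource-Policy opt-in from the serving origin (only credentials are stripped), so it is the more permissive of the two isolating values. I would add a sentence such as `/// Less strict than require-corp: cross-origin no-cors resources load without a CORP opt-in, with credentials stripped.` A second caveat worth adding is that browsers which do not implement this value are expected to treat the header as `unsafe-none`, so the page is not cross-origin isolated there; confirm against current browser support before relying on it.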
diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/Headers/CrossOriginPolicies/EmbedderPolicy/CrossOriginEmbedderPolicyBuilder.cs b/src/NetEscapades.AspNetCore.SecurityHeaders/Headers/CrossOriginPolicies/EmbedderPolicy/CrossOriginEmbedderPolicyBuilder.cs
index 3f60c72..2267827 100644
--- a/src/NetEscapades.AspNetCore.SecurityHeaders/Headers/CrossOriginPolicies/EmbedderPolicy/CrossOriginEmbedderPolicyBuilder.cs
+++ b/src/NetEscapades.AspNetCore.SecurityHeaders/Headers/CrossOriginPolicies/EmbedderPolicy/CrossOriginEmbedderPolicyBuilder.cs
@@ -25,4 +25,14 @@ public class CrossOriginEmbedderPolicyBuilder : CrossOriginPolicyBuilder
///
/// A configured
public RequireCorpDirectiveBuilder RequireCorp() => AddDirective(new RequireCorpDirectiveBuilder());
+
+ ///
+ /// no-cors cross-origin requests are sent without credentials.
+ /// In particular, it means Cookies are omitted from the request, and ignored from the response.
+ /// The responses are allowed without an explicit permission via the Cross-Origin-Resource-Policy header.
+ /// Navigate responses behave similarly as the require-corp mode: They require Cross-Origin-Resource-Policy response header.
+ /// From: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy#directives
+ ///
+ /// A configured
+ public CredentiallessDirectiveBuilder Credentialless() => AddDirective(new CredentiallessDirectiveBuilder());
}
\ No newline at end of file
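Review bot: Nothing in `Credentialless()` prevents a caller from also calling `RequireCorp()` on the same builder, although Cross-Origin-Embedder-Policy carries exactly one policy token. `AddDirective` is defined outside this hunk, so it is not visible whether a second call replaces the first or is appended to it. If it is appended with the `; ` separator seen in the report-to test, the second token would probably be read as a parameter of the first, and the effective policy would then depend silently on call order. The doc comment should state the exclusion, e.g. `/// Do not combine with RequireCorp(); the header takes a single policy value.` A test in CrossOriginEmbedderPolicyBuilderTests.cs that calls both methods would pin whichever behaviour is intended.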
diff --git a/test/NetEscapades.AspNetCore.SecurityHeaders.Test/CrossOriginEmbedderPolicyBuilderTests.cs b/test/NetEscapades.AspNetCore.SecurityHeaders.Test/CrossOriginEmbedderPolicyBuilderTests.cs
index 6fce643..29e97ae 100644
--- a/test/NetEscapades.AspNetCore.SecurityHeaders.Test/CrossOriginEmbedderPolicyBuilderTests.cs
+++ b/test/NetEscapades.AspNetCore.SecurityHeaders.Test/CrossOriginEmbedderPolicyBuilderTests.cs
@@ -63,4 +63,27 @@ public void Build_AddRequireCorp_WithReportEndpoint_AddsValue()
result.ConstantValue.Should().Be("require-corp; report-to=\"default\"");
}
+
+ [Fact]
+ public void Build_AddCredentialless_AddsValue()
+ {
+ var builder = new CrossOriginEmbedderPolicyBuilder();
+ builder.Credentialless();
+
+ var result = builder.Build();
+
+ result.ConstantValue.Should().Be("credentialless");
+ }
+
+ [Fact]
+ public void Build_AddCredentialless_WithReportEndpoint_AddsValue()
+ {
+ var builder = new CrossOriginEmbedderPolicyBuilder();
+ builder.Credentialless();
+ builder.AddReport().To("default");
+
+ var result = builder.Build();
+
+ result.ConstantValue.Should().Be("credentialless; report-to=\"default\"");
+ }
}
\ No newline at end of file