Allow credentialless subresources with COEP #4919
Labels
addition/proposal
New features or enhancements
needs implementer interest
Moving the issue forward requires implementers to express interest
topic: cross-origin-embedder-policy
Issues and ideas around the new "require CORP for subresource requests and frames and etc" proposal.
Comments
|
I think this might work if something like CORS-1918 is deployed across user agents by default or is enforced as part of this mode. Another thing that will have to be worked out is the interaction of the modes. If a service worker uses this mode, but its document uses the require-corp mode, do cross-origin resources get blocked or does require-corp only apply when the resource was fetched with credentials? |
annevk
added
addition/proposal
domenic
pushed a commit
that referenced
this issue
Jun 25, 2020
Merges https://github.com/WICG/cross-origin-embedder-policy into HTML. Associated PRs: * whatwg/fetch#1030 * w3c/ServiceWorker#1516 * w3c/css-houdini-drafts#992 Fixes #5368, fixes #5634, fixes whatwg/fetch#985, and fixes w3c/ServiceWorker#1490. Follow-up: #4916, #4919, #4930 #5223, and #5391. (As well as defining cross-origin isolated, per #4732.)
mfreed7
pushed a commit
to mfreed7/html
that referenced
this issue
Sep 11, 2020
Merges https://github.com/WICG/cross-origin-embedder-policy into HTML. Associated PRs: * whatwg/fetch#1030 * w3c/ServiceWorker#1516 * w3c/css-houdini-drafts#992 Fixes whatwg#5368, fixes whatwg#5634, fixes whatwg/fetch#985, and fixes w3c/ServiceWorker#1490. Follow-up: whatwg#4916, whatwg#4919, whatwg#4930 whatwg#5223, and whatwg#5391. (As well as defining cross-origin isolated, per whatwg#4732.)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Branching from #4175:
Some -- probably most -- resources on the web are public, and their content is not sensitive in any way; however, a site which can embed them in a page is still blocked from reading their content, or knowing anything about the content at all, despite the origin server being in the position of being able to fetch the identical resource from its own location.
I'd like to use COEP to declare that certain subresources are public, having been fetched over the public internet (per CORS-1918), without any cookies/credentials attached.
It's not in the current proposal, but I could imagine something like
being used to force that mode. Third-party cookies would not be sent, even if they exist, and the content of the resource could potentially be made available to the embedder. The site would still send first-party cookies for those resources, but is essentially declaring that it does not want to embed any sensitive third-party content.
The text was updated successfully, but these errors were encountered: