-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add credentialless
value to COEP (HTML spec)
#6638
Conversation
This is still work in progress. I still need write PR for fetch and ServiceWorker. Those will be more interesting. @whatwg/cross-origin-isolation @antosart @mikewest @camillelamy @iVanlIsh |
Specify the behavior of `Cross-Origin-Embedder-Policy: cors-or-credentialless`, Originally described in: https://github.com/mikewest/credentiallessness `cors-or-credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `cors-or-credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests. * HTML (whatwg/html#6638) * Define how to parse the `cors-or-credentialless` value. * From the HTML spec point of view, `cors-or-credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept. * Fetch: (This PR) * Define "Cross-Origin-Embedder-Policy allows credentials". * Omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Check CORP for navigational COEP:credentialless response. * ServiceWorker: XXX * Integration with `Cache.matchAll `algorithm. * XXX See: whatwg/html#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: XXX * Safari: XXX - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/cors-or-credentialless - [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: XXX * Safari: XXX (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.) ---- See: whatwg/html#6637
Specify the behavior of `Cross-Origin-Embedder-Policy: cors-or-credentialless`, Originally described in: https://github.com/mikewest/credentiallessness `cors-or-credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `cors-or-credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests. * HTML (whatwg/html#6638) * Define how to parse the `cors-or-credentialless` value. * From the HTML spec point of view, `cors-or-credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept. * Fetch: (This PR) * Define "Cross-Origin-Embedder-Policy allows credentials". * Omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Check CORP for navigational COEP:credentialless response. * ServiceWorker: XXX * Integration with `Cache.matchAll `algorithm. * XXX See: whatwg/html#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: XXX * Safari: XXX - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/cors-or-credentialless - [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: XXX * Safari: XXX (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.) ---- See: whatwg/html#6637
Specify the behavior of `Cross-Origin-Embedder-Policy: cors-or-credentialless`, Originally described in: https://github.com/mikewest/credentiallessness `cors-or-credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `cors-or-credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests. * HTML (whatwg/html#6638) * Define how to parse the `cors-or-credentialless` value. * From the HTML spec point of view, `cors-or-credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept. * Fetch: (This PR) * Define "Cross-Origin-Embedder-Policy allows credentials". * Omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Check CORP for navigational COEP:credentialless response. * ServiceWorker: XXX * Integration with `Cache.matchAll `algorithm. * XXX See: whatwg/html#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: XXX * Safari: XXX - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/cors-or-credentialless - [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: XXX * Safari: XXX (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.) ---- See: whatwg/html#6637
(Draft) Originally described in: https://github.com/mikewest/credentiallessness `credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests. * HTML (whatwg/html#6638) * Define how to parse the `credentialless` value. * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept. * Fetch: (This PR) * Define "Cross-Origin-Embedder-Policy allows credentials". * Omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Check CORP for navigational COEP:credentialless response. * ServiceWorker: XXX * Integration with `Cache.matchAll `algorithm. * XXX See: whatwg/html#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: XXX * Safari: XXX - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless - [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: XXX * Safari: XXX (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.) ---- See: whatwg/html#6637
(Draft) Originally described in: https://github.com/mikewest/credentiallessness `credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests. * HTML (whatwg/html#6638) * Define how to parse the `credentialless` value. * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept. * Fetch: (This PR) * Define "Cross-Origin-Embedder-Policy allows credentials". * Omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Check CORP for navigational COEP:credentialless response. * ServiceWorker: XXX * Integration with `Cache.matchAll `algorithm. * XXX See: whatwg/html#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: XXX * Safari: XXX - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless - [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: XXX * Safari: XXX (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.) ---- See: whatwg/html#6637
(Draft) Originally described in: https://github.com/mikewest/credentiallessness `credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests. * HTML (whatwg/html#6638) * Define how to parse the `credentialless` value. * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept. * Fetch: (This PR) * Define "Cross-Origin-Embedder-Policy allows credentials". * Omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Check CORP for navigational COEP:credentialless response. * ServiceWorker: XXX * Integration with `Cache.matchAll `algorithm. * XXX See: whatwg/html#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: XXX * Safari: XXX - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless - [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: XXX * Safari: XXX (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.) ---- See: whatwg/html#6637
(Draft) Originally described in: https://github.com/mikewest/credentiallessness `credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests. * HTML (whatwg/html#6638) * Define how to parse the `credentialless` value. * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept. * Fetch: (This PR) * Define "Cross-Origin-Embedder-Policy allows credentials". * Omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Check CORP for navigational COEP:credentialless response. * ServiceWorker: XXX * Integration with `Cache.matchAll `algorithm. * XXX See: whatwg/html#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: XXX * Safari: XXX - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless - [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: XXX * Safari: XXX (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.) ---- See: whatwg/html#6637
(Draft) Originally described in: https://github.com/mikewest/credentiallessness `credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests. * HTML (whatwg/html#6638) * Define how to parse the `credentialless` value. * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept. * Fetch: (This PR) * Define "Cross-Origin-Embedder-Policy allows credentials". * Omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Check CORP for navigational COEP:credentialless response. * ServiceWorker: XXX * Integration with `Cache.matchAll `algorithm. * XXX See: whatwg/html#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: XXX * Safari: XXX - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless - [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: XXX * Safari: XXX (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.) ---- See: whatwg/html#6637
cbb986b
to
df8e1ed
Compare
I am happy with the spec. Would you have some suggestion? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Normatively this is looking good! A number of style and clarity suggestions:
source
Outdated
<dt>"<dfn data-x="coep-credentialless" export for="embedder policy value"><code | ||
data-x="">credentialless</code></dfn>"</dt> | ||
<dd><p>When this value is used, fetching cross-origin no-CORS resources omits credentials. In | ||
exchange, an explicit `<code>Cross-Origin-Resource-Policy</code>` on response is not required. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this should be more general and talk about explicit server permission, to cover CORS as well (like the next bullet pointed does)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe sometime like:
When this value is used, fetching cross-origin no-CORS resources omits credentials and don't require an explicit `Cross-Origin-Resource-Policy` header. The other requests sent with credentials requires the server's explicit permission through the CORS protocol or the `Cross-Origin-Resource-Policy` header.
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good, although "The Other" requests seems a bit confusing. Maybe
Other requests are sent with credentials, and require the server's....
?
source
Outdated
<p>If <var>parsedItem</var> is non-null and <var>parsedItem</var>[0] is "<code | ||
data-x="">require-corp</code>":</p> | ||
|
||
<li><p>If <var>parsedItem</var> is non-null</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Colon before </p>
, and follow the previous pattern for how the <p>
is linebreaked and positioned relative to the <li>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe I addressed this comment, but it wasn't fully clear to me. Please double check.
source
Outdated
<li><p>Set <var>policy</var>'s <span data-x="embedder-policy-value">value</span> to "<code | ||
data-x="coep-require-corp">require-corp</code>".</p></li>. | ||
<!--credentialless--> | ||
<li><p>If <var>parsedItem</var>[0] is "<code data-x="">credentialless</code>":</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indentation is off for both the <p>
and <ol>
here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you meant going from two space to one, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No. You have written
<li><p>...
<ol>
...
</ol>
whereas the prevailing style is
<li>
<p>...</p>
<ol>
...
</ol>
</li>
I will push this in my fix.
Also I'm a bit confused on whether we landed on |
cors-or-credentialless
value to COEP (HTML spec)credentialless
value to COEP (HTML spec)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks you Domenic,
I addressed your comments below:
source
Outdated
<dt>"<dfn data-x="coep-credentialless" export for="embedder policy value"><code | ||
data-x="">credentialless</code></dfn>"</dt> | ||
<dd><p>When this value is used, fetching cross-origin no-CORS resources omits credentials. In | ||
exchange, an explicit `<code>Cross-Origin-Resource-Policy</code>` on response is not required. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe sometime like:
When this value is used, fetching cross-origin no-CORS resources omits credentials and don't require an explicit `Cross-Origin-Resource-Policy` header. The other requests sent with credentials requires the server's explicit permission through the CORS protocol or the `Cross-Origin-Resource-Policy` header.
?
source
Outdated
<p>If <var>parsedItem</var> is non-null and <var>parsedItem</var>[0] is "<code | ||
data-x="">require-corp</code>":</p> | ||
|
||
<li><p>If <var>parsedItem</var> is non-null</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe I addressed this comment, but it wasn't fully clear to me. Please double check.
source
Outdated
<li><p>Set <var>policy</var>'s <span data-x="embedder-policy-value">value</span> to "<code | ||
data-x="coep-require-corp">require-corp</code>".</p></li>. | ||
<!--credentialless--> | ||
<li><p>If <var>parsedItem</var>[0] is "<code data-x="">credentialless</code>":</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you meant going from two space to one, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I pushed a commit with the whitespace fixes; please take a look for next time. Overall this LGTM modulo our discussion on the phrasing of how "credentialless" is explained.
source
Outdated
data-x=""><span>Cross-Origin-Embedder-Policy</span>: <span | ||
data-x="coep-require-corp">require-corp</span></code>`.</p></li> | ||
<li><p>every <span>Document</span> has a `<code data-x="embedder policy value"> | ||
Cross-Origin-Embedder-Policy</code> value <span>compatible with cross-origin isolation</span>. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More line-breaking and whitespace problems. Note how adding a newline and spaces before Cross
makes a visible space in the output, which is undesirable. The same for adding a newline and space before </p>
.
This reoccurs several times in the PR.
I will push a commit fixing this and other such problems, but please take a look at the diff I upload so that it's clearer in the future how to avoid such problems in the output.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, my editor (vim) is able to correctly insert new lines to the right locations, including in the location you fixed if I remove the additional spaces. There must be some unknown (yet) cause to this in my editor. Next time I should stop relying on tooling and verify manually every new lines are correct. I didn't realized this. Thanks for the fix!
source
Outdated
<dt>"<dfn data-x="coep-credentialless" export for="embedder policy value"><code | ||
data-x="">credentialless</code></dfn>"</dt> | ||
<dd><p>When this value is used, fetching cross-origin no-CORS resources omits credentials. In | ||
exchange, an explicit `<code>Cross-Origin-Resource-Policy</code>` on response is not required. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good, although "The Other" requests seems a bit confusing. Maybe
Other requests are sent with credentials, and require the server's....
?
source
Outdated
<li><p>Set <var>policy</var>'s <span data-x="embedder-policy-value">value</span> to "<code | ||
data-x="coep-require-corp">require-corp</code>".</p></li>. | ||
<!--credentialless--> | ||
<li><p>If <var>parsedItem</var>[0] is "<code data-x="">credentialless</code>":</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No. You have written
<li><p>...
<ol>
...
</ol>
whereas the prevailing style is
<li>
<p>...</p>
<ol>
...
</ol>
</li>
I will push this in my fix.
Thank you!
Fixed in f04b0dc |
At the moment, we are evaluating shipping it in Chrome M96 based on the feedback we've got so far. Please let me know if you have any objections. Until a second web browser is interested implementing it, this will have to stay as two indefinitely open PRs for fetch and HTML + one monkey-patch summarizing the two. |
I'm not sure how many other changes are contemplated in this area, but I would be okay with landing this to ease maintenance. However, I do think we should add an implementer warning alongside this value that PNA and ORB are strongly encouraged to be supported in some form. |
f36c796
to
6bddeee
Compare
I rebased without conflict, and added in the latest commit the warning:
This would encompass this change and the one in Fetch: |
That looks good to me. I have some concerns about the Fetch PR (noted there). The Fetch PR also notes the need for a SW PR which I recall discussing at some point. Is that ready? |
Thanks @annevk . I will take a look at the Fetch PR.
At the end, there was no SW PR. It was resolved in Fetch only. See: The resolution was modifying the CORP check in the Fetch specification.
|
(Draft) Originally described in: https://github.com/mikewest/credentiallessness `credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests. * HTML (whatwg/html#6638) * Define how to parse the `credentialless` value. * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept. * Fetch: (This PR) * Define "Cross-Origin-Embedder-Policy allows credentials". * Omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Check CORP for navigational COEP:credentialless response. * ServiceWorker: XXX * Integration with `Cache.matchAll `algorithm. * XXX See: whatwg/html#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: XXX * Safari: XXX - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless - [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: XXX * Safari: XXX (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.) ---- See: whatwg/html#6637
So Mozilla committed to implement this? |
Yeah agreed. We are reluctant and it's conditional upon ORB/PNA working out, but this would ease adoption quite a bit. I do think more pressure could be put on sites to adopt COOP/COEP as-is though. |
Even though we recently implemented COOP/COEP in WebKit, I have no plan to add support for credentialless at the moment. It adds too much complexity and seems to have quite a few dependencies. |
However, implementing the dependencies: Private Network Access and ORB is indeed not trivial. Note that it works independently from anonymous iframe, which doesn't really exist yet. I don't count this as a dependency. I added a comment on the webkit bug I opened today. |
The argument about added complexity is reasonable, but I just wanted to note that there are substantial adoption benefits associated with For WebKit specifically, I wonder if the fact that it disables 3p cookies is an advantage in this context. As in, WebKit already sends cross-site requests as effectively credentialless, which aligns very well with the goal here -- this significantly reduces the risk associated with not implementing PNA/ORB. (Though note that same-site requests can still be a concern.) |
No, it does not reduce the risk. The risk was never with CORS requests. The risk of credentialless without PNA/ORB is entirely about resources behind firewalls of sorts. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall this looks solid, but I found a number of typos and also have some suggestions for light refactoring.
source
Outdated
@@ -84117,16 +84142,16 @@ interface <dfn interface>BarProp</dfn> { | |||
|
|||
<li> | |||
<p>If <var>parsedItem</var> is non-null and <var>parsedItem</var>[0] is "<code | |||
data-x="">require-corp</code>":</p> | |||
data-x="">credentialless</code>" or "<code data-x="">require-corp</code>":</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we use compatible with cross-origin isolation here? Perhaps we should not have "embedder policy value" as a type? And just make it a string. That would also help with the next step.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel using "compatible with cross-origin isolation" here would be a misfit, since its goal is to discriminate the COEP values bringing (potentially) the COI capability from the other. Here, this is a parser and we just want to filter valid string value.
Yes, for now, they both correspond to the same set (% string vs enum). If you don't feel too strongly about this, I would prefer not to change this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I were to refactor this I'd do away with the dedicated "embedder policy value" and reuse "compatible" here (it being a simple list of things) as I'm not really convinced it helps to have to maintain that list in multiple places.
Also, in the very next step you give up on the pretense that there is some distinction by setting the policy value directly to the parsed value.
That second thing especially makes me think the current setup isn't sound and just making everything be strings would be easier.
What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel I am not fully understanding your previous comment. Also, I am not fully sure how you would like me to make COEP's value to be of string type.
I gave it a try in:
815311b
Is it what you wanted?
Thanks @annevk! I addressed the suggestions from your last review (+ one unresolved). Sorry for the delay, I didn't see your review immediately. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I thought we were done, but upon rereading I found more nits and including somewhat substantive nits.
source
Outdated
@@ -84117,16 +84142,16 @@ interface <dfn interface>BarProp</dfn> { | |||
|
|||
<li> | |||
<p>If <var>parsedItem</var> is non-null and <var>parsedItem</var>[0] is "<code | |||
data-x="">require-corp</code>":</p> | |||
data-x="">credentialless</code>" or "<code data-x="">require-corp</code>":</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I were to refactor this I'd do away with the dedicated "embedder policy value" and reuse "compatible" here (it being a simple list of things) as I'm not really convinced it helps to have to maintain that list in multiple places.
Also, in the very next step you give up on the pretense that there is some distinction by setting the policy value directly to the parsed value.
That second thing especially makes me think the current setup isn't sound and just making everything be strings would be easier.
What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks Anne!
I addressed you comment with the latest 2 additional commit.
source
Outdated
@@ -84117,16 +84142,16 @@ interface <dfn interface>BarProp</dfn> { | |||
|
|||
<li> | |||
<p>If <var>parsedItem</var> is non-null and <var>parsedItem</var>[0] is "<code | |||
data-x="">require-corp</code>":</p> | |||
data-x="">credentialless</code>" or "<code data-x="">require-corp</code>":</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel I am not fully understanding your previous comment. Also, I am not fully sure how you would like me to make COEP's value to be of string type.
I gave it a try in:
815311b
Is it what you wanted?
source
Outdated
@@ -86879,9 +86902,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location | |||
|
|||
<li> | |||
<p>If <var>sandboxFlags</var> is not empty and <var>responseCOOP</var>'s <span | |||
data-x="coop-struct-value">value</span> is not "<code | |||
data-x="coop-unsafe-none">unsafe-none</code>", then set <var>response</var> to an |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Self suggestion: This has nothing to do with COEP. Revert this part.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apologies, I was thinking we could do away with "embedder policy value" as a concept altogether, but it seems we need it as two members take it, so it's useful to have as an abstraction.
I'd appreciate it if @domenic or someone else can take another look as well given the back-and-forth thus far. Makes it easy to overlook something.
source
Outdated
<li><p>every <span>Document</span> has a `<code data-x="embedder policy | ||
value">Cross-Origin-Embedder-Policy</code>' header whose <span | ||
data-x="embedder-policy-value">value</span> is <span>compatible with cross-origin | ||
isolation</span>.</p></li> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- The header name should end with ` not '.
- The header name should not xref embedder policy.
- When you talk about the header value it should not xref embedder policy value either. You can reference the value definition for header in Fetch, but I don't think that's really needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- 1: Done in 0bb1a99.
- 2 & 3: Done in 0bb1a99. I removed the
data-x
for both the header name and value. However I have no idea when we should and we shouldn't I naively thought adding it every time was best. I will follow you blindly here, but if you can explain why, that would allow me to do it better next time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might be easier if you could join https://whatwg.org/chat so we can discuss this more synchronously as I'm not entirely sure where the confusion lies. The problem with the data-x value that you added here is that it's not for the definition of the header or the definition of a header's value member. The header links just fine without a data-x and word "value" would have to link to https://fetch.spec.whatwg.org/#concept-header-value if anything.
source
Outdated
data-x="coop-same-origin">same-origin</span></code>` and a `<code data-x="embedder policy | ||
value">Cross-Origin-Embedder-Policy</code>` whose <span | ||
data-x="embedder-policy-value">value</span> is <span>compatible with cross-origin | ||
isolation</span> together.<p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Similar comments applicable here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done in 0bb1a99.
However, I don't really understand why we do this for COEP and not for COOP on the same sentence.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, you're not changing COOP but also for COOP we can list the header-value construct as a single thing (and have done so), but that's no longer possible for COEP as multiple values are okay now.
Hope that helps.
Define COEP:credentialless Originally described in: https://github.com/mikewest/credentiallessness `credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in the request. * HTML (whatwg#6638) * Define how to parse the `credentialless` value. * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with cross-origin isolation` and the HTML spec rewritten to use this concept. * Fetch: (whatwg/fetch#1229) * Define `Cross-Origin-Embedder-Policy allows credentials` algorithm. It omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Define `response's` `request-include-credentials` flag. * In the `Cross-Origin-Resource-Policy check`, if `embedderPolicy` is `credentialless`, require CORP for navigational responses, and opaque responses with `request-include-credentials`. See: whatwg#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: mozilla/standards-positions#539 (worth prototyping) * Safari: https://lists.webkit.org/pipermail/webkit-dev/2021-June/031898.html (pending) - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless - [X] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1731778 * Safari: https://bugs.webkit.org/show_bug.cgi?id=230550 (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)
6f79635
to
9485456
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Should we merge before or after whatwg/fetch#1229 ?
Thanks!
The fetch specification uses the exported |
This complements this HTML PR: whatwg/html#6638.
This complements this HTML PR: whatwg/html#6638.
Originally described in: https://github.com/mikewest/credentiallessness
credentialless
andrequire-corp
are similar. One or the other is a requirements for thewindow.crossOriginIsolated
capability.They differ mostly in the fetch specification.
require-corp
requires a CORP header for cross-origin no-cors responses.credentialless
doesn't, but omits credentials (Cookies, clients certificates, etc...) in the request.HTML (Add
credentialless
value to COEP (HTML spec) #6638)credentialless
value.credentialless
andrequire-corp
are equivalent. They have been grouped intocompatible with cross-origin isolation
and the HTML spec rewritten to use this concept.Fetch: (Specify the behavior of
COEP: credentialless
, fetch#1229)Cross-Origin-Embedder-Policy allows credentials
algorithm. It omit credentials for no-cors, cross-origin, COEP:credentialless requests.response's
request-include-credentials
flag.Cross-Origin-Resource-Policy check
, ifembedderPolicy
iscredentialless
, require CORP for navigational responses, and opaque responses withrequest-include-credentials
.See: #6637
At least two implementers are interested (and none opposed):
Tests are written and can be reviewed and commented upon at:
Implementation bugs are filed:
(See WHATWG Working Mode: Changes for more details.)
See: #6637
/browsers.html ( diff )
/origin.html ( diff )
/workers.html ( diff )