From 40674cd3771b8bab35f261f1342071d16a6fcad3 Mon Sep 17 00:00:00 2001 
From: Arthur Sonzogni
Date: Mon, 3 May 2021 18:33:13 +0200
Subject: [PATCH] Specify the behavior of `COEP: credentialless`, (Draft)

Originally described in: https://github.com/mikewest/credentiallessness

`credentialless` and `require-corp` are similar. One or the other is a requirement for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, client certificates, etc...) in no-cors cross-origin requests.

* HTML (https://github.com/whatwg/html/pull/6638)
  * Define how to parse the `credentialless` value.
  * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept.
* Fetch: (This PR)
  * Define "Cross-Origin-Embedder-Policy allows credentials".
  * Omit credentials for no-cors, cross-origin, COEP:credentialless requests.
  * Check CORP for navigational COEP:credentialless response.
* ServiceWorker: XXX
  * Integration with `Cache.matchAll` algorithm.
  * XXX

See: https://github.com/whatwg/html/issues/6637

----

- [ ] At least two implementers are interested (and none opposed):
  * Chrome: https://chromestatus.com/feature/4918234241302528#details
  * Firefox: XXX
  * Safari: XXX
- [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
  * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless
- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
  * Chrome: https://crbug.com/1175099
  * Firefox: XXX
  * Safari: XXX

(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)
---- See: https://github.com/whatwg/html/issues/6637 --- fetch.bs | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/fetch.bs b/fetch.bs index 30dceaceb..58c31aca6 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1870,6 +1870,25 @@ source of security bugs. Please seek security review for features that deal with exclude fragment set to true. +

To check Cross-Origin-Embedder-Policy allows credentials, given a +request request, run theses steps: + +

    +
  1. If request's mode is not no-cors", return + true.

    + +
  2. If request's client is null, return true.

    + +
  3. If request's client's embedder policy is not + "credentialless", return true.

    + +
  4. If request's origin is not same origin with + request's client's origin, + return true.

    + +
  5. Return false.

    +

Responses

@@ -3399,6 +3418,10 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or "require-corp", then set policy to `same-origin`. +
  • If policy is null, embedderPolicyValue is + "credentialless", and + forNavigation is true, then set policy to `same-origin`. +

  • Switch on policy: @@ -4549,6 +4572,10 @@ steps. They return a response.

    is true; otherwise false. +

  • +

    If Cross-Origin-Embedder-Policy allows credentials with + request is false, set includeCredentials to false.

    +
  • Let contentLength be httpRequest's body's length, if httpRequest's body is non-null; otherwise null. @@ -7720,6 +7747,7 @@ Arkadiusz Michalski, Arne Johannessen, Artem Skoretskiy, Arthur Barstow, +Arthur Sonzogni, Asanka Herath, Axel Rauschmayer, Ben Kelly,
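Review bot: step 4 of the new "Cross-Origin-Embedder-Policy allows credentials" algorithm (first hunk, fetch.bs around line 1870) returns true, i.e. keeps credentials, when request's origin is not same origin with the client's origin, which is the inverse of what the commit message describes (credentials omitted for cross-origin no-cors requests). It also compares against the client's origin rather than the request's destination; a request's origin is normally its client's origin, so that comparison is almost always same origin and the algorithm would nearly always return true. Suggest rewriting the step as "If request's origin is same origin with request's current URL's origin, then return true." and deciding explicitly whether a same-origin request that is redirected to another origin should also lose its credentials. The phrase "run theses steps" in the algorithm's lead-in should read "run these steps".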
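Review bot: the new step in the cross-origin resource policy check (second hunk, fetch.bs around line 3399) duplicates the preceding "require-corp" step apart from the extra forNavigation condition; folding both into one step ("If policy is null and either embedderPolicyValue is "require-corp", or embedderPolicyValue is "credentialless" and forNavigation is true, then set policy to `same-origin`") reads more clearly. A short note next to it stating that for non-navigation responses under "credentialless" policy stays null, so CORP is not enforced and the protection comes from credentials being omitted instead, would save readers comparing this with require-corp from wondering whether the omission is intentional.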
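Review bot: the added step in HTTP-network-or-cache fetch (third hunk, fetch.bs around line 4549) invokes "Cross-Origin-Embedder-Policy allows credentials with request", while the first hunk defines the algorithm as "given a request request"; spec convention is "given request", so the call site should use that wording. Placing the step immediately after includeCredentials is derived from the credentials mode is the right spot, since later steps of the algorithm consume the reduced value; adding a one-line note there saying that this is where COEP: credentialless strips credentials would help readers who look for the behaviour in the fetch algorithm rather than in the helper.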