Specify the behavior of COEP: credentialless,
#1229
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ArthurSonzogni
force-pushed
the
coep-credentialless
branch
from
f60b8b4 to
43d078a
Compare
3 tasks
ArthurSonzogni
force-pushed
the
coep-credentialless
branch
from
43d078a to
40674cd
Compare
ArthurSonzogni
force-pushed
the
coep-credentialless
branch
2 times, most recently
from
2b03205 to
6b301ae
Compare
|
I wrote page gathering the two PR in a single page if you want to have a broader view: Would you have some suggestion? The warning I have: will be resolved when landing the HTML PR. |
yutakahirano
reviewed
Jun 9, 2021
|
Don't you want to compare request's current URL's origin and request's origin, rather than request's origin and request's client's origin? |
Yes, this should be the |
Sorry, can you give me an example? request's origin and request's client's origin are usually the same, but other checks such as CORS use request's origin, so I want to understand why in this case we need to use the client's origin. |
|
What is the main difference in between Do you foresee a case where the difference matter for COEP:credentialless? |
For example, process a nativate fetch manually sets request's origin (step 4.1).
Regarding this algorithm, no. For requests with mode: "no-cors", I believe they match. In any case, request's origin is the source of truth for other checks, so using it here is better for consistency. |
Thanks! I addressed this in 9f0be6a. |
ArthurSonzogni
commented
Jun 17, 2021
yutakahirano
approved these changes
Jun 17, 2021
annevk
reviewed
Sep 14, 2021
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Sep 20, 2021
In the Fetch specification PR, we changed our mind and decided to omit credentials as soon as there at least one cross-origin request. Previously, only the current URL was taken into account. See: whatwg/fetch#1229 (comment) Bug:1175099 Change-Id: I308281bdab95be264ca7a2ef990341bddd0e9bc2
|
From CI it seems like this needs rebasing or at least some modernizing as embedder policy is now part of policy container. |
(Draft) Originally described in: https://github.com/mikewest/credentiallessness `credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests. * HTML (whatwg/html#6638) * Define how to parse the `credentialless` value. * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept. * Fetch: (This PR) * Define "Cross-Origin-Embedder-Policy allows credentials". * Omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Check CORP for navigational COEP:credentialless response. * ServiceWorker: XXX * Integration with `Cache.matchAll `algorithm. * XXX See: whatwg/html#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: XXX * Safari: XXX - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless - [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: XXX * Safari: XXX (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.) ---- See: whatwg/html#6637
ArthurSonzogni
force-pushed
the
coep-credentialless
branch
from
8a974e2 to
3c48686
Compare
|
I rebased over PolicyContainer. See the latest patchset for the difference. However, this would still require the HTML specification to land, in order to understand the (I double checked there was no other LINK error beside this one, by replacing |
annevk
reviewed
Sep 22, 2021
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Sep 22, 2021
In the Fetch specification PR, we changed our mind and decided to omit credentials as soon as there at least one cross-origin request. Previously, only the current URL was taken into account. See: whatwg/fetch#1229 (comment) Bug: 1175099 Change-Id: I308281bdab95be264ca7a2ef990341bddd0e9bc2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3168346 Reviewed-by: Yutaka Hirano <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/main@{#923884}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Sep 22, 2021
In the Fetch specification PR, we changed our mind and decided to omit credentials as soon as there at least one cross-origin request. Previously, only the current URL was taken into account. See: whatwg/fetch#1229 (comment) Bug: 1175099 Change-Id: I308281bdab95be264ca7a2ef990341bddd0e9bc2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3168346 Reviewed-by: Yutaka Hirano <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/main@{#923884}
pull bot
pushed a commit
to luojiguicai/chromium
that referenced
this pull request
Sep 22, 2021
In the Fetch specification PR, we changed our mind and decided to omit credentials as soon as there at least one cross-origin request. Previously, only the current URL was taken into account. See: whatwg/fetch#1229 (comment) Bug: 1175099 Change-Id: I308281bdab95be264ca7a2ef990341bddd0e9bc2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3168346 Reviewed-by: Yutaka Hirano <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/main@{#923884}
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Oct 3, 2021
…r., a=testonly Automatic update from web-platform-tests [credentialless] Update redirect behavior. In the Fetch specification PR, we changed our mind and decided to omit credentials as soon as there at least one cross-origin request. Previously, only the current URL was taken into account. See: whatwg/fetch#1229 (comment) Bug: 1175099 Change-Id: I308281bdab95be264ca7a2ef990341bddd0e9bc2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3168346 Reviewed-by: Yutaka Hirano <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/main@{#923884} -- wpt-commits: 2d6d77b3054e9b7f35bdd2b3e7de9b53ecfed7d5 wpt-pr: 30871
jamienicol
pushed a commit
to jamienicol/gecko
that referenced
this pull request
Oct 4, 2021
…r., a=testonly Automatic update from web-platform-tests [credentialless] Update redirect behavior. In the Fetch specification PR, we changed our mind and decided to omit credentials as soon as there at least one cross-origin request. Previously, only the current URL was taken into account. See: whatwg/fetch#1229 (comment) Bug: 1175099 Change-Id: I308281bdab95be264ca7a2ef990341bddd0e9bc2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3168346 Reviewed-by: Yutaka Hirano <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/main@{#923884} -- wpt-commits: 2d6d77b3054e9b7f35bdd2b3e7de9b53ecfed7d5 wpt-pr: 30871
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Oct 4, 2021
…r., a=testonly Automatic update from web-platform-tests [credentialless] Update redirect behavior. In the Fetch specification PR, we changed our mind and decided to omit credentials as soon as there at least one cross-origin request. Previously, only the current URL was taken into account. See: whatwg/fetch#1229 (comment) Bug: 1175099 Change-Id: I308281bdab95be264ca7a2ef990341bddd0e9bc2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3168346 Reviewed-by: Yutaka Hirano <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/main@{#923884} -- wpt-commits: 2d6d77b3054e9b7f35bdd2b3e7de9b53ecfed7d5 wpt-pr: 30871
jamienicol
pushed a commit
to jamienicol/gecko
that referenced
this pull request
Oct 6, 2021
…r., a=testonly Automatic update from web-platform-tests [credentialless] Update redirect behavior. In the Fetch specification PR, we changed our mind and decided to omit credentials as soon as there at least one cross-origin request. Previously, only the current URL was taken into account. See: whatwg/fetch#1229 (comment) Bug: 1175099 Change-Id: I308281bdab95be264ca7a2ef990341bddd0e9bc2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3168346 Reviewed-by: Yutaka Hirano <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/main@{#923884} -- wpt-commits: 2d6d77b3054e9b7f35bdd2b3e7de9b53ecfed7d5 wpt-pr: 30871
ArthurSonzogni
added a commit
to ArthurSonzogni/html
that referenced
this pull request
Oct 20, 2021
Define COEP:credentialless Originally described in: https://github.com/mikewest/credentiallessness `credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability. They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in the request. * HTML (whatwg#6638) * Define how to parse the `credentialless` value. * From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with cross-origin isolation` and the HTML spec rewritten to use this concept. * Fetch: (whatwg/fetch#1229) * Define `Cross-Origin-Embedder-Policy allows credentials` algorithm. It omit credentials for no-cors, cross-origin, COEP:credentialless requests. * Define `response's` `request-include-credentials` flag. * In the `Cross-Origin-Resource-Policy check`, if `embedderPolicy` is `credentialless`, require CORP for navigational responses, and opaque responses with `request-include-credentials`. See: whatwg#6637 ---- - [ ] At least two implementers are interested (and none opposed): * Chrome: https://chromestatus.com/feature/4918234241302528#details * Firefox: mozilla/standards-positions#539 (worth prototyping) * Safari: https://lists.webkit.org/pipermail/webkit-dev/2021-June/031898.html (pending) - [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at: * https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless - [X] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed: * Chrome: https://crbug.com/1175099 * Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1731778 * Safari: https://bugs.webkit.org/show_bug.cgi?id=230550 (See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)
domenic
reviewed
Nov 1, 2021
ArthurSonzogni
commented
Nov 1, 2021
annevk
pushed a commit
to whatwg/html
that referenced
this pull request
Nov 2, 2021
This defines Cross-Origin-Embedder-Policy: credentialless. The credentialless and require-corp values are similar. One or the other is a requirements for the cross-origin isolated capability. They differ mostly in terms of fetching. require-corp requires a Cross-Origin-Resource-Policy header for cross-origin opaque responses. credentialless doesn't, but omits credentials (cookies, client certificates, etc.) in cross-origin "no-cors" requests. See https://github.com/WICG/credentiallessness for additional context. Fetch PR: whatwg/fetch#1229. Tests: WPT html/cross-origin-embedder-policy/credentialless. Closes #6637.
|
This can land tomorrow once HTML has been indexed by Shepherd. Note that I made a couple last minute changes, but they are all editorial. |
|
It seems Shepherd has not run. (At least, as far as I can tell HTML was updated and the new term followed an existing pattern that does work and having checked all those things again I cannot find any errors.) @tabatkins @plinss, is that known? |
|
Shepherd has been blocked for the last 18 hours or so, it just ran. The last version of fetch it scanned was published on 2021-11-01 01:32:23 PDT |
|
Thanks @plinss! |
|
And thanks @ArthurSonzogni for the work on the PR, of course! And @domenic and @yutakahirano for the reviews! 😊 |
|
Awesome! 🚀 |
Gabisampaio
pushed a commit
to Gabisampaio/wpt
that referenced
this pull request
Nov 18, 2021
In the Fetch specification PR, we changed our mind and decided to omit credentials as soon as there at least one cross-origin request. Previously, only the current URL was taken into account. See: whatwg/fetch#1229 (comment) Bug: 1175099 Change-Id: I308281bdab95be264ca7a2ef990341bddd0e9bc2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3168346 Reviewed-by: Yutaka Hirano <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/main@{#923884}
dandclark
pushed a commit
to dandclark/html
that referenced
this pull request
Dec 4, 2021
This defines Cross-Origin-Embedder-Policy: credentialless. The credentialless and require-corp values are similar. One or the other is a requirements for the cross-origin isolated capability. They differ mostly in terms of fetching. require-corp requires a Cross-Origin-Resource-Policy header for cross-origin opaque responses. credentialless doesn't, but omits credentials (cookies, client certificates, etc.) in cross-origin "no-cors" requests. See https://github.com/WICG/credentiallessness for additional context. Fetch PR: whatwg/fetch#1229. Tests: WPT html/cross-origin-embedder-policy/credentialless. Closes whatwg#6637.
mfreed7
pushed a commit
to mfreed7/html
that referenced
this pull request
Jun 3, 2022
This defines Cross-Origin-Embedder-Policy: credentialless. The credentialless and require-corp values are similar. One or the other is a requirements for the cross-origin isolated capability. They differ mostly in terms of fetching. require-corp requires a Cross-Origin-Resource-Policy header for cross-origin opaque responses. credentialless doesn't, but omits credentials (cookies, client certificates, etc.) in cross-origin "no-cors" requests. See https://github.com/WICG/credentiallessness for additional context. Fetch PR: whatwg/fetch#1229. Tests: WPT html/cross-origin-embedder-policy/credentialless. Closes whatwg#6637.
mjfroman
pushed a commit
to mjfroman/moz-libwebrtc-third-party
that referenced
this pull request
Oct 14, 2022
In the Fetch specification PR, we changed our mind and decided to omit credentials as soon as there at least one cross-origin request. Previously, only the current URL was taken into account. See: whatwg/fetch#1229 (comment) Bug: 1175099 Change-Id: I308281bdab95be264ca7a2ef990341bddd0e9bc2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3168346 Reviewed-by: Yutaka Hirano <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/main@{#923884} NOKEYCHECK=True GitOrigin-RevId: 640ff1a8149d911069c5b77ca9c0883abba2e9d3
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Originally described in: https://github.com/mikewest/credentiallessness
credentiallessandrequire-corpare similar. One or the other is a requirements for thewindow.crossOriginIsolatedcapability.They differ mostly in the fetch specification.
require-corprequires a CORP header for cross-origin no-cors responses.credentiallessdoesn't, but omits credentials (Cookies, clients certificates, etc...) in the request.HTML (Add
credentiallessvalue to COEP (HTML spec) html#6638)credentiallessvalue.credentiallessandrequire-corpare equivalent. They have been grouped intocompatible with cross-origin isolationand the HTML spec rewritten to use this concept.Fetch: (Specify the behavior of
COEP: credentialless, #1229)Cross-Origin-Embedder-Policy allows credentialsalgorithm. It omit credentials for no-cors, cross-origin, COEP:credentialless requests.response'srequest-include-credentialsflag.Cross-Origin-Resource-Policy check, ifembedderPolicyiscredentialless, require CORP for navigational responses, and opaque responses withrequest-include-credentials.See: whatwg/html#6637
At least two implementers are interested (and none opposed):
Tests are written and can be reviewed and commented upon at:
Implementation bugs are filed:
(See WHATWG Working Mode: Changes for more details.)
Preview | Diff