Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow credentialless subresources with COEP #4919

Open
clelland opened this issue Sep 19, 2019 · 1 comment
Open

Allow credentialless subresources with COEP #4919

clelland opened this issue Sep 19, 2019 · 1 comment
Labels
addition/proposal New features or enhancements needs implementer interest Moving the issue forward requires implementers to express interest topic: cross-origin-embedder-policy Issues and ideas around the new "require CORP for subresource requests and frames and etc" proposal

Comments

@clelland
Copy link
Contributor

Branching from #4175:

Some -- probably most -- resources on the web are public, and their content is not sensitive in any way; however, a site which can embed them in a page is still blocked from reading their content, or knowing anything about the content at all, despite the origin server being in the position of being able to fetch the identical resource from its own location.

I'd like to use COEP to declare that certain subresources are public, having been fetched over the public internet (per CORS-1918), without any cookies/credentials attached.

It's not in the current proposal, but I could imagine something like

Cross-Origin-Embedder-Policy: no-credentials

being used to force that mode. Third-party cookies would not be sent, even if they exist, and the content of the resource could potentially be made available to the embedder. The site would still send first-party cookies for those resources, but is essentially declaring that it does not want to embed any sensitive third-party content.

@annevk
Copy link
Member

annevk commented Sep 21, 2019

I think this might work if something like CORS-1918 is deployed across user agents by default or is enforced as part of this mode.

Another thing that will have to be worked out is the interaction of the modes. If a service worker uses this mode, but its document uses the require-corp mode, do cross-origin resources get blocked or does require-corp only apply when the resource was fetched with credentials?

@annevk annevk added addition/proposal New features or enhancements needs implementer interest Moving the issue forward requires implementers to express interest topic: cross-origin-embedder-policy Issues and ideas around the new "require CORP for subresource requests and frames and etc" proposal labels Sep 21, 2019
@yutakahirano yutakahirano mentioned this issue Jun 15, 2020
3 tasks
domenic pushed a commit that referenced this issue Jun 25, 2020
Merges https://github.com/WICG/cross-origin-embedder-policy into HTML.

Associated PRs:

* whatwg/fetch#1030
* w3c/ServiceWorker#1516
* w3c/css-houdini-drafts#992

Fixes #5368, fixes #5634, fixes
whatwg/fetch#985, and fixes
w3c/ServiceWorker#1490.

Follow-up: #4916, #4919, #4930 #5223, and #5391. (As well as defining
cross-origin isolated, per #4732.)
mfreed7 pushed a commit to mfreed7/html that referenced this issue Sep 11, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
addition/proposal New features or enhancements needs implementer interest Moving the issue forward requires implementers to express interest topic: cross-origin-embedder-policy Issues and ideas around the new "require CORP for subresource requests and frames and etc" proposal
Development

No branches or pull requests

2 participants