#582: "credentialless" embedder policy.

Visit on Github.

Opened Dec 3, 2020

Guten TAG!

I'm requesting a TAG review of a "credentialless" cross-origin embedder policy mode.

Today, COEP: require-corp exists, and is used to enable cross-origin isolation (and therefore SharedArrayBuffer, etc). It is functional and solid, but turns out to be difficult to deploy at scale, as it requires all subresources to explicitly opt-in. This is fine for some sites, but creates dependency problems for sites that gather content from users (Google Earth, social media generally, forums, etc). https://github.com/mikewest/credentiallessness/ suggests an alternative that might have better deployment characteristics: strip credentials from outgoing requests by default, and send them only for CORS-enabled requests. In this model, resources would either explicitly opt-into sharing themselves with the requestor, or would be low-risk, insofar as it's less likely to contain personal information if browser-controlled identifiers like cookies aren't included.

  • Explainer¹ (minimally containing user needs and example code): https://github.com/WICG/credentiallessness
  • Security and Privacy self-review²: Let me get back to this when we're further along... It should be strictly positive.
  • Primary contacts (and their relationship to the specification):
    • Mike West (@mikewest), Camille Lamy (@camillelamy), Ian Clelland (@clelland)
  • Organization/project driving the design: Google
  • External status/issue trackers for this feature (publicly visible, e.g. Chrome Status): Nope.

Further details:

  • I have reviewed the TAG's API Design Principles
  • The group where the incubation/design work on this is being done (or is intended to be done in the future): WICG, or just WHATWG PRs, as it might not be complicated enough for an entirely separate doc.
  • The group where standardization of this work is intended to be done ("unknown" if not known): WHATWG (this would live in HTML (and maybe bits in Fetch?))
  • Existing major pieces of multi-stakeholder review or discussion of this design: This is it. Being my favourite standards review body, y'all are first on my list.
  • Major unresolved issues with or opposition to this design: None (yet!).
  • This work is being funded by: Google

You should also know that: the subresource bits of this proposal seem pretty clear to me, and I have some reasonable amount of confidence that they make sense. Frames are harder, and I'd appreciate y'all's thoughts. I'd also appreciate your help weighing the impact of non-cookie based ACLs, and the potential dependency upon CORS-RFC1918 (which y'all are reviewing in https://github.com/w3ctag/design-reviews/issues/572. It might also be helpful to review conversations like https://github.com/whatwg/html/issues/4175#issuecomment-466047231 where @clelland originally surfaced this suggestion.

We'd prefer the TAG provide feedback as:

💬 a comment in this issue and @-notify the folks above.

Discussions

2021-01-Kronos

Minutes

David: Mike west asked for review of credentialess embedder policy...

David: connected to SPECTRE mitigation...

Dan: I would like more context in the explainer - getting at the user need and the issue with SPECTRE veunerablity...

David: browsers can't trust the CPU to maintain isolation between processes anymore.

David: ways to turn sharedarraybuffer back on...

Dan: left comment

David: need to digest a bit more... Seems not unreasonable on the surface.

2021-02-08

Minutes

Dan: let's schedule a breakout on this at the plenary. Maybe we can get Mike to join as well.

2021-02-08

Minutes

Amy: not much to report - David said looks reasonable but a lot to digest. Recent comments from today.

2021-02-22

Minutes

[punted]

2021-03-08

Minutes

Yves: it's under discussion. Multiple proposals. My position is to recommend they pick the solution that is the easiest to use for an end user (web developers) and easiest to understand so it doesn't add extra complexity. Will send feedback later.

Dan: propose close.. until they have something specific to review.

2021-07-05

Minutes

Dan: they are moving this to WICG. They've changed something about the approach and wanted us to reopen

Yves: no longer about communication between iframe, but subresource loading in an anonymous way

Dan: what additional value can we add? They asked to reopen because our response no longer fit. We said yes that sounds fine, but the 'that' is something the ended up not choosing

Yves: as it's a completely stripped down version of the original proposal I'll need to take a look again, and ensure different stakeholders agree, which might happen in WICG

Dan: take a look and agenda for next week?

Yves: yes

2021-07-05

Minutes

Yves: re-opened - they changed the Use case..

Yves: use case is comms between iframes / popups and main document - mostly for webassembly - they used sharedarray buffer - and for payments. The goal is to allow it and gate it in some way - not open to any iframe. The change is the way to restrict / not restrict it. The current issue - allow subresources like images to be loaded credentialless instead of sending credentials - which is the default for using non-cors subresources.

Dan: left a comment about venue

2021-07-12

Minutes

Yves: specific issue with service worker and cache.... looked at discussion. 2 different caches could be a mitigation - one private cache with credential and one without.

Dan: mark proposed close and close at plenary?

Yves: I will leave some comments in the issue

2021-07-26

Minutes

Yves: looks good to me - would like to see in caches differentiation between what is retreived with and without credentials - eg. service worker and native cache of the browser. If everyone is happy with that, i can send that comment.