Load cross-origin resources without CORP headers using COEP: credentialless

Cross-origin resources served by third-parties often do not include adequate CORP headers. If they can be requested without credentials, now you can enable cross-origin isolation by marking them as such.

We have shipped the new Cross-Origin Embedder Policy (COEP) value credentialless which allows the browser to load cross-origin resources which don't use the Cross-Origin Resource Policy (CORP), by sending a request without credentials, such as cookies. This helps developers to adopt cross-origin isolation more easily.

Why we need cross-origin isolation

Some web APIs increase the risk of side-channel attacks such as Spectre. To mitigate that risk, browsers offer an opt-in-based isolated environment called cross-origin isolation. With a cross-origin isolated state, the webpage can use privileged features including SharedArrayBuffer, performance.measureUserAgentSpecificMemory() and high-precision timers with better resolution while isolating the origin from others unless they are opted in.

The webpage must send two HTTP headers to enable cross-origin isolation:

Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin

With a cross-origin isolated state, all cross-origin resources must be served with CORS or set a Cross-Origin-Resource-Policy header to be loaded.

Challenges with enabling cross-origin isolation

While cross-origin isolation brings webpages better security and the ability to enable powerful features, deploying it can be difficult. One of the biggest challenges is the requirement to enable CORS or CORP for all cross-origin resources. Resources without those headers will not be loaded by the browser on a cross-origin isolated page.

These cross-origin resources are usually served by third-parties for whom it may not be easy to add the necessary headers.

But what if we know the resource is safe enough to be loaded? In fact, the only resources that are at risk are ones requested with credentials, because they potentially include sensitive information which the attacker can't load on their own. This means resources that can be requested without credentials are publicly available and safe to load.

credentialless to the rescue

That's where COEP: credentialless comes in. credentialless is a new value for the Cross-Origin-Embedder-Policy header. Similar to require-corp, it can enable cross-origin isolation, but instead of requiring a CORP:cross-origin header for no-cors cross-origin requests, they are instead sent without credentials (for example, cookies).

You will be able to enable cross-origin isolation alternatively with the following two headers:

Cross-Origin-Embedder-Policy: credentialless
Cross-Origin-Opener-Policy: same-origin

This means the requested cross-origin server won't be able to respond with a sensitive resource and the requester can always assume that the response only contains publicly available information.

This is also aligned with browsers' plan of phasing out third-party cookies.


You can try various header options in this demo: https://cross-origin-isolation.glitch.me


Can I send a credentialed request under a credentialless environment?

Absolutely, at the cost of shifting the request's mode to require a CORS check on the response. For HTML tags such as <audio>, <img>, <link>, <script>, and <video>, just append crossorigin="use-credentials" explicitly to inform the browser to send credentialed requests.

For example, even if a document on https://www.example.com has Cross-Origin-Embedder-Policy: credentialless header, <img src="https://images.example.com/avatar.png" crossorigin="use-credentials"> will send a credentialed request.

For the fetch() API, request.mode = 'cors' can be used.

Provided COEP: credentialless, how is COEP: require-corp still useful for my website?

COEP: require-corp doesn't require you to manually switch the request mode to CORS if cookies are needed for some cross-origin subresources.

Can I also load cross-origin iframes without special headers under a credentialless environment?

No. Loading cross-origin iframes under a credentialless environment still requires the same conditions as require-corp. iframe documents need to be served with two headers:

  • Cross-Origin-Embedder-Policy: credentialless (or require-corp)
  • Cross-Origin-Resource-Policy: cross-origin

The good news is, there's an ongoing discussion about allowing loading cross-origin iframes without those headers by giving iframes crossorigin="anonymous". This will allow cross-origin iframes being loaded without headers but without credentials.

Will this feature be adopted by other browsers?

What's coming next

There are two additional updates coming to mitigate other challenges related to cross-origin isolation:

Those who registered for the Chrome origin trial to extend the SharedArrayBuffer change due to the above obstacles might be wondering when it will be terminated. Originally we announced that it will be terminated in Chrome 96, but we have decided to postpone this to Chrome 106.


Photo by Martin Adams on Unsplash