Load cross-origin resources without CORP headers using `COEP: credentialless`
Cross-origin resources served by third-parties often do not include adequate CORP headers. If they can be requested without credentials, now you can enable cross-origin isolation by marking them as such.
We are experimenting with the new Cross-Origin Embedder Policy (COEP) value
credentialless which allows the browser to load cross-origin resources which don't use the Cross-Origin Resource Policy (CORP), by sending a request without credentials, such as cookies. This helps developers to adopt cross-origin isolation more easily.
Why we need cross-origin isolation
Some web APIs increase the risk of side-channel attacks such as Spectre. To mitigate that risk, browsers offer an opt-in-based isolated environment called cross-origin isolation. With a cross-origin isolated state, the webpage can use privileged features including
performance.measureUserAgentSpecificMemory() and high-precision timers with better resolution while isolating the origin from others unless they are opted in.
The webpage must send two HTTP headers to enable cross-origin isolation:
With a cross-origin isolated state, all cross-origin resources must be served with CORS or set a
Cross-Origin-Resource-Policy header to be loaded.
Challenges with enabling cross-origin isolation
While cross-origin isolation brings webpages better security and the ability to enable powerful features, deploying it can be difficult. One of the biggest challenges is the requirement to enable CORS or CORP for all cross-origin resources. Resources without those headers will not be loaded by the browser on a cross-origin isolated page.
These cross-origin resources are usually served by third-parties for whom it may not be easy to add the necessary headers.
But what if we know the resource is safe enough to be loaded? In fact, the only resources that are at risk are ones requested with credentials, because they potentially include sensitive information which the attacker can't load on their own. This means resources that can be requested without credentials are publicly available and safe to load.
credentialless to the rescue
COEP: credentialless comes in.
credentialless is a new value for the
Cross-Origin-Embedder-Policy header. Similar to
require-corp, it can enable cross-origin isolation, but instead of requiring a
CORP:cross-origin header for no-cors cross-origin requests, they are instead sent without credentials (for example, cookies).
You will be able to enable cross-origin isolation alternatively with the following two headers:
This means the requested cross-origin server won't be able to respond with a sensitive resource and the requester can always assume that the response only contains publicly available information.
This is also aligned with browsers' plan of phasing out third-party cookies.
You can try various header options in this demo: https://first-party-test.glitch.me
Can I send a credentialed request under a
Absolutely, at the cost of shifting the request's mode to require a CORS check on the response. For HTML tags such as
<video>, just append
crossorigin="use-credentials" explicitly to inform the browser to send credentialed requests.
For example, even if a document on
Cross-Origin-Embedder-Policy: credentialless header,
<img src="https://images.example.com/avatar.png" crossorigin="use-credentials"> will send a credentialed request.
request.mode = 'cors' can be used.
COEP: credentialless, how is
COEP: require-corp still useful for my website?
COEP: require-corp doesn't require you to manually switch the request mode to CORS if cookies are needed for some cross-origin subresources.
Can I also load cross-origin iframes without special headers under a
No. Loading cross-origin iframes under a
credentialless environment still requires the same conditions as
require-corp. iframe documents need to be served with two headers:
The good news is, there's an ongoing discussion about allowing loading cross-origin iframes without those headers by giving iframes
crossorigin="anonymous". This will allow cross-origin iframes being loaded without headers but without credentials.
Will this feature be adopted by other browsers?
- Mozilla Request for position: Worth prototyping
- Webkit Request for position: No signal
- W3C TAG Request for position: Pending
Register for an origin trial
To ensure that
COEP: credentialless is helping developers to adopt cross origin isolation, we are making it available in Chrome 93 as an origin trial. You can register for it to allowlist your website to make the
Cross-Origin-Embedder-Policy: credentialless header to take effect.
- Request a token for your origin.
- Apply an
Origin-TrialHTTP header to the document you want to apply
Cross-Origin-Embedder-Policy: credentiallessheader. The resulting response header should look something like:
Origin-Trial: TOKEN_GOES_HERE. (Adding the token as a meta tag is usually an option for many origin trials, but it won't work for this feature.)
- Start serving
For instance, to get a cross-origin isolated environment, the HTTP headers sent are:
If you have any feedback on this functionality, file an issue at the GitHub repository.
What's coming next
There are two additional updates coming to mitigate other challenges related to cross-origin isolation:
Both of these changes are planned to land sometime in Q4 2021. Those who registered for the Chrome origin trial to extend the SharedArrayBuffer change due to the above obstacles might be wondering when it will be terminated. Originally we announced that it will be terminated in Chrome 96, but we will not do so until these updates are in place.
- Making your website "cross-origin isolated" using COOP and COEP
- Why you need "cross-origin isolated" for powerful features
- A guide to enable cross-origin isolation
- SharedArrayBuffer updates in Android Chrome 88 and Desktop Chrome 92