LGTM2 On Fri, Sep 10, 2021 at 9:57 AM Domenic Denicola <[email protected]> wrote:
> > > On Fri, Sep 10, 2021 at 7:17 AM 'Arthur Sonzogni' via blink-dev < > [email protected]> wrote: > >> Contact [email protected], [email protected], >> [email protected] >> >> Explainerhttps://github.com/WICG/credentiallessness >> >> Specificationhttps://wicg.github.io/credentiallessness/ >> > > Note also that Arthur has done the right thing here and submitted PRs to > upstream the monkeypatch spec into HTML and Fetch: > > - https://github.com/whatwg/html/pull/6638 > - https://github.com/whatwg/fetch/pull/1229 > > Both have gotten pretty thorough reviews, which increases my confidence > we're trying to ship something interoperably implementable. Yay! > > >> >> Design docs >> https://github.com/WICG/credentiallessness >> >> https://docs.google.com/document/d/1U1pDzS_WJpfkq6QqOeqgmXmba_I4tIbUR-5C1AHzI9o/edit# >> >> Summary >> >> Introduce Cross-Origin-Embedder-Policy: credentialless. This causes >> cross-origin no-cors requests to omit credentials (cookies, client >> certificates, etc). Similarly to COEP:require-corp, it can enable >> cross-origin isolation. >> >> >> Blink componentBlink>SecurityFeature >> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature> >> >> Search tagscoep <https://chromestatus.com/features#tags:coep>, >> credentialless <https://chromestatus.com/features#tags:credentialless>, >> coop <https://chromestatus.com/features#tags:coop>, crossoriginisolation >> <https://chromestatus.com/features#tags:crossoriginisolation>, >> crossOriginisolated >> <https://chromestatus.com/features#tags:crossOriginisolated> >> >> TAG reviewhttps://github.com/w3ctag/design-reviews/issues/582 >> >> TAG review statusPending >> >> Link to origin trial feedback summary >> https://docs.google.com/document/d/1Rcho9z8obW0A7aeM3Zz1QR3fN7KcmTHgjdF_mKEXiRQ >> >> Risks >> >> >> Interoperability and Compatibility >> >> Compatibility risk: This is an opt-in new feature, so there are no >> compatibility risks. Interoperability risk: New feature. Risk is failing to >> become an interoperable part of the web platform. >> >> >> Gecko: Worth prototyping ( >> https://github.com/mozilla/standards-positions/issues/539#issuecomment-867473836 >> ) >> Worth prototyping, but concerns are about the timing in between shipping: >> COEP:credentialless, Private Network Access (PNA), ORB. See >> https://github.com/mozilla/standards-positions/issues/539#issuecomment-914418485 >> >> WebKit: No signal ( >> https://lists.webkit.org/pipermail/webkit-dev/2021-June/031898.html) >> No official replies yet. Safari is currently implementing COOP/COEP, but >> have no plan yet about COEP:credentialless variant: >> https://twitter.com/mikewest/status/1434878018191826948< >> >> Web developers: Positive ( >> https://github.com/WICG/proposals/issues/31#issuecomment-858822619) >> Google Earth, Twitter, Zoom, etc... are positive. >> >> Ergonomics >> >> Similarly to the existing COEP:require-corp, it will also be often used >> in tandem with Cross-Origin-Opener-Policy: same-origin (COOP) >> >> >> Activation >> >> This is an HTTP header. Developers need to be able to configure their >> server. This is hard for them when hosting their page on servers they don't >> really own, like https://github.io pages. >> >> >> Debuggability >> >> The same devtool features as for COEP:require-corp: 1. Display COEP >> policy: Devtool > Application > Frames > top > Security & Isolation > >> Cross-Origin Embedder Policy. 2. Devtool issues: >> https://source.chromium.org/search?q=file:devtools-frontend%2Fsrc%2Ffront_end%2Fmodels%2Fissues_manager%2Fdescriptions%2FCoep*&ss=chromium >> <https://source.chromium.org/search?q=file%3Adevtools-frontend%2Fsrc%2Ffront_end%2Fmodels%2Fissues_manager%2Fdescriptions%2FCoep%2A&ss=chromium> >> >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md> >> ?Yes >> >> Flag namechrome://flags/#cross-origin-embedder-policy-credentialless >> >> Requires code in //chrome?False >> >> Tracking bughttps://crbug.com/1175099 >> >> Launch bughttps://bugs.chromium.org/p/chromium/issues/detail?id=1218896 >> >> Measurement >> https://chromestatus.com/metrics/feature/timeline/popularity/3881 >> >> Sample links >> http://coep-credentialless.glitch.me/ >> >> Estimated milestones >> OriginTrial desktop last 95 >> OriginTrial desktop first 93 >> DevTrial on desktop 93 >> OriginTrial android last 95 >> OriginTrial android first 93 >> DevTrial on android 93 >> DevTrial on Webview 93 >> >> Link to entry on the Chrome Platform Status >> https://chromestatus.com/feature/4918234241302528 >> >> Links to previous Intent discussionsIntent to prototype: >> https://groups.google.com/a/chromium.org/g/blink-dev/c/DOtU6R4TuAY/m/kPbID-LAAQAJ >> Intent to Experiment: >> https://groups.google.com/a/chromium.org/g/blink-dev/c/Sdc0G1bvKr0/m/YHR8RuWyAAAJ >> >> >> This intent message was generated by Chrome Platform Status >> <https://www.chromestatus.com/>. >> Arthur @arthursonzogni >> >> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAAzos5GX5UpU_8V5faX0KzvWG9y5FT8BvCDJ5LUQ929LWM3%3DPA%40mail.gmail.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAAzos5GX5UpU_8V5faX0KzvWG9y5FT8BvCDJ5LUQ929LWM3%3DPA%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra8f4jkc_RtVBvjJpuz-0%2BiC7p8KKhBc--PuUQ3zjUbOgg%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra8f4jkc_RtVBvjJpuz-0%2BiC7p8KKhBc--PuUQ3zjUbOgg%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw_9WOkMw3nDZP%3DWOeEH2GaJ-svtQ5Jd7S2D%2BbidkOAgqQ%40mail.gmail.com.
