[whatwg/fetch] COEP:credentialless and the HTTP cache. (#1253)

_topic:coep-credentialless_

The request's includeCredentials isn't part of the HTTP cache key.

It means if:
- `a.com` requests `c.com` with credentials, 
- `b.com` requests `c.com` **without** credentials

Then both `a.com` and `b.com` will get a response requested **with** credentials.

This seems problematic in general. The request's credential mode is not respected, and `a.com` directly influences `b.com`. The partitioned HTTP cache will fix one of the two problems.

With COEP:credentialless, we obviously don't want to request a resource without credentials and get a response with credentials. That would be a security issue. ([tentative WPT](https://chromium-review.googlesource.com/c/chromium/src/+/2961290/2/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/credentialless/cache.tentative.html))

One obvious solution would be to add this flag to the [HTTP cache key](https://fetch.spec.whatwg.org/#http-cache-partitions). Not sure if there are alternatives and what would be the potential drawbacks to this. Happy to get your opinions. +CC @whatwg/cross-origin-isolation




Received on Tuesday, 15 June 2021 08:05:01 UTC
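
A toy model of the cache-key behaviour described in the issue above, added here as an example; it is not code from the original post, the Fetch spec, or any browser. The names `makeCache`, `keys`, `topLevelSite` and the "personalized"/"anonymous" bodies are assumptions made for illustration, and the partition is simplified to the top-level site.

```javascript
// Toy HTTP cache: keyFn decides which request properties form the cache key.
function makeCache(keyFn) {
  const store = new Map();
  return function fetchVia(req) {
    const key = keyFn(req);
    if (!store.has(key)) {
      // Constructed "server": the body depends on whether credentials were sent.
      store.set(key, req.includeCredentials ? "personalized" : "anonymous");
    }
    return store.get(key);
  };
}

// Three candidate cache keys (hypothetical names).
const keys = {
  urlOnly: (r) => r.url,
  partitioned: (r) => `${r.topLevelSite}|${r.url}`,
  partitionedWithCredentials: (r) =>
    `${r.topLevelSite}|${r.url}|${r.includeCredentials}`,
};

const url = "https://c.com/resource";

// Constructed scenario 1: a.com fetches with credentials, then b.com without.
const crossSite = [
  { topLevelSite: "a.com", url, includeCredentials: true },
  { topLevelSite: "b.com", url, includeCredentials: false },
];

// Constructed scenario 2: one top-level site fetches with credentials, then
// without (the COEP:credentialless case).
const sameSite = [
  { topLevelSite: "b.com", url, includeCredentials: true },
  { topLevelSite: "b.com", url, includeCredentials: false },
];

// Replays the requests against a fresh cache and returns what the second,
// credentialless request observed.
function secondResponse(keyName, requests) {
  const fetchVia = makeCache(keys[keyName]);
  return requests.map((req) => fetchVia(req))[1];
}

for (const name of Object.keys(keys)) {
  console.log(name, "cross-site:", secondResponse(name, crossSite),
    "| same-site:", secondResponse(name, sameSite));
}
```

In this model, partitioning alone stops `a.com` from influencing `b.com`, but a credentialless request can still be served a credentialed response cached under the same partition; only the key that includes the credentials flag separates the two.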