- From: Arthur Sonzogni <notifications@github.com>
- Date: Mon, 03 May 2021 09:46:45 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1229@github.com>
(Draft)
Originally described in: https://github.com/mikewest/credentiallessness
`credentialless` and `require-corp` are similar. One or the other is a requirements for the `window.crossOriginIsolated` capability.
They differ mostly in the fetch specification. `require-corp` requires a CORP header for cross-origin no-cors responses. `credentialless` doesn't, but omits credentials (Cookies, clients certificates, etc...) in no-cors cross-origin requests.
* HTML (https://github.com/whatwg/html/pull/6638)
* Define how to parse the `credentialless` value.
* From the HTML spec point of view, `credentialless` and `require-corp` are equivalent. They have been grouped into `compatible with crossOriginIsolation` and the HTML spec rewritten to use this concept.
* Fetch: (This PR)
* Define "Cross-Origin-Embedder-Policy allows credentials".
* Omit credentials for no-cors, cross-origin, COEP:credentialless requests.
* Check CORP for navigational COEP:credentialless response.
* ServiceWorker: XXX
* Integration with `Cache.matchAll `algorithm.
* XXX
See: https://github.com/whatwg/html/issues/6637
----
- [ ] At least two implementers are interested (and none opposed):
* Chrome: https://chromestatus.com/feature/4918234241302528#details
* Firefox: XXX
* Safari: XXX
- [X] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
* https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/credentialless
- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
* Chrome: https://crbug.com/1175099
* Firefox: XXX
* Safari: XXX
(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)
----
See: https://github.com/whatwg/html/issues/6637
<!--
Thank you for contributing to the Fetch Standard! Please describe the change you are making and complete the checklist below if your change is not editorial.
-->
- [ ] At least two implementers are interested (and none opposed):
* …
* …
- [ ] [Tests](https://github.com/web-platform-tests/wpt) are written and can be reviewed and commented upon at:
* …
- [ ] [Implementation bugs](https://github.com/whatwg/meta/blob/main/MAINTAINERS.md#handling-pull-requests) are filed:
* Chrome: …
* Firefox: …
* Safari: …
(See [WHATWG Working Mode: Changes](https://whatwg.org/working-mode#changes) for more details.)
You can view, comment on, or merge this pull request online at:
https://github.com/whatwg/fetch/pull/1229
-- Commit Summary --
* Specify the behavior of `COEP: credentialless`,
-- File Changes --
M fetch.bs (28)
-- Patch Links --
https://github.com/whatwg/fetch/pull/1229.patch
https://github.com/whatwg/fetch/pull/1229.diff
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1229
Received on Monday, 3 May 2021 16:46:58 UTC