Re: [whatwg/fetch] Specify the behavior of `COEP: credentialless`, (#1229) from Arthur Sonzogni on 2021-09-14 (public-webapps-github@w3.org from September 2021)

From: Arthur Sonzogni <notifications@github.com>
Date: Tue, 14 Sep 2021 06:26:48 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1229/review/753942784@github.com>

@ArthurSonzogni commented on this pull request.



> @@ -1892,6 +1892,24 @@ source of security bugs. Please seek security review for features that deal with
  <a for="URL serializer"><i>exclude fragment</i></a> set to true.
 </ol>
 
+<p>To check <dfn export>Cross-Origin-Embedder-Policy allows credentials</dfn>, given a
+<a for=/>request</a> <var>request</var>, run theses steps:
+
+<ol>
+ <li><p>If <var>request</var>'s <a for=request>mode</a> is not <code>no-cors</code>", return
+ true.</p>
+
+ <li><p>If <var>request</var>'s <a for=request>client</a> is null, return true.</p>
+
+ <li><p>If <var>request</var>'s <a for=request>client</a>'s <a for="environment settings
+ object">embedder policy</a> is not
+ "<code><a for="embedder policy value">credentialless</a></code>", return true.</p>
+
+ <li><p>If <var>request</var>'s <a for=request>origin</a> is <a>same origin</a> with
+ <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>, return true.</p>

It was described by: https://wicg.github.io/credentiallessness/#redirect

> The decision to include credentials is done independently for each request. The variable includeCredentials is set for the initial request, but also after each redirect.
>
> For example, credentials are not included for a cross-origin no-cors request, but they can be added in the next request if it redirects to a same-origin resource.

Tested by: [redirect.tentative.html](https://wpt.fyi/results/html/cross-origin-embedder-policy/credentialless/redirect.tentative.html?label=master&label=experimental&aligned&q=redirect.tentative.html)

The tainted origin flag, could be used to omit credentials whenever there is a single cross-origin URL in the redirect chain. However, that's not what was originally envisioned. Do you think there is an argument if favor of a different behavior?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1229#discussion_r708267253

Received on Tuesday, 14 September 2021 13:27:01 UTC