- From: Mike West <notifications@github.com>
- Date: Thu, 16 Sep 2021 01:58:47 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1229/review/756040125@github.com>
@mikewest commented on this pull request. > @@ -1892,6 +1892,24 @@ source of security bugs. Please seek security review for features that deal with <a for="URL serializer"><i>exclude fragment</i></a> set to true. </ol> +<p>To check <dfn export>Cross-Origin-Embedder-Policy allows credentials</dfn>, given a +<a for=/>request</a> <var>request</var>, run theses steps: + +<ol> + <li><p>If <var>request</var>'s <a for=request>mode</a> is not <code>no-cors</code>", return + true.</p> + + <li><p>If <var>request</var>'s <a for=request>client</a> is null, return true.</p> + + <li><p>If <var>request</var>'s <a for=request>client</a>'s <a for="environment settings + object">embedder policy</a> is not + "<code><a for="embedder policy value">credentialless</a></code>", return true.</p> + + <li><p>If <var>request</var>'s <a for=request>origin</a> is <a>same origin</a> with + <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>, return true.</p> I don't remember discussing this in particular, so apologies if I disagree with my past self: at the moment, I think it's probably best to match our behavior for `Sec-Fetch-Site` which will treat a request as `cross-origin` for A->B->A transitions (https://w3c.github.io/webappsec-fetch-metadata/#:~:text=for%20each%20url%20in%20r%E2%80%99s%20url%20list%3A). We didn't use the tainted origin flag there, both because I didn't know about it (TIL!), and because we needed to distinguish `cross-origin` and `same-site`. It might be reasonable to use here, since we don't care about the site boundary in this mechanism. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1229#discussion_r709924447
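Review bot: Step 1 of the new algorithm has a stray closing double quote after `</code>` (`<code>no-cors</code>", return true`), which renders as a dangling `"` in the spec text; either drop it or wrap the whole value as `"<code>no-cors</code>"` to match the quoting used for `"<code>credentialless</code>"` in step 3. The lead-in sentence also has a typo, "run theses steps" should be "run these steps". On the logic side, step 4 decides same-origin by comparing the request's origin with only the current URL's origin, so a redirect chain that leaves the origin and comes back (A to B to A) is treated as same-origin and the check returns true for a response that passed through a cross-origin hop; consider walking the request's URL list as Sec-Fetch-Site does, or consulting the tainted origin flag, so that the credentials decision reflects every origin the request touched.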
Received on Thursday, 16 September 2021 08:59:00 UTC