Document COEP:credentialless (mdn#23344)
* Document COEP:credentialless

This PR adds documentation for `Cross-Origin-Embedder-Policy`:
`credentialless` value.

This is part of the HTML specification + FETCH.
It is implemented by:
- Chrome: 96.
- Firefox: Nightly + origin trial.

In a follow-up, I am also going to fix the Iframe.credentialless
documentation, and I need to refer to COEP:credentialless.

Chrome status:
- https://chromestatus.com/feature/4918234241302528

Firefox status:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1731778

Past PR about COEP:
- mdn#8871
- mdn#23097
- mdn#23275

* Update files/en-us/web/http/headers/cross-origin-embedder-policy/index.md

Co-authored-by: Chris Mills <[email protected]>

* Update files/en-us/web/http/headers/cross-origin-embedder-policy/index.md

Co-authored-by: Chris Mills <[email protected]>

* Address Chris #2 comment.

* Address @Elchi3 suggestions.

Co-authored-by: Chris Mills <[email protected]>
ArthurSonzogni and chrisdavidmills authored Jan 4, 2023
1 parent ccafad9 commit ec1c026
Showing 6 changed files with 14 additions and 9 deletions.
Expand Up @@ -109,7 +109,7 @@ Your site needs to be in a [secure context](/en-US/docs/Web/Security/Secure_Cont
Two headers need to be set to cross-origin isolate your site:

- [`Cross-Origin-Opener-Policy`](/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) with `same-origin` as value (protects your origin from attackers)
- [`Cross-Origin-Embedder-Policy`](/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) with `require-corp` as value (protects victims from your origin)
- [`Cross-Origin-Embedder-Policy`](/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) with `require-corp` or `credentialless` as value (protects victims from your origin)

```http
Cross-Origin-Opener-Policy: same-origin
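Review bot: the edited bullet now lists two accepted values but gives no hint about when to pick one, so readers of this guide have to jump to the COEP page to decide. Since the parenthetical already explains what the header protects, a short clause would make it actionable, for example "with `require-corp` (cross-origin resources must opt in via CORP or CORS) or `credentialless` (no-cors cross-origin resources load without credentials instead) as value (protects victims from your origin)".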
2 changes: 1 addition & 1 deletion files/en-us/web/api/performance/now/index.md
Expand Up @@ -103,7 +103,7 @@ Starting with Firefox 79, high resolution timers can be used if you cross-origin
isolate your document using the {{HTTPHeader("Cross-Origin-Opener-Policy")}} and
{{HTTPHeader("Cross-Origin-Embedder-Policy")}} headers:

```plain
```http
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
```
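Review bot: this hunk only changes the fence language from `plain` to `http` and leaves the example at `require-corp`, while the COEP page edited in the same commit states that `credentialless` also unlocks unthrottled timers. Either mention both values in the sentence above the block ("using COOP `same-origin` and COEP `require-corp` or `credentialless`") or keep the fence-only change in its own commit, so that the timer page and the COEP page do not disagree about which values enable cross-origin isolation.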
4 changes: 2 additions & 2 deletions files/en-us/web/api/window/postmessage/index.md
Expand Up @@ -127,8 +127,8 @@ memory is gated behind two HTTP headers:

- {{HTTPHeader("Cross-Origin-Opener-Policy")}} with `same-origin` as value
(protects your origin from attackers)
- {{HTTPHeader("Cross-Origin-Embedder-Policy")}} with `require-corp` as
value (protects victims from your origin)
- {{HTTPHeader("Cross-Origin-Embedder-Policy")}} with `require-corp` or
`credentialless` as value (protects victims from your origin)

```http
Cross-Origin-Opener-Policy: same-origin
Expand Up @@ -12,7 +12,8 @@ browser-compat: http.headers.Cross-Origin-Embedder-Policy

{{HTTPSidebar}}

The HTTP **`Cross-Origin-Embedder-Policy`** (COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using [CORP](</en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)>) or [CORS](/en-US/docs/Web/HTTP/CORS)).
The HTTP **`Cross-Origin-Embedder-Policy`** (COEP) response header configures
embedding cross-origin resources into the document.

<table class="properties">
<tbody>
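Review bot: the replacement intro drops the security statement the old sentence made. "configures embedding cross-origin resources into the document" no longer tells readers that the header restricts anything, and it also loses the CORP and CORS links. Suggest wording that covers both values without becoming vague, e.g. "controls whether a document may load cross-origin resources that have not explicitly granted permission (using CORP or CORS), or loads them without credentials", keeping the two links from the removed line.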
Expand All @@ -30,7 +31,7 @@ The HTTP **`Cross-Origin-Embedder-Policy`** (COEP) response header prevents a do
## Syntax

```http
Cross-Origin-Embedder-Policy: unsafe-none | require-corp
Cross-Origin-Embedder-Policy: unsafe-none | require-corp | credentialless
```

### Directives
Expand All @@ -40,12 +41,14 @@ Cross-Origin-Embedder-Policy: unsafe-none | require-corp
- `require-corp`
- : A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin.
If a cross origin resource supports CORS, the [`crossorigin`](/en-US/docs/Web/HTML/Attributes/crossorigin) attribute or the {{HTTPHeader("Cross-Origin-Resource-Policy")}} header must be used to load it without being blocked by COEP.
- `credentialless`
- : [no-cors](/en-US/docs/Web/API/Request/mode) cross-origin requests are sent without credentials. In particular, it means Cookies are omitted from the request, and ignored from the response. The responses are allowed **without** an explicit permission via the {{HTTPHeader("Cross-Origin-Resource-Policy")}} header. [Navigate](/en-US/docs/Web/API/Request/mode) responses behave similarly as the `require-corp` mode: They require {{HTTPHeader("Cross-Origin-Resource-Policy")}} response header.

## Examples

### Certain features depend on cross-origin isolation

You can only access certain features like {{jsxref("SharedArrayBuffer")}} objects or {{domxref("Performance.now()")}} with unthrottled timers, if your document has a COEP header with the value `require-corp` value set.
You can only access certain features like {{jsxref("SharedArrayBuffer")}} objects or {{domxref("Performance.now()")}} with unthrottled timers, if your document has a COEP header with a value of `require-corp` or `credentialless` set.

```http
Cross-Origin-Embedder-Policy: require-corp
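Review bot: the `credentialless` directive entry has a few wording issues: "Cookies" should be lowercase, "ignored from the response" should be "ignored in the response", and "behave similarly as the `require-corp` mode: They require" reads better as "behave as in `require-corp`: they require". More substantively, the entry describes no-cors and navigation requests but says nothing about CORS-mode requests (those using the `crossorigin` attribute), which the `require-corp` entry directly above does cover; one sentence on how those behave under `credentialless` would let readers compare the two values side by side. The "Navigate" link also points at the same Request/mode page as "no-cors", which is acceptable, but an anchor to the navigate mode specifically would be more precise. The Examples paragraph change is fine and removes the duplicated "value" from the old line.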
Expand Down Expand Up @@ -76,6 +79,8 @@ If you enable COEP using `require-corp` and have a cross origin resource that ne
<img src="https://thirdparty.com/img.png" crossorigin />
```

If CORS is not supported for some images, a COEP value of `credentialless` can be used as an alternative to load the image without any explicit opt-in from the cross-origin server, at the cost of requesting it without cookies.

## Specifications

{{Specifications}}
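Review bot: the new paragraph reads as if `credentialless` could be applied to "some images", but COEP is a per-document policy; per the directive description added in this same commit, switching the document to `credentialless` sends every no-cors cross-origin request without credentials, not only the images that lack CORS support. Suggest making that scope explicit, e.g. "If some cross-origin images cannot be served with CORS or CORP headers, setting the document's COEP to `credentialless` instead of `require-corp` lets them load without any opt-in from the cross-origin server, at the cost of sending all of the document's no-cors cross-origin requests without cookies."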
Expand Up @@ -59,7 +59,7 @@ Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
```

See also the {{HTTPHeader("Cross-Origin-Embedder-Policy")}} header which you'll need to set as well.
See also the {{HTTPHeader("Cross-Origin-Embedder-Policy")}} header which you'll need to set to `require-corp` or `credentialless` as well.

To check if cross-origin isolation has been successful, you can test against the [`crossOriginIsolated`](/en-US/docs/Web/API/crossOriginIsolated) property available to window and worker contexts:
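Review bot: the edited sentence needs a comma before the non-restrictive clause, and "set to ... as well" is awkward once the values are spelled out. Suggest "See also the {{HTTPHeader("Cross-Origin-Embedder-Policy")}} header, which you'll also need to set, to `require-corp` or `credentialless`."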

Expand Up @@ -43,7 +43,7 @@ As a baseline requirement, your document needs to be in a [secure context](/en-U
For top-level documents, two headers need to be set to cross-origin isolate your site:

- [`Cross-Origin-Opener-Policy`](/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) with `same-origin` as value (protects your origin from attackers)
- [`Cross-Origin-Embedder-Policy`](/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) with `require-corp` as value (protects victims from your origin)
- [`Cross-Origin-Embedder-Policy`](/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) with `require-corp` or `credentialless` as value (protects victims from your origin)

```http
Cross-Origin-Opener-Policy: same-origin

0 comments on commit ec1c026