From ec1c026ce99e162959ab62dd6d3cf6c4bed47b98 Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Wed, 4 Jan 2023 13:22:28 +0100 Subject: [PATCH] Document COEP:credentialless (#23344) * Document COEP:credentialless This PR adds documentation for `Cross-Origin-Embedder-Policy`: `credentialless` value. This is part of the HTML specification + FETCH. It is implemented by: - Chrome: 96. - Firefox: Nightly + origin trial. In a follow-up, I am also going to fix the Iframe.credentialless documentation, and I need to refer to COEP:credentialless. Chrome status: - https://chromestatus.com/feature/4918234241302528 Firefox status: - https://bugzilla.mozilla.org/show_bug.cgi?id=1731778 Past PR about COEP: - https://github.com/mdn/content/pull/8871 - https://github.com/mdn/content/pull/23097 - https://github.com/mdn/content/pull/23275 * Update files/en-us/web/http/headers/cross-origin-embedder-policy/index.md Co-authored-by: Chris Mills * Update files/en-us/web/http/headers/cross-origin-embedder-policy/index.md Co-authored-by: Chris Mills * Address Chris #2 comment. * Address @Elchi3 suggestions. Co-authored-by: Chris Mills --- .../measureuseragentspecificmemory/index.md | 2 +- files/en-us/web/api/performance/now/index.md | 2 +- files/en-us/web/api/window/postmessage/index.md | 4 ++-- .../headers/cross-origin-embedder-policy/index.md | 11 ++++++++--- .../http/headers/cross-origin-opener-policy/index.md | 2 +- .../global_objects/sharedarraybuffer/index.md | 2 +- 6 files changed, 14 insertions(+), 9 deletions(-) diff --git a/files/en-us/web/api/performance/measureuseragentspecificmemory/index.md b/files/en-us/web/api/performance/measureuseragentspecificmemory/index.md index e9756232ea6172b..f1cf56f745583a9 100644 --- a/files/en-us/web/api/performance/measureuseragentspecificmemory/index.md +++ b/files/en-us/web/api/performance/measureuseragentspecificmemory/index.md 
@@ -109,7 +109,7 @@ Your site needs to be in a [secure context](/en-US/docs/Web/Security/Secure_Cont Two headers need to be set to cross-origin isolate your site: - [`Cross-Origin-Opener-Policy`](/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) with `same-origin` as value (protects your origin from attackers) -- [`Cross-Origin-Embedder-Policy`](/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) with `require-corp` as value (protects victims from your origin) +- [`Cross-Origin-Embedder-Policy`](/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) with `require-corp` or `credentialless` as value (protects victims from your origin) ```http Cross-Origin-Opener-Policy: same-origin diff --git a/files/en-us/web/api/performance/now/index.md b/files/en-us/web/api/performance/now/index.md index e51054d0b9dd965..3b667bb2c1f6273 100644 --- a/files/en-us/web/api/performance/now/index.md +++ b/files/en-us/web/api/performance/now/index.md @@ -103,7 +103,7 @@ Starting with Firefox 79, high resolution timers can be used if you cross-origin isolate your document using the {{HTTPHeader("Cross-Origin-Opener-Policy")}} and {{HTTPHeader("Cross-Origin-Embedder-Policy")}} headers: -```plain +```http Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp ``` diff --git a/files/en-us/web/api/window/postmessage/index.md b/files/en-us/web/api/window/postmessage/index.md index 9a32ba6b8773852..e0f852a774b2da6 100644 --- a/files/en-us/web/api/window/postmessage/index.md +++ b/files/en-us/web/api/window/postmessage/index.md 
@@ -127,8 +127,8 @@ memory is gated behind two HTTP headers: - {{HTTPHeader("Cross-Origin-Opener-Policy")}} with `same-origin` as value (protects your origin from attackers) -- {{HTTPHeader("Cross-Origin-Embedder-Policy")}} with `require-corp` as - value (protects victims from your origin) +- {{HTTPHeader("Cross-Origin-Embedder-Policy")}} with `require-corp` or + `credentialless` as value (protects victims from your origin) ```http Cross-Origin-Opener-Policy: same-origin diff --git a/files/en-us/web/http/headers/cross-origin-embedder-policy/index.md b/files/en-us/web/http/headers/cross-origin-embedder-policy/index.md index e6b6c7c3b435861..511a394ded2b309 100644 --- a/files/en-us/web/http/headers/cross-origin-embedder-policy/index.md +++ b/files/en-us/web/http/headers/cross-origin-embedder-policy/index.md @@ -12,7 +12,8 @@ browser-compat: http.headers.Cross-Origin-Embedder-Policy {{HTTPSidebar}} -The HTTP **`Cross-Origin-Embedder-Policy`** (COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using [CORP]() or [CORS](/en-US/docs/Web/HTTP/CORS)). +The HTTP **`Cross-Origin-Embedder-Policy`** (COEP) response header configures +embedding cross-origin resources into the document. @@ -30,7 +31,7 @@ The HTTP **`Cross-Origin-Embedder-Policy`** (COEP) response header prevents a do ## Syntax ```http -Cross-Origin-Embedder-Policy: unsafe-none | require-corp +Cross-Origin-Embedder-Policy: unsafe-none | require-corp | credentialless ``` ### Directives 
@@ -40,12 +41,14 @@ Cross-Origin-Embedder-Policy: unsafe-none | require-corp - `require-corp` - : A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin. If a cross origin resource supports CORS, the [`crossorigin`](/en-US/docs/Web/HTML/Attributes/crossorigin) attribute or the {{HTTPHeader("Cross-Origin-Resource-Policy")}} header must be used to load it without being blocked by COEP. +- `credentialless` + - : [no-cors](/en-US/docs/Web/API/Request/mode) cross-origin requests are sent without credentials. In particular, it means Cookies are omitted from the request, and ignored from the response. The responses are allowed **without** an explicit permission via the {{HTTPHeader("Cross-Origin-Resource-Policy")}} header. [Navigate](/en-US/docs/Web/API/Request/mode) responses behave similarly as the `require-corp` mode: They require {{HTTPHeader("Cross-Origin-Resource-Policy")}} response header. ## Examples ### Certain features depend on cross-origin isolation -You can only access certain features like {{jsxref("SharedArrayBuffer")}} objects or {{domxref("Performance.now()")}} with unthrottled timers, if your document has a COEP header with the value `require-corp` value set. +You can only access certain features like {{jsxref("SharedArrayBuffer")}} objects or {{domxref("Performance.now()")}} with unthrottled timers, if your document has a COEP header with a value of `require-corp` or `credentialless` set. ```http Cross-Origin-Embedder-Policy: require-corp @@ -76,6 +79,8 @@ If you enable COEP using `require-corp` and have a cross origin resource that ne ``` +If CORS is not supported for some images, a COEP value of `credentialless` can be used as an alternative to load the image without any explicit opt-in from the cross-origin server, at the cost of requesting it without cookies. + ## Specifications {{Specifications}} 
diff --git a/files/en-us/web/http/headers/cross-origin-opener-policy/index.md b/files/en-us/web/http/headers/cross-origin-opener-policy/index.md index 5bf07910dea90db..a36352da227e692 100644 --- a/files/en-us/web/http/headers/cross-origin-opener-policy/index.md +++ b/files/en-us/web/http/headers/cross-origin-opener-policy/index.md @@ -59,7 +59,7 @@ Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp ``` -See also the {{HTTPHeader("Cross-Origin-Embedder-Policy")}} header which you'll need to set as well. +See also the {{HTTPHeader("Cross-Origin-Embedder-Policy")}} header which you'll need to set to `require-corp` or `credentialless` as well. To check if cross-origin isolation has been successful, you can test against the [`crossOriginIsolated`](/en-US/docs/Web/API/crossOriginIsolated) property available to window and worker contexts: diff --git a/files/en-us/web/javascript/reference/global_objects/sharedarraybuffer/index.md b/files/en-us/web/javascript/reference/global_objects/sharedarraybuffer/index.md index 0a01e0454337650..39a58aa822fea12 100644 --- a/files/en-us/web/javascript/reference/global_objects/sharedarraybuffer/index.md +++ b/files/en-us/web/javascript/reference/global_objects/sharedarraybuffer/index.md @@ -43,7 +43,7 @@ As a baseline requirement, your document needs to be in a [secure context](/en-U For top-level documents, two headers need to be set to cross-origin isolate your site: - [`Cross-Origin-Opener-Policy`](/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) with `same-origin` as value (protects your origin from attackers) -- [`Cross-Origin-Embedder-Policy`](/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) with `require-corp` as value (protects victims from your origin) +- [`Cross-Origin-Embedder-Policy`](/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) with `require-corp` or `credentialless` as value (protects victims from your origin) ```http Cross-Origin-Opener-Policy: same-origin
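Review bot: in the `measureuseragentspecificmemory/index.md` hunk (and identically in the `window/postmessage/index.md` and `sharedarraybuffer/index.md` bullet hunks), the bullet now says "`require-corp` or `credentialless`" but the ```http block directly below each list still shows only `Cross-Origin-Embedder-Policy: require-corp`, and the parenthetical "(protects victims from your origin)" is left as-is even though, per the COEP page's new directive text, `credentialless` achieves that by stripping cookies rather than by requiring an opt-in. Suggest either a short clarifying clause in the bullet, e.g. "`require-corp` (resources must opt in via CORP/CORS) or `credentialless` (no-cors requests are sent without cookies)", or a pointer to the directive descriptions on the COEP page so readers know how to choose.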
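Review bot: the `performance/now/index.md` hunk only changes the fence language from `plain` to `http`, which is unrelated to documenting `credentialless` and is not mentioned anywhere in the commit message; either add a line to the message ("also fix code fence language in performance/now") or split it into its own commit so the history explains the change.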
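Review bot: in the `cross-origin-embedder-policy/index.md` intro hunk (`@@ -12,7 +12,8`), the replacement sentence "configures embedding cross-origin resources into the document" is both ungrammatical and less informative than the line it removes; the real defect in the old line was the empty link target in `[CORP]()`, which should be repaired rather than the whole explanation dropped. Suggest keeping the substance, e.g. "The HTTP **`Cross-Origin-Embedder-Policy`** (COEP) response header configures how a document may load cross-origin resources: whether they must explicitly grant permission (using [CORP](/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy) or [CORS](/en-US/docs/Web/HTTP/CORS)) or are instead requested without credentials."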
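Review bot: the new `credentialless` directive entry in the `@@ -40,12 +41,14` hunk of `cross-origin-embedder-policy/index.md` needs copy-editing and one clarification. "Cookies are omitted from the request, and ignored from the response" should read "cookies are omitted from the request, and any cookies set by the response are ignored"; "behave similarly as the `require-corp` mode: They require" should read "behave the same way as in `require-corp` mode: they require". More importantly, the entry only says what happens to `no-cors` requests; since the `require-corp` entry just above explains the CORS case (the `crossorigin` attribute), this entry should state explicitly whether requests made in CORS mode are affected by `credentialless`, otherwise readers will assume the credential stripping applies to every cross-origin fetch.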
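Review bot: the paragraph added in the `@@ -76,6 +79,8` hunk of `cross-origin-embedder-policy/index.md` reads as if `credentialless` were a per-image choice ("can be used as an alternative to load the image"), but COEP is a document-level header, so switching from `require-corp` affects every `no-cors` cross-origin request the page makes, not just the images that lack CORS. Suggest: "If some images cannot be served with CORS, a COEP value of `credentialless` can be used instead of `require-corp`: such resources then load without an explicit opt-in from the cross-origin server, at the cost of every no-cors cross-origin request being sent without cookies." Since this sits under `## Examples` and the earlier hunk already shows a ```http block with `Cross-Origin-Embedder-Policy: require-corp`, a matching block with `Cross-Origin-Embedder-Policy: credentialless` would fit the section's pattern.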