camillelamy / explainers


Anonymous iframe: relation with COEP credentialless #18

Open antosart opened 3 years ago

antosart commented 3 years ago

Should an iframe loaded inside a page with COEP: credentialless be automatically anonymous, or does it have to specify the attribute credentials=omit explicitly?

The former better matches the behaviour of other subresources and could be a bit easier to deploy.

But if we go with the former, would there be a way to override it, like specifying credentials=include?

camillelamy commented 3 years ago

Right now, the two concepts are different. An iframe embedded inside a page with COEP credentialless is not anonymous, unless explicitly declared to be so. Considering that COEP credentialless is meant to be deployed over first-party documents, which might also embed first-party iframes, we thought it was not desirable to have those frames be by default anonymous.