Iframe credentialless (was: Anonymous iframe) #45
Comments
othermaciej
added
topic: loading
topic: privacy
topic: security
topic: storage
annevk
changed the title
|
I think WebKit's storage policies are already pretty close to the desires of this feature:
I guess that Chromium doesn't mean for cross-site storage to become ephemeral? |
|
Thanks @annevk !
Yes, it has some similar properties indeed, which are nice! However, at the end, the goal of iframe credentialless is to allow embedding safely non-COEP document inside a COEP one. In particular it must be safe with regards to Spectre attacks, because the parent can be crossOriginIsolated. That's the only "real" feature of iframe credentialess. Everything else are only means to this end. From the current Safari state, if we wanted to supersede iframe credentialless and allow the embedding without it, I think we would have to:
I don't know myself if there are plans for this, beyond the current plan to bring in partitioning. |
annevk
added
the
concerns: security
|
It has come to my attention that |
|
+CC @camillelamy & @mikewest, as I haven't worked on <iframe credentialless> for years. In Chrome's implementation, I remember it was explicitely decided not to. [internal design doc about autofill]. extractQuestion: What components of autofill need to be disabled? There are several components in autofill: payment, username/password and addresses. From the design of anonymous iframe, the only component we want to disable is username and password autofill. |
|
I think that very much depends. If you checkout through PayPal you might well have to login. But it also strikes me as very risky that some autofill functionality works and some doesn't. I don't think web developers will be able to make the right tradeoffs here as it creates a very subtle model. And web developers will just want to enable COOP+COEP and choose the most expedient route to get there. (Also, autofill of other data might well be domain-bound in some way.) |
|
Lack of
These two require conflicting CORP headers, but can work together with |
|
Thank you, rest assured that we know how the feature works and what it enables. The problem I tried to outline above is that we don't think we can support this in a way that safeguards end users. |
Request for position on an emerging web specification
This was previously filled as: https://lists.webkit.org/pipermail/webkit-dev/2022-April/032205.html
but didn't get any replies. Since WebKit is now using this new Github Medium, I am asking again. We would appreciate your feedback. In particular, there is a recent discussion with Mozilla who suggested activating it via a sandbox flag instead.
Information about the spec
Design reviews and vendor positions
Bugs tracking this feature
Anything else we need to know
Anonymous iframes give developers a way to load documents in third party iframes using new and ephemeral contexts.
Anonymous iframes are a generalization of COEP credentialless to support 3rd party iframes that may not deploy COEP. Like with COEP credentialless, we replace the opt-in of cross-origin subresources by avoiding to load non-public resources. This will remove the constraint that 3rd party iframes must support COEP in order to be embedded in a COEP page and will unblock developers looking to adopt cross-origin-isolation.
This way, developers using COEP can now embed third party iframes that do not.
The text was updated successfully, but these errors were encountered: