Bug 230550
| Summary: | Implement COEP:credentialless | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Arthur Sonzogni <arthursonzogni> |
| Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Enhancement | CC: | agektmr, annevk, beidson, cdumez, dpaddock, hypertree, jacob, kevin_neal, leaden_story_0j, martin.lundberg, me, webkit-bug-importer, webkitbugzilla |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | All | ||
| OS: | All | ||
Arthur Sonzogni
New feature request.
Filing implementation bug, in order to land spec PR:
- https://github.com/whatwg/html/pull/6638
- https://github.com/whatwg/fetch/pull/1229
Explainer:
- https://github.com/WICG/credentiallessness
Request for position:
- Chrome: https://groups.google.com/a/chromium.org/g/blink-dev/c/Zr9n9_LG7s4/m/4y-b481hBAAJ
- WebKit: https://lists.webkit.org/pipermail/webkit-dev/2021-June/031898.html
- Firefox: https://github.com/mozilla/standards-positions/issues/539
Chris Dumez
This adds a lot of complexity and seems to have quite a few pre-requisites (Private Network Access, ORB, anonymous iframes).
I am not convinced it is worth the effort at the moment.
Arthur Sonzogni
Yes, that's totally understandable ;-)
Note that anonymous iframe is not a prerequisite.
Radar WebKit Bug Importer
<rdar://problem/83355925>
Sanjay Kumar
From the Firefox commit, it does not seem like that much work.
https://bugzilla.mozilla.org/show_bug.cgi?id=1731778
Neither Firefox nor Google had PAN (Personal Network Access) or ORB implemented but they shipped because this is something of tremendous value.
As coep: required-corp is implemented today - it's too restrictive and you lose many features like third party payment (say Stripe), or Zendesk Help plugins.
So without credentialless: the choice is between SharedArrayBuffer (SAB)/PTHREADS and core site functions. And SAB/PTHREADS loses - which is unfortunate.
To me, all the great work done on SAB/THREADS in Safari is of not much help without credentialless.
Sanjay Kumar
Please note this does not just block SharedArrayBuffer/Atomics/Pthreads - even Origin Private Filesystem (OPFS) cannot be used without this header (unless of course you are happy with coep: required-corp).
Not having OPFS especially is an obstacle (no offline SQLite etc. - you need an unlimited amount of memory)
Please consider this a priority. Thank you.
Jacob Bandes-Storch
Hi there, any update on this issue? I work on a complex web app that, and we would love to start using SharedArrayBuffer but cannot use `require-corp` without breaking loading of some other resources.
Some reasons that this feature is needed are described quite thoroughly in this blog post (which is now ~3 years old): https://blog.stackblitz.com/posts/cross-browser-with-coop-coep/
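The trade-off discussed in the comments above, as an added example that is not part of the bug thread and is not WebKit or browser code: a simplified JavaScript model of how a no-cors cross-origin subresource is treated under each COEP value, and which values give cross-origin isolation (the gate for SharedArrayBuffer). The function names and URLs are constructed for illustration; `same-site` CORP, CORS-mode requests and iframe navigations are not modeled.

```javascript
// Added example: simplified model, not browser or WebKit code.
const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;

// Cross-origin isolation (required for SharedArrayBuffer) needs both headers:
// COOP: same-origin plus COEP: require-corp or credentialless.
function isCrossOriginIsolated({ coop, coep }) {
  return coop === "same-origin" &&
    (coep === "require-corp" || coep === "credentialless");
}

// Does a no-cors subresource request carry cookies / client certificates?
// Under credentialless, cross-origin no-cors requests are sent without them.
function includesCredentials(coep, docUrl, resUrl) {
  return sameOrigin(docUrl, resUrl) || coep !== "credentialless";
}

// Is the no-cors response handed to the embedding document?
// corp: value of the response's Cross-Origin-Resource-Policy header, or null.
// Simplification: the "same-site" value is not modeled.
function subresourceAllowed({ coep, docUrl, resUrl, corp = null }) {
  if (sameOrigin(docUrl, resUrl) || corp === "cross-origin") return true;
  if (corp === "same-origin") return false;
  // No CORP header: require-corp blocks the response; credentialless allows it
  // only because the request was made without credentials.
  if (coep === "require-corp") return false;
  if (coep === "credentialless") return !includesCredentials(coep, docUrl, resUrl);
  return true; // unsafe-none (the default)
}

// Constructed sample: an app page embedding a third-party image that sends no CORP header.
const doc = "https://app.example/";
const img = "https://cdn.third-party.example/logo.png";
for (const coep of ["unsafe-none", "require-corp", "credentialless"]) {
  console.log(coep, {
    isolated: isCrossOriginIsolated({ coop: "same-origin", coep }),
    thirdPartyLoads: subresourceAllowed({ coep, docUrl: doc, resUrl: img }),
    cookiesSent: includesCredentials(coep, doc, img),
  });
}
```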