Iframe credentialless demo

Introduction

Iframe credentialless gives developers a way to load documents in third-party iframes using a new, ephemeral context. In return, the Cross-Origin-Embedder-Policy (COEP) embedding rules are lifted for that iframe.

This way, developers whose pages deploy COEP can embed third-party iframes that do not deploy it.

See specification.

Table of contents
  1. Introduction
  2. Feature flags
  3. Feature enabled
  4. window.credentialless attribute
  5. Cookies
  6. COEP embedding rules

Feature flags

Chrome

From version M110 onwards, iframe credentialless is enabled by default.

On versions up to and including M109, the feature was named anonymous iframe instead. It could be enabled through the origin trial or via feature flags.

Firefox

Safari

Feature enabled?

Status =

window.credentialless attribute

The window.credentialless attribute reflects whether the document was loaded inside an iframe credentialless, either by its parent...

The attribute was renamed several times: #1, #7. Old versions of Chrome used a different name.

<iframe> <iframe credentialless>

...or one of its ancestors

<iframe credentialless>

Cookies

Inside an iframe credentialless, documents are loaded from a new and ephemeral context. In particular, this context is distinct from the regular storage (cookies included) associated with the document's origin, and a fresh one is used for every new top-level document.

<iframe > <iframe > <iframe credentialless> <iframe credentialless> Please reload the page, and verify that the credentialless iframes' cookies are gone.
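As an added example (not part of this demo page), the two sections above can be modeled in plain JavaScript: a small frame tree where each document records whether the <iframe> embedding it carries the credentialless attribute, and a walk that derives what window.credentialless would report in that document and which cookie jar it loads from. The origins, the frame layout and the nonce-N key format are constructed for the example; a browser mints the real partition key internally. The model follows the page's description, a fresh context for every top-level document that is inherited down the frame tree, and assumes (this example's reading of the demo, where several credentialless frames sit under one page) that credentialless frames of the same origin within the same top-level document share that context.

```javascript
// Added example, not code from the demo page: model how the credentialless
// flag and the storage context propagate through a frame tree.
// Origins, layout and the "nonce-N" format are made up for the example.

let nextNonce = 0;

// Describe a framed document. `credentialless` is whether the <iframe>
// element embedding this document carries the credentialless attribute.
function frame(origin, { credentialless = false, children = [] } = {}) {
  return { origin, attr: credentialless, children };
}

// Walk one top-level document and compute, for every frame:
//  - credentialless: true if its own <iframe> has the attribute or any
//    ancestor's does (what window.credentialless reports there);
//  - storageKey: the cookie/storage partition the document loads from.
// Normal frames use the origin's regular partition. Credentialless frames
// use a partition keyed by the origin *and* a nonce minted once per
// top-level document: shared within one page load, never reused across
// page loads (the "new and ephemeral context" of the demo).
function resolveTree(topLevel) {
  const nonce = `nonce-${nextNonce++}`; // fresh for every top-level document
  const out = [];
  const walk = (node, path, inherited) => {
    const credentialless = inherited || node.attr;
    const storageKey = credentialless ? `${node.origin}|${nonce}` : node.origin;
    out.push({ path, origin: node.origin, credentialless, storageKey });
    node.children.forEach((child, i) => walk(child, `${path}/${i}`, credentialless));
  };
  walk(topLevel, 'top', false);
  return out;
}

// Mirror the demo layout above: two plain iframes, each wrapping a
// credentialless iframe of the same third party, plus one regular
// third-party iframe for comparison. Resolving the same tree twice
// stands in for reloading the page.
function demo() {
  const thirdParty = 'https://third-party.example';
  const page = frame('https://embedder.example', { children: [
    frame('https://embedder.example', { children: [
      frame(thirdParty, { credentialless: true }),            // top/0/0
    ] }),
    frame('https://embedder.example', { children: [
      frame(thirdParty, { credentialless: true, children: [  // top/1/0
        frame(thirdParty),                                    // top/1/0/0: plain <iframe>, but inherits
      ] }),
    ] }),
    frame(thirdParty),                                        // top/2: regular cookie jar
  ] });
  return { first: resolveTree(page), reload: resolveTree(page) };
}

for (const row of demo().first) {
  console.log(row.path, row.origin, 'credentialless=' + row.credentialless, 'storage=' + row.storageKey);
}
```

Run it with node. Both credentialless third-party frames, and the plain iframe nested inside one of them, resolve to the same nonce-keyed partition, while the regular third-party iframe keeps the origin's normal cookie jar; the second resolution gets a new nonce, which is why the cookies set in the credentialless iframes are gone after a reload. In a real page, feature-detect the attribute with `'credentialless' in HTMLIFrameElement.prototype` before relying on it, and read `window.credentialless` inside the embedded document to observe what the walk computes here.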

COEP embedding rules

Cross-Origin-Embedder-Policy (COEP) embedding rules are recursive. If a document uses COEP, then every document it embeds must also use COEP; otherwise the embedded document is blocked.

Waiting for third parties to deploy COEP is painful for developers, and it is often out of their control.

Iframe credentialless lifts this restriction, at the cost of loading the document from a fresh context every time.

<iframe> with COEP:require-corp
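As an added example (not part of this demo page), the embedding rule just described, with the exception a credentialless iframe introduces, can be written as a small JavaScript check and applied recursively over a frame tree. The COEP values are the real header values (`unsafe-none`, `require-corp`, `credentialless`; the last is the header value, not the iframe attribute); the frame layout is constructed for the example, and COEP report-only is left out.

```javascript
// Added example, not code from the demo page: the COEP embedding rule and
// the credentialless-iframe exception, as a function applied over a tree.
// The frame layout below is made up for the example.

// A COEP value is cross-origin isolating when it is require-corp or
// credentialless (the header value). unsafe-none, the default, is not.
function isolating(coep) {
  return coep === 'require-corp' || coep === 'credentialless';
}

// Decide whether a child document may be embedded.
//  - parentCoep: COEP of the embedding document ('unsafe-none' when absent)
//  - childCoep:  COEP sent by the embedded document's response
//  - iframeCredentialless: whether the embedding <iframe> carries the
//    credentialless attribute
function checkEmbed({ parentCoep = 'unsafe-none', childCoep = 'unsafe-none', iframeCredentialless = false } = {}) {
  if (!isolating(parentCoep)) {
    return { allowed: true, reason: 'parent does not deploy COEP' };
  }
  if (iframeCredentialless) {
    return { allowed: true, reason: 'credentialless iframe: loaded in an ephemeral context, COEP requirement lifted' };
  }
  if (isolating(childCoep)) {
    return { allowed: true, reason: 'child also deploys COEP' };
  }
  return { allowed: false, reason: 'child lacks COEP while parent requires it: blocked' };
}

// Describe a document: its own COEP value and whether the <iframe>
// embedding it is credentialless.
function doc(coep, { credentialless = false, children = [] } = {}) {
  return { coep, credentialless, children };
}

// Apply the rule recursively, parent against each child. A blocked
// child never loads, so its own children are not visited.
function auditTree(root) {
  const blocked = [];
  const walk = (node, path) => {
    for (const [i, child] of node.children.entries()) {
      const childPath = `${path}/${i}`;
      const verdict = checkEmbed({
        parentCoep: node.coep,
        childCoep: child.coep,
        iframeCredentialless: child.credentialless,
      });
      if (!verdict.allowed) { blocked.push(childPath); continue; }
      walk(child, childPath);
    }
  };
  walk(root, 'top');
  return blocked;
}

// A top-level page with COEP: require-corp embedding three third parties.
function exampleTree() {
  return doc('require-corp', { children: [
    doc('unsafe-none'),                                   // top/0: no COEP, plain iframe -> blocked
    doc('unsafe-none', { credentialless: true, children: [ // top/1: no COEP, credentialless -> allowed
      doc('unsafe-none'),                                 // top/1/0: its parent has no COEP -> unconstrained
    ] }),
    doc('require-corp', { children: [                     // top/2: deploys COEP -> allowed
      doc('unsafe-none'),                                 // top/2/0: grandchild without COEP -> blocked
    ] }),
  ] });
}

console.log('blocked frames:', auditTree(exampleTree()));
```

Run it with node. The third-party frame that ships no COEP is blocked under the require-corp parent, the same third party loads when embedded through an <iframe credentialless>, and the rule keeps applying further down: a COEP-compliant child is itself bound to check its own children, which is the recursive behaviour the section describes.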