Iframe credentialless (WIP)

[ArthurSonzogni]

Explainer and spec:
https://arthursonzogni.github.io/anonymous-iframe/

Iframe credentialless requires updating several specifications:

Spec	PR
HTML	#7695 (this)
Fetch	whatwg/fetch#1416
Storage	whatwg/storage#139
CHIPS/Cookies	XXX

Summary:

• Define the credentialless flag for iframe and Window.
• Inheritance is defined similarly to sandbox. However it do not propage
  toward popups.
• Popup opened from credentialless Window use 'noopener'.
• Navigation in an iframe credentialless are allowed, even if the embedder has
  COEP:require-corp|credentialless and the response do not.
• Define the page credentialless nonce, it is used for credentialless Window as
  an additional keys in:
  • network-partition-keys,
  • storage-partition-keys,
  • cookie-partition-keys
    This ensures the document is loaded within a new and ephemeral
    context. This prevents a cross-origin-isolated parent from stealing
    important data from its child, via a Spectre Attack.
• Password autofill must be disabled inside credentialless Window.

• At least two implementers are interested (and none opposed):
  • Chrome: https://chromestatus.com/feature/5729461725036544
  • …
• Tests are written and can be reviewed and commented upon at:
  • https://wpt.fyi/results/html/anonymous-iframe
• Implementation bugs are filed:
  • Chrome: https://crbug.com/1226469
  • Firefox: …
  • Safari: …
  • Deno: N/A
  • Node.js: N/A

(See WHATWG Working Mode: Changes for more details.)

---

/browsers.html ( diff )
/browsing-the-web.html ( diff )
/history.html ( diff )
/iframe-embed-object.html ( diff )
/index.html ( diff )
/indices.html ( diff )
/infrastructure.html ( diff )
/origin.html ( diff )
/webappapis.html ( diff )
/window-object.html ( diff )
/workers.html ( diff )
/worklets.html ( diff )

[ArthurSonzogni]

This is still WIP. I am not requesting a review now, but you can take a look if you are curious.
+CC @antosart @camillelamy FYI.

I still need to figure out how to integrate this into the "future" spec for storage-partitioning, CHIPS, etc...
I would like at the end to have a "WICG/anonymous-iframe" document with an introduction, a gathering of the different PR needed, and a Security/Privacy section, so that one can understand anonymous iframe in a single view.

[domenic]

I would like at the end to have a "WICG/anonymous-iframe" document with an introduction, a gathering of the different PR needed, and a Security/Privacy section, so that one can understand anonymous iframe in a single view.

I like this plan a lot.

[josephrocca]

Not sure if this is the best place to ask, but: Is the anonymous attribute expected to work for srcdoc iframes? I notice that it doesn't work in the Chrome dev trial. Wondering if this feature could be relevant to this issue - would be very useful for my purposes.

(potentially relevant crbug, as pointed out in the above issue)

[ArthurSonzogni]

Not sure if this is the best place to ask

Thanks for your message!
@josephrocca, if you found a bug, please open an entry on https://crbug.com/ and +CC arthursonzogni@chromium.org
In particular, I would be interested getting more details about what "not working" means to you

I made a quick demo on:https://anonymous-iframe.glitch.me/srcdoc.html
Cookies JS API & LocalStorage in srcdoc iframe are working as I would have expected. I found nothing unexpected so far.
I will had some more WPT in case I might find what you had in mind.

---

Wondering if this feature could be relevant to #7328 - would be very useful for my purposes.

I don't think it can help you. The iframe credentialless (aka anonymous iframe) is still running inside the same agent cluster. So it is executed on the same thread.

[josephrocca]

The iframe credentialless (aka anonymous iframe) is still running inside the same agent cluster. So it is executed on the same thread.

Ah, gotcha - thanks for the clarification!

I would be interested getting more details about what "not working" means to you

I may be misunderstanding something (as you can tell I don't know a lot about this proposal), but I tried executing window.anonymouslyFramed in the anonymous+srcdoc iframe and got undefined whereas I expected true. I also tested it on that demo that you made to confirm the behavior.

(btw, I love your demo - not sure if you're using a template or if you designed it yourself, but it's a really good/clear demonstration! very easy to understand)

[ArthurSonzogni]

I may be misunderstanding something (as you can tell I don't know a lot about this proposal), but I tried executing window.anonymouslyFramed in the anonymous+srcdoc iframe and got undefined whereas I expected true. I also tested it on that demo that you made to confirm the behavior.

Indeed. I think this is specific to the origin trial, and it isn't going to show up for the final release. The origin trial token is valid only for a given origin. I think the origin trial component might be checking against the URL's origin instead of the window.origin. In this case "about:srcdoc" doesn't match.

Still worth double checking. I will add additional WPTs.

(btw, I love your demo - not sure if you're using a template or if you designed it yourself, but it's a really good/clear demonstration! very easy to understand)

Thank you!