Iframe credentialless gives developers a way to load documents in third-party iframes using a new and ephemeral context. In return, the Cross-Origin-Embedder-Policy (COEP) embedding rules can be lifted.
This way, developers using COEP can now embed third-party iframes that do not use it.
See specification.
Enabled by default starting from M110
window.credentialless reflects whether the document was loaded inside an iframe credentialless, by its parent...
<iframe>
<iframe credentialless>
...or one of its ancestors
<iframe credentialless>
Inside an iframe credentialless, documents are loaded from a new and ephemeral context. In particular, it is different from the one associated with its origin. It is also different for every new top-level document.
<iframe>
<iframe>
<iframe credentialless>
<iframe credentialless>
Please reload the page, and verify that the credentialless iframe's cookies are gone.
Cross-Origin-Embedder-Policy (COEP) embedding rules are recursive. If a document uses COEP, then its children must also use COEP.
Waiting for third parties to deploy COEP is painful for developers. This is often out of their control.
Iframe credentialless lifts this restriction, at the cost of loading the document from a fresh context every time.
<iframe> with COEP:require-corp
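
The two rules described above (window.credentialless being inherited from ancestors, and the recursive COEP requirement being lifted for credentialless iframes) can be checked against a frame tree with a simplified model. This is an added example, not code from the original page or from any browser; the frame-tree object shape, the sample tree, and the names parseCoep and evaluate are assumptions made for illustration.

```javascript
// Simplified model (an assumption of this example, not browser code) of two
// rules: COEP is required recursively, and a credentialless iframe lifts that
// requirement for itself and everything nested inside it.

// COEP values under which a document imposes the embedding rule on children.
const ENFORCING = new Set(["require-corp", "credentialless"]);

// Extract the policy token from a Cross-Origin-Embedder-Policy header value,
// ignoring parameters such as report-to. Missing or unknown => "unsafe-none".
function parseCoep(header) {
  const token = (header || "").split(";")[0].trim().toLowerCase();
  return ENFORCING.has(token) ? token : "unsafe-none";
}

// Walk a frame tree and report, per frame, the value window.credentialless
// would reflect and whether the COEP embedding rule blocks the load.
function evaluate(frame, parent = null, out = []) {
  const coep = parseCoep(frame.coep);
  // Inherited: set by the frame's own attribute or by any ancestor.
  const credentialless = Boolean(frame.credentialless) ||
    (parent !== null && parent.credentialless);
  // Nothing loads underneath a frame that was itself blocked.
  let blocked = parent !== null && parent.blocked;
  if (parent !== null && !blocked) {
    const parentRequires = ENFORCING.has(parent.coep);
    blocked = parentRequires && !ENFORCING.has(coep) && !credentialless;
  }
  const state = { name: frame.name, coep, credentialless, blocked };
  out.push(state);
  for (const child of frame.children || []) evaluate(child, state, out);
  return out;
}

// Constructed sample tree: a COEP top-level page embedding three iframes.
const page = {
  name: "top", coep: "require-corp", children: [
    { name: "plain-with-coep", coep: 'require-corp; report-to="x"' },
    { name: "plain-no-coep" },
    { name: "anon", credentialless: true,
      children: [{ name: "anon-nested" }] },
  ],
};

for (const s of evaluate(page)) {
  console.log(s.name, "credentialless=" + s.credentialless, "blocked=" + s.blocked);
}
```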