Iframe credentialless demo


Iframe credentialless give developers a way to load documents in third party iframe using new and ephemeral context. In return, the Cross-Origin-Embedder-Policy (COEP) embedding rules can be lifted.

This way, developers using COEP can now embed third party iframes that do not.

See specification.

Table of content
  1. Introduction
  2. Status
  3. Feature enabled
  4. window.credentialless attribute
  5. Cookies
  6. COEP embedding rules



Enabled by default starting from M110



Feature enabled?

Status =

window.credentialless attribute

The window.credentialless reflects whether the document was loaded inside an iframe credentialless, by its parent...

<iframe> <iframe credentialless>

...or one of its ancestors

<iframe credentialless>


Inside an iframe credentialless, documents are loaded from a new and ephemeral context. In particular, it is different from the one associated with its origin. It is also different for every new top-level document.

<iframe > <iframe > <iframe credentialless> <iframe credentialless> Please the page, and verify credentialless iframe's cookies are gone.

COEP embedding rules

Cross-Origin-Embedder-Policy (COEP) embedding rules are recursive. If a document uses COEP, then its children must also use COEP.

Waiting for third party to deploy COEP is painful for developers. This is often out of their control.

Iframe credentialless lift this restrictions, at the cost of loading the document from a fresh context everytime.

<iframe> with COEP:require-corp