
Forcing all iframes to be credentialless / dealing with iframes created by external scripts #14

Open
benediktwerner opened this issue Jan 12, 2023 · 2 comments

Comments

@benediktwerner

Not sure if this is the right place to post this but I ran into the following issue trying to use the credentialless attribute with Twitter tweet embeds:

The iframes in this case are created by an external script (https://platform.twitter.com/widgets.js) which of course doesn't add the credentialless attribute. There is an event mechanism to run code when a tweet is rendered but it only triggers after the tweet is added to the DOM which appears to be too late.

I guess one kinda ugly workaround would be to do the tweet embedding inside a credentialless iframe but that's not really a great solution.

Ideally, there would be some way to say "please make all iframes credentialless", presumably via an HTTP header. This also would solve the issue of having to add the attribute to all iframes.

@ArthurSonzogni
Collaborator

Hi @benediktwerner !

Historically, this was the original idea: Bundling everything behind COEP:credentialless.
This is a bit problematic, because developers don't have any flexibility. You get everything credentialless or nothing. Most websites do need to embed at least some resources with credentials. This would make the feature unusable for most. The problem can be overcome for simple subresources, because you can add the crossorigin="use-credentials" attribute to switch the Request.mode from "no-cors" to "cors" to use credentials. There is no attribute like this one for iframes (request.mode = "navigation").

The second problem was about how to define the behavior of iframe.credentialless. Its implementation is totally different from COEP:credentialless. This is not about the request, but about the whole network/storage/cookies contexts. Two years ago, it was an idea not likely to succeed. It made sense to break the two to support COEP:credentialless at least, get cross-browser support, and help the majority of the users as a result.

Iframe.credentialless was developed after COEP:credentialless. An attribute was added. It got renamed several times:

<iframe crossorigin="anonymous"></iframe>  <!-- original -->
<iframe anonymous></iframe> <!-- V2 -->
<iframe credentialless></iframe> <!-- V3 -->

Adding a way to configure the default behavior globally could be done easily. The real difficulty is getting a sufficiently strong interest from web developers and browser vendors. The real difficulty is getting a consensus.

In the meantime, some solutions/hacks could be used:

  • Wait for Twitter to provide an API doing it.
  • Do not use the Twitter script; implement your own.
  • Load the script inside a credentialless iframe. You can use the srcdoc attribute for this.
  • Polyfill the feature you want: add credentialless by default on HTMLIFrameElement.

Polyfill

  // Wrap document.createElement so every iframe created by script (including
  // third-party embeds such as widgets.js) carries the credentialless
  // attribute before it is inserted into the DOM and starts navigating.
  const originalCreateElement = document.createElement;
  document.createElement = function() {
    const element = originalCreateElement.apply(this, arguments);
    if (element instanceof HTMLIFrameElement) {
      element.credentialless = true;
    }
    return element;
  };
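
An added example, not code from the thread or from either participant, that builds on the polyfill above: it also catches iframes that arrive as parsed HTML (innerHTML, insertAdjacentHTML), which a document.createElement hook never sees, and replaces them with a credentialless clone. The data-allow-credentials opt-out attribute is a hypothetical name chosen for this example, not a standard attribute; the helpers are DOM-agnostic so they can be unit-tested without a browser.

```javascript
// Added example: "credentialless by default" for both script-created and
// HTML-parsed iframes. The data-allow-credentials opt-out is an assumption
// of this example, not a standard attribute.

// Does this element still need the attribute added?
function needsCredentialless(el) {
  return el.tagName === 'IFRAME' &&
         !el.hasAttribute('credentialless') &&
         !el.hasAttribute('data-allow-credentials');
}

// Set the attribute before the element is inserted; the browser reads it when
// the frame's navigation starts, so it must be present by then.
function makeCredentialless(el) {
  if (needsCredentialless(el)) el.setAttribute('credentialless', '');
  return el;
}

// Collect iframes in a subtree that slipped in without the attribute.
function findUnguardedIframes(root, out = []) {
  if (needsCredentialless(root)) out.push(root);
  for (const child of root.children) findUnguardedIframes(child, out);
  return out;
}

// Wire the helpers to a real document: hook createElement (as in the thread's
// polyfill) and watch for parsed-in iframes with a MutationObserver.
function install(doc) {
  const originalCreateElement = doc.createElement;
  doc.createElement = function (...args) {
    return makeCredentialless(originalCreateElement.apply(this, args));
  };
  const observer = new MutationObserver((records) => {
    for (const record of records) {
      for (const node of record.addedNodes) {
        if (node.nodeType !== 1) continue; // elements only
        for (const frame of findUnguardedIframes(node)) {
          // Too late to fix in place: the navigation may already have started
          // with credentials. Replace with a credentialless clone so the embed
          // reloads in an opaque context.
          frame.replaceWith(makeCredentialless(frame.cloneNode(true)));
        }
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

if (typeof document !== 'undefined') install(document);
```

Install it before any third-party embed script runs; a frame caught by the observer has already issued its first request, so the hook remains the primary path and the observer is the fallback.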

@benediktwerner
Author

Thanks for the detailed response! The polyfill seems like a reasonable enough solution I hadn't considered.

I still would love to see a way to have a global default and potentially disable it per iframe with an attribute to also avoid having to specify it on all iframes (and potentially forgetting it somewhere) but yeah, I understand that the interest from devs and browser vendors isn't that large currently. I'm already quite happy about the attribute in Chrome and that Firefox seems to be moving forward with COEP:credentialless.
