Open Bug 1863531 Opened 2 years ago Updated 2 years ago

COEP credentialless not working as expected

Categories: Core :: DOM: Core & HTML, task
Version: Firefox 119


People: Reporter: tiberiu.zuld, Unassigned

Attachments

(1 file)

Steps to reproduce:

  1. Loaded into our web app an iframe on our subdomain, which has another iframe with a URL from the user.
     The code looks like this:

index.html (response headers, then markup):

Cross-Origin-Embedder-Policy: credentialless
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin

<iframe sandbox="allow-forms allow-scripts allow-same-origin" referrerpolicy="no-referrer" loading="lazy" credentialless="" src="https://embed.avelon.cloud"></iframe>

https://embed.avelon.cloud (the document loaded by that iframe; response headers, then markup):

Cross-Origin-Embedder-Policy: credentialless
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin

<iframe name="embed-user-content" referrerpolicy="no-referrer" loading="lazy" credentialless="true" src="https://www.space-eye.ch/"></iframe>

Actual results:

The space-eye.ch website is blocked: NS_ERROR_DOM_COEP_FAILED.

It was working pre-119 and still works in Firefox ESR 115.

Setting browser.tabs.remote.coep.credentialless to false in about:config results in the website working.
In Chrome this setup works.

Expected results:

The space-eye.ch website is NOT blocked.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

I think this link https://iframe-credentialless.glitch.me/ (scroll to bottom) reproduces my exact issue with COEP and iframe credentialless.
I found the link on https://developer.mozilla.org/en-US/docs/Web/Security/IFrame_credentialless

Blocks: 1851467
Component: DOM: Security → DOM: Core & HTML

Thank you for sending us this report.

The behavior you see is not specifically COEP: credentialless, but rather credentialless iframes.
The former is supported in Firefox and the latter is not.

Status: UNCONFIRMED → NEW
Type: defect → task
Ever confirmed: true
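The distinction drawn above (COEP: credentialless is implemented, `<iframe credentialless>` is not) is what makes the nested iframe fail: under COEP: credentialless the Fetch standard still applies the Cross-Origin-Resource-Policy check to navigations, so a cross-origin frame without a CORP header is blocked exactly as it is under require-corp, and the HTML standard additionally requires the nested document to carry a compatible COEP of its own. The following is an added example, not code from the bug report or from Firefox: a small Python model of those two spec checks, run over responses constructed from the report. It assumes, consistent with the NS_ERROR_DOM_COEP_FAILED result, that https://www.space-eye.ch/ sends no COEP or CORP headers; the `same_site` helper is a simplification that compares the last two host labels instead of consulting the Public Suffix List.

```python
# Added example (not code from the bug report or from Firefox): a model of the
# Fetch standard's "cross-origin resource policy internal check" and the HTML
# standard's embedder-policy adherence check for a navigation response.
# All responses and headers below are constructed from the bug's description;
# nothing is fetched from the network.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ALLOWED, BLOCKED = "allowed", "blocked"


@dataclass
class Response:
    url: str
    headers: dict = field(default_factory=dict)
    includes_credentials: bool = True  # the request carried cookies/credentials

    def header(self, name):
        # Header names are case-insensitive; values are trimmed.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v.strip()
        return None


def origin(url):
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(), u.port)


def same_site(a, b):
    # Simplified "schemelessly same site": compare the last two host labels.
    # Real browsers consult the Public Suffix List (assumption/simplification).
    return a[1].split(".")[-2:] == b[1].split(".")[-2:]


def corp_check(embedder_origin, coep, response, for_navigation):
    """Fetch spec 'cross-origin resource policy internal check'.

    embedder_origin: origin of the document doing the embedding
    coep: that document's Cross-Origin-Embedder-Policy value
    for_navigation: True for an <iframe> navigation, False for a subresource
    """
    if for_navigation and coep == "unsafe-none":
        return ALLOWED
    policy = response.header("Cross-Origin-Resource-Policy")
    if policy not in ("same-origin", "same-site", "cross-origin"):
        policy = None
    if policy is None:
        if coep == "require-corp":
            policy = "same-origin"
        elif coep == "credentialless" and (response.includes_credentials or for_navigation):
            # credentialless only relaxes CORP for credential-free, non-navigation
            # requests; an iframe is a navigation, so it is treated like require-corp.
            policy = "same-origin"
    if policy is None or policy == "cross-origin":
        return ALLOWED
    resp_origin = origin(response.url)
    if policy == "same-origin":
        return ALLOWED if resp_origin == embedder_origin else BLOCKED
    # same-site: schemelessly same site, and no https embedder pulling http content
    if same_site(embedder_origin, resp_origin) and (
        embedder_origin[0] == "https" or resp_origin[0] != "https"
    ):
        return ALLOWED
    return BLOCKED


def frame_check(embedder_origin, coep, response):
    """Decision for loading `response` into an <iframe> of a document with `coep`:
    the CORP check above, then the embedder-policy adherence check (a nested
    document must itself be credentialless or require-corp)."""
    if corp_check(embedder_origin, coep, response, for_navigation=True) == BLOCKED:
        return BLOCKED
    if coep == "unsafe-none":
        return ALLOWED
    nested = response.header("Cross-Origin-Embedder-Policy")
    return ALLOWED if nested in ("credentialless", "require-corp") else BLOCKED


def bug_scenario():
    """The nested iframe from the report: embed.avelon.cloud embedding
    https://www.space-eye.ch/, which (constructed assumption) sends no COEP/CORP
    headers. Returns the verdict for each COEP value the embedder could send."""
    embedder = origin("https://embed.avelon.cloud")
    user_page = Response("https://www.space-eye.ch/", headers={})
    return {coep: frame_check(embedder, coep, user_page)
            for coep in ("unsafe-none", "credentialless", "require-corp")}


if __name__ == "__main__":
    for coep, verdict in bug_scenario().items():
        print(f"COEP {coep:14s} -> iframe {verdict}")
```

Running the block prints `allowed` only for unsafe-none, which is the pre-119 behaviour the reporter relied on; credentialless and require-corp both yield `blocked`. Calling `corp_check(..., for_navigation=False)` on a credential-free subresource from the same site shows the one place where credentialless is more permissive than require-corp.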

Can't find the implementation bug, but we've got WPT test failures that sound like they cover it, going by their names:
bug 1702799
bug 1715581

Yes, I agree, after discovering the link, that this relates to iframe credentialless.

The problem is that in previous versions, without COEP credentialless support in Firefox, my setup was working fine;
now, because of COEP credentialless support, it is no longer working.

Current workarounds I know:

  1. Setting COEP to unsafe-none for the entire website (not desirable, as it lowers security).
  2. Setting browser.tabs.remote.coep.credentialless to false in about:config.
  3. using Firefox ESR v115

Are there any other options/workarounds that I can use for my setup to work again?

Our use case is to allow the users to embed any URLs they want inside a widget using an iframe.
So we resorted to credentialless to secure it as much as possible and not require target websites to have the CORP/COEP headers that we currently use in our app.

Until now, credentialless on COEP and iframe was supported only on Chromium browsers, and it was also working fine on those that didn't support it.
But with this change in Firefox, COEP credentialless support without iframe credentialless support is breaking our feature for our users.

Our use case also includes iframes.
We are currently blocked from moving to support COI on Firefox.
Is there an ETA for the support of iframes with the credentialless header?
Thanks,
Sasha

To clarify the last question, is there an ETA for the support of the iFrame HTML Tag for credentialless?

Another workaround we will deploy soon to production is to apply unsafe-none to the COEP header for Firefox for now.
This is how the COEP header with credentialless was interpreted by Firefox before v119.

# Apache httpd (mod_headers): Firefox gets COEP unsafe-none, which is how it
# effectively treated credentialless before v119; every other browser gets credentialless.
<If "%{HTTP_USER_AGENT} =~ /(Firefox)s*/i">
  Header set Cross-Origin-Embedder-Policy "unsafe-none"
</If>
<If "%{HTTP_USER_AGENT} !~ /(Firefox)s*/i">
  Header set Cross-Origin-Embedder-Policy "credentialless"
</If>

It is a bit unclear what this bug is about. Is this about the credentialless header or <iframe credentialless>?

<iframe credentialless> isn't a standard, as https://developer.mozilla.org/en-US/docs/Web/Security/IFrame_credentialless says.

It's about the breaking change in production applications that COEP credentialless support introduced by not supporting iframe credentialless.

Since before Firefox v119 COEP with a value of credentialless was effectively unsafe-none, the iframe was loading without issues even without support for iframe credentialless.

Given that Chromium browsers were the only ones supporting COEP credentialless and iframe credentialless, our assumption was that if Safari and Firefox implemented credentialless, it would be for both COEP and iframe.

I understand that iframe credentialless is not standard and is experimental, and that it is our risk that we used it.

Our special use case is not something that applies to many, so for us it is OK even as a first step in supporting COEP credentialless, and we will wait patiently for iframe credentialless, or another feature securing iframes, to be able to have Cross-Origin Isolation on Firefox.

So from my perspective you can mark this as not a bug/wontfix.
