
Use "coep: credentialless" with credentialless iframes on all pages on Chrome 110+ #12183

Merged

Conversation

benediktwerner (Member) commented Jan 12, 2023

Second attempt at #11614

Using the "credentialless" (formerly called "anonymous") attribute on iframes new in Chrome 110 to make YT/Twitch embeds work:

Chrome 110 just got released on the dev channel and should become stable in 4 weeks so probably still a bit early to merge but from cursory testing, everything seems to work. Probably still should be tested on .dev a bit once 110 is stable.

Also, I guess might make sense to create a custom iframe tag or something to always set the attribute?

benediktwerner (Member, Author) commented Jan 12, 2023

Ugh, turns out for Twitter embeds, the iframe is created by a Twitter script which ofc doesn't add the attribute.

I guess really, we'd just want a header to tell the browser "make all the iframes credentialless". Filed WICG/anonymous-iframe#14 to make the chrome devs aware of the issue.

I guess one kinda ugly workaround would be to add our own credentialless iframe and then do the Twitter embed stuff inside there (the Twitter iframe will then inherit the attribute). I guess it wouldn't make that much of a difference except for some slight overhead and having to load the Twitter script for each tweet. But I guess Twitter embeds are not that common.

The alternative would be to keep all pages with possible Twitter embeds without the header. I guess that would be the forum and all (official + user) blog posts. Potentially could check whether the page actually contains a Twitter link but that might be a bit of a mess.

ornicar (Collaborator) commented Jan 12, 2023

If the only obstacle left is twitter embeds, I'm happy to remove them altogether.

benediktwerner force-pushed the chrome-credentialless-everywhere branch from 0414a45 to 7305cad on March 12, 2023 01:38

benediktwerner (Member, Author) commented:

Small update here:

For the twitter embeds, in the issue I filed, a Chromium dev proposed polyfilling document.createElement to add the credentialless attribute to iframes created with it which seems like a reasonable solution. Implemented in 7305cad (only runs once there actually is a twitter embed).

Otherwise, the attribute is now in stable Chrome (actually already since the previous version now) but while testing earlier, I noticed that YouTube embeds with the credentialless attribute unconditionally hard-crash Chrome in incognito windows. Filed a chromium bug but it seems like it doesn't happen in Chrome Beta and Dev (v112 and v113) so possible it's already fixed in those versions (v112 will release in ~3 weeks).
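The createElement polyfill approach mentioned above, written out as an added example (not lichess's own code): it assumes the embed script obtains its frame via `document.createElement('iframe')`, and uses a constructed stand-in for `document` so that it runs outside a browser.

```javascript
// Added example, not project code. Wrap document.createElement so that any
// <iframe> a third-party embed script creates gets the "credentialless"
// attribute; a page served with Cross-Origin-Embedder-Policy: credentialless
// needs this on cross-origin frames that do not send CORP headers (Chrome 110+).

// Install the wrapper on a document-like object. Returns the original
// createElement so the caller can restore it; a second call is a no-op.
function installCredentiallessIframes(doc) {
  if (doc.__credentiallessOriginal) return doc.__credentiallessOriginal;
  const original = doc.createElement;
  doc.createElement = function (tagName, ...rest) {
    const el = original.call(this, tagName, ...rest);
    // Tag names are case-insensitive in HTML documents.
    if (typeof tagName === 'string' && tagName.toLowerCase() === 'iframe') {
      // A boolean attribute; browsers without support simply ignore it.
      el.setAttribute('credentialless', '');
    }
    return el;
  };
  doc.__credentiallessOriginal = original;
  return original;
}

// Constructed stand-in for `document` so the example runs in plain Node.
function makeFakeDocument() {
  return {
    createElement(tagName) {
      const attrs = {};
      return {
        tagName: tagName.toUpperCase(),
        setAttribute(name, value) { attrs[name] = value; },
        hasAttribute(name) { return Object.prototype.hasOwnProperty.call(attrs, name); },
      };
    },
  };
}

// Simulates an embed script creating elements after the patch is installed.
function embedCreatesFrame(doc) {
  installCredentiallessIframes(doc);
  const iframe = doc.createElement('iframe');
  const div = doc.createElement('div');
  return {
    iframeCredentialless: iframe.hasAttribute('credentialless'), // true
    divCredentialless: div.hasAttribute('credentialless'),       // false
  };
}

// In a browser: call installCredentiallessIframes(document) before the
// embed script loads. Here the fake document stands in for it.
console.log(embedCreatesFrame(makeFakeDocument()));
```

The patch only affects frames created through `createElement`; frames injected via `innerHTML` or `insertAdjacentHTML` would still need the attribute set some other way.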

benediktwerner force-pushed the chrome-credentialless-everywhere branch from 06a3533 to fb6e335 on May 27, 2023 16:46
benediktwerner marked this pull request as ready for review on May 27, 2023 16:48

benediktwerner (Member, Author) commented:

Ok, it looks like Chrome finally fixed the crash in 113 which was rolled out a bit ago. I just did a few more tests checking YT and Twitter embeds and the analysis board and didn't notice any more issues.

niklasf merged commit c96bdee into lichess-org:master on Jun 10, 2023