Should an iframe loaded inside a page with COEP: credentialless be automatically anonymous, or does it have to specify the attribute credentials=omit explicitly?
The former matches better the behaviour of other subresources and could be a bit easier to deploy.
But if we go with the former, would that be a way to override it, like specifying credentials=include?
Should an iframe loaded inside a page with
COEP: credentiallessbe automatically anonymous, or does it have to specify the attributecredentials=omitexplicitly?The former matches better the behaviour of other subresources and could be a bit easier to deploy.
But if we go with the former, would that be a way to override it, like specifying
credentials=include?