
Support for credentialless iframes to address COEP header needs #4914

@cscheid

If we see credentialless in the raw params, we should pass it along.

Discussed in #4913

Originally posted by coatless March 21, 2023
Right now, the video short code {{ video }} provides a standard iframe that automatically assumes the page's default headers.

local SNIPPET = [[<iframe data-external="1" src="{src}{start}"{width}{height} title="{title}" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>]]

local SNIPPET = [[<iframe data-external="1" src="{src}"{width}{height} allowfullscreen="" title="{title}" allow="encrypted-media"></iframe>]]

local SNIPPET = [[<iframe data-external="1" src="{src}"{width}{height} frameborder="0" allow="autoplay; title="{title}" fullscreen; picture-in-picture" allowfullscreen></iframe>]]

Would it be possible to have the short-code support or set by default a credentialless state? e.g.

<iframe credentialless src="https://example.com">

The credentialless state is important for Cross-Origin-Embedder-Policy (COEP) environments. For webR startup and package installs, we need to set the COOP and COEP headers to significantly speed up the availability of the in-browser R editor. We're running into issues with the iframe because when we turn on COEP, then any embedded lecture video from YouTube using the video shortcode is blocked with "youtube refused to connect."

By having the <iframe> tag include credentialless, the iframe is loaded from a different, empty context. In particular, it is loaded without cookies. This allows for the removal of the COEP restriction for just the video and will allow the entire page to still fall under the custom COOP and COEP headers.

For more background, please see:

Where the issue arose: coatless/quarto-webr#8
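
A sketch of the pass-through requested above, written as an added example; it is not Quarto's own code and not part of the original posts. The helper names, the `args`/`kwargs` shape, the bare `credentialless` flag syntax, and the `VIDEO_ID` placeholder URL are assumptions. The attribute is emitted only when the author asks for it, and every interpolated value is attribute-escaped.

```lua
-- Hypothetical template: same shape as the SNIPPET strings quoted in the issue,
-- with one extra {credentialless} slot.
local SNIPPET = [[<iframe data-external="1"{credentialless} src="{src}"{width}{height} title="{title}" allowfullscreen></iframe>]]

-- Escape a value for use inside a double-quoted HTML attribute.
local function attr_escape(s)
  return (tostring(s):gsub('[&<>"]', {
    ['&'] = '&amp;', ['<'] = '&lt;', ['>'] = '&gt;', ['"'] = '&quot;',
  }))
end

-- True when the raw params carry the flag, either as a bare positional
-- argument or as credentialless=true (both spellings are assumptions).
local function wants_credentialless(args, kwargs)
  for _, a in ipairs(args) do
    if a == 'credentialless' then return true end
  end
  local v = kwargs.credentialless
  return v == true or v == 'true'
end

-- Optional attribute with a leading space, or '' when the value is absent.
local function opt_attr(name, value)
  if value == nil or value == '' then return '' end
  return ' ' .. name .. '="' .. attr_escape(value) .. '"'
end

local function render_iframe(args, kwargs)
  local fields = {
    -- Boolean HTML attribute: present or absent, never given a value.
    credentialless = wants_credentialless(args, kwargs) and ' credentialless' or '',
    src = attr_escape(kwargs.src),
    width = opt_attr('width', kwargs.width),
    height = opt_attr('height', kwargs.height),
    title = attr_escape(kwargs.title or ''),
  }
  -- A function replacement keeps '%' in values from being read as a gsub escape.
  return (SNIPPET:gsub('{(%w+)}', function(key) return fields[key] end))
end

-- Constructed sample input: one embed with the flag, one without.
local src = 'https://www.youtube.com/embed/VIDEO_ID'
print(render_iframe({ 'credentialless' }, { src = src, title = 'Lecture "1"' }))
print(render_iframe({}, { src = src, title = 'Lecture 2', width = '560' }))
```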
