Credentialless iframes
The credentialless attribute for the <iframe> HTML element loads third-party content in an ephemeral context and does not send any credentials such as cookies. When using cross-origin isolation, this allows you to embed content that does not send Cross-Origin-Embedder-Policy headers. It is most useful when native HTML semantics or browser capabilities can replace custom implementation work.
Browser support
| Feature | Chrome (desktop) | Edge (desktop) | Firefox (desktop) | Safari (desktop) | Chrome Android (mobile) | Safari iOS (mobile) |
|---|---|---|---|---|---|---|
| api.HTMLIFrameElement.credentialless (Experimental) | 110 | 110 | | | 110 | |
| HTML attribute | | | | | | |
| credentialless (Experimental): IFrame credentialless provides a mechanism for developers to load third-party resources in iframes using a new, ephemeral context. It doesn't have access to its regular origin's network, cookies, and storage data. It uses a new context local to the top-level document lifetime. In return, the Cross-Origin-Embedder-Policy (COEP) embedding rules can be lifted,… | 110 | 110 | | | 110 | |
| DOM API | | | | | | |
| credentialless (Experimental): The window.credentialless read-only property returns a boolean that indicates whether the current document was loaded inside a credentialless iframe, meaning that it is loaded in a new, ephemeral context. | 110 | 110 | | | 110 | |
Syntax
<iframe src="https://third-party.example.com"
        credentialless
        width="600" height="400">
</iframe>
Why use it
Credentialless mode can reduce cross-site state sharing when an embed does not need signed-in context.
Design checklist
Only choose credentialless mode when the embedded experience can work without cookies or other credentials.
Use cases
Strengthen integration
Use credentialless iframes when browser APIs need clearer security boundaries or more explicit capabilities.
Connect platform features
Apply credentialless iframes when your app benefits from deeper browser or device integration.
Cautions
- Test credentialless iframes in your target browsers and input environments before depending on them as a primary behavior.
- Provide a fallback path or acceptable degradation strategy when support is still limited.
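One way to act on the fallback caution above, as an added example that is not code from this page or from any browser vendor: detect the `credentialless` property before relying on it, and degrade to a link when the page is cross-origin isolated and an ordinary iframe would be blocked. The function names, mode strings and link text are assumptions.

```javascript
// Added example. Function names, mode strings and link text are hypothetical.

// True when the browser exposes HTMLIFrameElement.credentialless.
function supportsCredentialless(win) {
  return typeof win.HTMLIFrameElement === 'function' &&
    'credentialless' in win.HTMLIFrameElement.prototype;
}

function makeFrame(doc, url, credentialless) {
  const frame = doc.createElement('iframe');
  // Set the flag before src so the first navigation uses the ephemeral context.
  if (credentialless) frame.credentialless = true;
  frame.src = url;
  return frame;
}

// Embeds `url` in `container` and reports which path was taken.
function embedThirdParty(win, container, url) {
  const doc = win.document;
  let mode, element;
  if (supportsCredentialless(win)) {
    mode = 'credentialless';
    element = makeFrame(doc, url, true);
  } else if (win.crossOriginIsolated) {
    // Under cross-origin isolation, an ordinary iframe to a document that
    // sends no COEP header is blocked, so degrade to a link instead.
    mode = 'link-fallback';
    element = doc.createElement('a');
    element.href = url;
    element.target = '_blank';
    element.rel = 'noopener noreferrer';
    element.textContent = 'Open the embedded content in a new tab';
  } else {
    // Loads, but the embed may receive its usual cookies and storage.
    // Callers that need the no-credentials guarantee should treat this as a failure.
    mode = 'plain-iframe';
    element = makeFrame(doc, url, false);
  }
  container.appendChild(element);
  return { mode, element };
}

// Browser usage; skipped when run outside a page (for example under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const result = embedThirdParty(window, document.body,
    'https://third-party.example.com');
  console.log('embed mode:', result.mode);
}
```

The returned `mode` lets the embedding page log or reject the `plain-iframe` path when the embed must not receive cookies.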
Accessibility
- Make sure credentialless iframes support the intended task without making the page harder to perceive, understand, or operate.