Limited support Use with care and provide a fallback when broad support matters.

Credentialless iframes

Experimental: This is an experimental technology

Check the Browser compatibility table carefully before using this in production.

IFrame credentialless provides a mechanism for developers to load third-party resources in <iframe>s using a new, ephemeral context. It doesn't have access to its regular origin's network, cookies, and storage data. It uses a new context local to the top-level document lifetime. In return, the Cross-Origin-Embedder-Policy (COEP) embedding rules can be lifted, so documents with COEP set can embed third-party documents that do not.

Security and APIsSecurity

Browser support

Feature Desktop Mobile
Chrome
Edge
Firefox
Safari
Chrome Android
Safari iOS
api.HTMLIFrameElement.credentialless
Experimental
110
110
110
HTML attribute
credentialless
Experimental

IFrame credentialless provides a mechanism for developers to load third-party resources in iframes using a new, ephemeral context. It doesn't have access to its regular origin's network, cookies, and storage data. It uses a new context local to the top-level document lifetime. In return, the Cross-Origin-Embedder-Policy (COEP) embedding rules can be lifted,…
110
110
110
DOM API
credentialless
Experimental

The window.credentialless read-only property returns a boolean that indicates whether the current document was loaded inside a credentialless iframe, meaning that it is loaded in a new, ephemeral context.
110
110
110
1+Supported (version) Not supported Has note Sub-feature descriptions sourced from MDN Web Docs (CC BY-SA 2.5)

Syntax

HTML 
<iframe src="https://third-party.example.com"
  credentialless
  width="600" height="400">
</iframe>

Live demo

Credentialless embedding

Explain how a credentialless iframe omits cookies and other ambient credentials.

PreviewFullscreen

Why use it

Credentialless mode can reduce cross-site state sharing when an embed does not need signed-in context.

PreviewFullscreen

Design checklist

Only choose credentialless mode when the embedded experience can work without cookies or other credentials.

PreviewFullscreen

Use cases

  • Strengthen integration

    Use Credentialless iframes when browser APIs need clearer security boundaries or more explicit capabilities.

  • Connect platform features

    Apply Credentialless iframes when your app benefits from deeper browser or device integration.

Cautions

  • Test Credentialless iframes in your target browsers and input environments before depending on it as a primary behavior.
  • Provide a fallback path or acceptable degradation strategy when support is still limited.

Accessibility

  • Make sure Credentialless iframes supports the intended task without making the page harder to perceive, understand, or operate.

Related links