Window: credentialless property

Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

Non-standard: This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.

The window.credentialless read-only property returns a boolean that indicates whether the current document was loaded inside a credentialless <iframe>, meaning that it is loaded in a new, ephemeral context.

This context doesn't have access to the network, cookies, and storage data associated with its origin. It uses a new context local to the top-level document lifetime. In return, the Cross-Origin-Embedder-Policy (COEP) embedding rules can be lifted, so documents with COEP set can embed third-party documents that do not.

See IFrame credentialless for a deeper explanation.


A boolean. A value of true indicates that the document was loaded inside a credentialless <iframe>; false indicates that it was not.


You can specify a credentialless <iframe> like so:

  title="Spectre vulnerability Wikipedia page"

In supporting browsers, if the document loaded in the <iframe> were to run the following line, it would return true:



No specification found

No specification data found for api.Window.credentialless.
Check for problems with this page or contribute a missing spec_url to mdn/browser-compat-data. Also make sure the specification is included in w3c/browser-specs.

Browser compatibility

BCD tables only load in the browser