Merge pull request #261 from espensgr/patch-1

Update 3.crossOriginEmbedderPolicy.md

docs/content/1.documentation/2.headers/3.crossOriginEmbedderPolicy.md

@@ -53,7 +53,7 @@ Cross-Origin-Embedder-Policy: require-corp
 The `crossOriginEmbedderPolicy` header can be configured with following values.
 
 ```ts
-crossOriginEmbedderPolicy: 'unsafe-none' | 'require-corp' | false;
+crossOriginEmbedderPolicy: 'unsafe-none' | 'require-corp' | 'credentialless' | false;
 ```
 
 ### `unsafe-none`
@@ -64,6 +64,10 @@ This is the default value. Allows the document to fetch cross-origin resources w
 
 A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin. If a cross origin resource supports CORS, the crossorigin attribute or the Cross-Origin-Resource-Policy header must be used to load it without being blocked by COEP.
 
+### `credentialless`
+
+no-cors cross-origin requests are sent without credentials. In particular, it means Cookies are omitted from the request, and ignored from the response. The responses are allowed **without** an explicit permission via the Cross-Origin-Resource-Policy header. Navigate responses behave similarly as the require-corp mode: They require Cross-Origin-Resource-Policy response header.
+
 ::alert{type="warning"}
 ⚠️ Read more about `Avoiding blockage with CORS` [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy#avoiding_coep_blockage_with_cors).
 ::

src/types/headers.ts

@@ -2,7 +2,7 @@ export type CrossOriginResourcePolicyValue = 'same-site' | 'same-origin' | 'cros
 
 export type CrossOriginOpenerPolicyValue = 'unsafe-none' | 'same-origin-allow-popups' | 'same-origin';
 
-export type CrossOriginEmbedderPolicyValue = 'unsafe-none' | 'require-corp';
+export type CrossOriginEmbedderPolicyValue = 'unsafe-none' | 'require-corp' | 'credentialless';
 
 export type ReferrerPolicyValue =
   | 'no-referrer'