web-feature: Credentialless iframes

The credentialless attribute for the <iframe> HTML element loads third-party content in an ephemeral context and does not send any credentials such as cookies. When using cross-origin isolation, this allows you to embed content that does not send Cross-Origin-Embedder-Policy headers.

WKWebView

macOS

*

iOS

*

Android WebView

Android

*

WebView2

Windows

*

Chrome Browser

Android

110

Safari Browser

iOS

*

Notes

Support data provided by: BCD logo

Know something we don't?

Is any of the above data outdated? Or do you want to add a new WebView to the list? Heads on to GitHub and edit the data file!

Edit this page on GitHub Report an issue on GitHub

Not comfortable with GitHub? Send us an email.

Please help us keeping this data updated

This feature was last updated on November 22, 2025.