Description
Branching from #4175:
Some -- probably most -- resources on the web are public, and their content is not sensitive in any way; however, a site which can embed them in a page is still blocked from reading their content, or knowing anything about the content at all, despite the origin server being in the position of being able to fetch the identical resource from its own location.
I'd like to use COEP to declare that certain subresources are public, having been fetched over the public internet (per CORS-1918), without any cookies/credentials attached.
It's not in the current proposal, but I could imagine something like
Cross-Origin-Embedder-Policy: no-credentials
being used to force that mode. Third-party cookies would not be sent, even if they exist, and the content of the resource could potentially be made available to the embedder. The site would still send first-party cookies for those resources, but is essentially declaring that it does not want to embed any sensitive third-party content.
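As an added illustration of the rule sketched in this issue (example code written for this page, not part of the issue, the COEP proposal, or any browser), the model below treats `Cross-Origin-Embedder-Policy: no-credentials` as a policy under which first-party cookies are still attached, cross-origin cookies are withheld, and a cross-origin response fetched without credentials may be exposed to the embedder because it is byte-identical to what any anonymous client on the public internet would receive. The hostnames, the cookie jar and the toy resource server are constructed; the "no policy" baseline models today's behaviour (cookies sent, response opaque), and the exposure rule is the issue's proposal, not current browser behaviour.

```javascript
// Constructed cookie jar: which hosts have a cookie in this browser profile.
const cookieJar = new Map([
  ['bank.example', 'session=u42'], // constructed third-party site with a login
  ['site.example', 'pref=dark'],   // constructed first-party (embedding) site
]);

// Toy cross-origin resource server (constructed): the same URL yields public
// content for an anonymous request and account-specific content when the
// session cookie is present. This is exactly why credentialed cross-origin
// responses must stay opaque to the embedder.
function serveResource(host, path, cookie) {
  if (host === 'bank.example' && cookie === 'session=u42') {
    return { body: 'balance for u42: 1234', sensitive: true };
  }
  return { body: `public ${host}${path}`, sensitive: false };
}

// Which cookies the browser attaches to a subresource request.
// Under the proposed "no-credentials" policy, cookies go only to the
// document's own origin; cross-origin (third-party) cookies are withheld even
// if they exist. With no policy, the jar is consulted for every host.
function cookiesFor(documentHost, resourceHost, coep) {
  const sameOrigin = documentHost === resourceHost;
  if (coep === 'no-credentials' && !sameOrigin) return undefined;
  return cookieJar.get(resourceHost);
}

// Browser model: fetch a subresource on behalf of a document under `coep`.
// Returns what the embedder may read (null when the response stays opaque),
// plus the cookie that was sent, so the two policies can be compared.
function embeddedFetch(documentHost, resourceUrl, coep) {
  const { host, pathname } = new URL(resourceUrl);
  const cookie = cookiesFor(documentHost, host, coep);
  const response = serveResource(host, pathname, cookie);
  const sameOrigin = documentHost === host;
  // Proposal in the issue: content may be made readable when the request was
  // same-origin or carried no credentials; otherwise it remains opaque.
  const readable = sameOrigin || cookie === undefined;
  return { body: readable ? response.body : null, readable, sentCookie: cookie };
}

// The justification in the issue: a non-credentialed embedded fetch returns
// the same bytes the embedding site's own server would get by fetching the
// resource from its own location (i.e. an anonymous fetch).
function matchesAnonymousFetch(documentHost, resourceUrl, coep) {
  const { host, pathname } = new URL(resourceUrl);
  const anonymous = serveResource(host, pathname, undefined).body;
  const embedded = embeddedFetch(documentHost, resourceUrl, coep);
  return embedded.readable && embedded.body === anonymous;
}

// Stand-alone demonstration.
const bankUrl = 'https://bank.example/account';
console.log('no-credentials:', embeddedFetch('site.example', bankUrl, 'no-credentials'));
console.log('no policy     :', embeddedFetch('site.example', bankUrl, undefined));
console.log('first-party   :', embeddedFetch('site.example', 'https://site.example/app.css', 'no-credentials'));
```

Under the proposed policy the bank's session cookie is never attached, so the embedder only ever sees the public variant of the resource; without the policy the cookie is sent and the account-specific body exists, which is why that response has to remain unreadable.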