To our understanding there is no reason to use COEP Credentials. It seems less secure than using SAB + WebCodecs and does not provide any advantage over the other two.
It’s not a question of being more or less secure, but of being able to use features required by Zoom without the web isolation strict mode.
Looks like either you did not realize that the SAB will end in December and that after that, unless web isolation is set, the Zoom Web SDK will not work anymore.
So it’s all about being able to implement web isolation on time, before that SAB OT ends, and credentialless brings another mode for web isolation, more permissive yes, but one that unblocks the situation where it’s impossible to implement web isolation in its strict mode.
I understand that you - Zoom - within your very simple example application do not need it as you are not using anything other than your own services, but we - Zoom’s client - are integrating your products inside another larger application scope that potentially uses other services (like Datadog in our example) that cannot be used - yet - with the web isolation mode set up.
This is why in our case the credentialless mode seems to be a good temporary solution to have features requiring web isolation mode continue to work, but without the pain of being forced to implement web isolation everywhere, especially when it comes to requesting this web isolation implementation from 3rd party vendors (they also have their own agenda that might not match with ours or yours).
I asked that question because, from our test, it’s obvious that the Web SDK does not care at all about the credentialless mode right now, since when we use it, the SharedArrayBuffer warning log saying “hey, you have to implement web isolation before…” still pops up. I bet the current code checks the value of the web isolation mode for the strict mode only, since it was published before the OT for the credentialless mode became public.
It would be great if the SDK were a bit more flexible and took the credentialless mode into consideration. And because it’s a feature allowed by Google (after so many customers complained about them forcing this web isolation everywhere at the last minute), you should de-facto support it and include that in the guide & your tests, as your customers may use it - again, as a temporary solution; we all agree this is not a long term solution.
PS: if you don’t know what the Credentialless mode for web isolation is, I invite you to read this. This mode will be definitively part of Chrome 96 by the way, so it’s real & official, not just an OT.
And let me quote this here to make sure this replies to your original answer:
With COEP: credentialless, we want to find a robust-enough protection against accidental cross-process leakage, without requiring an explicit opt-in from every subresource.
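
The difference discussed in this post, between a gate that accepts only strict isolation and one that also accepts credentialless, shown as an added example (not Zoom Web SDK code and not from this thread). The function names `sfToken`, `isolationMode`, `strictOnlyGate` and `isolatedGate` and the sample responses are hypothetical; the header names and values are the standard COOP/COEP ones.

```javascript
// Added example: classify a document response's cross-origin isolation mode
// from its headers. All function names here are hypothetical.

// Return the bare token of a single-item header, or null if absent/malformed.
function sfToken(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  if (key === undefined) return null;
  const raw = String(headers[key]);
  if (raw.includes(",")) return null;   // a list (repeated header) is not a valid item
  return raw.split(";")[0].trim();      // drop parameters such as report-to
}

// "strict" = COEP require-corp, "credentialless" = COEP credentialless.
// Both need COOP same-origin; anything else is not cross-origin isolated.
function isolationMode(headers) {
  const coop = sfToken(headers, "cross-origin-opener-policy");
  const coep = sfToken(headers, "cross-origin-embedder-policy");
  if (coop !== "same-origin") return "none";
  if (coep === "require-corp") return "strict";
  if (coep === "credentialless") return "credentialless";
  return "none";
}

// A gate that recognises only the strict mode, next to one that accepts both.
const strictOnlyGate = (headers) => isolationMode(headers) === "strict";
const isolatedGate = (headers) => isolationMode(headers) !== "none";

// Constructed sample responses (not captured from any real service).
const samples = {
  strictDoc: {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
  },
  credentiallessDoc: {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": 'credentialless; report-to="coep"',
  },
  reportOnlyDoc: {   // a Report-Only header enforces nothing
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy-Report-Only": "require-corp",
  },
  noCoopDoc: { "Cross-Origin-Embedder-Policy": "credentialless" },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(name, isolationMode(headers),
    "strictOnly:", strictOnlyGate(headers), "isolated:", isolatedGate(headers));
}
```

Inside the page itself, `self.crossOriginIsolated` is `true` under either mode in browsers that support credentialless, so a runtime check on that property does not distinguish the two.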