Origins are the fundamental currency of the Web's security model. Two actors in the Web platform that share an origin are assumed to trust each other and to have the same authority. Actors with differing origins are considered potentially hostile versus each other, and are isolated from each other to varying degrees.
For
example,
if
Example
Bank's
Web
site,
hosted
at
bank.example.com
,
tries
to
examine
the
DOM
of
Example
Charity's
Web
site,
hosted
at
charity.example.org
,
a
"
SecurityError
"
DOMException
will
be
raised.
An origin is one of the following:
An
internal
value,
with
no
serialization
it
can
be
recreated
from
(it
is
serialized
as
"
null
"
per
serialization
of
an
origin
),
for
which
the
only
meaningful
operation
is
testing
for
equality.
A tuple consists of:
Origins
can
be
shared,
e.g.,
among
multiple
Document
objects.
Furthermore,
origins
are
generally
immutable.
Only
the
domain
of
a
tuple
origin
can
be
changed,
and
only
through
the
document.domain
API.
The effective domain of an origin origin is computed as follows:
If origin is an opaque origin , then return null.
If origin 's domain is non-null, then return origin 's domain .
Return origin 's host .
Various specification objects are defined to have an origin . These origins are determined as follows:
Document
objects
The create a new browsing context and navigation algorithms assign the origin at construction time. Otherwise, the default default behavior as defined in DOM applies. [DOM]
img
elements
A unique opaque origin assigned when the image is created.
The
img
element's
node
document
's
origin
.
audio
and
video
elements
A unique opaque origin assigned when the media data is fetched.
The media element 's node document 's origin .
Other
specifications
can
override
the
above
definitions
by
themselves
specifying
the
origin
of
a
particular
Document
object,
image,
or
media
element
.
The serialization of an origin is the string obtained by applying the following algorithm to the given origin origin :
If
origin
is
an
opaque
origin
,
then
return
"
null
".
Otherwise, let result be origin 's scheme .
Append
"
://
"
to
result
.
Append origin 's host , serialized , to result .
If origin 's port is non-null, append a U+003A COLON character (:), and origin 's port , serialized , to result .
Return result .
The
serialization
of
("
https
",
"
xn--maraa-rta.example
",
null,
null)
is
"
https://xn--maraa-rta.example
".
There used to also be a Unicode serialization of an origin . However, it was never widely adopted.
Two origins , A and B , are said to be same origin if the following algorithm returns true:
If A and B are the same opaque origin , then return true.
If A and B are both tuple origins and their schemes , hosts , and port are identical, then return true.
Return false.
Two origins , A and B , are said to be same origin-domain if the following algorithm returns true:
If A and B are the same opaque origin , then return true.
If A and B are both tuple origins , run these substeps:
If A and B 's schemes are identical, and their domains are identical and non-null, then return true.
Otherwise, if A and B are same origin and their domains are identical and null, then return true.
Return false.
| A | B | same origin | same origin-domain |
|---|---|---|---|
("
https
",
"
example.org
",
null,
null)
|
("
https
",
"
example.org
",
null,
null)
| ✅ | ✅ |
("
https
",
"
example.org
",
314,
null)
|
("
https
",
"
example.org
",
420,
null)
| ❌ | ❌ |
("
https
",
"
example.org
",
314,
"
example.org
")
|
("
https
",
"
example.org
",
420,
"
example.org
")
| ❌ | ✅ |
("
https
",
"
example.org
",
null,
null)
|
("
https
",
"
example.org
",
null,
"
example.org
")
| ✅ | ❌ |
("
https
",
"
example.org
",
null,
"
example.org
")
|
("
http
",
"
example.org
",
null,
"
example.org
")
| ❌ | ❌ |
A scheme-and-registrable-domain is a tuple of a scheme and a domain .
A site is an opaque origin , a tuple origin whose host 's registrable domain is null, or a scheme-and-registrable-domain .
To obtain a site , given an origin origin , run these steps:
If origin is an opaque origin , then return origin .
If origin 's host 's registrable domain is null, then return origin .
Return ( origin 's scheme , origin 's host 's registrable domain ).
Two origins , A and B , are said to be schemelessly same site if the following algorithm returns true:
If A and B are the same opaque origin , then return true.
If A and B are both tuple origins , then:
If hostA equals hostB and hostA 's registrable domain is null, then return true.
If hostA 's registrable domain equals hostB 's registrable domain and is non-null, then return true.
Return false.
Two origins , A and B , are said to be same site if both of the following statements are true:
A and B are schemelessly same site
A and B are either both opaque origins , or both tuple origins with the same scheme
Unlike the same origin and same origin-domain concepts, for schemelessly same site and same site , the port and domain components are ignored.
For the reasons explained in URL , the same site and schemelessly same site concepts should be avoided when possible, in favor of same origin checks.
Given
that
wildlife.museum
,
museum
,
and
com
are
public
suffixes
and
that
example.com
is
not:
| A | B | schemelessly same site | same site |
|---|---|---|---|
("
https
",
"
example.com
")
|
("
https
",
"
sub.example.com
")
| ✅ | ✅ |
("
https
",
"
example.com
")
|
("
https
",
"
sub.other.example.com
")
| ✅ | ✅ |
("
https
",
"
example.com
")
|
("
http
",
"
non-secure.example.com
")
| ✅ | ❌ |
("
https
",
"
r.wildlife.museum
")
|
("
https
",
"
sub.r.wildlife.museum
")
| ✅ | ✅ |
("
https
",
"
r.wildlife.museum
")
|
("
https
",
"
sub.other.r.wildlife.museum
")
| ✅ | ✅ |
("
https
",
"
r.wildlife.museum
")
|
("
https
",
"
other.wildlife.museum
")
| ❌ | ❌ |
("
https
",
"
r.wildlife.museum
")
|
("
https
",
"
wildlife.museum
")
| ❌ | ❌ |
("
https
",
"
wildlife.museum
")
|
("
https
",
"
wildlife.museum
")
| ❌ | ❌ |
(Here we have omitted the port and domain components since they are not considered.)
domain
[
=
domain
]
Returns the current domain used for security checks.
Can
be
set
to
a
value
that
removes
subdomains,
to
change
the
origin
's
domain
to
allow
pages
on
other
subdomains
of
the
same
domain
(if
they
do
the
same
thing)
to
access
each
other.
(Can't
be
set
in
sandboxed
iframe
s.)
To determine if a string hostSuffixString is a registrable domain suffix of or is equal to a host originalHost , run these steps:
If hostSuffixString is the empty string, then return false.
Let host be the result of parsing hostSuffixString .
If host is failure, then return false.
If host does not equal originalHost , then:
If host or originalHost is not a domain , then return false.
This excludes hosts that are an IPv4 address or an IPv6 address .
If host , prefixed by a U+002E FULL STOP (.), does not exactly match the end of originalHost , then return false.
If host equals host 's public suffix , then return false. [URL]
Return true.
The
domain
attribute's
getter
must
run
these
steps:
Let
effectiveDomain
be
this
Document
object's
origin
's
effective
domain
.
If effectiveDomain is null, then return the empty string.
Return effectiveDomain , serialized .
The
domain
attribute's
setter
must
run
these
steps:
If
this
Document
object's
browsing
context
is
null,
then
throw
a
"
SecurityError
"
DOMException
.
If
this
Document
object's
active
sandboxing
flag
set
has
its
sandboxed
document.domain
browsing
context
flag
set,
then
throw
a
"
SecurityError
"
DOMException
.
If
this
Document
object
is
not
allowed
to
use
the
"
document-domain
"
feature,
then
throw
a
"
SecurityError
"
DOMException
.
Let
effectiveDomain
be
this
Document
object's
origin
's
effective
domain
.
If
effectiveDomain
is
null,
then
throw
a
"
SecurityError
"
DOMException
.
If
the
given
value
is
not
a
registrable
domain
suffix
of
and
is
not
equal
to
effectiveDomain
,
then
throw
a
"
SecurityError
"
DOMException
.
If the surrounding agent 's agent cluster 's cross-origin isolated is true, then return.
Set
this
Document
object's
origin
's
domain
to
the
result
of
parsing
the
given
value.
The
document.domain
attribute
is
used
to
enable
pages
on
different
hosts
of
a
domain
to
access
each
other's
DOMs.
Do
not
use
the
document.domain
attribute
when
using
shared
hosting.
If
an
untrusted
third
party
is
able
to
host
an
HTTP
server
at
the
same
IP
address
but
on
a
different
port,
then
the
same-origin
protection
that
normally
protects
two
different
sites
on
the
same
host
will
fail,
as
the
ports
are
ignored
when
comparing
origins
after
the
document.domain
attribute
has
been
used.
A sandboxing flag set is a set of zero or more of the following flags, which are used to restrict the abilities that potentially untrusted resources have:
This flag prevents content from navigating browsing contexts other than the sandboxed browsing context itself (or browsing contexts further nested inside it), auxiliary browsing contexts (which are protected by the sandboxed auxiliary navigation browsing context flag defined next), and the top-level browsing context (which is protected by the sandboxed top-level navigation without user activation browsing context flag and sandboxed top-level navigation with user activation browsing context flag defined below).
If the sandboxed auxiliary navigation browsing context flag is not set, then in certain cases the restrictions nonetheless allow popups (new top-level browsing contexts ) to be opened. These browsing contexts always have one permitted sandboxed navigator , set when the browsing context is created, which allows the browsing context that created them to actually navigate them. (Otherwise, the sandboxed navigation browsing context flag would prevent them from being navigated even if they were opened.)
This
flag
prevents
content
from
creating
new
auxiliary
browsing
contexts
,
e.g.
using
the
target
attribute
or
the
window.open()
method.
This flag prevents content from navigating their top-level browsing context and prevents content from closing their top-level browsing context . It is consulted only when the sandboxed browsing context's active window does not have transient activation .
When the sandboxed top-level navigation without user activation browsing context flag is not set, content can navigate its top-level browsing context , but other browsing contexts are still protected by the sandboxed navigation browsing context flag and possibly the sandboxed auxiliary navigation browsing context flag .
This flag prevents content from navigating their top-level browsing context and prevents content from closing their top-level browsing context . It is consulted only when the sandboxed browsing context's active window has transient activation .
As with the sandboxed top-level navigation without user activation browsing context flag , this flag only affects the top-level browsing context ; if it is not set, other browsing contexts might still be protected by other flags.
This
flag
prevents
content
from
instantiating
plugins
,
whether
using
the
embed
element
,
the
object
element
,
or
through
navigation
of
their
nested
browsing
context
,
unless
those
plugins
can
be
secured
.
This flag forces content into a unique origin , thus preventing it from accessing other content from the same origin .
This
flag
also
prevents
script
from
reading
from
or
writing
to
the
document.cookie
IDL
attribute
,
and
blocks
access
to
localStorage
.
This flag blocks form submission .
This flag disables the Pointer Lock API. [POINTERLOCK]
This flag blocks script execution .
This flag blocks features that trigger automatically, such as automatically playing a video or automatically focusing a form control .
document.domain
browsing
context
flag
This
flag
prevents
content
from
using
the
document.domain
setter.
This flag prevents content from escaping the sandbox by ensuring that any auxiliary browsing context it creates inherits the content's active sandboxing flag set .
This flag prevents content from using any of the following features to produce modal dialogs:
This flag disables the ability to lock the screen orientation. [SCREENORIENTATION]
This flag disables the Presentation API. [PRESENTATION]
This flag prevents content from initiating or instantiating downloads, whether through downloading hyperlinks or through navigation that gets handled as a download .
When the user agent is to parse a sandboxing directive , given a string input , a sandboxing flag set output , it must run the following steps:
Split input on ASCII whitespace , to obtain tokens .
Let output be empty.
Add the following flags to output :
The
sandboxed
auxiliary
navigation
browsing
context
flag
,
unless
tokens
contains
the
allow-popups
keyword.
The
sandboxed
top-level
navigation
without
user
activation
browsing
context
flag
,
unless
tokens
contains
the
allow-top-navigation
keyword.
The
sandboxed
top-level
navigation
with
user
activation
browsing
context
flag
,
unless
tokens
contains
either
the
allow-top-navigation-by-user-activation
keyword
or
the
allow-top-navigation
keyword.
This
means
that
if
the
allow-top-navigation
is
present,
the
allow-top-navigation-by-user-activation
keyword
will
have
no
effect.
For
this
reason,
specifying
both
is
a
document
conformance
error.
The
sandboxed
origin
browsing
context
flag
,
unless
the
tokens
contains
the
allow-same-origin
keyword.
The
allow-same-origin
keyword
is
intended
for
two
cases.
First, it can be used to allow content from the same site to be sandboxed to disable scripting, while still allowing access to the DOM of the sandboxed content.
Second, it can be used to embed content from a third-party site, sandboxed to prevent that site from opening popups, etc, without preventing the embedded page from communicating back to its originating site, using the database APIs to store data, etc.
The
sandboxed
forms
browsing
context
flag
,
unless
tokens
contains
the
allow-forms
keyword.
The
sandboxed
pointer
lock
browsing
context
flag
,
unless
tokens
contains
the
allow-pointer-lock
keyword.
The
sandboxed
scripts
browsing
context
flag
,
unless
tokens
contains
the
allow-scripts
keyword.
The
sandboxed
automatic
features
browsing
context
flag
,
unless
tokens
contains
the
allow-scripts
keyword
(defined
above).
This flag is relaxed by the same keyword as scripts, because when scripts are enabled these features are trivially possible anyway, and it would be unfortunate to force authors to use script to do them when sandboxed rather than allowing them to use the declarative features.
The
sandbox
propagates
to
auxiliary
browsing
contexts
flag
,
unless
tokens
contains
the
allow-popups-to-escape-sandbox
keyword.
The
sandboxed
modals
flag
,
unless
tokens
contains
the
allow-modals
keyword.
The
sandboxed
orientation
lock
browsing
context
flag
,
unless
tokens
contains
the
allow-orientation-lock
keyword.
The
sandboxed
presentation
browsing
context
flag
,
unless
tokens
contains
the
allow-presentation
keyword.
The
sandboxed
downloads
browsing
context
flag
,
unless
tokens
contains
the
allow-downloads
keyword.
Every top-level browsing context has a popup sandboxing flag set , which is a sandboxing flag set . When a browsing context is created, its popup sandboxing flag set must be empty. It is populated by the rules for choosing a browsing context .
Every
iframe
element
has
an
iframe
sandboxing
flag
set
,
which
is
a
sandboxing
flag
set
.
Which
flags
in
an
iframe
sandboxing
flag
set
are
set
at
any
particular
time
is
determined
by
the
iframe
element's
sandbox
attribute.
Every
Document
has
an
active
sandboxing
flag
set
,
which
is
a
sandboxing
flag
set
.
When
the
Document
is
created,
its
active
sandboxing
flag
set
must
be
empty.
It
is
populated
by
the
navigation
algorithm
.
Every resource that is obtained by the navigation algorithm has a forced sandboxing flag set , which is a sandboxing flag set . A resource by default has no flags set in its forced sandboxing flag set , but other specifications can define that certain flags are set.
In particular, the forced sandboxing flag set is used by Content Security Policy . [CSP]
To determine the creation sandboxing flags for a browsing context browsing context , given null or an element embedder , return the union of the flags that are present in the following sandboxing flag sets :
If embedder is null, then: the flags set on browsing context 's popup sandboxing flag set .
If
embedder
is
an
element,
then:
the
flags
set
on
embedder
's
iframe
sandboxing
flag
set
.
If embedder is an element, then: the flags set on embedder 's node document 's active sandboxing flag set .
After creation, the sandboxing flags for a browsing context browsing context are the result of determining the creation sandboxing flags given browsing context and browsing context 's container .
A cross-origin opener policy allows a document which is navigated to in a top-level browsing context to force the creation of a new top-level browsing context , and a corresponding group . It has one of the following values:
unsafe-none
"
This is the (current) default and means that the document will occupy the same top-level browsing context as its predecessor, unless that document specified a different cross-origin opener policy .
same-origin-allow-popups
"
This forces the creation of a new top-level browsing context for the document, unless its predecessor specified the same cross-origin opener policy and they are same origin .
same-origin
"
This
behaves
the
same
as
"
same-origin-allow-popups
",
with
the
addition
that
any
auxiliary
browsing
context
created
needs
to
contain
same
origin
documents
that
also
have
the
same
cross-origin
opener
policy
or
it
will
appear
closed
to
the
opener.
same-origin-plus-COEP
"
This
behaves
the
same
as
"
same-origin
",
with
the
addition
that
it
sets
the
(new)
top-level
browsing
context
's
group
's
cross-origin
isolated
to
true.
"
same-origin-plus-COEP
"
cannot
be
directly
set
via
the
`
Cross-Origin-Opener-Policy
`
header,
but
results
from
a
combination
of
setting
both
`
Cross-Origin-Opener-Policy
:
same-origin
`
and
`
Cross-Origin-Embedder-Policy
:
require-corp
`
together.
To match cross-origin opener policies , given a cross-origin opener policy A , an origin originA , a cross-origin opener policy B , and an origin originB :
If
A
is
"
unsafe-none
"
and
B
is
"
unsafe-none
",
then
return
true.
If
A
is
"
unsafe-none
"
or
B
is
"
unsafe-none
",
then
return
false.
If A is B and originA is same origin with originB , then return true.
Return false.
Cross-Origin-Opener-Policy
`
header
A
Document
's
cross-origin
opener
policy
is
derived
from
the
`
Cross-Origin-Opener-Policy
`
HTTP
response
header.
This
header
is
a
structured
header
whose
value
must
be
a
token
.
[STRUCTURED-HEADERS]
The
valid
token
values
are
"
unsafe-none
",
"
same-origin-allow-popups
",
and
"
same-origin
".
Per the processing model described below, user agents will ignore this header if it contains an invalid value. Likewise, user agents will ignore this header if the value cannot be parsed as a token .
To obtain a cross-origin opener policy given a response response and an environment reservedEnvironment :
If
reservedEnvironment
is
a
non-secure
context
,
then
return
"
unsafe-none
".
If
response
's
HTTPS
state
is
"
deprecated
",
then
return
"
unsafe-none
".
Let
value
be
the
result
of
getting
a
structured
header
given
`
Cross-Origin-Opener-Policy
`
and
"
item
"
from
response
's
header
list
.
If
value
is
failure
or
null,
then
return
"
unsafe-none
".
If
value
[0]
is
not
"
same-origin
"
or
"
same-origin-allow-popups
",
then
return
"
unsafe-none
".
If
value
[0]
is
"
same-origin
",
then:
Let coep be the result of obtaining an embedder policy from response .
If
coep
is
"
require-corp
",
then
return
"
same-origin-plus-COEP
".
Return value [0].
To check if a response requires a browsing context group switch , given a browsing context browsingContext , an origin responseOrigin and a cross-origin opener policy responseCOOP :
Let activeDocumentNavigationOrigin be browsingContext 's active document 's origin .
Let activeDocumentCOOP be browsingContext 's active document 's cross-origin opener policy .
Let isInitialAboutBlank be false.
If
browsingContext
's
only
entry
in
its
session
history
is
the
about:blank
Document
that
was
added
when
browsingContext
was
created
,
then
set
isInitialAboutBlank
to
true.
If the result of matching activeDocumentCOOP , activeDocumentNavigationOrigin , responseCOOP and responseOrigin is true, then return false.
If all of the following are true:
isInitialAboutBlank
activeDocumentCOOP
is
"
same-origin-allow-popups
".
responseCOOP
is
"
unsafe-none
".
then return false.
Return true.
To obtain a browsing context to use for a navigation response , given a browsing context browsingContext , a sandboxing flag set sandboxFlags , and a cross-origin opener policy navigationCOOP :
Assert: browsingContext is a top-level browsing context .
Let newBrowsingContext be the result of creating a new top-level browsing context .
If
navigationCOOP
is
"
same-origin-plus-COEP
",
then
set
newBrowsingContext
's
group
's
cross-origin
isolated
to
true.
If sandboxFlags is not empty, then:
Assert:
navigationCOOP
is
"
unsafe-none
".
Set newBrowsingContext 's sandboxing flag set to sandboxFlags .
Discard browsingContext .
This has no effect on browsingContext 's group , unless browsingContext was its sole top-level browsing context . In that case, the user agent might delete the browsing context group which no longer contains any browsing contexts .
Return newBrowsingContext .
The impact of swapping browsing context groups following a navigation is not fully defined. It is currently under discussion in issue #5350 .
An embedder policy value controls the fetching of cross-origin resources without explicit permission from resource owners. There are two such values:
unsafe-none
"
This
is
the
default
value.
When
this
value
is
used,
cross-origin
resources
can
be
fetched
without
giving
explicit
permission
through
the
CORS
protocol
or
the
`
Cross-Origin-Resource-Policy
`
header.
require-corp
"
When
this
value
is
used,
fetching
cross-origin
resources
requires
the
server's
explicit
permission
through
the
CORS
protocol
or
the
`
Cross-Origin-Resource-Policy
`
header.
An embedder policy consists of:
A
value
,
which
is
an
embedder
policy
value
,
initially
"
unsafe-none
".
A reporting endpoint string, initially the empty string.
A
report
only
value
,
which
is
an
embedder
policy
value
,
initially
"
unsafe-none
".
A report only reporting endpoint string, initially the empty string.
The
"
coep
"
report
type
is
a
report
type
whose
value
is
"
coep
".
It
is
visible
to
ReportingObserver
s
.
The
`
Cross-Origin-Embedder-Policy
`
and
`
Cross-Origin-Embedder-Policy-Report-Only
`
HTTP
response
header
fields
allow
a
server
to
declare
an
embedder
policy
for
an
environment
settings
object
.
These
headers
are
structured
headers
whose
values
must
be
token
.
[STRUCTURED-HEADERS]
The
valid
token
values
are
the
embedder
policy
values
.
The
token
may
also
have
attached
parameters
;
of
these,
the
"
report-to
"
parameter
can
have
a
valid
URL
string
identifying
an
appropriate
reporting
endpoint.
[REPORTING]
The
processing
model
fails
open
(by
defaulting
to
"
unsafe-none
")
in
the
presence
of
a
header
that
cannot
be
parsed
as
a
token.
This
includes
inadvertent
lists
created
by
combining
multiple
instances
of
the
`
Cross-Origin-Embedder-Policy
`
header
present
in
a
given
response:
`
Cross-Origin-Embedder-Policy
`
| Final embedder policy value |
|---|---|
| No header delivered |
"
unsafe-none
"
|
`
require-corp
`
|
"
require-corp
"
|
`
unknown-value
`
|
"
unsafe-none
"
|
`
require-corp,
unknown-value
`
|
"
unsafe-none
"
|
`
unknown-value,
unknown-value
`
|
"
unsafe-none
"
|
`
unknown-value,
require-corp
`
|
"
unsafe-none
"
|
`
require-corp,
require-corp
`
|
"
unsafe-none
"
|
(The
same
applies
to
`
Cross-Origin-Embedder-Policy-Report-Only
`.)
To obtain an embedder policy from a response response :
Let policy be a new embedder policy .
Let
parsedItem
be
the
result
of
getting
a
structured
header
with
`
Cross-Origin-Embedder-Policy
`
and
"
item
".
If
parsedItem
is
neither
failure
nor
null
and
parsedItem
[0]
is
"
require-corp
":
Set
parsedItem
to
the
result
of
getting
a
structured
header
with
`
Cross-Origin-Embedder-Policy-Report-Only
`
and
"
item
".
If
parsedItem
is
neither
failure
nor
null
and
parsedItem
[0]
is
"
require-corp
":
Set
policy
's
report
only
value
to
"
require-corp
".
If
parsedItem
[1]["
report-to
"]
exists
,
then
set
policy
's
report
only
reporting
endpoint
to
parsedItem
[1]["
report-to
"].
Return policy .
To check a navigation response's adherence to its embedder policy given a response response and a browsing context target :
If target is not a child browsing context , then return true.
Let responsePolicy be the result of obtaining an embedder policy from response .
Let parentPolicy be target 's container document 's embedder policy .
If
parentPolicy
's
report
only
value
is
"
require-corp
"
and
responsePolicy
's
value
is
"
unsafe-none
",
then
queue
a
cross-origin
embedder
policy
inheritance
violation
with
response
,
"
navigation
",
parentPolicy
's
report
only
reporting
endpoint
,
and
target
's
container
document
's
relevant
settings
object
.
If
parentPolicy
's
value
is
"
unsafe-none
"
or
responsePolicy
's
value
is
"
require-corp
",
then
return
true.
Queue
a
cross-origin
embedder
policy
inheritance
violation
with
response
,
"
navigation
",
parentPolicy
's
reporting
endpoint
,
and
target
's
container
document
's
relevant
settings
object
.
Return false.
To
check
a
global
object's
embedder
policy
given
a
WorkerGlobalScope
workerGlobalScope
,
an
environment
settings
object
owner
,
and
a
response
response
:
If
workerGlobalScope
is
not
a
DedicatedWorkerGlobalScope
object,
then
return
true.
Let policy be workerGlobalScope 's embedder policy .
Let ownerPolicy be owner 's embedder policy .
If
ownerPolicy
's
report
only
value
is
"
require-corp
"
and
policy
's
value
is
"
unsafe-none
",
then
queue
a
cross-origin
embedder
policy
inheritance
violation
with
response
,
"
worker
initialization
",
owner's
policy
's
report
only
reporting
endpoint
,
and
owner
.
If
ownerPolicy
's
value
is
"
unsafe-none
"
or
policy
's
value
is
"
require-corp
",
then
return
true.
Queue
a
cross-origin
embedder
policy
inheritance
violation
with
response
,
"
worker
initialization
",
owner's
policy
's
reporting
endpoint
,
and
owner
.
Return false.
To queue a cross-origin embedder policy inheritance violation given a response response , a string type , a string endpoint , and an environment settings object settings :
Let serialized be the result of serializing a response URL for reporting with response .
Let body be a new object containing the following properties:
| key | value |
|---|---|
| type | type |
| blocked-url | serialized |
Queue
body
as
the
"
coep
"
report
type
for
endpoint
on
settings
.