1. 7 Loading web pages
    1. 7.1 Supporting concepts
      1. 7.1.1 Origins
        1. 7.1.1.1 Sites
        2. 7.1.1.2 Relaxing the same-origin restriction
      2. 7.1.2 Origin-keyed agent clusters
      3. 7.1.3 Cross-origin opener policies
        1. 7.1.3.1 The headers
        2. 7.1.3.2 Browsing context group switches due to cross-origin opener policy
        3. 7.1.3.3 Reporting
      4. 7.1.4 Cross-origin embedder policies
        1. 7.1.4.1 The headers
        2. 7.1.4.2 Embedder policy checks
      5. 7.1.5 Sandboxing
      6. 7.1.6 Policy containers

7 Loading web pages

This section describes features that apply most directly to web browsers. Having said that, except where specified otherwise, the requirements defined in this section do apply to all user agents, whether they are web browsers or not.

7.1 Supporting concepts

7.1.1 Origins

Origins are the fundamental currency of the web's security model. Two actors in the web platform that share an origin are assumed to trust each other and to have the same authority. Actors with differing origins are considered potentially hostile versus each other, and are isolated from each other to varying degrees.

For example, if Example Bank's web site, hosted at bank.example.com, tries to examine the DOM of Example Charity's web site, hosted at charity.example.org, a "SecurityError" DOMException will be raised.

An origin is one of the following:

An opaque origin

An internal value, with no serialization it can be recreated from (it is serialized as "null" per serialization of an origin), for which the only meaningful operation is testing for equality.

A tuple origin

A tuple consists of:

Origins can be shared, e.g., among multiple Document objects. Furthermore, origins are generally immutable. Only the domain of a tuple origin can be changed, and only through the document.domain API.

The effective domain of an origin origin is computed as follows:

  1. If origin is an opaque origin, then return null.

  2. If origin's domain is non-null, then return origin's domain.

  3. Return origin's host.

The serialization of an origin is the string obtained by applying the following algorithm to the given origin origin:

  1. If origin is an opaque origin, then return "null".

  2. Otherwise, let result be origin's scheme.

  3. Append "://" to result.

  4. Append origin's host, serialized, to result.

  5. If origin's port is non-null, append a U+003A COLON character (:), and origin's port, serialized, to result.

  6. Return result.

The serialization of ("https", "xn--maraa-rta.example", null, null) is "https://xn--maraa-rta.example".

There used to also be a Unicode serialization of an origin. However, it was never widely adopted.


Two origins, A and B, are said to be same origin if the following algorithm returns true:

  1. If A and B are the same opaque origin, then return true.

  2. If A and B are both tuple origins and their schemes, hosts, and port are identical, then return true.

  3. Return false.

Two origins, A and B, are said to be same origin-domain if the following algorithm returns true:

  1. If A and B are the same opaque origin, then return true.

  2. If A and B are both tuple origins, run these substeps:

    1. If A and B's schemes are identical, and their domains are identical and non-null, then return true.

    2. Otherwise, if A and B are same origin and their domains are identical and null, then return true.

  3. Return false.

A | B | same origin | same origin-domain
("https", "example.org", null, null) | ("https", "example.org", null, null) | ✅ | ✅
("https", "example.org", 314, null) | ("https", "example.org", 420, null) | ❌ | ❌
("https", "example.org", 314, "example.org") | ("https", "example.org", 420, "example.org") | ❌ | ✅
("https", "example.org", null, null) | ("https", "example.org", null, "example.org") | ✅ | ❌
("https", "example.org", null, "example.org") | ("http", "example.org", null, "example.org") | ❌ | ❌

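
The origin algorithms above, together with the shared-hosting warning about document.domain in 7.1.1.2, worked through in JavaScript. This is an added example and not part of the specification; the object shapes and the names tupleOrigin, opaqueOrigin, withDomain and sharedHostingDemo are assumptions made for the illustration.

```javascript
// Added illustration, not text from the specification.
// Tuple origin: { scheme, host, port, domain }. Opaque origin: a unique
// object whose only meaningful operation is an identity comparison.
const tupleOrigin = (scheme, host, port = null, domain = null) =>
  Object.freeze({ opaque: false, scheme, host, port, domain });
const opaqueOrigin = () => Object.freeze({ opaque: true });

// Effective domain: null for opaque origins, else domain if set, else host.
function effectiveDomain(origin) {
  if (origin.opaque) return null;
  return origin.domain !== null ? origin.domain : origin.host;
}

// Serialization: "null" for opaque origins, else scheme://host[:port].
// The domain component never appears in the serialization.
function serializeOrigin(origin) {
  if (origin.opaque) return "null";
  let result = origin.scheme + "://" + origin.host;
  if (origin.port !== null) result += ":" + origin.port;
  return result;
}

function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

function sameOriginDomain(a, b) {
  if (a.opaque || b.opaque) return a === b;
  // Substep 1: once both sides have a domain, only scheme and domain count;
  // host and port are no longer compared.
  if (a.scheme === b.scheme && a.domain !== null && a.domain === b.domain) {
    return true;
  }
  // Substep 2: with no domain on either side, fall back to same origin.
  return sameOrigin(a, b) && a.domain === null && b.domain === null;
}

// Hypothetical helper: the state of an origin after a document.domain
// assignment that has already passed the setter's checks.
const withDomain = (origin, domain) =>
  tupleOrigin(origin.scheme, origin.host, origin.port, domain);

// Constructed shared-hosting scenario: two servers on one host, two ports.
function sharedHostingDemo() {
  const appA = tupleOrigin("https", "example.org", 314);
  const appB = tupleOrigin("https", "example.org", 420);
  const before = sameOriginDomain(appA, appB);
  const after = sameOriginDomain(
    withDomain(appA, "example.org"), withDomain(appB, "example.org"));
  // A document that sets the domain also loses synchronous access to
  // same-origin documents that did not set it.
  const oneSided = sameOriginDomain(appA, withDomain(appA, "example.org"));
  return { before, after, oneSided };
}
```
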
7.1.1.1 Sites

A scheme-and-host is a tuple of a scheme (an ASCII string) and a host (a host).

A site is an opaque origin or a scheme-and-host.

To obtain a site, given an origin origin, run these steps:

  1. If origin is an opaque origin, then return origin.

  2. If origin's host's registrable domain is null, then return (origin's scheme, origin's host).

  3. Return (origin's scheme, origin's host's registrable domain).

Two sites, A and B, are said to be same site if the following algorithm returns true:

  1. If A and B are the same opaque origin, then return true.

  2. If A or B is an opaque origin, then return false.

  3. If A's and B's scheme values are different, then return false.

  4. If A's and B's host values are not equal, then return false.

  5. Return true.

The serialization of a site is the string obtained by applying the following algorithm to the given site site:

  1. If site is an opaque origin, then return "null".

  2. Let result be site[0].

  3. Append "://" to result.

  4. Append site[1], serialized, to result.

  5. Return result.

It needs to be clear from context that the result of creating serialized value is a new realm given site, not an origin, as there is not necessarily a syntactic difference between the two. For example, the origin (" https ", " shop.example ", null, null) and the site (" https ", " shop.example ") have the same serialization: " https://shop.example ".

Two origins, A and B, are said to be schemelessly same site if the following algorithm returns true:

  1. If A and B are the same opaque origin, then return true.

  2. If A and B are both tuple origins, then:

    1. Let hostA be A's host, and let hostB be B's host.

    2. If hostA equals hostB and hostA's registrable domain is null, then return true.

    3. If hostA's registrable domain equals hostB's registrable domain and is non-null, then return true.

  3. Return false.

Two origins, A and B, are said to be same site if the following algorithm returns true:

  1. Let siteA be the result of obtaining a site given A.

  2. Let siteB be the result of obtaining a site given B.

  3. If siteA is same site with siteB, then return true.

  4. Return false.

Unlike the same origin and same origin-domain concepts, for schemelessly same site and same site, the port and domain components are ignored.

For the reasons explained in URL, the same site and schemelessly same site concepts should be avoided when possible, in favor of same origin checks.

Given that wildlife.museum, museum, and com are public suffixes and that example.com is not:

A | B | schemelessly same site | same site
("https", "example.com") | ("https", "sub.example.com") | ✅ | ✅
("https", "example.com") | ("https", "sub.other.example.com") | ✅ | ✅
("https", "example.com") | ("http", "non-secure.example.com") | ✅ | ❌
("https", "r.wildlife.museum") | ("https", "sub.r.wildlife.museum") | ✅ | ✅
("https", "r.wildlife.museum") | ("https", "sub.other.r.wildlife.museum") | ✅ | ✅
("https", "r.wildlife.museum") | ("https", "other.wildlife.museum") | ❌ | ❌
("https", "r.wildlife.museum") | ("https", "wildlife.museum") | ❌ | ❌
("https", "wildlife.museum") | ("https", "wildlife.museum") | ✅ | ✅
("https", "example.com") | ("https", "example.com.") | ❌ | ❌

(Here we have omitted the port and domain components since they are not considered.)

7.1.1.2 Relaxing the same-origin restriction

document . domain [ = domain ]

Returns the current domain used for security checks.

Can be set to a value that removes subdomains, to change the origin's domain to allow pages on other subdomains of the same domain (if they do the same thing) to access each other. This enables pages on different hosts of a domain to synchronously access each other's DOMs.

In sandboxed iframes, Documents with opaque origins, Documents without a browsing context, and when the "document-domain" feature is disabled, the setter will throw a "SecurityError" exception. In cases where crossOriginIsolated or originAgentCluster return true, the setter will do nothing.

Avoid using the document.domain setter. It undermines the security protections provided by the same-origin policy. This is especially acute when using shared hosting; for example, if an untrusted third party is able to host an HTTP server at the same IP address but on a different port, then the same-origin protection that normally protects two different sites on the same host will fail, as the ports are ignored when comparing origins after the document.domain setter has been used.

Because of these security pitfalls, this feature is in the process of being removed from the web platform. (This is a long process that takes many years.)

Instead, use postMessage() or MessageChannel objects to communicate across origins in a safe manner.

The domain getter steps are:

  1. Let effectiveDomain be this's origin's effective domain.

  2. If effectiveDomain is null, then return the empty string.

  3. Return effectiveDomain, serialized.

The domain setter steps are:

  1. If this's browsing context is null, then throw a "SecurityError" DOMException.

  2. If this's active sandboxing flag set has its sandboxed document.domain browsing context flag set, then throw a "SecurityError" DOMException.

  3. If this is not allowed to use the "document-domain" feature, then throw a "SecurityError" DOMException.

  4. Let effectiveDomain be this's origin's effective domain.

  5. If effectiveDomain is null, then throw a "SecurityError" DOMException.

  6. If the given value is not a registrable domain suffix of and is not equal to effectiveDomain, then throw a "SecurityError" DOMException.

  7. If the surrounding agent's agent cluster's is origin-keyed is true, then return.

  8. Set this's origin's domain to the result of parsing the given value.

To determine if a string hostSuffixString is a registrable domain suffix of or is equal to a host originalHost, run these steps:

  1. If hostSuffixString is the empty string, then return false.

  2. Let hostSuffix be the result of parsing hostSuffixString.

  3. If hostSuffix is failure, then return false.

  4. If hostSuffix does not equal originalHost, then:

    1. If hostSuffix or originalHost is not a domain, then return false.

      This excludes hosts that are IP addresses.

    2. If hostSuffix, prefixed by U+002E (.), does not match the end of originalHost, then return false.

    3. If one of the following is true

      • hostSuffix equals hostSuffix's public suffix

      • hostSuffix, prefixed by U+002E (.), matches the end of originalHost's public suffix

      then return false. [URL]

    4. Assert: originalHost's public suffix, prefixed by U+002E (.), matches the end of hostSuffix.

  5. Return true.
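
The site algorithms of 7.1.1.1 and the registrable domain suffix check above both depend on the Public Suffix List, so one added JavaScript example covers both; it is not part of the specification. SUFFIX_RULES is a constructed stand-in holding only the suffixes this page mentions, the platform URL parser stands in for the host parser, hosts are held in serialized form (IPv6 in brackets), and every function name is an assumption.

```javascript
// Added illustration, not text from the specification.
// Constructed stand-in for the Public Suffix List, holding only the rules
// this page mentions. Real code must consult the full, current list.
const SUFFIX_RULES = ["com", "museum", "wildlife.museum", "*.compute.amazonaws.com"];

// Longest matching rule wins; with no match the last label is the suffix.
function publicSuffix(host) {
  const dot = host.endsWith(".") ? "." : ""; // a trailing dot is preserved
  const labels = (dot ? host.slice(0, -1) : host).split(".");
  let best = 1;
  for (const rule of SUFFIX_RULES) {
    const r = rule.split(".");
    if (r.length <= best || r.length > labels.length) continue;
    const tail = labels.slice(-r.length);
    if (r.every((label, i) => label === "*" || label === tail[i])) best = r.length;
  }
  return labels.slice(-best).join(".") + dot;
}

// Serialized IPv6 hosts are bracketed and IPv4 hosts are dotted decimal.
const isDomain = (host) =>
  !host.startsWith("[") && !/^\d+(\.\d+){3}$/.test(host);

// Public suffix plus one label, or null for IP addresses and bare suffixes.
function registrableDomain(host) {
  if (!isDomain(host)) return null;
  const suffix = publicSuffix(host);
  if (suffix === host) return null;
  const rest = host.slice(0, host.length - suffix.length - 1).split(".");
  return rest[rest.length - 1] + "." + suffix;
}

// Approximates the host parser: reject URL delimiters up front, then let
// the platform URL parser canonicalize (for example "0x10203" -> "0.1.2.3").
function parseHost(input) {
  if (/[\/\\?#@]/.test(input)) return null;
  if (input.includes(":") && !input.startsWith("[")) return null;
  try { return new URL("http://" + input + "/").hostname; } catch { return null; }
}

// Origins here are { scheme, host } or an opaque marker compared by identity.
function obtainSite(origin) {
  if (origin.opaque) return origin;
  const domain = registrableDomain(origin.host);
  return { scheme: origin.scheme, host: domain === null ? origin.host : domain };
}

function sameSite(a, b) {
  const siteA = obtainSite(a);
  const siteB = obtainSite(b);
  if (siteA.opaque || siteB.opaque) return siteA === siteB;
  return siteA.scheme === siteB.scheme && siteA.host === siteB.host;
}

function schemelesslySameSite(a, b) {
  if (a.opaque || b.opaque) return a === b;
  const domainA = registrableDomain(a.host);
  if (a.host === b.host && domainA === null) return true;
  return domainA !== null && domainA === registrableDomain(b.host);
}

// The check the document.domain setter applies to the assigned value.
function isRegistrableDomainSuffixOfOrEqualTo(hostSuffixString, originalHost) {
  if (hostSuffixString === "") return false;
  const hostSuffix = parseHost(hostSuffixString);
  if (hostSuffix === null) return false;
  if (hostSuffix !== originalHost) {
    if (!isDomain(hostSuffix) || !isDomain(originalHost)) return false;
    if (!originalHost.endsWith("." + hostSuffix)) return false;
    // Refuse values that are a public suffix or sit inside one: they would
    // group unrelated registrants under one domain.
    if (hostSuffix === publicSuffix(hostSuffix) ||
        publicSuffix(originalHost).endsWith("." + hostSuffix)) return false;
  }
  return true;
}
```
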

hostSuffixString | originalHost | Outcome of is a registrable domain suffix of or is equal to | Notes
"0.0.0.0" | 0.0.0.0 | ✅ |
"0x10203" | 0.1.2.3 | ✅ |
"[0::1]" | ::1 | ✅ |
"example.com" | example.com | ✅ |
"example.com" | example.com. | ❌ | Trailing dot is significant.
"example.com." | example.com | ❌ |
"example.com" | www.example.com | ✅ |
"com" | example.com | ❌ | At the time of writing, com is a public suffix.
"example" | example | ✅ |
"compute.amazonaws.com" | example.compute.amazonaws.com | ❌ | At the time of writing, *.compute.amazonaws.com is a public suffix.
"example.compute.amazonaws.com" | www.example.compute.amazonaws.com | ❌ |
"amazonaws.com" | www.example.compute.amazonaws.com | ❌ |
"amazonaws.com" | test.amazonaws.com | ✅ | At the time of writing, amazonaws.com is a registrable domain.

7.1.2 Origin-keyed agent clusters

window . originAgentCluster

Returns true if this Window belongs to an agent cluster which is origin-keyed, in the manner described in this section.

A Document delivered over a secure context can request that it be placed in an origin-keyed agent cluster, by using the `Origin-Agent-Cluster` HTTP response header. This header is a structured header whose value must be a boolean. [STRUCTURED-FIELDS]

Per the processing model in the create and initialize a new Document object, values that are not the structured header boolean true value (i.e., `?1`) will be ignored.

The consequences of using this header are that the resulting Document's agent cluster key is its origin, instead of the corresponding site. In terms of observable effects, this means that attempting to relax the same-origin restriction using document.domain will instead do nothing, and it will not be possible to send WebAssembly.Module objects to cross-origin Documents (even if they are same site). Behind the scenes, this isolation can allow user agents to allocate implementation-specific resources corresponding to agent clusters, such as processes or threads, more efficiently.

Note that within a browsing context group, the `Origin-Agent-Cluster` header can never cause same-origin Document objects to end up in different agent clusters, even if one sends the header and the other doesn't. This is prevented by means of the historical agent cluster key map.

This means that the originAgentCluster getter can return false, even if the header is set, if the header was omitted on a previously-loaded same-origin page in the same browsing context group. Similarly, it can return true even when the header is not set.

The originAgentCluster getter steps are to return the surrounding agent's agent cluster's is origin-keyed.

Documents with an opaque origin can be considered unconditionally origin-keyed; for them the header has no effect, and the originAgentCluster getter will always return true.

Similarly, Documents whose agent cluster's cross-origin isolation mode is not "none" are automatically origin-keyed. The `Origin-Agent-Cluster` header might be useful as an additional hint to implementations about resource allocation, since the `Cross-Origin-Opener-Policy` and `Cross-Origin-Embedder-Policy` headers used to achieve cross-origin isolation are more about ensuring that everything in the same address space opts in to being there. But adding it would have no additional observable effects on author code.

7.1.3 Cross-origin opener policies

A cross-origin opener policy value allows a document which is navigated to in a top-level browsing context to force the creation of a new top-level browsing context, and a corresponding group. The possible values are:

"unsafe-none"

This is the (current) default and means that the document will occupy the same top-level browsing context as its predecessor, unless that document specified a different cross-origin opener policy.

"same-origin-allow-popups"

This forces the creation of a new top-level browsing context for the document, unless its predecessor specified the same cross-origin opener policy and they are same origin.

"same-origin"

This behaves the same as "same-origin-allow-popups", with the addition that any auxiliary browsing context created needs to contain same origin documents that also have the same cross-origin opener policy or it will appear closed to the opener.

"same-origin-plus-COEP"

This behaves the same as "same-origin", with the addition that it sets the (new) top-level browsing context's group's cross-origin isolation mode to one of "logical" or "concrete".

"same-origin-plus-COEP" cannot be directly set via the `Cross-Origin-Opener-Policy` header, but results from a combination of setting both `Cross-Origin-Opener-Policy: same-origin` and a `Cross-Origin-Embedder-Policy` header whose value is compatible with cross-origin isolation together.

A cross-origin opener policy consists of:

To match cross-origin opener policy values, given a cross-origin opener policy value A, an origin originA, a cross-origin opener policy value B, and an origin originB:

  1. If A is "unsafe-none" and B is "unsafe-none", then return true.

  2. If A is "unsafe-none" or B is "unsafe-none", then return false.

  3. If A is B and originA is same origin with originB, then return true.

  4. Return false.

7.1.3.1 The headers

A Document's cross-origin opener policy is derived from the `Cross-Origin-Opener-Policy` and `Cross-Origin-Opener-Policy-Report-Only` HTTP response headers. These headers are structured headers whose value must be a token. [STRUCTURED-FIELDS]

The valid token values are the opener policy values. The token may also have attached parameters; of these, the "report-to" parameter can have a valid URL string identifying an appropriate reporting endpoint. [REPORTING]

Per the processing model described below, user agents will ignore this header if it contains an invalid value. Likewise, user agents will ignore this header if the value cannot be parsed as a token .


To obtain a cross-origin opener policy given a response response and an environment reservedEnvironment:

  1. Let policy be a new cross-origin opener policy.

  2. If reservedEnvironment is a non-secure context, then return policy.

  3. Let value be the result of getting a structured field value given `Cross-Origin-Opener-Policy` and "item" from response's header list.

  4. If parsedItem is not null, then:

    1. If parsedItem[0] is "same-origin", then:

      1. Let coep be the result of obtaining a cross-origin embedder policy from response and reservedEnvironment.

      2. If coep's value is compatible with cross-origin isolation, then set policy's value to "same-origin-plus-COEP".

      3. Otherwise, set policy's value to "same-origin".

    2. If parsedItem[0] is "same-origin-allow-popups", then set policy's value to "same-origin-allow-popups".

    3. If parsedItem[1]["report-to"] exists and it is a string, then set policy's reporting endpoint to parsedItem[1]["report-to"].

  5. Set parsedItem to the result of getting a structured field value given `Cross-Origin-Opener-Policy-Report-Only` and "item" from response's header list.

  6. If parsedItem is not null, then:

    1. If parsedItem[0] is "same-origin", then:

      1. Let coep be the result of obtaining a cross-origin embedder policy from response and reservedEnvironment.

      2. If coep's value is compatible with cross-origin isolation or coep's report-only value is compatible with cross-origin isolation, then set policy's report-only value to "same-origin-plus-COEP".

        Report only COOP also considers report-only COEP to assign the special "same-origin-plus-COEP" value. This allows developers more freedom in the order of deployment of COOP and COEP.

      3. Otherwise, set policy's report-only value to "same-origin".

    2. If parsedItem[0] is "same-origin-allow-popups", then set policy's report-only value to "same-origin-allow-popups".

    3. If parsedItem[1]["report-to"] exists and it is a string, then set policy's report-only reporting endpoint to parsedItem[1]["report-to"].

  7. Return policy.
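The matching steps and the header-processing steps above, modelled as an added JavaScript example (not code from the HTML Standard). All function names are hypothetical; the item parser handles only a token with parameters, the policy's defaults ("unsafe-none" values, null endpoints) and the set of COEP tokens counted as compatible with cross-origin isolation are assumptions, and origins are compared as serialized strings.

```javascript
// Added example: simplified model of the header-processing and matching steps.
// Every name below is hypothetical; this is not a browser implementation.

// Assumption: COEP tokens treated as "compatible with cross-origin isolation".
const COEP_ISOLATING = new Set(["require-corp", "credentialless"]);

const TOKEN = /^[A-Za-z*][A-Za-z0-9!#$%&'*+\-.^_`|~:\/]*/;
// One ;key, ;key=token or ;key="string" parameter, matched exactly at lastIndex.
const PARAM = /;[ ]*([a-z*][a-z0-9_.*-]*)(?:=(?:"((?:[^"\\]|\\["\\])*)"|([A-Za-z*][A-Za-z0-9!#$%&'*+\-.^_`|~:\/]*)))?/y;

// Parse a header value as a structured-field item restricted to "token plus
// parameters". Returns [token, params], or null meaning "ignore this header".
function parseTokenItem(raw) {
  const s = String(raw ?? "").trim();
  const head = TOKEN.exec(s);
  if (!head) return null; // quoted strings, numbers, empty values: not a token
  const params = {};
  let pos = head[0].length;
  while (pos < s.length) {
    PARAM.lastIndex = pos;
    const m = PARAM.exec(s);
    if (!m) return null; // trailing garbage or a comma-separated list
    if (m[2] !== undefined) params[m[1]] = m[2].replace(/\\(["\\])/g, "$1"); // string
    else if (m[3] !== undefined) params[m[1]] = { token: m[3] }; // token value
    else params[m[1]] = true; // bare key
    pos = PARAM.lastIndex;
  }
  return [head[0], params];
}

function coepIsolating(headers, name) {
  const item = parseTokenItem(headers[name]);
  return item !== null && COEP_ISOLATING.has(item[0]);
}

// Steps 4 and 6 have the same shape; only step 6 also accepts report-only COEP.
function applyHeader(headers, name, alsoReportOnlyCoep) {
  const out = { value: "unsafe-none", endpoint: null };
  const item = parseTokenItem(headers[name]);
  if (item === null) return out;
  if (item[0] === "same-origin") {
    const isolating = coepIsolating(headers, "cross-origin-embedder-policy") ||
      (alsoReportOnlyCoep &&
        coepIsolating(headers, "cross-origin-embedder-policy-report-only"));
    out.value = isolating ? "same-origin-plus-COEP" : "same-origin";
  } else if (item[0] === "same-origin-allow-popups") {
    out.value = "same-origin-allow-popups";
  }
  // Only a string-valued report-to is accepted; a token value is ignored.
  if (typeof item[1]["report-to"] === "string") out.endpoint = item[1]["report-to"];
  return out;
}

// headers: plain object keyed by lower-case header name.
function obtainCoop(headers, isSecureContext) {
  const policy = { value: "unsafe-none", reportingEndpoint: null,
                   reportOnlyValue: "unsafe-none", reportOnlyReportingEndpoint: null };
  if (!isSecureContext) return policy; // step 2: the headers are never read
  const enforced = applyHeader(headers, "cross-origin-opener-policy", false);
  const reportOnly = applyHeader(headers, "cross-origin-opener-policy-report-only", true);
  policy.value = enforced.value;
  policy.reportingEndpoint = enforced.endpoint;
  policy.reportOnlyValue = reportOnly.value;
  policy.reportOnlyReportingEndpoint = reportOnly.endpoint;
  return policy;
}

// The four matching steps.
function matchCoopValues(a, originA, b, originB) {
  if (a === "unsafe-none" && b === "unsafe-none") return true;
  if (a === "unsafe-none" || b === "unsafe-none") return false;
  return a === b && originA === originB;
}

// Constructed sample response headers.
const sampleHeaders = {
  "cross-origin-opener-policy": 'same-origin; report-to="coop"',
  "cross-origin-embedder-policy": "require-corp",
};
console.log(obtainCoop(sampleHeaders, true));
```

A value sent as a quoted string (`"same-origin"`) or as a list is not a token, so the policy silently stays at "unsafe-none"; this is the failure mode to check for when a deployed header appears to have no effect.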

7.1.3.2 Browsing context group switches due to cross-origin opener policy

To check if COOP values require a browsing context group switch, given a boolean isInitialAboutBlank, two origins responseOrigin and activeDocumentNavigationOrigin, and two cross-origin opener policy values responseCOOPValue and activeDocumentCOOPValue:

  1. If the result of matching activeDocumentCOOPValue, activeDocumentNavigationOrigin, responseCOOPValue, and responseOrigin is true, return false.

  2. If all of the following are true:

    then return false.

  3. Return true.

To check if enforcing report-only COOP would require a browsing context group switch, given a boolean isInitialAboutBlank, two origins responseOrigin, activeDocumentNavigationOrigin, and two cross-origin opener policies responseCOOP and activeDocumentCOOP:

  1. If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlank, responseOrigin, activeDocumentNavigationOrigin, responseCOOP's report-only value and activeDocumentCOOPReportOnly's report-only value is false, then return false.

    Matching report-only policies allows a website to specify the same report-only cross-origin opener policy on all its pages and not receive violation reports for navigations between these pages.

  2. If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlank, responseOrigin, activeDocumentNavigationOrigin, responseCOOP's value and activeDocumentCOOPReportOnly's report-only value is true, then return true.

  3. If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlank, responseOrigin, activeDocumentNavigationOrigin, responseCOOP's report-only value and activeDocumentCOOPReportOnly's value is true, then return true.

  4. Return false.

A cross-origin opener policy enforcement result is a struct with the following items:

To enforce a response's cross-origin opener policy, given a browsing context browsingContext, a URL responseURL, an origin responseOrigin, a cross-origin opener policy responseCOOP, a cross-origin opener policy enforcement result currentCOOPEnforcementResult, and a referrer referrer:

  1. Let newCOOPEnforcementResult be a new cross-origin opener policy enforcement result whose needs a browsing context group switch is currentCOOPEnforcementResult's needs a browsing context group switch, would need a browsing context group switch due to report-only is currentCOOPEnforcementResult's would need a browsing context group switch due to report-only, url is responseURL, origin is responseOrigin, coop is responseCOOP, and current context is navigation source is true.

  2. Let isInitialAboutBlank be browsingContext's active document's is initial about:blank.

  3. If isInitialAboutBlank is true and browsingContext's initial URL is null, then set browsingContext's initial URL to responseURL.

  4. If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlank, currentCOOPEnforcementResult's cross-origin opener policy's value, currentCOOPEnforcementResult's origin, responseCOOP's value, and responseOrigin is true, then:

    1. Set newCOOPEnforcementResult's needs a browsing context group switch to true.

    2. If browsingContext's group's browsing context set's size is greater than 1, then:

      1. Queue a violation report for browsing context group switch when navigating to a COOP response with responseCOOP, "enforce", responseURL, currentCOOPEnforcementResult's url, currentCOOPEnforcementResult's origin, responseOrigin, and referrer.

      2. Queue a violation report for browsing context group switch when navigating away from a COOP response with currentCOOPEnforcementResult's cross-origin opener policy, "enforce", currentCOOPEnforcementResult's url, responseURL, currentCOOPEnforcementResult's origin, responseOrigin, and currentCOOPEnforcementResult's current context is navigation source.

  5. If the result of checking if enforcing report-only COOP would require a browsing context group switch given isInitialAboutBlank, responseOrigin, currentCOOPEnforcementResult's origin, responseCOOP, and currentCOOPEnforcementResult's cross-origin opener policy, is true, then:

    1. Set result's would need a browsing context group switch due to report-only to true.

    2. If browsingContext's group's browsing context set's size is greater than 1, then:

      1. Queue a violation report for browsing context group switch when navigating to a COOP response with responseCOOP, "reporting", responseURL, currentCOOPEnforcementResult's url, currentCOOPEnforcementResult's origin, responseOrigin, and referrer.

      2. Queue a violation report for browsing context group switch when navigating away from a COOP response with currentCOOPEnforcementResult's cross-origin opener policy, "reporting", currentCOOPEnforcementResult's url, responseURL, currentCOOPEnforcementResult's origin, responseOrigin, and currentCOOPEnforcementResult's current context is navigation source.

  6. Return newCOOPEnforcementResult.

To obtain a browsing context to use for a navigation response, given a browsing context browsingContext, a sandboxing flag set sandboxFlags, a cross-origin opener policy navigationCOOP, and a cross-origin opener policy enforcement result coopEnforcementResult:

  1. If browsingContext is not a top-level browsing context, then return browsingContext.

  2. If coopEnforcementResult's needs a browsing context group switch is false, then:

    1. If coopEnforcementResult's would need a browsing context group switch due to report-only is true, set browsing context's virtual browsing context group ID to a new unique identifier.

    2. Return browsingContext.

  3. Let newBrowsingContext be the first return value of creating a new top-level browsing context and document.

    In this case we are going to perform a browsing context group swap. browsingContext will not be used by the new Document that we are about to create. If it is not used by other Documents either (such as ones in the back/forward cache), then the user agent might destroy it at this point.

  4. If navigationCOOP's value is "same-origin-plus-COEP", then set newBrowsingContext's group's cross-origin isolation mode to either "logical" or "concrete". The choice of which is implementation-defined.

    It is difficult on some platforms to provide the security properties required by the cross-origin isolated capability. "concrete" grants access to it and "logical" does not.

  5. If sandboxFlags is not empty, then:

    1. Assert: navigationCOOP's value is "unsafe-none".

    2. Assert: newBrowsingContext's popup sandboxing flag set is empty.

    3. Set newBrowsingContext's popup sandboxing flag set to a clone of sandboxFlags.

  6. Return newBrowsingContext.

7.1.3.3 Reporting

An accessor-accessed relationship is an enum that describes the relationship between two browsing contexts between which an access happened. It can take the following values:

accessor is opener

The accessor browsing context or one of its ancestors is the opener browsing context of the accessed browsing context's top-level browsing context.

accessor is openee

The accessed browsing context or one of its ancestors is the opener browsing context of the accessor browsing context's top-level browsing context.

none

There is no opener relationship between the accessor browsing context, the accessor browsing context, or any of their ancestors.

To check if an access between two browsing contexts should be reported, given two browsing contexts accessor and accessed, a JavaScript property name P, and an environment settings object environment:

  1. If P is not a cross-origin accessible window property name, then return.

  2. Assert: accessor's active document and accessed's active document are both fully active.

  3. Let accessorTopDocument be accessor's top-level browsing context's active document.

  4. Let accessorInclusiveAncestorOrigins be the list obtained by taking the origin of the active document of each of accessor's active document's inclusive ancestor navigables.

  5. Let accessedTopDocument be accessed's top-level browsing context's active document.

  6. Let accessedInclusiveAncestorOrigins be the list obtained by taking the origin of the active document of each of accessed's active document's inclusive ancestor navigables.

  7. If any of accessorInclusiveAncestorOrigins are not same origin with accessorTopDocument's origin, or if any of accessedInclusiveAncestorOrigins are not same origin with accessedTopDocument's origin, then return.

    This avoids leaking information about cross-origin iframes to a top level frame with cross-origin opener policy reporting.

  8. If accessor's top-level browsing context's virtual browsing context group ID is accessed's top-level browsing context's virtual browsing context group ID, then return.

  9. Let accessorAccessedRelationship be a new accessor-accessed relationship with value none.

  10. If accessed's top-level browsing context's opener browsing context is accessor or is an ancestor of accessor, then set accessorAccessedRelationship to accessor is opener.

  11. If accessor's top-level browsing context's opener browsing context is accessed or is an ancestor of accessed, then set accessorAccessedRelationship to accessor is openee.

  12. Queue violation reports for accesses, given accessorAccessedRelationship, accessorTopDocument's cross-origin opener policy, accessedTopDocument's cross-origin opener policy, accessor's active document's URL, accessed's active document's URL, accessor's top-level browsing context's initial URL, accessed's top-level browsing context's initial URL, accessor's active document's origin, accessed's active document's origin, accessor's top-level browsing context's opener origin at creation, accessed's top-level browsing context's opener origin at creation, accessorTopDocument's referrer, accessedTopDocument's referrer, P, and environment.

To sanitize a URL to send in a report given a URL url:

  1. Let sanitizedURL be a copy of url.

  2. Set the username given sanitizedURL and the empty string.

  3. Set the password given sanitizedURL and the empty string.

  4. Return the serialization of sanitizedURL with exclude fragment set to true.

To queue a violation report for browsing context group switch when navigating to a COOP response given a cross-origin opener policy coop, a string disposition, a URL coopURL, a URL previousResponseURL, two origins coopOrigin and previousResponseOrigin, and a referrer referrer:

  1. If coop's reporting endpoint is null, return.

  2. Let coopValue be coop's value.

  3. If disposition is "reporting", then set coopValue to coop's report-only value.

  4. Let serializedReferrer be an empty string.

  5. If referrer is a URL, set serializedReferrer to the serialization of referrer.

  6. Let body be a new object containing the following properties:

    | key | value |
    | --- | --- |
    | disposition | disposition |
    | effectivePolicy | coopValue |
    | previousResponseURL | If coopOrigin and previousResponseOrigin are same origin, this is the sanitization of previousResponseURL, null otherwise. |
    | referrer | serializedReferrer |
    | type | "navigation-to-response" |

  7. Queue body as "coop" for coop's reporting endpoint with coopURL.
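The URL sanitization steps and the "navigation-to-response" report body, as an added JavaScript example (not code from the HTML Standard). Function names, the field names on the `coop` object and the sample URLs are hypothetical or constructed; origins are passed as serialized strings, and queuing the report is left out.

```javascript
// Added example; all names and sample URLs are hypothetical or constructed.

// "Sanitize a URL to send in a report": drop credentials and the fragment.
function sanitizeUrlForReport(url) {
  const sanitized = new URL(url); // work on a copy of the input
  sanitized.username = "";
  sanitized.password = "";
  sanitized.hash = "";            // serialize with the fragment excluded
  return sanitized.href;
}

// Build the report body. `referrer` is a URL object when the referrer is a
// URL; any other value (for example a keyword string) serializes to "".
// Returns null when there is no reporting endpoint, i.e. nothing is queued.
function navigationToResponseBody(coop, disposition, previousResponseURL,
                                  coopOrigin, previousResponseOrigin, referrer) {
  if (coop.reportingEndpoint === null) return null;
  const coopValue = disposition === "reporting" ? coop.reportOnlyValue : coop.value;
  return {
    disposition,
    effectivePolicy: coopValue,
    // A cross-origin previous URL is withheld entirely, not merely sanitized.
    previousResponseURL: coopOrigin === previousResponseOrigin
      ? sanitizeUrlForReport(previousResponseURL)
      : null,
    referrer: referrer instanceof URL ? referrer.href : "",
    type: "navigation-to-response",
  };
}

// Constructed inputs: one same-origin navigation, one cross-origin navigation.
const samplePolicy = { value: "same-origin", reportOnlyValue: "unsafe-none",
                       reportingEndpoint: "coop" };
const sameOriginBody = navigationToResponseBody(samplePolicy, "enforce",
  "https://user:secret@app.example/login?next=/inbox#token=abc",
  "https://app.example", "https://app.example", new URL("https://app.example/"));
const crossOriginBody = navigationToResponseBody(samplePolicy, "enforce",
  "https://other.example/private?id=7",
  "https://app.example", "https://other.example", "no-referrer");
console.log(sameOriginBody, crossOriginBody);
```

The query string survives sanitization, so a same-origin report can still carry whatever the application puts in query parameters; only the userinfo and fragment are stripped.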

To queue a violation report for browsing context group switch when navigating away from a COOP response given a cross-origin opener policy coop, a string disposition, a URL coopURL, a URL nextResponseURL, two origins coopOrigin and nextResponseOrigin, and a boolean isCOOPResponseNavigationSource:

  1. If coop's reporting endpoint is null, return.

  2. Let coopValue be coop's value.

  3. If disposition is "reporting", then set coopValue to coop's report-only value.

  4. Let body be a new object containing the following properties:

    | key | value |
    | --- | --- |
    | disposition | disposition |
    | effectivePolicy | coopValue |
    | nextResponseURL | If coopOrigin and nextResponseOrigin are same origin or isCOOPResponseNavigationSource is true, this is the sanitization of previousResponseURL, null otherwise. |
    | type | "navigation-from-response" |

  5. Queue body as "coop" for coop's reporting endpoint with coopURL.

To queue violation reports for accesses, given an accessor-accessed relationship accessorAccessedRelationship, two cross-origin opener policies accessorCOOP and accessedCOOP, four URLs accessorURL, accessedURL, accessorInitialURL, accessedInitialURL, four origins accessorOrigin, accessedOrigin, accessorCreatorOrigin and accessedCreatorOrigin, two referrers accessorReferrer and accessedReferrer, a string propertyName, and an environment settings object environment:

  1. If coop's reporting endpoint is null, return.

  2. Let coopValue be coop's value.

  3. If disposition is "reporting", then set coopValue to coop's report-only value.

  4. If accessorAccessedRelationship is accessor is opener:

    1. Queue a violation report for access to an opened window, given accessorCOOP, accessorURL, accessedURL, accessedInitialURL, accessorOrigin, accessedOrigin, accessedCreatorOrigin, propertyName, and environment.

    2. Queue a violation report for access from the opener, given accessedCOOP, accessedURL, accessorURL, accessedOrigin, accessorOrigin, propertyName, and accessedReferrer.

  5. Otherwise, if accessorAccessedRelationship is accessor is openee:

    1. Queue a violation report for access to the opener, given accessorCOOP, accessorURL, accessedURL, accessorOrigin, accessedOrigin, propertyName, accessorReferrer, and environment.

    2. Queue a violation report for access from an opened window, given accessedCOOP, accessedURL, accessorURL, accessorInitialURL, accessedOrigin, accessorOrigin, accessorCreatorOrigin, and propertyName.

  6. Otherwise:

    1. Queue a violation report for access to another window, given accessorCOOP, accessorURL, accessedURL, accessorOrigin, accessedOrigin, propertyName, and environment.

    2. Queue a violation report for access from another window, given accessedCOOP, accessedURL, accessorURL, accessedOrigin, accessorOrigin, and propertyName.

To queue a violation report for access to the opener, given a cross-origin opener policy coop, two URLs coopURL and openerURL, two origins coopOrigin and openerOrigin, a string propertyName, a referrer referrer, and an environment settings object environment:

  1. Let sourceFile, lineNumber and columnNumber be the relevant script URL and problematic position which triggered this report.

  2. Let serializedReferrer be an empty string.

  3. If referrer is a URL, set serializedReferrer to the serialization of referrer.

  4. Let body be a new object containing the following properties:

    | key | value |
    | --- | --- |
    | disposition | "reporting" |
    | effectivePolicy | coop's report-only value |
    | property | propertyName |
    | openerURL | If coopOrigin and openerOrigin are same origin, this is the sanitization of openerURL, null otherwise. |
    | referrer | serializedReferrer |
    | sourceFile | sourceFile |
    | lineNumber | lineNumber |
    | columnNumber | columnNumber |
    | type | "access-to-opener" |

  5. Queue body as "coop" for coop's reporting endpoint with coopURL and environment.

To queue a violation report for access to an opened window, given a cross-origin opener policy coop, three URLs coopURL, openedWindowURL and initialWindowURL, three origins coopOrigin, openedWindowOrigin, and openerInitialOrigin, a string propertyName, and an environment settings object environment:

  1. Let sourceFile, lineNumber and columnNumber be the relevant script URL and problematic position which triggered this report.

  2. Let body be a new object containing the following properties:

    | key | value |
    | --- | --- |
    | disposition | "reporting" |
    | effectivePolicy | coop's report-only value |
    | property | propertyName |
    | openedWindowURL | If coopOrigin and openedWindowOrigin are same origin, this is the sanitization of openedWindowURL, null otherwise. |
    | openedWindowInitialURL | If coopOrigin and openerInitialOrigin are same origin, this is the sanitization of initialWindowURL, null otherwise. |
    | sourceFile | sourceFile |
    | lineNumber | lineNumber |
    | columnNumber | columnNumber |
    | type | "access-to-opener" |

  3. Queue body as "coop" for coop's reporting endpoint with coopURL and environment.

To queue a violation report for access to another window, given a cross-origin opener policy coop, two URLs coopURL and otherURL, two origins coopOrigin and otherOrigin, a string propertyName, and an environment settings object environment:

  1. Let sourceFile, lineNumber and columnNumber be the relevant script URL and problematic position which triggered this report.

  2. Let body be a new object containing the following properties:

    | key | value |
    | --- | --- |
    | disposition | "reporting" |
    | effectivePolicy | coop's report-only value |
    | property | propertyName |
    | otherURL | If coopOrigin and otherOrigin are same origin, this is the sanitization of otherURL, null otherwise. |
    | sourceFile | sourceFile |
    | lineNumber | lineNumber |
    | columnNumber | columnNumber |
    | type | "access-to-opener" |

  3. Queue body as "coop" for coop's reporting endpoint with coopURL and environment.

To queue a violation report for access from the opener, given a cross-origin opener policy coop, two URLs coopURL and openerURL, two origins coopOrigin and openerOrigin, a string propertyName, and a referrer referrer:

  1. If coop's reporting endpoint is null, return.

  2. Let serializedReferrer be an empty string.

  3. If referrer is a URL, set serializedReferrer to the serialization of referrer.

  4. Let body be a new object containing the following properties:

    | key | value |
    | --- | --- |
    | disposition | "reporting" |
    | effectivePolicy | coop's report-only value |
    | property | propertyName |
    | openerURL | If coopOrigin and openerOrigin are same origin, this is the sanitization of openerURL, null otherwise. |
    | referrer | serializedReferrer |
    | type | "access-to-opener" |

  5. Queue body as "coop" for coop's reporting endpoint with coopURL.

To queue a violation report for access from an opened window, given a cross-origin opener policy coop, three URLs coopURL, openedWindowURL and initialWindowURL, three origins coopOrigin, openedWindowOrigin, and openerInitialOrigin, and a string propertyName:

  1. If coop's reporting endpoint is null, return.

  2. Let body be a new object containing the following properties:

    | key | value |
    | --- | --- |
    | disposition | "reporting" |
    | effectivePolicy | coopValue |
    | property | coop's report-only value |
    | openedWindowURL | If coopOrigin and openedWindowOrigin are same origin, this is the sanitization of openedWindowURL, null otherwise. |
    | openedWindowInitialURL | If coopOrigin and openerInitialOrigin are same origin, this is the sanitization of initialWindowURL, null otherwise. |
    | type | "access-to-opener" |

  3. Queue body as "coop" for coop's reporting endpoint with coopURL.

To queue a violation report for access from another window, given a cross-origin opener policy coop, two URLs coopURL and otherURL, two origins coopOrigin and otherOrigin, and a string propertyName:

  1. If coop's reporting endpoint is null, return.

  2. Let body be a new object containing the following properties:

    key value
    disposition "reporting"
    effectivePolicy coop's report-only value
    property propertyName
    otherURL If coopOrigin and otherOrigin are same origin, this is the sanitization of otherURL, null otherwise.
    type access-to-opener
  3. Queue body as "coop" for coop's reporting endpoint with coopURL.

7.1.4 Cross-origin embedder policies


An embedder policy value is one of three strings that controls the fetching of cross-origin resources without explicit permission from resource owners.

" unsafe-none "

This is the default value. When this value is used, cross-origin resources can be fetched without giving explicit permission through the CORS protocol or the ` Cross-Origin-Resource-Policy ` header.

" require-corp "

When this value is used, fetching cross-origin resources requires the server's explicit permission through the CORS protocol or the ` Cross-Origin-Resource-Policy ` header.

" credentialless "

When this value is used, fetching cross-origin no-CORS resources omits credentials. In exchange, an explicit ` Cross-Origin-Resource-Policy ` header is not required. Other requests sent with credentials require the server's explicit permission through the CORS protocol or the ` Cross-Origin-Resource-Policy ` header.

Before supporting " credentialless ", implementers are strongly encouraged to support both:

Otherwise, it would allow attackers to leverage the client's network position to read non public resources, using the cross-origin isolated capability.

An embedder policy value is compatible with cross-origin isolation if it is " credentialless " or " require-corp ".

This will be made more precise in issue #313 .

An embedder policy consists of:

The " coep " report type is a report type whose value is " coep ". It is visible to ReportingObservers.

7.1.4.1 The headers

The ` Cross-Origin-Embedder-Policy ` and ` Cross-Origin-Embedder-Policy-Report-Only ` HTTP response headers allow a server to declare an embedder policy for an environment settings object. These headers are structured headers whose values must be token. [STRUCTURED-FIELDS]

The valid token values are the embedder policy values. The token may also have attached parameters; of these, the " report-to " parameter can have a valid URL string identifying an appropriate reporting endpoint. [REPORTING]

The processing model fails open (by defaulting to " unsafe-none ") in the presence of a header that cannot be parsed as a token. This includes inadvertent lists created by combining multiple instances of the ` Cross-Origin-Embedder-Policy ` header present in a given response:

` Cross-Origin-Embedder-Policy `      Final embedder policy value
No header delivered                 " unsafe-none "
` require-corp `                      " require-corp "
` unknown-value `                     " unsafe-none "
` require-corp, unknown-value `       " unsafe-none "
` unknown-value, unknown-value `      " unsafe-none "
` unknown-value, require-corp `       " unsafe-none "
` require-corp, require-corp `        " unsafe-none "

(The same applies to ` Cross-Origin-Embedder-Policy-Report-Only `.)


To obtain an embedder policy from a response response and an environment environment :

  1. Let policy be a new embedder policy.

  2. If environment is a non-secure context, then return policy.

  3. Let parsedItem be the result of getting a structured field value with ` Cross-Origin-Embedder-Policy ` and " item " from response's header list.

  4. If parsedItem is non-null and parsedItem[0] is compatible with cross-origin isolation:

    1. Set policy's value to parsedItem[0].

    2. If parsedItem[1][" report-to "] exists, then set policy's endpoint to parsedItem[1][" report-to "].

  5. Set parsedItem to the result of getting a structured field value with ` Cross-Origin-Embedder-Policy-Report-Only ` and " item " from response's header list.

  6. If parsedItem is non-null and parsedItem[0] is compatible with cross-origin isolation:

    1. Set policy's report only value to parsedItem[0].

    2. If parsedItem[1][" report-to "] exists, then set policy's endpoint to parsedItem[1][" report-to "].

  7. Return policy .
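The fail-open table and the algorithm above can be exercised together. The following is an added example, not text from the standard: it parses only a simplified subset of structured-field items, takes headers as a map from lowercase name to an array of header instances, and uses field names of its own (`reportingEndpoint`, `reportOnlyReportingEndpoint`).

```javascript
// Added example. Simplified subset of RFC 8941 item parsing: a token plus
// parameters whose values are strings or tokens. Policy field names are
// this example's own, not the standard's.
const TOKEN = /^[A-Za-z*][A-Za-z0-9!#$%&'*+\-.^_`|~:\/]*/;
const KEY = /^[a-z*][a-z0-9_\-.*]*/;
const STRING = /^"((?:[^"\\]|\\["\\])*)"/;
const isCompatible = (v) => v === "require-corp" || v === "credentialless";

// headerValues: one array entry per header instance in the response.
// Returns [token, params], or null when the field is absent or is not a single item.
function parseItem(headerValues) {
  if (!headerValues || headerValues.length === 0) return null;
  // Repeated header instances are combined with ", " and so become a list.
  let s = headerValues.join(", ").replace(/^ +/, "");
  const token = TOKEN.exec(s);
  if (!token) return null;
  s = s.slice(token[0].length);
  const params = {};
  while (s.startsWith(";")) {
    s = s.slice(1).replace(/^ +/, "");
    const key = KEY.exec(s);
    if (!key) return null;
    s = s.slice(key[0].length);
    let value = true; // a parameter without "=" is boolean true
    if (s.startsWith("=")) {
      s = s.slice(1);
      const m = STRING.exec(s) || TOKEN.exec(s);
      if (!m) return null;
      // STRING has one capture group (m.length === 2); TOKEN has none.
      value = m.length > 1 ? m[1].replace(/\\(["\\])/g, "$1") : m[0];
      s = s.slice(m[0].length);
    }
    params[key[0]] = value;
  }
  // Leftover text such as ", require-corp" means a list: parsing fails.
  return s.replace(/ +$/, "") === "" ? [token[0], params] : null;
}

function obtainEmbedderPolicy(headers, isSecureContext) {
  const policy = {
    value: "unsafe-none", reportingEndpoint: null,
    reportOnlyValue: "unsafe-none", reportOnlyReportingEndpoint: null,
  };
  if (!isSecureContext) return policy; // step 2: headers are ignored entirely
  const apply = (name, valueField, endpointField) => {
    const item = parseItem(headers[name]);
    if (item === null || !isCompatible(item[0])) return; // fail open
    policy[valueField] = item[0];
    const endpoint = item[1]["report-to"];
    if (typeof endpoint === "string") policy[endpointField] = endpoint;
  };
  apply("cross-origin-embedder-policy", "value", "reportingEndpoint");
  apply("cross-origin-embedder-policy-report-only",
        "reportOnlyValue", "reportOnlyReportingEndpoint");
  return policy;
}
```

A deployment check built on this can flag responses where a proxy or framework emits the header twice, since the combined value silently downgrades to "unsafe-none".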

7.1.4.2 Embedder policy checks

To check a navigation response's adherence to its embedder policy given a response response, a navigable navigable, and an embedder policy responsePolicy:

  1. If navigable is not a child navigable, then return true.

  2. Let parentPolicy be navigable's container document's policy container's embedder policy.

  3. If parentPolicy's report-only value is compatible with cross-origin isolation and responsePolicy's value is not, then queue a cross-origin embedder policy inheritance violation with response, "navigation", parentPolicy's report only reporting endpoint, "reporting", and navigable's container document's relevant settings object.

  4. If parentPolicy's value is not compatible with cross-origin isolation or responsePolicy's value is compatible with cross-origin isolation, then return true.

  5. Queue a cross-origin embedder policy inheritance violation with response, "navigation", parentPolicy's reporting endpoint, "enforce", and navigable's container document's relevant settings object.

  6. Return false.

To check a global object's embedder policy given a WorkerGlobalScope workerGlobalScope, an environment settings object owner, and a response response:

  1. If workerGlobalScope is not a DedicatedWorkerGlobalScope object, then return true.

  2. Let policy be workerGlobalScope's embedder policy.

  3. Let ownerPolicy be owner's policy container's embedder policy.

  4. If ownerPolicy's report-only value is compatible with cross-origin isolation and policy's value is not, then queue a cross-origin embedder policy inheritance violation with response, "worker initialization", owner's policy's report only reporting endpoint, "reporting", and owner.

  5. If ownerPolicy's value is not compatible with cross-origin isolation or policy's value is compatible with cross-origin isolation, then return true.

  6. Queue a cross-origin embedder policy inheritance violation with response, "worker initialization", owner's policy's reporting endpoint, "enforce", and owner.

  7. Return false.

To queue a cross-origin embedder policy inheritance violation given a response response , a string type , a string endpoint , a string disposition , and an environment settings object settings :

  1. Let serialized be the result of serializing a response URL for reporting with response.

  2. Let body be a new object containing the following properties:

    key value
    type type
    blockedURL serialized
    disposition disposition
  3. Queue body as the "coep" report type for endpoint on settings.
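The navigation check and the worker check share one decision: the report-only value can only produce a report, while the enforced value can block. The following added example (not text from the standard) models both; the object shapes, the `parent` and `dedicated` properties, and the already-serialized `responseURL` string are assumptions of the example.

```javascript
// Added example. Policy objects use this example's own field names:
// { value, reportingEndpoint, reportOnlyValue, reportOnlyReportingEndpoint }.
const isCompatible = (v) => v === "require-corp" || v === "credentialless";

// Core shared by both checks. Returns true when the load may proceed and
// appends any queued "coep" report to `reports`.
function checkInheritance(ownerPolicy, childValue, type, responseURL, reports) {
  const queue = (endpoint, disposition) =>
    reports.push({ endpoint, body: { type, blockedURL: responseURL, disposition } });
  // Report-only: record what enforcement would have blocked, never block.
  if (isCompatible(ownerPolicy.reportOnlyValue) && !isCompatible(childValue)) {
    queue(ownerPolicy.reportOnlyReportingEndpoint, "reporting");
  }
  // Allowed when the owner does not require isolation or the child also opts in.
  if (!isCompatible(ownerPolicy.value) || isCompatible(childValue)) return true;
  queue(ownerPolicy.reportingEndpoint, "enforce");
  return false;
}

// navigable.parent is null for a top-level navigable (assumed shape).
function checkNavigationResponse(navigable, responseURL, responsePolicy, reports) {
  if (navigable.parent === null) return true; // only child navigables inherit
  return checkInheritance(navigable.parent.embedderPolicy, responsePolicy.value,
                          "navigation", responseURL, reports);
}

// worker.dedicated marks a DedicatedWorkerGlobalScope (assumed shape).
function checkWorkerGlobal(worker, ownerPolicy, responseURL, reports) {
  if (!worker.dedicated) return true;
  return checkInheritance(ownerPolicy, worker.embedderPolicy.value,
                          "worker initialization", responseURL, reports);
}
```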

7.1.5 Sandboxing

A sandboxing flag set is a set of zero or more of the following flags, which are used to restrict the abilities that potentially untrusted resources have:

The sandboxed navigation browsing context flag

This flag prevents content from navigating browsing contexts other than the sandboxed browsing context itself (or browsing contexts further nested inside it), auxiliary browsing contexts (which are protected by the sandboxed auxiliary navigation browsing context flag defined next), and the top-level browsing context (which is protected by the sandboxed top-level navigation without user activation browsing context flag and sandboxed top-level navigation with user activation browsing context flag defined below).

If the sandboxed auxiliary navigation browsing context flag is not set, then in certain cases the restrictions nonetheless allow popups (new top-level browsing contexts) to be opened. These browsing contexts always have one permitted sandboxed navigator, set when the browsing context is created, which allows the browsing context that created them to actually navigate them. (Otherwise, the sandboxed navigation browsing context flag would prevent them from being navigated even if they were opened.)

The sandboxed auxiliary navigation browsing context flag

This flag prevents content from creating new auxiliary browsing contexts, e.g. using the target attribute or the window.open() method.

The sandboxed top-level navigation without user activation browsing context flag

This flag prevents content from navigating their top-level browsing context and prevents content from closing their top-level browsing context. It is consulted only when the sandboxed browsing context's active window does not have transient activation.

When the sandboxed top-level navigation without user activation browsing context flag is not set, content can navigate its top-level browsing context, but other browsing contexts are still protected by the sandboxed navigation browsing context flag and possibly the sandboxed auxiliary navigation browsing context flag.

The sandboxed top-level navigation with user activation browsing context flag

This flag prevents content from navigating their top-level browsing context and prevents content from closing their top-level browsing context. It is consulted only when the sandboxed browsing context's active window has transient activation.

As with the sandboxed top-level navigation without user activation browsing context flag, this flag only affects the top-level browsing context; if it is not set, other browsing contexts might still be protected by other flags.

The sandboxed origin browsing context flag

This flag forces content into a unique origin, thus preventing it from accessing other content from the same origin.

This flag also prevents script from reading from or writing to the document.cookie IDL attribute, and blocks access to localStorage.

The sandboxed forms browsing context flag

This flag blocks form submission.

The sandboxed pointer lock browsing context flag

This flag disables the Pointer Lock API. [POINTERLOCK]

The sandboxed scripts browsing context flag

This flag blocks script execution .

The sandboxed automatic features browsing context flag

This flag blocks features that trigger automatically, such as automatically playing a video or automatically focusing a form control .

The sandboxed document.domain browsing context flag

This flag prevents content from using the document.domain setter.

The sandbox propagates to auxiliary browsing contexts flag

This flag prevents content from escaping the sandbox by ensuring that any auxiliary browsing context it creates inherits the content's active sandboxing flag set.

The sandboxed modals flag

This flag prevents content from using any of the following features to produce modal dialogs:

The sandboxed orientation lock browsing context flag

This flag disables the ability to lock the screen orientation. [SCREENORIENTATION]

The sandboxed presentation browsing context flag

This flag disables the Presentation API. [PRESENTATION]

The sandboxed downloads browsing context flag

This flag prevents content from initiating or instantiating downloads, whether through downloading hyperlinks or through navigation that gets handled as a download .

The sandboxed custom protocols navigation browsing context flag

This flag prevents navigations toward non fetch schemes from being handed off to external software .

When the user agent is to parse a sandboxing directive , given a string input , a sandboxing flag set output , it must run the following steps:

  1. Split input on ASCII whitespace, to obtain tokens.

  2. Let output be empty.

  3. Add the following flags to output :


Every top-level browsing context has a popup sandboxing flag set, which is a sandboxing flag set. When a browsing context is created, its popup sandboxing flag set must be empty. It is populated by the rules for choosing a navigable and the obtain a browsing context to use for a navigation response algorithm.

Every iframe element has an iframe sandboxing flag set, which is a sandboxing flag set. Which flags in an iframe sandboxing flag set are set at any particular time is determined by the iframe element's sandbox attribute.

Every Document has an active sandboxing flag set, which is a sandboxing flag set. When the Document is created, its active sandboxing flag set must be empty. It is populated by the navigation algorithm.

Every CSP list cspList has CSP-derived sandboxing flags , which is a sandboxing flag set . It is the return value of the following algorithm:

  1. Let directives be an empty ordered set.

  2. For each policy in cspList:

    1. If policy's disposition is not "enforce", then continue.

    2. If policy's directive set contains a directive whose name is "sandbox", then append that directive to directives.

  3. If directives is empty, then return an empty sandboxing flag set.

  4. Let directive be directives[directives's size − 1].

  5. Return the result of parsing the sandboxing directive directive.


To determine the creation sandboxing flags for a browsing context browsing context, given null or an element embedder, return the union of the flags that are present in the following sandboxing flag sets:

7.1.6 Policy containers

A policy container is a struct containing policies that apply to a Document, a WorkerGlobalScope, or a WorkletGlobalScope. It has the following items:

Move other policies into the policy container.

To clone a policy container given a policy container policyContainer:

  1. Let clone be a new policy container.

  2. For each policy in policyContainer's CSP list, append a copy of policy into clone's CSP list.

  3. Set clone's embedder policy to a copy of policyContainer's embedder policy.

  4. Set clone's referrer policy to policyContainer's referrer policy.

  5. Return clone.

To determine whether a URL url requires storing the policy container in history:

  1. If url's scheme is "blob", then return false.

  2. If url is local, then return true.

  3. Return false.

To create a policy container from a fetch response given a response response and an environment-or-null environment:

  1. If response's URL's scheme is "blob", then return a clone of response's URL's blob URL entry's environment's policy container.

  2. Let result be a new policy container.

  3. Set result's CSP list to the result of parsing a response's Content Security Policies given response.

  4. If environment is non-null, then set result's embedder policy to the result of obtaining an embedder policy given response and environment. Otherwise, set it to "unsafe-none".

  5. Set result's referrer policy to the result of parsing the ` Referrer-Policy ` header given response. [REFERRERPOLICY]

  6. Return result.

To determine navigation params policy container given a URL responseURL and four policy container-or-nulls historyPolicyContainer, initiatorPolicyContainer, parentPolicyContainer, and responsePolicyContainer:

  1. If historyPolicyContainer is not null, then:

    1. Assert: responseURL requires storing the policy container in history.

    2. Return a clone of historyPolicyContainer.

  2. If responseURL is about:srcdoc, then:

    1. Assert: parentPolicyContainer is not null.

    2. Return a clone of parentPolicyContainer.

  3. If responseURL is local and initiatorPolicyContainer is not null, then return a clone of initiatorPolicyContainer.

  4. If responsePolicyContainer is not null, then return responsePolicyContainer.

  5. Return a new policy container.
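The precedence above is what stops a document from shedding its policies by navigating to a local-scheme URL: the new document inherits a clone of the initiator's container, and history entries restore the container they were created with. The following added example (not text from the standard) implements the clone, history and selection steps. The container shape, the default referrer policy value, and the list of local schemes (about, blob, data, as defined by Fetch) are not on this page and are assumptions of the example.

```javascript
// Added example. Container shape assumed: { cspList, embedderPolicy, referrerPolicy }.
const LOCAL_SCHEMES = ["about:", "blob:", "data:"]; // Fetch's local schemes
const scheme = (url) => new URL(url).protocol;
const isLocal = (url) => LOCAL_SCHEMES.includes(scheme(url));

function newPolicyContainer() {
  return {
    cspList: [],
    embedderPolicy: { value: "unsafe-none" },
    referrerPolicy: "strict-origin-when-cross-origin", // assumed default
  };
}

function clonePolicyContainer(container) {
  return {
    cspList: container.cspList.map((policy) => ({ ...policy })), // copy each policy
    embedderPolicy: { ...container.embedderPolicy },
    referrerPolicy: container.referrerPolicy,
  };
}

function requiresStoringInHistory(url) {
  if (scheme(url) === "blob:") return false; // blob URLs carry their own entry
  return isLocal(url);
}

function determineNavigationParamsPolicyContainer(
  responseURL, historyContainer, initiatorContainer, parentContainer, responseContainer) {
  if (historyContainer !== null) {
    if (!requiresStoringInHistory(responseURL)) {
      throw new Error("assertion failed: URL does not store a policy container in history");
    }
    return clonePolicyContainer(historyContainer);
  }
  if (responseURL === "about:srcdoc") {
    if (parentContainer === null) {
      throw new Error("assertion failed: srcdoc navigation without a parent container");
    }
    return clonePolicyContainer(parentContainer);
  }
  if (isLocal(responseURL) && initiatorContainer !== null) {
    return clonePolicyContainer(initiatorContainer);
  }
  // Network responses use the container built from their own headers, uncloned.
  if (responseContainer !== null) return responseContainer;
  return newPolicyContainer();
}
```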

To initialize a worker global scope's policy container given a WorkerGlobalScope workerGlobalScope, a response response, and an environment environment:

  1. If workerGlobalScope's url is local but its scheme is not "blob":

    1. Assert: workerGlobalScope's owner set's size is 1.

    2. Set workerGlobalScope's policy container to a clone of workerGlobalScope's owner set[0]'s relevant settings object's policy container.

  2. Otherwise, set workerGlobalScope's policy container to the result of creating a policy container from a fetch response given response and environment.

This abstract operation does not return a Completion Record .