7.5 Origin
Origins are the fundamental currency of the web's security model. Two actors in the web platform that share an origin are assumed to trust each other and to have the same authority. Actors with differing origins are considered potentially hostile versus each other, and are isolated from each other to varying degrees.
For example, if Example Bank's web site, hosted at bank.example.com
, tries to examine the DOM of Example Charity's web site, hosted at charity.example.org
, a "SecurityError
" DOMException
will be raised.
An origin is one of the following:
An opaque origin
An internal value, with no serialization it can be recreated from (it is serialized as "
null
" per serialization of an origin), for which the only meaningful operation is testing for equality.A tuple origin
A tuple consists of:
- A scheme (an ASCII string).
- A host (a host).
- A port (null or a 16-bit unsigned integer).
- A domain (null or a domain). Null unless stated otherwise.
Origins can be shared, e.g., among multiple Document
objects. Furthermore, origins are generally immutable. Only the domain of a tuple origin can be changed, and only through the document.domain
API.
The effective domain of an origin origin
is computed as follows:
- If
origin
is an opaque origin, then return null. - If
origin
's domain is non-null, then returnorigin
's domain. - Return
origin
's host.
The serialization of an origin is the string obtained by applying the following algorithm to the given origin origin
:
- If
origin
is an opaque origin, then return "null
". - Otherwise, let
result
beorigin
's scheme. - Append "
://
" toresult
. - Append
origin
's host, serialized, toresult
. - If
origin
's port is non-null, append a U+003A COLON character (:), andorigin
's port, serialized, toresult
. - Return
result
.
The serialization of ("https
", "xn--maraa-rta.example
", null, null) is "https://xn--maraa-rta.example
".
There used to also be a Unicode serialization of an origin. However, it was never widely adopted.
Two origins, A
and B
, are said to be same origin if the following algorithm returns true:
- If
A
andB
are the same opaque origin, then return true. - If
A
andB
are both tuple origins and their schemes, hosts, and port are identical, then return true. - Return false.
Two origins, A
and B
, are said to be same origin-domain if the following algorithm returns true:
- If
A
andB
are the same opaque origin, then return true. If
A
andB
are both tuple origins, run these substeps:- If
A
andB
's schemes are identical, and their domains are identical and non-null, then return true. - Otherwise, if
A
andB
are same origin and their domains are identical and null, then return true.
- If
- Return false.
A | B | same origin | same origin-domain |
---|---|---|---|
("https ", "example.org ", null, null) | ("https ", "example.org ", null, null) | ✅ | ✅ |
("https ", "example.org ", 314, null) | ("https ", "example.org ", 420, null) | ❌ | ❌ |
("https ", "example.org ", 314, "example.org ") | ("https ", "example.org ", 420, "example.org ") | ❌ | ✅ |
("https ", "example.org ", null, null) | ("https ", "example.org ", null, "example.org ") | ✅ | ❌ |
("https ", "example.org ", null, "example.org ") | ("http ", "example.org ", null, "example.org ") | ❌ | ❌ |
7.5.1 Sites
A scheme-and-host is a tuple of a scheme (an ASCII string) and a host (a host).
A site is an opaque origin or a scheme-and-host.
To obtain a site, given an origin origin
, run these steps:
- If
origin
is an opaque origin, then returnorigin
. - If
origin
's host's registrable domain is null, then return (origin
's scheme,origin
's host). - Return (
origin
's scheme,origin
's host's registrable domain).
Two sites, A
and B
, are said to be same site if the following algorithm returns true:
- If
A
andB
are the same opaque origin, the return true. - If
A
orB
is an opaque origin, then return false. - If
A
's andB
's scheme values are different, then return false. - If
A
's andB
's host values are not equal, then return false. - Return true.
The serialization of a site is the string obtained by applying the following algorithm to the given site site
:
- If
site
is an opaque origin, then return "null
". - Let
result
besite
[0]. - Append "
://
" toresult
. - Append
site
[1], serialized, toresult
. - Return
result
.
It needs to be clear from context that the serialized value is a site, not an origin, as there is not necessarily a syntactic difference between the two. For example, the origin ("https
", "shop.example
", null, null) and the site ("https
", "shop.example
") have the same serialization: "https://shop.example
".
Two origins, A
and B
, are said to be schemelessly same site if the following algorithm returns true:
- If
A
andB
are the same opaque origin, then return true. If
A
andB
are both tuple origins, then:- Let
hostA
beA
's host, and lethostB
beB
's host. - If
hostA
equalshostB
andhostA
's registrable domain is null, then return true. - If
hostA
's registrable domain equalshostB
's registrable domain and is non-null, then return true.
- Let
- Return false.
Two origins, A
and B
, are said to be same site if the following algorithm returns true:
- Let
siteA
be the result of obtaining a site givenA
. - Let
siteB
be the result of obtaining a site givenB
. - If
siteA
is same site withsiteB
, then return true. - Return false.
Unlike the same origin and same origin-domain concepts, for schemelessly same site and same site, the port and domain components are ignored.
For the reasons explained in URL, the same site and schemelessly same site concepts should be avoided when possible, in favor of same origin checks.
Given that wildlife.museum
, museum
, and com
are public suffixes and that example.com
is not:
A | B | schemelessly same site | same site |
---|---|---|---|
("https ", "example.com ") | ("https ", "sub.example.com ") | ✅ | ✅ |
("https ", "example.com ") | ("https ", "sub.other.example.com ") | ✅ | ✅ |
("https ", "example.com ") | ("http ", "non-secure.example.com ") | ✅ | ❌ |
("https ", "r.wildlife.museum ") | ("https ", "sub.r.wildlife.museum ") | ✅ | ✅ |
("https ", "r.wildlife.museum ") | ("https ", "sub.other.r.wildlife.museum ") | ✅ | ✅ |
("https ", "r.wildlife.museum ") | ("https ", "other.wildlife.museum ") | ❌ | ❌ |
("https ", "r.wildlife.museum ") | ("https ", "wildlife.museum ") | ❌ | ❌ |
("https ", "wildlife.museum ") | ("https ", "wildlife.museum ") | ✅ | ✅ |
("https ", "example.com ") | ("https ", "example.com. ") | ❌ | ❌ |
(Here we have omitted the port and domain components since they are not considered.)
7.5.2 Relaxing the same-origin restriction
document.domain [ = domain ]
Returns the current domain used for security checks.
Can be set to a value that removes subdomains, to change the origin's domain to allow pages on other subdomains of the same domain (if they do the same thing) to access each other. This enables pages on different hosts of a domain to synchronously access each other's DOMs.
In sandboxed
iframe
s,Document
s with opaque origins,Document
s without a browsing context, and when the "document-domain
" feature is disabled, the setter will throw a "SecurityError
" exception. In cases wherecrossOriginIsolated
ororiginAgentCluster
return true, the setter will do nothing.
Avoid using the document.domain
setter. It undermines the security protections provided by the same-origin policy. This is especially acute when using shared hosting; for example, if an untrusted third party is able to host an HTTP server at the same IP address but on a different port, then the same-origin protection that normally protects two different sites on the same host will fail, as the ports are ignored when comparing origins after the document.domain
setter has been used.
Because of these security pitfalls, this feature is in the process of being removed from the web platform. (This is a long process that takes many years.)
Instead, use postMessage()
or MessageChannel
objects to communicate across origins in a safe manner.
The domain
getter steps are:
- Let
effectiveDomain
be this's origin's effective domain. - If
effectiveDomain
is null, then return the empty string. - Return
effectiveDomain
, serialized.
The domain
setter steps are:
- If this's browsing context is null, then throw a "
SecurityError
"DOMException
. - If this's active sandboxing flag set has its sandboxed
document.domain
browsing context flag set, then throw a "SecurityError
"DOMException
. - If this is not allowed to use the "
document-domain
" feature, then throw a "SecurityError
"DOMException
. - Let
effectiveDomain
be this's origin's effective domain. - If
effectiveDomain
is null, then throw a "SecurityError
"DOMException
. - If the given value is not a registrable domain suffix of and is not equal to
effectiveDomain
, then throw a "SecurityError
"DOMException
. - If the surrounding agent's agent cluster's is origin-keyed is true, then return.
- Set
this
's origin's domain to the result of parsing the given value.
To determine if a string hostSuffixString
is a registrable domain suffix of or is equal to a host originalHost
, run these steps:
- If
hostSuffixString
is the empty string, then return false. - Let
hostSuffix
be the result of parsinghostSuffixString
. - If
hostSuffix
is failure, then return false. If
hostSuffix
does not equaloriginalHost
, then:- If
hostSuffix
ororiginalHost
is not a domain, then return false.
This excludes hosts that are IP addresses.
- If
hostSuffix
, prefixed by U+002E (.), does not match the end oforiginalHost
, then return false. - If one of the following is true
hostSuffix
equalshostSuffix
's public suffixhostSuffix
, prefixed by U+002E (.), matches the endoriginalHost
's public suffix
then return false. [[URL]](https://html.spec.whatwg.org/multipage/references.html#refsURL)
- Assert:
originalHost
's public suffix, prefixed by U+002E (.), matches the end ofhostSuffix
.
- If
- Return true.
hostSuffixString | originalHost | Outcome of is a registrable domain suffix of or is equal to | Notes |
---|---|---|---|
"0.0.0.0 " | 0.0.0.0 | ✅ | |
"0x10203 " | 0.1.2.3 | ✅ | |
"[0::1] " | ::1 | ✅ | |
"example.com " | example.com | ✅ | |
"example.com " | example.com. | ❌ | Trailing dot is significant. |
"example.com. " | example.com | ❌ | |
"example.com " | www.example.com | ✅ | |
"com " | example.com | ❌ | At the time of writing, com is a public suffix. |
"example " | example | ✅ | |
"compute.amazonaws.com " | example.compute.amazonaws.com | ❌ | At the time of writing, *.compute.amazonaws.com is a public suffix. |
"example.compute.amazonaws.com " | www.example.compute.amazonaws.com | ❌ | |
"amazonaws.com " | www.example.compute.amazonaws.com | ❌ | |
"amazonaws.com " | test.amazonaws.com | ✅ | At the time of writing, amazonaws.com is a registrable domain. |
7.5.3 Origin-keyed agent clusters
window.originAgentCluster
Returns true if this
Window
belongs to an agent cluster which is origin-keyed, in the manner described in this section.
A Document
delivered over a secure context can request that it be placed in an origin-keyed agent cluster, by using the Origin-Agent-Cluster
HTTP response header. This header is a structured header whose value must be a boolean. [[STRUCTURED-FIELDS]](https://html.spec.whatwg.org/multipage/references.html#refsSTRUCTURED-FIELDS)
Per the processing model in the create and initialize a new Document
object, values that are not the structured header boolean true value (i.e., ?1
) will be ignored.
The consequences of using this header are that the resulting Document
's agent cluster key is its origin, instead of the corresponding site. In terms of observable effects, this means that attempting to relax the same-origin restriction using document.domain
will instead do nothing, and it will not be possible to send WebAssembly.Module
objects to cross-origin Document
s (even if they are same site). Behind the scenes, this isolation can allow user agents to allocate implementation-specific resources corresponding to agent clusters, such as processes or threads, more efficiently.
Note that within a browsing context group, the Origin-Agent-Cluster
header can never cause same-origin Document
objects to end up in different agent clusters, even if one sends the header and the other doesn't. This is prevented by means of the historical agent cluster key map.
This means that the originAgentCluster
getter can return false, even if the header is set, if the header was omitted on a previously-loaded same-origin page in the same browsing context group. Similarly, it can return true even when the header is not set.
The originAgentCluster
getter steps are to return the surrounding agent's agent cluster's is origin-keyed.
Document
s with an opaque origin can be considered unconditionally origin-keyed; for them the header has no effect, and the originAgentCluster
getter will always return true.
Similarly, Document
s whose agent cluster's cross-origin isolation mode is not "none
" are automatically origin-keyed. The Origin-Agent-Cluster`\` header might be useful as an additional hint to implementations about resource allocation, since the \
Cross-Origin-Opener-Policy\
and ``Cross-Origin-Embedder-Policy headers used to achieve cross-origin isolation are more about ensuring that everything in the same address space opts in to being there. But adding it would have no additional observable effects on author code.
7.6 Sandboxing
A sandboxing flag set is a set of zero or more of the following flags, which are used to restrict the abilities that potentially untrusted resources have:
The sandboxed navigation browsing context flag
This flag prevents content from navigating browsing contexts other than the sandboxed browsing context itself (or browsing contexts further nested inside it), auxiliary browsing contexts (which are protected by the sandboxed auxiliary navigation browsing context flag defined next), and the top-level browsing context (which is protected by the sandboxed top-level navigation without user activation browsing context flag and sandboxed top-level navigation with user activation browsing context flag defined below).
If the sandboxed auxiliary navigation browsing context flag is not set, then in certain cases the restrictions nonetheless allow popups (new top-level browsing contexts) to be opened. These browsing contexts always have one permitted sandboxed navigator, set when the browsing context is created, which allows the browsing context that created them to actually navigate them. (Otherwise, the sandboxed navigation browsing context flag would prevent them from being navigated even if they were opened.)
The sandboxed auxiliary navigation browsing context flag
This flag prevents content from creating new auxiliary browsing contexts, e.g. using the
target
attribute or thewindow.open()
method.The sandboxed top-level navigation without user activation browsing context flag
This flag prevents content from navigating their top-level browsing context and prevents content from closing their top-level browsing context. It is consulted only when the sandboxed browsing context's active window does not have transient activation.
When the sandboxed top-level navigation without user activation browsing context flag is not set, content can navigate its top-level browsing context, but other browsing contexts are still protected by the sandboxed navigation browsing context flag and possibly the sandboxed auxiliary navigation browsing context flag.
The sandboxed top-level navigation with user activation browsing context flag
This flag prevents content from navigating their top-level browsing context and prevents content from closing their top-level browsing context. It is consulted only when the sandboxed browsing context's active window has transient activation.
As with the sandboxed top-level navigation without user activation browsing context flag, this flag only affects the top-level browsing context; if it is not set, other browsing contexts might still be protected by other flags.
The sandboxed plugins browsing context flag
This flag prevents content from instantiating plugins, whether using the
embed
element, theobject
element, or through navigation of their nested browsing context.The sandboxed origin browsing context flag
This flag forces content into a unique origin, thus preventing it from accessing other content from the same origin.
This flag also prevents script from reading from or writing to the
document.cookie
IDL attribute, and blocks access tolocalStorage
.The sandboxed forms browsing context flag
This flag blocks form submission.
The sandboxed pointer lock browsing context flag
This flag disables the Pointer Lock API. [[POINTERLOCK]](https://html.spec.whatwg.org/multipage/references.html#refsPOINTERLOCK)
The sandboxed scripts browsing context flag
This flag blocks script execution.
The sandboxed automatic features browsing context flag
This flag blocks features that trigger automatically, such as automatically playing a video or automatically focusing a form control.
The sandboxed
document.domain
browsing context flagThis flag prevents content from using the
document.domain
setter.The sandbox propagates to auxiliary browsing contexts flag
This flag prevents content from escaping the sandbox by ensuring that any auxiliary browsing context it creates inherits the content's active sandboxing flag set.
The sandboxed modals flag
This flag prevents content from using any of the following features to produce modal dialogs:
window.alert()
window.confirm()
window.print()
window.prompt()
- the
beforeunload
event
The sandboxed orientation lock browsing context flag
This flag disables the ability to lock the screen orientation. [[SCREENORIENTATION]](https://html.spec.whatwg.org/multipage/references.html#refsSCREENORIENTATION)
The sandboxed presentation browsing context flag
This flag disables the Presentation API. [[PRESENTATION]](https://html.spec.whatwg.org/multipage/references.html#refsPRESENTATION)
The sandboxed downloads browsing context flag
This flag prevents content from initiating or instantiating downloads, whether through downloading hyperlinks or through navigation that gets handled as a download.
The sandboxed custom protocols navigation browsing context flag
This flag prevents navigations toward non fetch schemes from being handed off to external software.
When the user agent is to parse a sandboxing directive, given a string input
, a sandboxing flag set output
, it must run the following steps:
- Split
input
on ASCII whitespace, to obtaintokens
. - Let
output
be empty. Add the following flags to
output
:- The sandboxed navigation browsing context flag.
- The sandboxed auxiliary navigation browsing context flag, unless
tokens
contains theallow-popups
keyword. - The sandboxed top-level navigation without user activation browsing context flag, unless
tokens
contains theallow-top-navigation
keyword. - The sandboxed top-level navigation with user activation browsing context flag, unless
tokens
contains either theallow-top-navigation-by-user-activation
keyword or theallow-top-navigation
keyword.
This means that if the
allow-top-navigation
is present, theallow-top-navigation-by-user-activation
keyword will have no effect. For this reason, specifying both is a document conformance error.- The sandboxed plugins browsing context flag.
- The sandboxed origin browsing context flag, unless the
tokens
contains theallow-same-origin
keyword.
The
allow-same-origin
keyword is intended for two cases.First, it can be used to allow content from the same site to be sandboxed to disable scripting, while still allowing access to the DOM of the sandboxed content.
Second, it can be used to embed content from a third-party site, sandboxed to prevent that site from opening popups, etc, without preventing the embedded page from communicating back to its originating site, using the database APIs to store data, etc.
- The sandboxed forms browsing context flag, unless
tokens
contains theallow-forms
keyword. - The sandboxed pointer lock browsing context flag, unless
tokens
contains theallow-pointer-lock
keyword. - The sandboxed scripts browsing context flag, unless
tokens
contains theallow-scripts
keyword. - The sandboxed automatic features browsing context flag, unless
tokens
contains theallow-scripts
keyword (defined above).
This flag is relaxed by the same keyword as scripts, because when scripts are enabled these features are trivially possible anyway, and it would be unfortunate to force authors to use script to do them when sandboxed rather than allowing them to use the declarative features.
- The sandboxed
document.domain
browsing context flag. - The sandbox propagates to auxiliary browsing contexts flag, unless
tokens
contains theallow-popups-to-escape-sandbox
keyword. - The sandboxed modals flag, unless
tokens
contains theallow-modals
keyword. - The sandboxed orientation lock browsing context flag, unless
tokens
contains theallow-orientation-lock
keyword. - The sandboxed presentation browsing context flag, unless
tokens
contains theallow-presentation
keyword. - The sandboxed downloads browsing context flag, unless
tokens
contains theallow-downloads
keyword. - The sandboxed custom protocols navigation browsing context flag, unless
tokens
contains either theallow-top-navigation-to-custom-protocols
keyword, theallow-popups
keyword, or theallow-top-navigation
keyword.
Every top-level browsing context has a popup sandboxing flag set, which is a sandboxing flag set. When a browsing context is created, its popup sandboxing flag set must be empty. It is populated by the rules for choosing a browsing context and the obtain a browsing context to use for a navigation response algorithm.
Every iframe
element has an iframe
sandboxing flag set, which is a sandboxing flag set. Which flags in an iframe
sandboxing flag set are set at any particular time is determined by the iframe
element's sandbox
attribute.
Every Document
has an active sandboxing flag set, which is a sandboxing flag set. When the Document
is created, its active sandboxing flag set must be empty. It is populated by the navigation algorithm.
Every resource that is obtained by the navigation algorithm has a forced sandboxing flag set, which is a sandboxing flag set. A resource by default has no flags set in its forced sandboxing flag set, but other specifications can define that certain flags are set.
In particular, the forced sandboxing flag set is used by Content Security Policy. [[CSP]](https://html.spec.whatwg.org/multipage/references.html#refsCSP)
To determine the creation sandboxing flags for a browsing context browsing context
, given null or an element embedder
, return the union of the flags that are present in the following sandboxing flag sets:
- If
embedder
is null, then: the flags set onbrowsing context
's popup sandboxing flag set. - If
embedder
is an element, then: the flags set onembedder
'siframe
sandboxing flag set. - If
embedder
is an element, then: the flags set onembedder
's node document's active sandboxing flag set.
After creation, the sandboxing flags for a browsing context browsing context
are the result of determining the creation sandboxing flags given browsing context
and browsing context
's container.
7.7 Cross-origin opener policies
A cross-origin opener policy value allows a document which is navigated to in a top-level browsing context to force the creation of a new top-level browsing context, and a corresponding group. The possible values are:
"
unsafe-none
"This is the (current) default and means that the document will occupy the same top-level browsing context as its predecessor, unless that document specified a different cross-origin opener policy.
"
same-origin-allow-popups
"This forces the creation of a new top-level browsing context for the document, unless its predecessor specified the same cross-origin opener policy and they are same origin.
"
same-origin
"This behaves the same as "
same-origin-allow-popups
", with the addition that any auxiliary browsing context created needs to contain same origin documents that also have the same cross-origin opener policy or it will appear closed to the opener."
same-origin-plus-COEP
"This behaves the same as "
same-origin
", with the addition that it sets the (new) top-level browsing context's group's cross-origin isolation mode to one of "logical
" or "concrete
"."
same-origin-plus-COEP
" cannot be directly set via theCross-Origin-Opener-Policy`\` header, but results from a combination of setting both \
Cross-Origin-Opener-Policy: same-origin\
and a ``Cross-Origin-Embedder-Policy header whose value is compatible with cross-origin isolation together.
A cross-origin opener policy consists of:
- A value, which is a cross-origin opener policy value, initially "
unsafe-none
". - A reporting endpoint, which is string or null, initially null.
- A report-only value, which is a cross-origin opener policy value, initially "
unsafe-none
". - A report-only reporting endpoint, which is a string or null, initially null.
To match cross-origin opener policy values, given a cross-origin opener policy value A
, an origin originA
, a cross-origin opener policy value B
, and an origin originB
:
- If
A
is "unsafe-none
" andB
is "unsafe-none
", then return true. - If
A
is "unsafe-none
" orB
is "unsafe-none
", then return false. - If
A
isB
andoriginA
is same origin withoriginB
, then return true. - Return false.
7.7.1 The headers
✔MDN
A Document
's cross-origin opener policy is derived from the Cross-Origin-Opener-Policy`\` and \
Cross-Origin-Opener-Policy-Report-Only HTTP response headers. These headers are structured headers whose value must be a token. [[STRUCTURED-FIELDS]](https://html.spec.whatwg.org/multipage/references.html#refsSTRUCTURED-FIELDS)
The valid token values are the opener policy values. The token may also have attached parameters; of these, the "report-to
" parameter can have a valid URL string identifying an appropriate reporting endpoint. [[REPORTING]](https://html.spec.whatwg.org/multipage/references.html#refsREPORTING)
Per the processing model described below, user agents will ignore this header if it contains an invalid value. Likewise, user agents will ignore this header if the value cannot be parsed as a token.
To obtain a cross-origin opener policy given a response response
and an environment reservedEnvironment
:
- Let
policy
be a new cross-origin opener policy. - If
reservedEnvironment
is a non-secure context, then returnpolicy
. - Let
value
be the result of getting a structured field value givenCross-Origin-Opener-Policy
and "item
" fromresponse
's header list. If
parsedItem
is not null, then:- If
parsedItem
[0] is "same-origin
", then: - Let
coep
be the result of obtaining a cross-origin embedder policy fromresponse
andreservedEnvironment
. - If
coep
's value is compatible with cross-origin isolation, then setpolicy
's value to "same-origin-plus-COEP
". - Otherwise, set
policy
's value to "same-origin
". - If
parsedItem
[0] is "same-origin-allow-popups
", then setpolicy
's value to "same-origin-allow-popups
". - If
parsedItem
[1]["report-to
"] exists and it is a string, then setpolicy
's reporting endpoint toparsedItem
[1]["report-to
"].
- If
- Set
parsedItem
to the result of getting a structured field value givenCross-Origin-Opener-Policy-Report-Only
and "item
" fromresponse
's header list. If
parsedItem
is not null, then:- If
parsedItem
[0] is "same-origin
", then: - Let
coep
be the result of obtaining a cross-origin embedder policy fromresponse
andreservedEnvironment
. If
coep
's value is compatible with cross-origin isolation orcoep
's report-only value is compatible with cross-origin isolation, then setpolicy
's report-only value to "same-origin-plus-COEP
".Report only COOP also considers report-only COEP to assign the special "
same-origin-plus-COEP
" value. This allows developers more freedom in the order of deployment of COOP and COEP.- Otherwise, set
policy
's report-only value to "same-origin
". - If
parsedItem
[0] is "same-origin-allow-popups
", then setpolicy
's report-only value to "same-origin-allow-popups
". - If
parsedItem
[1]["report-to
"] exists and it is a string, then setpolicy
's report-only reporting endpoint toparsedItem
[1]["report-to
"].
- If
- Return
policy
.
7.7.2 Browsing context group switches due to cross-origin opener policy
To check if COOP values require a browsing context group switch, given a boolean isInitialAboutBlank
, two origins responseOrigin
and activeDocumentNavigationOrigin
, and two cross-origin opener policy values responseCOOPValue
and activeDocumentCOOPValue
:
- If the result of matching
activeDocumentCOOPValue
,activeDocumentNavigationOrigin
,responseCOOPValue
, andresponseOrigin
is true, return false. If all of the following are true:
isInitialAboutBlank
,activeDocumentCOOPValue
's value is "same-origin-allow-popups
".responseCOOPValue
is "unsafe-none
",
then return false.
- Return true.
To check if enforcing report-only COOP would require a browsing context group switch, given a boolean isInitialAboutBlank
, two origins responseOrigin
, activeDocumentNavigationOrigin
, and two cross-origin opener policies responseCOOP
and activeDocumentCOOP
:
If the result of checking if COOP values require a browsing context group switch given
isInitialAboutBlank
,responseOrigin
,activeDocumentNavigationOrigin
,responseCOOP
's report-only value andactiveDocumentCOOPReportOnly
's report-only value is false, then return false.Matching report-only policies allows a website to specify the same report-only cross-origin opener policy on all its pages and not receive violation reports for navigations between these pages.
- If the result of checking if COOP values require a browsing context group switch given
isInitialAboutBlank
,responseOrigin
,activeDocumentNavigationOrigin
,responseCOOP
's value andactiveDocumentCOOPReportOnly
's report-only value is true, then return true. - If the result of checking if COOP values require a browsing context group switch given
isInitialAboutBlank
,responseOrigin
,activeDocumentNavigationOrigin
,responseCOOP
's report-only value andactiveDocumentCOOPReportOnly
's value is true, then return true. - Return false.
A cross-origin opener policy enforcement result is a struct with the following items:
- A boolean needs a browsing context group switch, initially false.
- A boolean would need a browsing context group switch due to report-only, initially false.
- A URL url.
- An origin origin.
- A cross-origin opener policy cross-origin opener policy.
- A boolean current context is navigation source.
To enforce a response's cross-origin opener policy, given a browsing context browsingContext
, a URL responseURL
, an origin responseOrigin
, a cross-origin opener policy responseCOOP
, a cross-origin opener policy enforcement result currentCOOPEnforcementResult
, and a referrer referrer
:
- Let
newCOOPEnforcementResult
be a new cross-origin opener policy enforcement result whose needs a browsing context group switch iscurrentCOOPEnforcementResult
's needs a browsing context group switch, would need a browsing context group switch due to report-only iscurrentCOOPEnforcementResult
's would need a browsing context group switch due to report-only, url isresponseURL
, origin isresponseOrigin
, coop isresponseCOOP
, and current context is navigation source is true. - Let
isInitialAboutBlank
be true ifbrowsingContext
is still on its initialabout:blank
Document
; otherwise, false. - If
isInitialAboutBlank
is true andbrowsingContext
's initial URL is null, setbrowsingContext
's initial URL toresponseURL
. If the result of checking if COOP values require a browsing context group switch given
isInitialAboutBlank
,currentCOOPEnforcementResult
's cross-origin opener policy's value,currentCOOPEnforcementResult
's origin,responseCOOP
's value, andresponseOrigin
is true, then:- Set
newCOOPEnforcementResult
's needs a browsing context group switch to true. - If
browsingContext
's group's browsing context set's size is greater than 1, then: - Queue a violation report for browsing context group switch when navigating to a COOP response with
responseCOOP
, "enforce
",responseURL
,currentCOOPEnforcementResult
's url,currentCOOPEnforcementResult
's origin,responseOrigin
, andreferrer
. - Queue a violation report for browsing context group switch when navigating away from a COOP response with
currentCOOPEnforcementResult
's cross-origin opener policy, "enforce
",currentCOOPEnforcementResult
's url,responseURL
,currentCOOPEnforcementResult
's origin,responseOrigin
, andcurrentCOOPEnforcementResult
's current context is navigation source.
- Set
If the result of checking if enforcing report-only COOP would require a browsing context group switch given
isInitialAboutBlank
,responseOrigin
,currentCOOPEnforcementResult
's origin,responseCOOP
, andcurrentCOOPEnforcementResult
's cross-origin opener policy, is true, then:- Set
result
's would need a browsing context group switch due to report-only to true. - If
browsingContext
's group's browsing context set's size is greater than 1, then: - Queue a violation report for browsing context group switch when navigating to a COOP response with
responseCOOP
, "reporting
",responseURL
,currentCOOPEnforcementResult
's url,currentCOOPEnforcementResult
's origin,responseOrigin
, andreferrer
. - Queue a violation report for browsing context group switch when navigating away from a COOP response with
currentCOOPEnforcementResult
's cross-origin opener policy, "reporting
",currentCOOPEnforcementResult
's url,responseURL
,currentCOOPEnforcementResult
's origin,responseOrigin
, andcurrentCOOPEnforcementResult
's current context is navigation source.
- Set
- Return
newCOOPEnforcementResult
.
To obtain a browsing context to use for a navigation response, given a browsing context browsingContext
, a sandboxing flag set sandboxFlags
, a cross-origin opener policy navigationCOOP
, and a cross-origin opener policy enforcement result coopEnforcementResult
:
- If
browsingContext
is not a top-level browsing context, returnbrowsingContext
. If
coopEnforcementResult
's needs a browsing context group switch is false, then:- If
coopEnforcementResult
's would need a browsing context group switch due to report-only is true, setbrowsing context
's virtual browsing context group ID to a new unique identifier. - Return
browsingContext
.
- If
- Let
newBrowsingContext
be the result of creating a new top-level browsing context. If
navigationCOOP
's value is "same-origin-plus-COEP
", then setnewBrowsingContext
's group's cross-origin isolation mode to either "logical
" or "concrete
". The choice of which is implementation-defined.It is difficult on some platforms to provide the security properties required by the cross-origin isolated capability. "
concrete
" grants access to it and "logical
" does not.If
sandboxFlags
is not empty, then:- Assert
navigationCOOP
's value is "unsafe-none
". - Assert:
newBrowsingContext
's popup sandboxing flag set is empty. - Set
newBrowsingContext
's popup sandboxing flag set to a clone ofsandboxFlags
.
- Assert
Discard
browsingContext
.This has no effect on
browsingContext
's group, unlessbrowsingContext
was its sole top-level browsing context. In that case, the user agent might delete the browsing context group which no longer contains any browsing contexts.- Return
newBrowsingContext
.
The impact of swapping browsing context groups following a navigation is not fully defined. It is currently under discussion in issue #5350.
7.7.3 Reporting
An accessor-accessed relationship is an enum that describes the relationship between two browsing contexts between which an access happened. It can take the following values:
accessor is opener
The accessor browsing context or one of its ancestors is the opener browsing context of the accessed browsing context's top-level browsing context.
accessor is openee
The accessed browsing context or one of its ancestors is the opener browsing context of the accessor browsing context's top-level browsing context.
none
There is no opener relationship between the accessor browsing context, the accessor browsing context, or any of their ancestors.
To check if an access between two browsing contexts should be reported, given two browsing contexts accessor
and accessed
, a JavaScript property name P
, and an environment settings object environment
:
- If
P
is not a cross-origin accessible window property name, then return. If
accessor
's active document's origin or any of its ancestors' active document's origins are not same origin withaccessor
's top-level browsing context's active document's origin, or ifaccessed
's active document's origin or any of its ancestors' active document's origins are not same origin withaccessed
's top-level browsing context's active document's origin, then return.This avoids leaking information about cross-origin iframes to a top level frame with cross-origin opener policy reporting.
- If
accessor
's top-level browsing context's virtual browsing context group ID isaccessed
's top-level browsing context's virtual browsing context group ID, then return. - Let
accessorAccessedRelationship
be a new accessor-accessed relationship with value none. - If
accessed
's top-level browsing context's opener browsing context isaccessor
or an ancestor ofaccessor
, then setaccessorAccessedRelationship
to accessor is opener. - If
accessor
's top-level browsing context's opener browsing context isaccessed
or an ancestor ofaccessed
, then setaccessorAccessedRelationship
to accessor is openee. - Queue violation reports for accesses, given
accessorAccessedRelationship
,accessor
's top-level browsing context's active document's cross-origin opener policy,accessed
's top-level browsing context's active document's cross-origin opener policy,accessor
's active document's URL,accessed
's active document's URL,accessor
's top-level browsing context's initial URL,accessed
's top-level browsing context's initial URL,accessor
's active document's origin,accessed
's active document's origin,accessor
's top-level browsing context's opener origin at creation,accessed
's top-level browsing context's opener origin at creation,accessor
's top-level browsing context's active document's referrer,accessed
's top-level browsing context's active document's referrer,P
, andenvironment
.
To sanitize a URL to send in a report given a URL url
:
- Let
sanitizedURL
be a copy ofurl
. - Set the username given
sanitizedURL
and the empty string. - Set the password given
sanitizedURL
and the empty string. - Return the serialization of
sanitizedURL
with exclude fragment set to true.
To queue a violation report for browsing context group switch when navigating to a COOP response given a cross-origin opener policy coop
, a string disposition
, a URL coopURL
, a URL previousResponseURL
, two origins coopOrigin
and previousResponseOrigin
, and a referrer referrer
:
- If
coop
's reporting endpoint is null, return. - Let
coopValue
becoop
's value. - If
disposition
is "reporting
", then setcoopValue
tocoop
's report-only value. - Let
serializedReferrer
be an empty string. - If
referrer
is a URL, setserializedReferrer
to the serialization ofreferrer
. Let
body
be a new object containing the following properties:key value disposition disposition
effectivePolicy coopValue
previousResponseURL If coopOrigin
andpreviousResponseOrigin
are same origin this is the sanitization ofpreviousResponseURL
, null otherwise.referrer serializedReferrer
type " navigation-to-response
"- Queue
body
as "coop
" forcoop
's reporting endpoint withcoopURL
.
To queue a violation report for browsing context group switch when navigating away from a COOP response given a cross-origin opener policy coop
, a string disposition
, a URL coopURL
, a URL nextResponseURL
, two origins coopOrigin
and nextResponseOrigin
, and a boolean isCOOPResponseNavigationSource
:
- If
coop
's reporting endpoint is null, return. - Let
coopValue
becoop
's value. - If
disposition
is "reporting
", then setcoopValue
tocoop
's report-only value. Let
body
be a new object containing the following properties:key value disposition disposition
effectivePolicy coopValue
nextResponseURL If coopOrigin
andnextResponseOrigin
are same origin orisCOOPResponseNavigationSource
is true, this is the sanitization ofpreviousResponseURL
, null otherwise.type " navigation-from-response
"- Queue
body
as "coop
" forcoop
's reporting endpoint withcoopURL
.
To queue violation reports for accesses, given an accessor-accessed relationship accessorAccessedRelationship
, two cross-origin opener policies accessorCOOP
and accessedCOOP
, four URLs accessorURL
, accessedURL
, accessorInitialURL
, accessedInitialURL
, four origins accessorOrigin
, accessedOrigin
, accessorCreatorOrigin
and accessedCreatorOrigin
, two referrers accessorReferrer
and accessedReferrer
, a string propertyName
, and an environment settings object environment
:
- If
coop
's reporting endpoint is null, return. - Let
coopValue
becoop
's value. - If
disposition
is "reporting
", then setcoopValue
tocoop
's report-only value. If
accessorAccessedRelationship
is accessor is opener:- Queue a violation report for access to an opened window, given
accessorCOOP
,accessorURL
,accessedURL
,accessedInitialURL
,accessorOrigin
,accessedOrigin
,accessedCreatorOrigin
,propertyName
, andenvironment
. - Queue a violation report for access from the opener, given
accessedCOOP
,accessedURL
,accessorURL
,accessedOrigin
,accessorOrigin
,propertyName
, andaccessedReferrer
.
- Queue a violation report for access to an opened window, given
Otherwise, if
accessorAccessedRelationship
is accessor is openee:- Queue a violation report for access to the opener, given
accessorCOOP
,accessorURL
,accessedURL
,accessorOrigin
,accessedOrigin
,propertyName
,accessorReferrer
, andenvironment
. - Queue a violation report for access from an opened window, given
accessedCOOP
,accessedURL
,accessorURL
,accessorInitialURL
,accessedOrigin
,accessorOrigin
,accessorCreatorOrigin
, andpropertyName
.
- Queue a violation report for access to the opener, given
Otherwise:
- Queue a violation report for access to another window, given
accessorCOOP
,accessorURL
,accessedURL
,accessorOrigin
,accessedOrigin
,propertyName
, andenvironment
- Queue a violation report for access from another window, given
accessedCOOP
,accessedURL
,accessorURL
,accessedOrigin
,accessorOrigin
, andpropertyName
.
- Queue a violation report for access to another window, given
To queue a violation report for access to the opener, given a cross-origin opener policy coop
, two URLs coopURL
and openerURL
, two origins coopOrigin
and openerOrigin
, a string propertyName
, a referrer referrer
, and an environment settings object environment
:
- Let
sourceFile
,lineNumber
andcolumnNumber
be the relevant script URL and problematic position which triggered this report. - Let
serializedReferrer
be an empty string. - If
referrer
is a URL, setserializedReferrer
to the serialization ofreferrer
. Let
body
be a new object containing the following properties:key value disposition " reporting
"effectivePolicy coop
's report-only valueproperty propertyName
openerURL If coopOrigin
andopenerOrigin
are same origin, this is the sanitization ofopenerURL
, null otherwise.referrer serializedReferrer
sourceFile sourceFile
lineNumber lineNumber
columnNumber columnNumber
type " access-to-opener
"- Queue
body
as "coop
" forcoop
's reporting endpoint withcoopURL
andenvironment
.
To queue a violation report for access to an opened window, given a cross-origin opener policy coop
, three URLs coopURL
, openedWindowURL
and initialWindowURL
, three origins coopOrigin
, openedWindowOrigin
, and openerInitialOrigin
, a string propertyName
, and an environment settings object environment
:
- Let
sourceFile
,lineNumber
andcolumnNumber
be the relevant script URL and problematic position which triggered this report. Let
body
be a new object containing the following properties:key value disposition " reporting
"effectivePolicy coop
's report-only valueproperty propertyName
openedWindowURL If coopOrigin
andopenedWindowOrigin
are same origin, this is the sanitization ofopenedWindowURL
, null otherwise.openedWindowInitialURL If coopOrigin
andopenerInitialOrigin
are same origin, this is the sanitization ofinitialWindowURL
, null otherwise.sourceFile sourceFile
lineNumber lineNumber
columnNumber columnNumber
type " access-to-opener
"- Queue
body
as "coop
" forcoop
's reporting endpoint withcoopURL
andenvironment
.
To queue a violation report for access to another window, given a cross-origin opener policy coop
, two URLs coopURL
and otherURL
, two origins coopOrigin
and otherOrigin
, a string propertyName
, and an environment settings object environment
:
- Let
sourceFile
,lineNumber
andcolumnNumber
be the relevant script URL and problematic position which triggered this report. Let
body
be a new object containing the following properties:key value disposition " reporting
"effectivePolicy coop
's report-only valueproperty propertyName
otherURL If coopOrigin
andotherOrigin
are same origin, this is the sanitization ofotherURL
, null otherwise.sourceFile sourceFile
lineNumber lineNumber
columnNumber columnNumber
type " access-to-opener
"- Queue
body
as "coop
" forcoop
's reporting endpoint withcoopURL
andenvironment
.
To queue a violation report for access from the opener, given a cross-origin opener policy coop
, two URLs coopURL
and openerURL
, two origins coopOrigin
and openerOrigin
, a string propertyName
, and a referrer referrer
:
- If
coop
's reporting endpoint is null, return. - Let
serializedReferrer
be an empty string. - If
referrer
is a URL, setserializedReferrer
to the serialization ofreferrer
. Let
body
be a new object containing the following properties:key value disposition " reporting
"effectivePolicy coop
's report-only valueproperty propertyName
openerURL If coopOrigin
andopenerOrigin
are same origin, this is the sanitization ofopenerURL
, null otherwise.referrer serializedReferrer
type " access-to-opener
"- Queue
body
as "coop
" forcoop
's reporting endpoint withcoopURL
.
To queue a violation report for access from an opened window, given a cross-origin opener policy coop
, three URLs coopURL
, openedWindowURL
and initialWindowURL
, three origins coopOrigin
, openedWindowOrigin
, and openerInitialOrigin
, and a string propertyName
:
- If
coop
's reporting endpoint is null, return. Let
body
be a new object containing the following properties:key value disposition " reporting
"effectivePolicy coopValue
property coop
's report-only valueopenedWindowURL If coopOrigin
andopenedWindowOrigin
are same origin, this is the sanitization ofopenedWindowURL
, null otherwise.openedWindowInitialURL If coopOrigin
andopenerInitialOrigin
are same origin, this is the sanitization ofinitialWindowURL
, null otherwise.type " access-to-opener
"- Queue
body
as "coop
" forcoop
's reporting endpoint withcoopURL
.
To queue a violation report for access from another window, given a cross-origin opener policy coop
, two URLs coopURL
and otherURL
, two origins coopOrigin
and otherOrigin
, and a string propertyName
:
- If
coop
's reporting endpoint is null, return. Let
body
be a new object containing the following properties:key value disposition " reporting
"effectivePolicy coop
's report-only valueproperty propertyName
otherURL If coopOrigin
andotherOrigin
are same origin, this is the sanitization ofotherURL
, null otherwise.type access-to-opener
- Queue
body
as "coop
" forcoop
's reporting endpoint withcoopURL
.
7.8 Cross-origin embedder policies
✔MDN
An embedder policy value is one of three strings that controls the fetching of cross-origin resources without explicit permission from resource owners.
"
unsafe-none
"This is the default value. When this value is used, cross-origin resources can be fetched without giving explicit permission through the CORS protocol or the
Cross-Origin-Resource-Policy
header."
require-corp
"When this value is used, fetching cross-origin resources requires the server's explicit permission through the CORS protocol or the
Cross-Origin-Resource-Policy
header."
credentialless
"When this value is used, fetching cross-origin no-CORS resources omits credentials. In exchange, an explicit
Cross-Origin-Resource-Policy
header is not required. Other requests sent with credentials require the server's explicit permission through the CORS protocol or theCross-Origin-Resource-Policy
header.
Before supporting "credentialless
", implementers are strongly encouraged to support both:
Otherwise, it would allow attackers to leverage the client's network position to read non public resources, using the cross-origin isolated capability.
An embedder policy value is compatible with cross-origin isolation if it is "credentialless
" or "require-corp
".
An embedder policy consists of:
- A value, which is an embedder policy value, initially "
unsafe-none
". - A reporting endpoint string, initially the empty string.
- A report only value, which is an embedder policy value, initially "
unsafe-none
". - A report only reporting endpoint string, initially the empty string.
The "coep
" report type is a report type whose value is "coep
". It is visible to ReportingObserver
s.
7.8.1 The headers
The Cross-Origin-Embedder-Policy`\` and \
Cross-Origin-Embedder-Policy-Report-Only HTTP response headers allow a server to declare an embedder policy for an environment settings object. These headers are structured headers whose values must be token. [[STRUCTURED-FIELDS]](https://html.spec.whatwg.org/multipage/references.html#refsSTRUCTURED-FIELDS)
The valid token values are the embedder policy values. The token may also have attached parameters; of these, the "report-to
" parameter can have a valid URL string identifying an appropriate reporting endpoint. [[REPORTING]](https://html.spec.whatwg.org/multipage/references.html#refsREPORTING)
The processing model fails open (by defaulting to "unsafe-none
") in the presence of a header that cannot be parsed as a token. This includes inadvertent lists created by combining multiple instances of the Cross-Origin-Embedder-Policy
header present in a given response:
Cross-Origin-Embedder-Policy | Final embedder policy value |
---|---|
No header delivered | "unsafe-none " |
require-corp | "require-corp " |
unknown-value | "unsafe-none " |
require-corp, unknown-value | "unsafe-none " |
unknown-value, unknown-value | "unsafe-none " |
unknown-value, require-corp | "unsafe-none " |
require-corp, require-corp | "unsafe-none " |
(The same applies to Cross-Origin-Embedder-Policy-Report-Only
.)
To obtain an embedder policy from a response response
and an environment environment
:
- Let
policy
be a new embedder policy. - If
environment
is a non-secure context, then returnpolicy
. - Let
parsedItem
be the result of getting a structured field value withCross-Origin-Embedder-Policy
and "item
" fromresponse
's header list. If
parsedItem
is non-null andparsedItem
[0] is compatible with cross-origin isolation:- Set
parsedItem
to the result of getting a structured field value withCross-Origin-Embedder-Policy-Report-Only
and "item
" fromresponse
's header list. If
parsedItem
is non-null andparsedItem
[0] is compatible with cross-origin isolation:- Return
policy
.
7.8.2 Embedder policy checks
To check a navigation response's adherence to its embedder policy given a response response
, a browsing context target
, and an embedder policy responsePolicy
:
- If
target
is not a child browsing context, then return true. - Let
parentPolicy
betarget
's container document's policy container's embedder policy. - If
parentPolicy
's report-only value is compatible with cross-origin isolation andresponsePolicy
's value is not, then queue a cross-origin embedder policy inheritance violation withresponse
, "navigation
",parentPolicy
's report only reporting endpoint, "reporting
", andtarget
's container document's relevant settings object. - If
parentPolicy
's value is not compatible with cross-origin isolation orresponsePolicy
's value is compatible with cross-origin isolation, then return true. - Queue a cross-origin embedder policy inheritance violation with
response
, "navigation
",parentPolicy
's reporting endpoint, "enforce
", andtarget
's container document's relevant settings object. - Return false.
To check a global object's embedder policy given a WorkerGlobalScope
workerGlobalScope
, an environment settings object owner
, and a response response
:
- If
workerGlobalScope
is not aDedicatedWorkerGlobalScope
object, then return true. - Let
policy
beworkerGlobalScope
's embedder policy. - Let
ownerPolicy
beowner
's policy container's embedder policy. - If
ownerPolicy
's report-only value is compatible with cross-origin isolation andpolicy
's value is not, then queue a cross-origin embedder policy inheritance violation withresponse
, "worker initialization
",owner's policy
's report only reporting endpoint, "reporting
", andowner
. - If
ownerPolicy
's value is not compatible with cross-origin isolation orpolicy
's value is compatible with cross-origin isolation, then return true. - Queue a cross-origin embedder policy inheritance violation with
response
, "worker initialization
",owner's policy
's reporting endpoint, "enforce
", andowner
. - Return false.
To queue a cross-origin embedder policy inheritance violation given a response response
, a string type
, a string endpoint
, a string disposition
, and an environment settings object settings
:
- Let
serialized
be the result of serializing a response URL for reporting withresponse
. Let
body
be a new object containing the following properties:key value type type
blockedURL serialized
disposition disposition
- Queue
body
as the "coep
" report type forendpoint
onsettings
.
7.9 Policy containers
A policy container is a struct containing policies that apply to a Document
, a WorkerGlobalScope
, or a WorkletGlobalScope
. It has the following items:
- A CSP list, which is a CSP list. It is initially empty.
- An embedder policy, which is an embedder policy. It is initially a new embedder policy.
- A referrer policy, which is a referrer policy. It is initially the default referrer policy.
Move other policies into the policy container.
To clone a policy container given a policy container policyContainer
:
- Let
clone
be a new policy container. - For each
policy
inpolicyContainer
's CSP list, append a copy ofpolicy
intoclone
's CSP list. - Set
clone
's embedder policy to a copy ofpolicyContainer
's embedder policy. - Set
clone
's referrer policy topolicyContainer
's referrer policy. - Return
clone
.
To determine whether a URL url
requires storing the policy container in history:
To create a policy container from a fetch response given a response response
and an environment-or-null environment
:
- If
response
's URL's scheme is "blob
", then return a clone ofresponse
's URL's blob URL entry's environment's policy container. - Let
result
be a new policy container. - Set
result
's CSP list to the result of parsing a response's Content Security Policies givenresponse
. - If
environment
is non-null, then setresult
's embedder policy to the result of obtaining an embedder policy givenresponse
andenvironment
. Otherwise, set it to "unsafe-none
". - Set
result
's referrer policy to the result of parsing theReferrer-Policy
header givenresponse
. [[REFERRERPOLICY]](https://html.spec.whatwg.org/multipage/references.html#refsREFERRERPOLICY) - Return
result
.
To determine navigation params policy container given a URL responseURL
and four policy container-or-nulls historyPolicyContainer
, initiatorPolicyContainer
, parentPolicyContainer
, and responsePolicyContainer
:
If
historyPolicyContainer
is not null, then:- Assert:
responseURL
requires storing the policy container in history. - Return a clone of
historyPolicyContainer
.
- Assert:
If
responseURL
isabout:srcdoc
, then:- Assert:
parentPolicyContainer
is not null. - Return a clone of
parentPolicyContainer
.
- Assert:
- If
responseURL
is local andinitiatorPolicyContainer
is not null, then return a clone ofinitiatorPolicyContainer
. - If
responsePolicyContainer
is not null, then returnresponsePolicyContainer
. - Return a new policy container.
To initialize a worker global scope's policy container given a WorkerGlobalScope
workerGlobalScope
, a response response
, and an environment environment
:
If
workerGlobalScope
's url is local but its scheme is not "blob
":- Assert:
workerGlobalScope
's owner set's size is 1. - Set
workerGlobalScope
's policy container to a clone ofworkerGlobalScope
's owner set[0]'s relevant settings object's policy container.
- Assert:
- Otherwise, set
workerGlobalScope
's policy container to the result of creating a policy container from a fetch response givenresponse
andenvironment
.