bank.example.com, tries to examine the DOM of Example Charity's web site, hosted at charity.example.org, a "SecurityError" DOMException will be raised.
null" per serialization of an origin), for which the only meaningful operation is testing for equality.
A tuple origin
A tuple consisting of:
- A scheme (an ASCII string).
- A host (a host).
- A port (null or a 16-bit unsigned integer).
- A domain (null or a domain). Null unless stated otherwise.
Origins can be shared, e.g., among multiple
Document objects. Furthermore, origins are generally
immutable. Only the domain of a tuple origin can be changed, and only through the document.domain API.
The effective domain of an origin origin is computed as follows:
1. If origin is an opaque origin, then return null.
2. If origin's domain is non-null, then return origin's domain.
3. Return origin's host.
The serialization of an origin is the string obtained by applying the following algorithm to the given origin origin:
1. If origin is an opaque origin, then return "null".
2. Otherwise, let result be origin's scheme.
3. Append "://" to result.
4. Append origin's host, serialized, to result.
5. If origin's port is non-null, append a U+003A COLON character (:), and origin's port, serialized, to result.
6. Return result.
The serialization of ("https", "xn--maraa-rta.example", null, null) is "https://xn--maraa-rta.example".
There used to also be a
Unicode serialization of an origin. However, it was never widely adopted.
| A | B | same origin | same origin-domain |
|---|---|---|---|
| ("https", "example.org", null, null) | ("https", "example.org", null, null) | ✅ | ✅ |
| ("https", "example.org", 314, null) | ("https", "example.org", 420, null) | ❌ | ❌ |
| ("https", "example.org", 314, "example.org") | ("https", "example.org", 420, "example.org") | ❌ | ✅ |
| ("https", "example.org", null, null) | ("https", "example.org", null, "example.org") | ✅ | ❌ |
| ("https", "example.org", null, "example.org") | ("http", "example.org", null, "example.org") | ❌ | ❌ |
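The origin model, the serialization and effective-domain algorithms, and the same origin / same origin-domain comparisons above, as an added JavaScript example that is not part of the HTML Standard. Tuple origins are plain objects, opaque origins are distinct objects compared by identity, and the names tupleOrigin, opaqueOrigin, effectiveDomain, serializeOrigin, sameOrigin, sameOriginDomain and checkSameOriginTable are chosen here.

```javascript
// Added example (not the HTML Standard's own code): tuple origins as plain objects,
// opaque origins as distinct objects compared by identity.
function tupleOrigin(scheme, host, port = null, domain = null) {
  return { scheme, host, port, domain };
}

function opaqueOrigin() {
  return { opaque: true };
}

// "effective domain": the domain if one was set (only document.domain can do that), else the host; null for opaque origins.
function effectiveDomain(origin) {
  if (origin.opaque) return null;
  return origin.domain !== null ? origin.domain : origin.host;
}

// "serialization of an origin": scheme "://" host [":" port]; "null" for opaque origins.
// The host is assumed to be stored already serialized (ASCII, IPv6 in brackets).
function serializeOrigin(origin) {
  if (origin.opaque) return "null";
  let result = origin.scheme + "://" + origin.host;
  if (origin.port !== null) result += ":" + origin.port;
  return result;
}

// "same origin": the same opaque origin, or identical scheme, host and port. The domain plays no part.
function sameOrigin(A, B) {
  if (A.opaque || B.opaque) return A === B;
  return A.scheme === B.scheme && A.host === B.host && A.port === B.port;
}

// "same origin-domain": identical scheme and identical non-null domains, or same origin with both domains null.
// This is why the document.domain warning matters: once both sides have set a domain, the port drops out.
function sameOriginDomain(A, B) {
  if (A.opaque || B.opaque) return A === B;
  if (A.scheme === B.scheme && A.domain !== null && A.domain === B.domain) return true;
  return A.domain === null && B.domain === null && sameOrigin(A, B);
}

// Re-runs the table above: each row is [A, B, expected same origin, expected same origin-domain].
function checkSameOriginTable() {
  const o = tupleOrigin;
  const rows = [
    [o("https", "example.org"), o("https", "example.org"), true, true],
    [o("https", "example.org", 314), o("https", "example.org", 420), false, false],
    [o("https", "example.org", 314, "example.org"), o("https", "example.org", 420, "example.org"), false, true],
    [o("https", "example.org"), o("https", "example.org", null, "example.org"), true, false],
    [o("https", "example.org", null, "example.org"), o("http", "example.org", null, "example.org"), false, false],
  ];
  return rows.every(([A, B, so, sod]) => sameOrigin(A, B) === so && sameOriginDomain(A, B) === sod);
}
```

The third table row is the shared-hosting case: two documents on different ports of the same host become same origin-domain as soon as both set document.domain, while they never become same origin.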
null".
- Let result be site[0].
- Append "://" to result.
- Append site[1], serialized, to result.
- Return result.
It needs to be clear from context that the serialized value is a site, not an
origin, as there is not necessarily a syntactic difference between the two. For example, the
origin ("https", "shop.example", null, null) and
the site ("https", "shop.example") have the same
serialization: "https://shop.example".
Two origins, A and B, are said to be schemelessly same site if the following algorithm returns true:
1. If A and B are the same opaque origin, then return true.
2. If A and B are both tuple origins, then:
   1. Let hostA be A's host, and let hostB be B's host.
   2. If hostA equals hostB and hostA's registrable domain is null, then return true.
   3. If hostA's registrable domain equals hostB's registrable domain and is non-null, then return true.
3. Return false.
Two origins, A and B, are said to be same site if the following algorithm returns true:
1. Let siteA be the result of obtaining a site given A.
2. Let siteB be the result of obtaining a site given B.
3. If siteA is same site with siteB, then return true.
4. Return false.
Unlike the same origin and same origin-domain concepts,
for schemelessly same site and same site, the port and domain
components are ignored.
For the reasons explained in URL, the
same site and schemelessly same site concepts should be avoided when
possible, in favor of same origin checks.
Given that wildlife.museum, museum, and com are public suffixes and that example.com is not:
| A | B | schemelessly same site | same site |
|---|---|---|---|
| ("https", "example.com") | ("https", "sub.example.com") | ✅ | ✅ |
| ("https", "example.com") | ("https", "sub.other.example.com") | ✅ | ✅ |
| ("https", "example.com") | ("http", "non-secure.example.com") | ✅ | ❌ |
| ("https", "r.wildlife.museum") | ("https", "sub.r.wildlife.museum") | ✅ | ✅ |
| ("https", "r.wildlife.museum") | ("https", "sub.other.r.wildlife.museum") | ✅ | ✅ |
| ("https", "r.wildlife.museum") | ("https", "other.wildlife.museum") | ❌ | ❌ |
| ("https", "r.wildlife.museum") | ("https", "wildlife.museum") | ❌ | ❌ |
| ("https", "wildlife.museum") | ("https", "wildlife.museum") | ✅ | ✅ |
| ("https", "example.com") | ("https", "example.com.") | ❌ | ❌ |
document.domain [ = domain ]
Returns the current domain used for security checks.
Can be set to a value that removes subdomains, to change the origin's domain to allow pages on other subdomains of the same domain (if they do the same thing) to access each other. This enables pages on different hosts of a domain to synchronously access each other's DOMs.
In sandboxed iframes, Documents with opaque origins, and Documents without a browsing context, the setter will throw a "SecurityError" exception. In cases where crossOriginIsolated or originAgentCluster return true, the setter will do nothing.
Avoid using the document.domain setter. It
undermines the security protections provided by the same-origin policy. This is especially acute
when using shared hosting; for example, if an untrusted third party is able to host an HTTP
server at the same IP address but on a different port, then the same-origin protection that
normally protects two different sites on the same host will fail, as the ports are ignored when
comparing origins after the document.domain setter has
been used.
Because of these security pitfalls, this feature is in the process of being removed from the
web platform. (This is a long process that takes many years.)
Instead, use postMessage() or MessageChannel objects to communicate across origins in a safe manner.
The domain getter steps are:
1. Let effectiveDomain be this's origin's effective domain.
2. If effectiveDomain is null, then return the empty string.
3. Return effectiveDomain, serialized.
The domain setter steps are:
1. If this's browsing context is null, then throw a "SecurityError" DOMException.
2. If this's active sandboxing flag set has its sandboxed document.domain browsing context flag set, then throw a "SecurityError" DOMException.
3. Let effectiveDomain be this's origin's effective domain.
4. If effectiveDomain is null, then throw a "SecurityError" DOMException.
5. If the given value is not a registrable domain suffix of and is not equal to effectiveDomain, then throw a "SecurityError" DOMException.
6. If the surrounding agent's agent cluster's is origin-keyed is true, then return.
7. Set this's origin's domain to the result of parsing the given value.
To determine if a scalar value string hostSuffixString is a registrable domain suffix of or is equal to a host originalHost:
1. If hostSuffixString is the empty string, then return false.
2. Let hostSuffix be the result of parsing hostSuffixString.
3. If hostSuffix is failure, then return false.
4. If hostSuffix does not equal originalHost, then:
   1. If hostSuffix or originalHost is not a domain, then return false.
      This excludes hosts that are IP addresses.
   2. If hostSuffix, prefixed by U+002E (.), does not match the end of originalHost, then return false.
   3. If any of the following are true:
      - hostSuffix equals hostSuffix's public suffix; or
      - hostSuffix, prefixed by U+002E (.), matches the end of originalHost's public suffix,
      then return false. [URL]
   4. Assert: originalHost's public suffix, prefixed by U+002E (.), matches the end of hostSuffix.
5. Return true.
| hostSuffixString | originalHost | Outcome of is a registrable domain suffix of or is equal to | Notes |
|---|---|---|---|
| "0.0.0.0" | 0.0.0.0 | ✅ | |
| "0x10203" | 0.1.2.3 | ✅ | |
| "[0::1]" | ::1 | ✅ | |
| "example.com" | example.com | ✅ | |
| "example.com" | example.com. | ❌ | Trailing dot is significant. |
| "example.com." | example.com | ❌ | |
| "example.com" | www.example.com | ✅ | |
| "com" | example.com | ❌ | At the time of writing, com is a public suffix. |
| "example" | example | ✅ | |
| "compute.amazonaws.com" | example.compute.amazonaws.com | ❌ | At the time of writing, *.compute.amazonaws.com is a public suffix. |
| "example.compute.amazonaws.com" | www.example.compute.amazonaws.com | ❌ | |
| "amazonaws.com" | www.example.compute.amazonaws.com | ❌ | |
| "amazonaws.com" | test.amazonaws.com | ✅ | At the time of writing, amazonaws.com is a registrable domain. |
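An added JavaScript implementation, not the HTML Standard's own code, serving two passages: the schemelessly same site / same site algorithms with their table, and the registrable domain suffix check behind the document.domain setter with the table just above. Both need a public suffix list, so they share one block. PUBLIC_SUFFIX_RULES is a constructed miniature of the Public Suffix List holding only the rules these tables rely on; isDomain, publicSuffix, registrableDomain, schemelesslySameSite, sameSite, parseHost and isRegistrableDomainSuffixOrEqual are names chosen here; and the URL Standard's host parser is approximated with the hostname produced by new URL().

```javascript
// Added example (not the HTML Standard's own code). PUBLIC_SUFFIX_RULES is a constructed stand-in for the
// Public Suffix List, holding just the rules the two tables above rely on ("*" is a wildcard label).
const PUBLIC_SUFFIX_RULES = ["com", "org", "museum", "wildlife.museum", "*.compute.amazonaws.com"];

// A host is a "domain" when it is neither an IPv4 nor an IPv6 address (IPv6 is serialized in brackets).
function isDomain(host) {
  return !host.startsWith("[") && !/^(\d{1,3}\.){3}\d{1,3}$/.test(host);
}

// Public suffix: the longest matching rule, defaulting to the last label; a trailing dot is kept, as in the URL Standard.
function publicSuffix(host) {
  if (!isDomain(host)) return null;
  const trailingDot = host.endsWith(".") ? "." : "";
  const labels = (trailingDot ? host.slice(0, -1) : host).split(".");
  let best = 1;
  for (const rule of PUBLIC_SUFFIX_RULES) {
    const r = rule.split(".");
    if (r.length > labels.length) continue;
    const tail = labels.slice(-r.length);
    if (r.every((l, i) => l === "*" || l === tail[i])) best = Math.max(best, r.length);
  }
  return labels.slice(-best).join(".") + trailingDot;
}

// Registrable domain: the public suffix plus one label; null when the host is not a domain or is itself a public suffix.
function registrableDomain(host) {
  const suffix = publicSuffix(host);
  if (suffix === null || suffix === host) return null;
  const trailingDot = host.endsWith(".") ? "." : "";
  const labels = (trailingDot ? host.slice(0, -1) : host).split(".");
  const n = suffix.replace(/\.$/, "").split(".").length + 1;
  return labels.slice(-n).join(".") + trailingDot;
}

// "schemelessly same site" / "same site" for tuple origins {scheme, host}; opaque origins compare by identity.
function schemelesslySameSite(A, B) {
  if (A.opaque || B.opaque) return A === B;
  if (A.host === B.host && registrableDomain(A.host) === null) return true;
  const rd = registrableDomain(A.host);
  return rd !== null && rd === registrableDomain(B.host);
}

function sameSite(A, B) {
  if (A.opaque || B.opaque) return A === B;
  return A.scheme === B.scheme && schemelesslySameSite(A, B);
}

// Host-parser stand-in: new URL() canonicalizes "0x10203" to 0.1.2.3 and "[0::1]" to [::1]; null on failure.
function parseHost(hostString) {
  try {
    return new URL("http://" + hostString + "/").hostname;
  } catch {
    return null;
  }
}

// "is a registrable domain suffix of or is equal to": originalHost is given already serialized (IPv6 in brackets).
function isRegistrableDomainSuffixOrEqual(hostSuffixString, originalHost) {
  if (hostSuffixString === "") return false;
  const hostSuffix = parseHost(hostSuffixString);
  if (hostSuffix === null) return false;
  if (hostSuffix !== originalHost) {
    if (!isDomain(hostSuffix) || !isDomain(originalHost)) return false; // IP addresses can only be equal, never a suffix
    if (!originalHost.endsWith("." + hostSuffix)) return false;         // trailing dot makes this fail both ways
    if (hostSuffix === publicSuffix(hostSuffix)) return false;          // e.g. "com": would share with everyone under it
    if (publicSuffix(originalHost).endsWith("." + hostSuffix)) return false; // suffix lies inside a public suffix
  }
  return true;
}
```

The two public-suffix rejections are the ones that matter for document.domain: without them a page could relax its origin to a suffix shared with unrelated registrants.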
Origin interface
The Origin interface represents an origin, allowing robust same origin and same site comparisons.

```webidl
[Exposed=*]
interface Origin {
  constructor();
  static Origin from(any value);
  readonly attribute boolean opaque;
  boolean isSameOrigin(Origin other);
  boolean isSameSite(Origin other);
};
```
Origin objects have an associated origin, which holds an origin.
Platform objects have an extract an origin operation, which returns null unless otherwise specified.
Objects implementing the Origin interface's extract an origin steps are to return this's origin.
The new Origin() constructor steps are to set this's origin to a unique opaque origin.
The static from(value) method steps are:
1. If value is a platform object:
   1. Let origin be the result of executing value's extract an origin operation.
   2. If origin is not null, then return a new Origin object whose origin is origin.
2. If value is a string:
   1. Let parsedURL be the result of basic URL parsing value.
   2. If parsedURL is not failure, then return a new Origin object whose origin is set to parsedURL's origin.
3. Throw a TypeError.
The opaque getter steps are to return true if this's origin is an opaque origin; otherwise false.
The isSameOrigin(other) method steps are to return true if this's origin is same origin with other's origin; otherwise false.
The isSameSite(other) method steps are to return true if this's origin is same site with other's origin; otherwise false.
window.originAgentCluster
Returns true if this Window belongs to an agent cluster which is
origin-keyed, in the manner described in
this section.
ADocument delivered over a secure context can request that it be
placed in an origin-keyed agent
cluster, by using the `Origin-Agent-Cluster` HTTP
response header. This header is a structured header
whose value must be a boolean.
[STRUCTURED-FIELDS]
Per the processing model in the create
and initialize a new Document object, values
that are not the structured header boolean
true value (i.e., `?1`) will be ignored.
The consequences of using this header are that the resulting
Document's agent cluster key is its origin, instead of the corresponding site. In terms of observable effects, this means that
attempting to relax the same-origin
restriction using document.domain will instead do
nothing, and it will not be possible to send WebAssembly.Module objects to
cross-origin Documents (even if they are same site). Behind the scenes,
this isolation can allow user agents to allocate implementation-specific resources corresponding
to agent clusters, such as processes or threads, more
efficiently.
Note that within a browsing context group, the
`Origin-Agent-Cluster` header can never cause same-origin Document
objects to end up in different agent clusters, even if one
sends the header and the other doesn't. This is prevented by means of the
historical agent cluster key map.
This means that the originAgentCluster getter can return false, even if the
header is set, if the header was omitted on a previously-loaded same-origin page in the same
browsing context group. Similarly, it can return true even when the header is not
set.
The originAgentCluster getter steps are to return the
surrounding agent's agent cluster's is origin-keyed.
Documents with an opaque
origin can be considered unconditionally origin-keyed; for them the header has no effect,
and the originAgentCluster getter will always return
true.
Similarly, Documents whose agent cluster's cross-origin isolation mode is not "none" are automatically origin-keyed. The
`Origin-Agent-Cluster` header might be useful as an additional hint to
implementations about resource allocation, since the `Cross-Origin-Opener-Policy`
and `Cross-Origin-Embedder-Policy` headers used to achieve cross-origin isolation
are more about ensuring that everything in the same address space opts in to being there. But
adding it would have no additional observable effects on author code.
"unsafe-none"
This is the (current) default and means that the document will occupy the same
top-level browsing context as its predecessor, unless that document specified a
different opener policy.
"same-origin-allow-popups"
This forces the creation of a new top-level browsing context for the
document, unless its predecessor specified the same opener policy and they are
same origin.
"same-origin"
This behaves the same as "same-origin-allow-popups", with the addition that
any auxiliary browsing context created needs to contain same origin
documents that also have the same opener policy or it will appear closed to the
opener.
"same-origin-plus-COEP"
This behaves the same as "same-origin", with the
addition that it sets the (new) top-level browsing context's group's cross-origin isolation
mode to one of "logical" or "concrete".
"same-origin-plus-COEP" cannot
be directly set via the `Cross-Origin-Opener-Policy` header, but results from a
combination of setting both `Cross-Origin-Opener-Policy: same-origin` and a
`Cross-Origin-Embedder-Policy` header whose value is compatible with
cross-origin isolation together.
"noopener-allow-popups"
This forces the creation of a new top-level browsing context for the document,
regardless of its predecessor.
While including a noopener-allow-popups value severs the opener relationship between the document on which it is applied and its opener, it does not create a robust security boundary between those same-origin documents.
Other risks from same-origin applications include:
- Same-origin requests fetching the document's content — could be mitigated through Fetch Metadata filtering. [FETCHMETADATA]
- Same-origin framing - could be mitigated through X-Frame-Options or CSP frame-ancestors.
- JavaScript accessible cookies - can be mitigated by ensuring all cookies are httponly.
- localStorage access to sensitive data.
- Service worker installation.
- Cache API manipulation or access to sensitive data. [SW]
- postMessage or BroadcastChannel messaging that exposes sensitive information.
- Autofill which may not require user interaction for same-origin documents.
Developers using noopener-allow-popups need to make sure that their sensitive applications don't rely on client-side features accessible to other same-origin documents, e.g., localStorage and other client-side storage APIs, BroadcastChannel and related same-origin communication mechanisms. They also need to make sure that their server-side endpoints don't return sensitive data to non-navigation requests, whose response content is accessible to same-origin documents.
An opener policy consists of:
- A value, which is an opener policy value, initially "unsafe-none".
- A reporting endpoint, which is a string or null, initially null.
- A report-only value, which is an opener policy value, initially "unsafe-none".
- A report-only reporting endpoint, which is a string or null, initially null.
To match opener policy values, given an opener policy value documentCOOP, an origin documentOrigin, an opener policy value responseCOOP, and an origin responseOrigin:
1. If documentCOOP is "unsafe-none" and responseCOOP is "unsafe-none", then return true.
2. If documentCOOP is "unsafe-none" or responseCOOP is "unsafe-none", then return false.
3. If documentCOOP is responseCOOP and documentOrigin is same origin with responseOrigin, then return true.
4. Return false.
Document's cross-origin opener
policy is derived from the `Cross-Origin-Opener-Policy` and `Cross-Origin-Opener-Policy-Report-Only` HTTP response headers.
These headers are structured headers whose value must
be a token. [STRUCTURED-FIELDS]
The valid token values are the opener policy values. The token may also have
attached parameters; of these, the "report-to" parameter can have a valid URL
string identifying an appropriate reporting endpoint. [REPORTING]
Per the processing model described below, user agents will ignore this header if it contains an invalid value. Likewise, user
agents will ignore this header if the value cannot be parsed as a token.
`Cross-Origin-Opener-Policy` and "item" from response's header list.
- If parsedItem is not null, then:
  - If parsedItem[0] is "same-origin", then:
    - Let coep be the result of obtaining a cross-origin embedder policy from response and reservedEnvironment.
    - If coep's value is compatible with cross-origin isolation, then set policy's value to "same-origin-plus-COEP".
    - Otherwise, set policy's value to "same-origin".
  - If parsedItem[0] is "same-origin-allow-popups", then set policy's value to "same-origin-allow-popups".
  - If parsedItem[0] is "noopener-allow-popups", then set policy's value to "noopener-allow-popups".
  - If parsedItem[1]["report-to"] exists and it is a string, then set policy's reporting endpoint to parsedItem[1]["report-to"].
- Set parsedItem to the result of getting a structured field value given `Cross-Origin-Opener-Policy-Report-Only` and "item" from response's header list.
- If parsedItem is not null, then:
  - If parsedItem[0] is "same-origin", then:
    - Let coep be the result of obtaining a cross-origin embedder policy from response and reservedEnvironment.
    - If coep's value is compatible with cross-origin isolation or coep's report-only value is compatible with cross-origin isolation, then set policy's report-only value to "same-origin-plus-COEP".
      Report-only COOP also considers report-only COEP to assign the special "same-origin-plus-COEP" value. This allows developers more freedom in the order of deployment of COOP and COEP.
    - Otherwise, set policy's report-only value to "same-origin".
  - If parsedItem[0] is "same-origin-allow-popups", then set policy's report-only value to "same-origin-allow-popups".
  - If parsedItem[1]["report-to"] exists and it is a string, then set policy's report-only reporting endpoint to parsedItem[1]["report-to"].
- Return policy.
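The header processing above, as an added JavaScript example that is not the HTML Standard's own code. parseSfItem is a minimal structured-field item parser (a token plus parameters) that keeps sf-strings and sf-tokens distinguishable, since only a string `report-to` counts; obtainOpenerPolicy takes an object of lowercase header names and a COEP object `{value, reportOnlyValue}` in place of response and reservedEnvironment; and COEP_VALUES_COMPATIBLE_WITH_ISOLATION is this example's assumption about which embedder-policy values are compatible with cross-origin isolation, a set the page itself does not enumerate.

```javascript
// Added example (not the HTML Standard's own code). Structured-field "item" = sf-token *( ";" parameter ).
const ITEM_RE = /^[ \t]*([A-Za-z*][A-Za-z0-9!#$%&'*+\-.^_`|~:\/]*)(.*?)[ \t]*$/;
const PARAM_RE = /^;[ ]*([a-z*][a-z0-9_\-.*]*)(?:=("(?:[^"\\]|\\.)*"|[A-Za-z*][A-Za-z0-9!#$%&'*+\-.^_`|~:\/]*))?(.*)$/;

// Returns [token, params] like the spec's parsedItem, or null when the field value is not a valid item.
// Parameter values: sf-string -> JS string, sf-token -> { token }, bare key -> true.
function parseSfItem(headerValue) {
  if (headerValue === undefined || headerValue === null) return null;
  const item = ITEM_RE.exec(headerValue);
  if (item === null) return null;
  const params = {};
  let rest = item[2];
  while (rest.length > 0) {
    const p = PARAM_RE.exec(rest);
    if (p === null) return null; // e.g. a comma-separated list: the whole header is then ignored
    if (p[2] === undefined) params[p[1]] = true;
    else if (p[2].startsWith('"')) params[p[1]] = p[2].slice(1, -1).replace(/\\(.)/g, "$1");
    else params[p[1]] = { token: p[2] };
    rest = p[3];
  }
  return [item[1], params];
}

// Assumption: the embedder-policy values this example treats as compatible with cross-origin isolation.
const COEP_VALUES_COMPATIBLE_WITH_ISOLATION = new Set(["require-corp", "credentialless"]);

// Derives an opener policy from the two headers; headers is {lowercase-name: value}, coep is {value, reportOnlyValue}.
function obtainOpenerPolicy(headers, coep) {
  const policy = { value: "unsafe-none", reportingEndpoint: null, reportOnlyValue: "unsafe-none", reportOnlyReportingEndpoint: null };
  let parsedItem = parseSfItem(headers["cross-origin-opener-policy"]);
  if (parsedItem !== null) {
    const [token, params] = parsedItem;
    if (token === "same-origin") {
      policy.value = COEP_VALUES_COMPATIBLE_WITH_ISOLATION.has(coep.value) ? "same-origin-plus-COEP" : "same-origin";
    } else if (token === "same-origin-allow-popups" || token === "noopener-allow-popups") {
      policy.value = token;
    }
    // Unknown tokens (including "same-origin-plus-COEP" itself) leave the value at "unsafe-none".
    if (typeof params["report-to"] === "string") policy.reportingEndpoint = params["report-to"];
  }
  parsedItem = parseSfItem(headers["cross-origin-opener-policy-report-only"]);
  if (parsedItem !== null) {
    const [token, params] = parsedItem;
    if (token === "same-origin") {
      const compatible = COEP_VALUES_COMPATIBLE_WITH_ISOLATION.has(coep.value) ||
        COEP_VALUES_COMPATIBLE_WITH_ISOLATION.has(coep.reportOnlyValue);
      policy.reportOnlyValue = compatible ? "same-origin-plus-COEP" : "same-origin";
    } else if (token === "same-origin-allow-popups") {
      policy.reportOnlyValue = token; // the report-only steps above do not mention "noopener-allow-popups"
    }
    if (typeof params["report-to"] === "string") policy.reportOnlyReportingEndpoint = params["report-to"];
  }
  return policy;
}
```

Two consequences worth checking in a deployment: `Cross-Origin-Opener-Policy: same-origin, unsafe-none` is not an item and is ignored entirely, and `report-to=coop` (a token, not a quoted string) yields no reporting endpoint.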
noopener-allow-popups", then return true.
- If all of the following are true:
  - activeDocumentCOOPValue's value is "same-origin-allow-popups" or "noopener-allow-popups"; and
  - responseCOOPValue is "unsafe-none",
  then return false.
- If the result of matching activeDocumentCOOPValue, activeDocumentNavigationOrigin, responseCOOPValue, and responseOrigin is true, then return false.
- Return true.
To check if COOP values require a browsing context group switch, given a boolean isInitialAboutBlank, two origins responseOrigin and activeDocumentNavigationOrigin, and two opener policy values responseCOOPValue and activeDocumentCOOPValue:
1. If isInitialAboutBlank is true, then return the result of checking if popup COOP values require a browsing context group switch with responseOrigin, activeDocumentNavigationOrigin, responseCOOPValue, and activeDocumentCOOPValue.
   Here we are dealing with a non-popup navigation.
2. If the result of matching activeDocumentCOOPValue, activeDocumentNavigationOrigin, responseCOOPValue, and responseOrigin is true, then return false.
3. Return true.
To check if enforcing report-only COOP would require a browsing context group switch, given a boolean isInitialAboutBlank, two origins responseOrigin and activeDocumentNavigationOrigin, and two opener policies responseCOOP and activeDocumentCOOP:
1. If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlank, responseOrigin, activeDocumentNavigationOrigin, responseCOOP's report-only value, and activeDocumentCOOPReportOnly's report-only value is false, then return false.
   Matching report-only policies allows a website to specify the same report-only opener policy on all its pages and not receive violation reports for navigations between these pages.
2. If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlank, responseOrigin, activeDocumentNavigationOrigin, responseCOOP's value, and activeDocumentCOOPReportOnly's report-only value is true, then return true.
3. If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlank, responseOrigin, activeDocumentNavigationOrigin, responseCOOP's report-only value, and activeDocumentCOOPReportOnly's value is true, then return true.
4. Return false.
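The matching and switch-check algorithms above (the popup check, the general check, and the report-only check), as an added JavaScript example that is not the HTML Standard's own code. Origins are passed as their serializations, so "same origin" is string equality, and an opener policy is `{value, reportOnlyValue}`. The first step of the popup check is cut off on this page; the example assumes it tests the response's value, which matches the page's description of "noopener-allow-popups" as forcing a new group regardless of the predecessor. enforcementOutcome is a name chosen here that bundles the two checks the way the enforcement algorithm uses them.

```javascript
// Added example (not the HTML Standard's own code). Origins are serialized strings; policies are {value, reportOnlyValue}.
const UNSAFE_NONE = "unsafe-none";

function matchOpenerPolicyValues(documentCOOP, documentOrigin, responseCOOP, responseOrigin) {
  if (documentCOOP === UNSAFE_NONE && responseCOOP === UNSAFE_NONE) return true;
  if (documentCOOP === UNSAFE_NONE || responseCOOP === UNSAFE_NONE) return false;
  return documentCOOP === responseCOOP && documentOrigin === responseOrigin;
}

// Popup navigation (the opener's initial about:blank is being replaced).
// Assumption: the truncated first step tests the response's value.
function popupCOOPValuesRequireSwitch(responseOrigin, activeDocumentNavigationOrigin, responseCOOPValue, activeDocumentCOOPValue) {
  if (responseCOOPValue === "noopener-allow-popups") return true;
  // An opener that allows popups keeps an unsafe-none popup in its own group.
  if ((activeDocumentCOOPValue === "same-origin-allow-popups" || activeDocumentCOOPValue === "noopener-allow-popups") &&
      responseCOOPValue === UNSAFE_NONE) return false;
  if (matchOpenerPolicyValues(activeDocumentCOOPValue, activeDocumentNavigationOrigin, responseCOOPValue, responseOrigin)) return false;
  return true;
}

function coopValuesRequireSwitch(isInitialAboutBlank, responseOrigin, activeDocumentNavigationOrigin, responseCOOPValue, activeDocumentCOOPValue) {
  if (isInitialAboutBlank) {
    return popupCOOPValuesRequireSwitch(responseOrigin, activeDocumentNavigationOrigin, responseCOOPValue, activeDocumentCOOPValue);
  }
  // Non-popup navigation: any mismatch of value or origin forces a new browsing context group.
  return !matchOpenerPolicyValues(activeDocumentCOOPValue, activeDocumentNavigationOrigin, responseCOOPValue, responseOrigin);
}

function reportOnlyCOOPWouldRequireSwitch(isInitialAboutBlank, responseOrigin, activeDocumentNavigationOrigin, responseCOOP, activeDocumentCOOP) {
  const check = (r, a) => coopValuesRequireSwitch(isInitialAboutBlank, responseOrigin, activeDocumentNavigationOrigin, r, a);
  // Matching report-only values on both sides: one report-only policy across a site produces no noise.
  if (!check(responseCOOP.reportOnlyValue, activeDocumentCOOP.reportOnlyValue)) return false;
  if (check(responseCOOP.value, activeDocumentCOOP.reportOnlyValue)) return true;
  if (check(responseCOOP.reportOnlyValue, activeDocumentCOOP.value)) return true;
  return false;
}

// current = {origin, coop} of the document being navigated away from; response = {origin, coop} of the new response.
function enforcementOutcome(isInitialAboutBlank, current, response) {
  return {
    needsSwitch: coopValuesRequireSwitch(isInitialAboutBlank, response.origin, current.origin, response.coop.value, current.coop.value),
    wouldNeedSwitchReportOnly: reportOnlyCOOPWouldRequireSwitch(isInitialAboutBlank, response.origin, current.origin, response.coop, current.coop),
  };
}
```

A useful reading of the results: a page that deploys `Cross-Origin-Opener-Policy-Report-Only: same-origin` sees reports for the navigations that enforcing it would have severed, and none for navigations between its own same-origin pages.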
An opener policy enforcement result is a struct with the following items:
- A boolean needs a browsing context group switch, initially false.
- A boolean would need a browsing context group switch due to report-only, initially false.
- A URL url.
- An origin origin.
- An opener policy opener policy.
- A boolean current context is navigation source, initially false.
To enforce a response's opener policy, given a browsing context browsingContext, a URL responseURL, an origin responseOrigin, an opener policy responseCOOP, an opener policy enforcement result currentCOOPEnforcementResult, and a referrer referrer:
1. Let newCOOPEnforcementResult be a new opener policy enforcement result with
   - needs a browsing context group switch: currentCOOPEnforcementResult's needs a browsing context group switch
   - would need a browsing context group switch due to report-only: currentCOOPEnforcementResult's would need a browsing context group switch due to report-only
   - url: responseURL
   - origin: responseOrigin
   - opener policy: responseCOOP
   - current context is navigation source: true
2. Let isInitialAboutBlank be browsingContext's active document's is initial about:blank.
3. If isInitialAboutBlank is true and browsingContext's initial URL is null, set browsingContext's initial URL to responseURL.
4. If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlank, currentCOOPEnforcementResult's opener policy's value, currentCOOPEnforcementResult's origin, responseCOOP's value, and responseOrigin is true, then:
   1. Set newCOOPEnforcementResult's needs a browsing context group switch to true.
   2. If browsingContext's group's browsing context set's size is greater than 1, then:
      1. Queue a violation report for browsing context group switch when navigating to a COOP response with responseCOOP, "enforce", responseURL, currentCOOPEnforcementResult's url, currentCOOPEnforcementResult's origin, responseOrigin, and referrer.
      2. Queue a violation report for browsing context group switch when navigating away from a COOP response with currentCOOPEnforcementResult's opener policy, "enforce", currentCOOPEnforcementResult's url, responseURL, currentCOOPEnforcementResult's origin, responseOrigin, and currentCOOPEnforcementResult's current context is navigation source.
5. If the result of checking if enforcing report-only COOP would require a browsing context group switch given isInitialAboutBlank, responseOrigin, currentCOOPEnforcementResult's origin, responseCOOP, and currentCOOPEnforcementResult's opener policy, is true, then:
   1. Set newCOOPEnforcementResult's would need a browsing context group switch due to report-only to true.
   2. If browsingContext's group's browsing context set's size is greater than 1, then:
      1. Queue a violation report for browsing context group switch when navigating to a COOP response with responseCOOP, "reporting", responseURL, currentCOOPEnforcementResult's url, currentCOOPEnforcementResult's origin, responseOrigin, and referrer.
      2. Queue a violation report for browsing context group switch when navigating away from a COOP response with currentCOOPEnforcementResult's opener policy, "reporting", currentCOOPEnforcementResult's url, responseURL, currentCOOPEnforcementResult's origin, responseOrigin, and currentCOOPEnforcementResult's current context is navigation source.
6. Return newCOOPEnforcementResult.
To obtain a browsing context to use for a navigation response, given navigation params navigationParams:
1. Let browsingContext be navigationParams's navigable's active browsing context.
2. If browsingContext is not a top-level browsing context, then return browsingContext.
3. Let coopEnforcementResult be navigationParams's COOP enforcement result.
4. Let swapGroup be coopEnforcementResult's needs a browsing context group switch.
5. Let sourceOrigin be browsingContext's active document's origin.
6. Let destinationOrigin be navigationParams's origin.
7. If sourceOrigin is not same site with destinationOrigin:
   1. If either of sourceOrigin or destinationOrigin have a scheme that is not an HTTP(S) scheme and the user agent considers it necessary for sourceOrigin and destinationOrigin to be isolated from each other (for implementation-defined reasons), optionally set swapGroup to true.
      For example, if a user navigates from about:settings to https://example.com, the user agent could force a swap.
      Issue #10842 tracks settling on an interoperable behavior here, instead of letting this be optional.
   2. If navigationParams's user involvement is "browser UI", optionally set swapGroup to true.
      Issue #6356 tracks settling on an interoperable behavior here, instead of letting this be optional.
8. If browsingContext's group's browsing context set's size is 1, optionally set swapGroup to true.
   Some implementations swap browsing context groups here for performance reasons.
   The check for other contexts that could script this one is not sufficient to prevent differences in behavior that could affect a web page. Even if there are currently no other contexts, the destination page could open a window, then if the user navigates back, the previous page could expect to be able to script the opened window. Doing a swap here would break that use case.
9. If swapGroup is false, then:
   1. If coopEnforcementResult's would need a browsing context group switch due to report-only is true, set browsingContext's virtual browsing context group ID to a new unique identifier.
   2. Return browsingContext.
10. Let newBrowsingContext be the first return value of creating a new top-level browsing context and document.
    In this case we are going to perform a browsing context group swap. browsingContext will not be used by the new Document that we are about to create. If it is not used by other Documents either (such as ones in the back/forward cache), then the user agent might destroy it at this point.
11. Let navigationCOOP be navigationParams's cross-origin opener policy.
12. If navigationCOOP's value is "same-origin-plus-COEP", then set newBrowsingContext's group's cross-origin isolation mode to either "logical" or "concrete". The choice of which is implementation-defined.
    It is difficult on some platforms to provide the security properties required by the cross-origin isolated capability. "concrete" grants access to it and "logical" does not.
13. Let sandboxFlags be a clone of navigationParams's final sandboxing flag set.
14. If sandboxFlags is not empty, then:
    1. Assert: navigationCOOP's value is "unsafe-none".
    2. Assert: newBrowsingContext's popup sandboxing flag set is empty.
    3. Set newBrowsingContext's popup sandboxing flag set to sandboxFlags.
15. Return newBrowsingContext.
reporting", then set coopValue to coop's report-only value.
- Let serializedReferrer be an empty string.
- If referrer is a URL, set serializedReferrer to the serialization of referrer.
- Let body be a new object containing the following properties:

| key | value |
|---|---|
| disposition | disposition |
| effectivePolicy | coopValue |
| previousResponseURL | If coopOrigin and previousResponseOrigin are same origin, this is the sanitization of previousResponseURL, null otherwise. |
| referrer | serializedReferrer |
| type | "navigation-to-response" |
coop" for coop's reporting endpoint with coopURL.
To queue a violation report for browsing context group switch when navigating away from a COOP response given an opener policy coop, a string disposition, a URL coopURL, a URL nextResponseURL, two origins coopOrigin and nextResponseOrigin, and a boolean isCOOPResponseNavigationSource:
1. If coop's reporting endpoint is null, return.
2. Let coopValue be coop's value.
3. If disposition is "reporting", then set coopValue to coop's report-only value.
4. Let body be a new object containing the following properties:

| key | value |
|---|---|
| disposition | disposition |
| effectivePolicy | coopValue |
| nextResponseURL | If coopOrigin and nextResponseOrigin are same origin or isCOOPResponseNavigationSource is true, this is the sanitization of nextResponseURL, null otherwise. |
| type | "navigation-from-response" |

coop" for coop's reporting endpoint with coopURL.
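The two navigation report bodies above, as an added JavaScript example that is not the HTML Standard's own code. The page refers to the "sanitization of" a URL without defining it here, so sanitizeUrlForReport is this example's assumption (credentials and fragment removed); origins are passed as serializations, so "same origin" is string equality; a referrer is a URL string or null; and the functions take their parameters as one named-argument object because the first algorithm's parameter list is not visible on the page.

```javascript
// Added example (not the HTML Standard's own code).
// Assumed sanitization: a report never carries credentials or a fragment from the URL it discloses.
function sanitizeUrlForReport(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// The policy value the report describes: the enforced value, or the report-only value for "reporting".
function effectivePolicy(coop, disposition) {
  return disposition === "reporting" ? coop.reportOnlyValue : coop.value;
}

// "navigation-to-response": the previous page's URL is disclosed only when it is same origin with the COOP page.
function navigationToResponseBody({ coop, disposition, coopOrigin, previousResponseURL, previousResponseOrigin, referrer }) {
  if (coop.reportingEndpoint === null) return null; // nothing is queued without a reporting endpoint
  return {
    disposition,
    effectivePolicy: effectivePolicy(coop, disposition),
    previousResponseURL: coopOrigin === previousResponseOrigin ? sanitizeUrlForReport(previousResponseURL) : null,
    referrer: referrer === null ? "" : referrer,
    type: "navigation-to-response",
  };
}

// "navigation-from-response": the next URL is disclosed when same origin, or when the COOP page itself
// initiated the navigation (it already knows where it sent the user, so nothing new leaks).
function navigationFromResponseBody({ coop, disposition, coopOrigin, nextResponseURL, nextResponseOrigin, isCOOPResponseNavigationSource }) {
  if (coop.reportingEndpoint === null) return null;
  return {
    disposition,
    effectivePolicy: effectivePolicy(coop, disposition),
    nextResponseURL: coopOrigin === nextResponseOrigin || isCOOPResponseNavigationSource
      ? sanitizeUrlForReport(nextResponseURL)
      : null,
    type: "navigation-from-response",
  };
}
```

The null cases are the privacy property to preserve when a site collects these reports: a COOP page's reporting endpoint learns cross-origin URLs only for navigations that page itself started.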
To queue violation reports for accesses, given an accessor-accessed relationship accessorAccessedRelationship, two opener policies accessorCOOP and accessedCOOP, four URLs accessorURL, accessedURL, accessorInitialURL, accessedInitialURL, four origins accessorOrigin, accessedOrigin, accessorCreatorOrigin and accessedCreatorOrigin, two referrers accessorReferrer and accessedReferrer, a string propertyName, and an environment settings object environment:
1. If coop's reporting endpoint is null, return.
2. Let coopValue be coop's value.
3. If disposition is "reporting", then set coopValue to coop's report-only value.
4. If accessorAccessedRelationship is accessor is opener:
   1. Queue a violation report for access to an opened window, given accessorCOOP, accessorURL, accessedURL, accessedInitialURL, accessorOrigin, accessedOrigin, accessedCreatorOrigin, propertyName, and environment.
   2. Queue a violation report for access from the opener, given accessedCOOP, accessedURL, accessorURL, accessedOrigin, accessorOrigin, propertyName, and accessedReferrer.
5. Otherwise, if accessorAccessedRelationship is accessor is openee:
   1. Queue a violation report for access to the opener, given accessorCOOP, accessorURL, accessedURL, accessorOrigin, accessedOrigin, propertyName, accessorReferrer, and environment.
   2. Queue a violation report for access from an opened window, given accessedCOOP, accessedURL, accessorURL, accessorInitialURL, accessedOrigin, accessorOrigin, accessorCreatorOrigin, and propertyName.
6. Otherwise:
   1. Queue a violation report for access to another window, given accessorCOOP, accessorURL, accessedURL, accessorOrigin, accessedOrigin, propertyName, and environment.
   2. Queue a violation report for access from another window, given accessedCOOP, accessedURL, accessorURL, accessedOrigin, accessorOrigin, and propertyName.
To queue a violation report for access to the opener, given an opener policy coop, two URLs coopURL and openerURL, two origins coopOrigin and openerOrigin, a string propertyName, a referrer referrer, and an environment settings object environment:
1. Let sourceFile, lineNumber, and columnNumber be the relevant script URL and problematic position which triggered this report.
2. Let serializedReferrer be an empty string.
3. If referrer is a URL, set serializedReferrer to the serialization of referrer.
4. Let body be a new object containing the following properties:

| key | value |
|---|---|
| disposition | "reporting" |
| effectivePolicy | coop's report-only value |
| property | propertyName |
| openerURL | If coopOrigin and openerOrigin are same origin, this is the sanitization of openerURL, null otherwise. |
| referrer | serializedReferrer |
| sourceFile | sourceFile |
| lineNumber | lineNumber |
| columnNumber | columnNumber |
| type | "access-to-opener" |

coop" for coop's reporting endpoint with coopURL and environment.
To queue a violation report for access to an opened window, given an opener policy coop, three URLs coopURL, openedWindowURL and initialWindowURL, three origins coopOrigin, openedWindowOrigin, and openerInitialOrigin, a string propertyName, and an environment settings object environment:
1. Let sourceFile, lineNumber, and columnNumber be the relevant script URL and problematic position which triggered this report.
2. Let body be a new object containing the following properties:

| key | value |
|---|---|
| disposition | "reporting" |
| effectivePolicy | coop's report-only value |
| property | propertyName |
| openedWindowURL | If coopOrigin and openedWindowOrigin are same origin, this is the sanitization of openedWindowURL, null otherwise. |
| openedWindowInitialURL | If coopOrigin and openerInitialOrigin are same origin, this is the sanitization of initialWindowURL, null otherwise. |
| sourceFile | sourceFile |
| lineNumber | lineNumber |
| columnNumber | columnNumber |
| type | "access-to-opener" |

coop" for coop's reporting endpoint with coopURL and environment.
To queue a violation report for access to another window, given an opener policy coop, two URLs coopURL and otherURL, two origins coopOrigin and otherOrigin, a string propertyName, and an environment settings object environment:
Let sourceFile, lineNumber, and columnNumber be the relevant script URL and problematic position which triggered this report.
Let body be a new object containing the following properties:
| key | value |
|---|---|
| disposition | "reporting" |
| effectivePolicy | coop's report-only value |
| property | propertyName |
| otherURL | If coopOrigin and otherOrigin are same origin, this is the sanitization of otherURL, null otherwise. |
| sourceFile | sourceFile |
| lineNumber | lineNumber |
| columnNumber | columnNumber |
| type | "access-to-opener" |
Queue body as the "coop" report type for coop's reporting endpoint with coopURL and environment.
To queue a violation report for access from the opener, given an opener policy coop, two URLs coopURL and openerURL, two origins coopOrigin and openerOrigin, a string propertyName, and a referrer referrer:
If coop's reporting endpoint is null, return.
Let serializedReferrer be an empty string.
If referrer is a URL, set serializedReferrer to the serialization of referrer.
Let body be a new object containing the following properties:
| key | value |
|---|---|
| disposition | "reporting" |
| effectivePolicy | coop's report-only value |
| property | propertyName |
| openerURL | If coopOrigin and openerOrigin are same origin, this is the sanitization of openerURL, null otherwise. |
| referrer | serializedReferrer |
| type | "access-to-opener" |
Queue body as the "coop" report type for coop's reporting endpoint with coopURL.
To queue a violation report for access from an opened window, given an opener policy coop, three URLs coopURL, openedWindowURL and initialWindowURL, three origins coopOrigin, openedWindowOrigin, and openerInitialOrigin, and a string propertyName:
If coop's reporting endpoint is null, return.
Let body be a new object containing the following properties:
| key | value |
|---|---|
| disposition | "reporting" |
| effectivePolicy | coop's report-only value |
| property | propertyName |
| openedWindowURL | If coopOrigin and openedWindowOrigin are same origin, this is the sanitization of openedWindowURL, null otherwise. |
| openedWindowInitialURL | If coopOrigin and openerInitialOrigin are same origin, this is the sanitization of initialWindowURL, null otherwise. |
| type | "access-to-opener" |
Queue body as the "coop" report type for coop's reporting endpoint with coopURL.
To queue a violation report for access from another window, given an opener policy coop, two URLs coopURL and otherURL, two origins coopOrigin and otherOrigin, and a string propertyName:
If coop's reporting endpoint is null, return.
Let body be a new object containing the following properties:
| key | value |
|---|---|
| disposition | "reporting" |
| effectivePolicy | coop's report-only value |
| property | propertyName |
| otherURL | If coopOrigin and otherOrigin are same origin, this is the sanitization of otherURL, null otherwise. |
| type | "access-to-opener" |
Queue body as the "coop" report type for coop's reporting endpoint with coopURL.
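The six report algorithms above differ only in which URLs and script positions they carry. The following JavaScript, added here and not part of the standard, builds the report-only "access from the opener" body and shows the same-origin gate on openerURL; the sanitization helper assumes the standard's usual meaning of stripping the URL's credentials and fragment.

```javascript
// Constructed example, not spec text: the report-only "access from the opener"
// report, with reports collected in an array instead of being queued to a
// reporting endpoint.
const queuedCoopReports = [];

// Assumed meaning of "sanitize a URL for reporting": drop username, password
// and fragment, then serialize.
function sanitizeUrlForReporting(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Tuple-origin comparison on scheme/host/port via the URL API's origin getter.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// coop: { reportOnlyValue, reportingEndpoint }; a null reportingEndpoint means
// the page set no report-to parameter, so nothing is queued.
// referrer: a URL string, or null for "no referrer".
function queueReportForAccessFromOpener(coop, coopURL, openerURL, propertyName, referrer) {
  if (coop.reportingEndpoint === null) return null;
  const serializedReferrer = referrer === null ? "" : new URL(referrer).href;
  const body = {
    disposition: "reporting",
    effectivePolicy: coop.reportOnlyValue,
    property: propertyName,
    // The opener's URL reaches the report only when it is same origin with the
    // COOP page; a cross-origin opener is reported as null, so the report
    // cannot be used to learn which cross-origin page opened this one.
    openerURL: sameOrigin(coopURL, openerURL) ? sanitizeUrlForReporting(openerURL) : null,
    referrer: serializedReferrer,
    type: "access-to-opener",
  };
  queuedCoopReports.push({ type: "coop", endpoint: coop.reportingEndpoint, url: coopURL, body });
  return body;
}
```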
"unsafe-none"
This is the default value. When this value is used, cross-origin resources can be fetched without giving explicit permission through the CORS protocol or the `Cross-Origin-Resource-Policy` header.
"require-corp"
When this value is used, fetching cross-origin resources requires the server's explicit permission through the CORS protocol or the `Cross-Origin-Resource-Policy` header.
"credentialless"
When this value is used, fetching cross-origin no-CORS resources omits credentials. In exchange, an explicit `Cross-Origin-Resource-Policy` header is not required. Other requests sent with credentials require the server's explicit permission through the CORS protocol or the `Cross-Origin-Resource-Policy` header.
Before supporting "credentialless", implementers are strongly encouraged to support both:
● Private Network Access
● Opaque Response Blocking
Otherwise, it would allow attackers to leverage the client's network position to read non-public resources, using the cross-origin isolated capability.
An embedder policy value is compatible with cross-origin isolation if it is "credentialless" or "require-corp".
An embedder policy consists of:
A value, which is an embedder policy value, initially "unsafe-none".
A reporting endpoint string, initially the empty string.
A report only value, which is an embedder policy value, initially "unsafe-none".
A report only reporting endpoint string, initially the empty string.
The "coep" report type is a report type whose value is "coep". It is visible to ReportingObservers.
The `Cross-Origin-Embedder-Policy` and `Cross-Origin-Embedder-Policy-Report-Only` HTTP response headers allow a server to declare an embedder policy for an environment settings object. These headers are structured headers whose values must be a token. [STRUCTURED-FIELDS]
The valid token values are the embedder policy values. The token may also have attached parameters; of these, the "report-to" parameter can have a valid URL string identifying an appropriate reporting endpoint. [REPORTING]
The processing model fails open (by defaulting to "unsafe-none") in the presence of a header that cannot be parsed as a token. This includes inadvertent lists created by combining multiple instances of the `Cross-Origin-Embedder-Policy` header present in a given response:
| `Cross-Origin-Embedder-Policy` | Final embedder policy value |
|---|---|
| No header delivered | "unsafe-none" |
| `require-corp` | "require-corp" |
| `unknown-value` | "unsafe-none" |
| `require-corp, unknown-value` | "unsafe-none" |
| `unknown-value, unknown-value` | "unsafe-none" |
| `unknown-value, require-corp` | "unsafe-none" |
| `require-corp, require-corp` | "unsafe-none" |
`Cross-Origin-Embedder-Policy-Report-Only`.)
Let parsedItem be the result of getting a structured field value with `Cross-Origin-Embedder-Policy` and "item" from response's header list.
If parsedItem is non-null and parsedItem[0] is compatible with cross-origin isolation:
Set policy's value to parsedItem[0].
If parsedItem[1]["report-to"] exists, then set policy's endpoint to parsedItem[1]["report-to"].
Set parsedItem to the result of getting a structured field value with `Cross-Origin-Embedder-Policy-Report-Only` and "item" from response's header list.
If parsedItem is non-null and parsedItem[0] is compatible with cross-origin isolation:
Set policy's report only value to parsedItem[0].
If parsedItem[1]["report-to"] exists, then set policy's endpoint to parsedItem[1]["report-to"].
Return policy.
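An added example (not the standard's text): obtaining an embedder policy from a response's header list by the steps above, reproducing the fail-open rows of the `Cross-Origin-Embedder-Policy` table. The structured-field parser is this example's own and covers only the item shape COEP uses; `getHeaderValue` joins repeated headers with ", " the way a header list's combined value does.

```javascript
// Constructed example, not spec text. A COEP header is a structured-field
// item: a token optionally followed by ;key=value parameters. Anything else,
// including the comma-joined list two COEP headers in one response produce,
// parses as null, and the policy fails open to "unsafe-none".
const COMPATIBLE_WITH_CROSS_ORIGIN_ISOLATION = new Set(["require-corp", "credentialless"]);

// RFC 8941 token: ALPHA or "*" first, then tchar / ":" / "/".
const ITEM_RE = /^[ \t]*([A-Za-z*][A-Za-z0-9:\/!#$%&'*+\-.^_`|~]*)(.*?)[ \t]*$/;
// One parameter: ";" key [ "=" (quoted string | token) ].
const PARAM_RE = /^;[ ]*([a-z*][a-z0-9_\-.*]*)(?:=("(?:[^"\\]|\\.)*"|[A-Za-z*][A-Za-z0-9:\/!#$%&'*+\-.^_`|~]*))?/;

// Returns [token, params] for a single item, or null when the value is absent
// or is not a single item.
function parseStructuredItem(value) {
  if (value === null) return null;
  const m = ITEM_RE.exec(value);
  if (m === null) return null;
  const params = {};
  let rest = m[2];
  while (rest.length > 0) {
    const p = PARAM_RE.exec(rest);
    if (p === null) return null; // a comma (a list) or other junk lands here
    let v = p[2] === undefined ? true : p[2];
    if (typeof v === "string" && v.startsWith('"')) {
      v = v.slice(1, -1).replace(/\\(.)/g, "$1"); // unescape the quoted string
    }
    params[p[1]] = v;
    rest = rest.slice(p[0].length);
  }
  return [m[1], params];
}

// headerList: array of [name, value] pairs; names compare ASCII case-insensitively.
function getHeaderValue(headerList, name) {
  const values = headerList.filter(([n]) => n.toLowerCase() === name).map(([, v]) => v);
  return values.length === 0 ? null : values.join(", ");
}

function obtainEmbedderPolicy(headerList) {
  const policy = { value: "unsafe-none", reportingEndpoint: "", reportOnlyValue: "unsafe-none", reportOnlyReportingEndpoint: "" };
  let parsedItem = parseStructuredItem(getHeaderValue(headerList, "cross-origin-embedder-policy"));
  if (parsedItem !== null && COMPATIBLE_WITH_CROSS_ORIGIN_ISOLATION.has(parsedItem[0])) {
    policy.value = parsedItem[0];
    if (typeof parsedItem[1]["report-to"] === "string") policy.reportingEndpoint = parsedItem[1]["report-to"];
  }
  parsedItem = parseStructuredItem(getHeaderValue(headerList, "cross-origin-embedder-policy-report-only"));
  if (parsedItem !== null && COMPATIBLE_WITH_CROSS_ORIGIN_ISOLATION.has(parsedItem[0])) {
    policy.reportOnlyValue = parsedItem[0];
    // The step above just says "endpoint"; this example stores the report-only
    // header's endpoint in the separate report only reporting endpoint field.
    if (typeof parsedItem[1]["report-to"] === "string") policy.reportOnlyReportingEndpoint = parsedItem[1]["report-to"];
  }
  return policy;
}
```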
navigation", parentPolicy's report only reporting endpoint,
"reporting", and navigable's container document's relevant settings
object.
If parentPolicy's value is not compatible with cross-origin isolation or responsePolicy's value is compatible with cross-origin isolation, then return true.
Queue a cross-origin embedder policy inheritance violation with
response, "navigation", parentPolicy's reporting endpoint,
"enforce", and navigable's
container document's relevant settings
object.
Return false.
To check a global object's embedder policy given a WorkerGlobalScope workerGlobalScope, an environment settings object owner, and a response response:
If workerGlobalScope is not a DedicatedWorkerGlobalScope object, then return true.
Let policy be workerGlobalScope's embedder policy.
Let ownerPolicy be owner's policy container's embedder policy.
If ownerPolicy's report-only value is compatible with cross-origin isolation and policy's value is not, then queue a cross-origin embedder policy inheritance violation with response, "worker initialization", ownerPolicy's report only reporting endpoint, "reporting", and owner.
If ownerPolicy's value is not compatible with cross-origin isolation or policy's value is compatible with cross-origin isolation, then return true.
Queue a cross-origin embedder policy inheritance violation with response, "worker initialization", ownerPolicy's reporting endpoint, "enforce", and owner.
Return false.
To queue a cross-origin embedder policy inheritance violation given a response response, a string type, a string endpoint, a string disposition, and an environment settings object settings:
Let serialized be the result of serializing a response URL for reporting with response.
Let body be a new object containing the following properties:
| key | value |
|---|---|
| type | type |
| blockedURL | serialized |
| disposition | disposition |
Queue body as the "coep" report type for endpoint on settings.
target attribute or
the window.open() method.
The sandboxed top-level navigation without user activation browsing
context flag
This flag prevents content from navigating their top-level
browsing context and prevents content from closing their
top-level browsing context. It is consulted only when the sandboxed browsing
context's active window does not have transient activation.
When the sandboxed top-level navigation without user activation browsing context flag is not set, content can navigate its top-level browsing context, but other browsing contexts are still protected by the sandboxed navigation browsing context flag and possibly the sandboxed auxiliary navigation browsing context flag.
The sandboxed top-level navigation with user activation browsing context
flag
This flag prevents content from navigating their top-level
browsing context and prevents content from closing their
top-level browsing context. It is consulted only when the sandboxed browsing
context's active window has transient activation.
As with the sandboxed top-level navigation without user activation browsing context
flag, this flag only affects the top-level browsing context; if it is not
set, other browsing contexts might still be protected by
other flags.
The sandboxed origin browsing context flag
This flag forces content into an opaque origin, thus preventing
it from accessing other content from the same origin.
This flag also prevents script from reading from or writing to the
document.cookie IDL attribute, and blocks access
to localStorage.
The sandboxed forms browsing context flag
This flag blocks form submission.
The sandboxed pointer lock browsing context flag
This flag disables the Pointer Lock API. [POINTERLOCK]
The sandboxed scripts browsing context flag
This flag blocks script execution.
The sandboxed automatic features browsing context flag
This flag blocks features that trigger automatically, such as automatically playing a video or automatically focusing a form control.
The sandboxed document.domain
browsing context flag
This flag prevents content from using the
document.domain setter.
The sandbox propagates to auxiliary browsing contexts flag
This flag prevents content from escaping the sandbox by ensuring that any
auxiliary browsing context it creates inherits the content's
active sandboxing flag set.
The sandboxed modals flag
This flag prevents content from using any of the following features to produce modal
dialogs:
● window.alert()
● window.confirm()
● window.print()
● window.prompt()
● the beforeunload event
The sandboxed orientation lock browsing context flag
This flag disables the ability to lock the screen orientation.
[SCREENORIENTATION]
The sandboxed presentation browsing context flag
This flag disables the Presentation API. [PRESENTATION]
The sandboxed downloads browsing context flag
This flag prevents content from initiating or instantiating downloads, whether through downloading hyperlinks or through navigation that gets handled as a download.
The sandboxed custom protocols navigation browsing context flag
This flag prevents navigations toward non-fetch schemes from being handed off to external software.
When the user agent is to parse a sandboxing directive, given a string
input and a sandboxing flag set output, it must run the following
steps:
Split input on ASCII
whitespace, to obtain tokens.
Let output be empty.
Add the following flags to output:
The sandboxed navigation browsing context flag.
The sandboxed auxiliary navigation browsing context flag, unless
tokens contains the allow-popups keyword.
The sandboxed top-level navigation without user activation browsing context
flag, unless tokens contains the allow-top-navigation
keyword.
The sandboxed top-level navigation with user activation browsing context flag,
unless tokens contains either the allow-top-navigation-by-user-activation
keyword or the allow-top-navigation keyword.
This means that if the allow-top-navigation keyword is present, the allow-top-navigation-by-user-activation keyword will have no effect. For this reason, specifying both is a document conformance error.
The sandboxed origin browsing context flag, unless tokens contains the allow-same-origin keyword.
The allow-same-origin keyword
is intended for two cases.
First, it can be used to allow content from the same site to be sandboxed to disable scripting, while still allowing access to the DOM of the sandboxed content.
Second, it can be used to embed content from a third-party site, sandboxed to prevent that site from opening popups, etc., without preventing the embedded page from communicating back to its originating site, using the database APIs to store data, etc.
The sandboxed forms browsing context flag, unless tokens
contains the allow-forms keyword.
The sandboxed pointer lock browsing context flag, unless tokens
contains the allow-pointer-lock
keyword.
The sandboxed scripts browsing context flag, unless tokens
contains the allow-scripts keyword.
The sandboxed automatic features browsing context flag, unless
tokens contains the allow-scripts keyword (defined above).
This flag is relaxed by the same keyword as scripts, because when scripts are
enabled these features are trivially possible anyway, and it would be unfortunate to force
authors to use script to do them when sandboxed rather than allowing them to use the
declarative features.
The sandboxed document.domain browsing
context flag.
The sandbox propagates to auxiliary browsing contexts flag, unless
tokens contains the allow-popups-to-escape-sandbox
keyword.
The sandboxed modals flag, unless tokens contains the allow-modals keyword.
The sandboxed orientation lock browsing context flag, unless
tokens contains the allow-orientation-lock
keyword.
The sandboxed presentation browsing context flag, unless tokens
contains the allow-presentation
keyword.
The sandboxed downloads browsing context flag, unless tokens
contains the allow-downloads keyword.
The sandboxed custom protocols navigation browsing context flag, unless
tokens contains either the allow-top-navigation-to-custom-protocols
keyword, the allow-popups keyword, or
the allow-top-navigation
keyword.
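The parse-a-sandboxing-directive steps above, as an added JavaScript example that is not the standard's text. The short flag names are identifiers chosen here; the ASCII case-insensitive keyword match is taken from the sandbox attribute's definition, and the second function checks the conformance note about the two top-navigation keywords.

```javascript
// Constructed example, not spec text: sandboxing directive -> sandboxing flag set.
const SANDBOX_FLAGS = [
  "navigation", "auxiliary-navigation",
  "top-level-navigation-without-user-activation", "top-level-navigation-with-user-activation",
  "origin", "forms", "pointer-lock", "scripts", "automatic-features", "document-domain",
  "propagates-to-auxiliary-browsing-contexts", "modals", "orientation-lock",
  "presentation", "downloads", "custom-protocols-navigation",
];

// Keywords that keep a flag out of the set. Flags with no entry here
// (navigation, document-domain) are always set, as in the algorithm.
const RELAXED_BY = {
  "auxiliary-navigation": ["allow-popups"],
  "top-level-navigation-without-user-activation": ["allow-top-navigation"],
  "top-level-navigation-with-user-activation": ["allow-top-navigation-by-user-activation", "allow-top-navigation"],
  "origin": ["allow-same-origin"],
  "forms": ["allow-forms"],
  "pointer-lock": ["allow-pointer-lock"],
  "scripts": ["allow-scripts"],
  "automatic-features": ["allow-scripts"], // relaxed by the same keyword as scripts
  "propagates-to-auxiliary-browsing-contexts": ["allow-popups-to-escape-sandbox"],
  "modals": ["allow-modals"],
  "orientation-lock": ["allow-orientation-lock"],
  "presentation": ["allow-presentation"],
  "downloads": ["allow-downloads"],
  "custom-protocols-navigation": ["allow-top-navigation-to-custom-protocols", "allow-popups", "allow-top-navigation"],
};

// Split on ASCII whitespace (tab, LF, FF, CR, space); keywords of the sandbox
// attribute are ASCII case-insensitive, so tokens are lower-cased.
function splitOnAsciiWhitespace(input) {
  return input.split(/[\t\n\f\r ]+/).filter((t) => t !== "").map((t) => t.toLowerCase());
}

function parseSandboxingDirective(input) {
  const tokens = new Set(splitOnAsciiWhitespace(input));
  const output = new Set();
  for (const flag of SANDBOX_FLAGS) {
    const keywords = RELAXED_BY[flag] || [];
    if (!keywords.some((k) => tokens.has(k))) output.add(flag);
  }
  return output;
}

// Document conformance check from the note above: with allow-top-navigation
// present, allow-top-navigation-by-user-activation has no effect.
function hasRedundantTopNavigationKeyword(input) {
  const tokens = new Set(splitOnAsciiWhitespace(input));
  return tokens.has("allow-top-navigation") && tokens.has("allow-top-navigation-by-user-activation");
}
```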
Every iframe element has an iframe sandboxing flag set, which is a sandboxing flag set. Which flags in an iframe sandboxing flag set are set at any particular time is determined by the iframe element's sandbox attribute.
Every Document has an active sandboxing flag set,
which is a sandboxing flag set. When the Document is created, its
active sandboxing flag set must be empty. It is populated by the navigation algorithm.
Every CSP list
cspList has CSP-derived sandboxing flags, which is a sandboxing flag
set. It is the return value of the following algorithm:
Let directives be an empty ordered set.
For each policy in cspList:
If policy's disposition is not "enforce", then continue.
If policy's directive set contains a directive whose name is "sandbox", then append that directive to directives.
If directives is empty, then return an empty sandboxing flag set.
Let directive be directives[directives's size − 1].
Return the result of parsing the sandboxing directive directive.
iframe sandboxing flag set.
If embedder is an element, then: the flags set on embedder's node document's active sandboxing flag set.
Document, a WorkerGlobalScope, or a WorkletGlobalScope.
It has the following items:
A CSP list, which is a CSP list. It is initially empty.
An embedder policy, which is an embedder policy. It is initially a new embedder policy.
A referrer policy, which is a referrer policy. It is initially the default referrer policy.
An integrity policy, which is an integrity policy, initially a new integrity policy.
A report only integrity policy, which is an integrity policy, initially a new integrity policy.
Move other policies into the policy container.
To clone a policy container given a policy container policyContainer:
Let clone be a new policy container.
For each policy in policyContainer's CSP list, append a copy of policy into clone's CSP list.
Set clone's embedder policy to a copy of policyContainer's embedder policy.
Set clone's referrer policy to policyContainer's referrer policy.
Set clone's integrity policy to a copy of policyContainer's integrity policy.
Return clone.
To determine whether a URL url requires storing the policy
container in history:
If url's scheme is "blob", then return false.
If url is local, then return true.
Return false.
To create a policy container from a fetch response given a response response and an environment-or-null environment:
If response's URL's scheme is "blob", then return a clone of response's URL's blob URL entry's environment's policy container.
Let result be a new policy container.
Set result's CSP list to the result of parsing a response's Content Security Policies given response.
If environment is non-null, then set result's embedder policy to the result of obtaining an embedder policy given response and environment. Otherwise, set it to "unsafe-none".
Set result's referrer policy to the result of parsing the `Referrer-Policy` header given response. [REFERRERPOLICY]
Parse Integrity-Policy headers with response and result.
Return result.
To determine navigation params policy container given a URL responseURL and four policy container-or-nulls historyPolicyContainer, initiatorPolicyContainer, parentPolicyContainer, and responsePolicyContainer:
If historyPolicyContainer is not null, then:
Assert: responseURL requires storing the policy container in history.
Return a clone of historyPolicyContainer.
If responseURL is about:srcdoc, then:
Assert: parentPolicyContainer is not null.
Return a clone of parentPolicyContainer.
If responseURL is local and initiatorPolicyContainer is not null, then return a clone of initiatorPolicyContainer.
If responsePolicyContainer is not null, then return responsePolicyContainer.
Return a new policy container.
To initialize a worker global scope's policy container given a WorkerGlobalScope workerGlobalScope, a response response, and an environment environment:
If workerGlobalScope's url is local but its scheme is not "blob":
Assert: workerGlobalScope's owner set's size is 1.
Set workerGlobalScope's policy container to a clone of workerGlobalScope's owner set[0]'s relevant settings object's policy container.
Otherwise, set workerGlobalScope's policy container to the result of creating a policy container from a fetch response given response and environment.
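An added example (not the standard's text) of the policy container algorithms above: cloning, the history-storage check, and the selection order used to determine navigation params' policy container. It assumes the URL Standard's local schemes (about, blob, data) and "strict-origin-when-cross-origin" as the default referrer policy; policy containers are plain objects with only the fields listed above.

```javascript
// Constructed example, not spec text.
const LOCAL_SCHEMES = new Set(["about", "blob", "data"]); // URL Standard's local schemes

function urlScheme(url) {
  return new URL(url).protocol.slice(0, -1); // "https:" -> "https"
}

function urlIsLocal(url) {
  return LOCAL_SCHEMES.has(urlScheme(url));
}

function newPolicyContainer() {
  return {
    cspList: [],
    embedderPolicy: { value: "unsafe-none", reportingEndpoint: "", reportOnlyValue: "unsafe-none", reportOnlyReportingEndpoint: "" },
    referrerPolicy: "strict-origin-when-cross-origin", // assumed default referrer policy
    integrityPolicy: {},
  };
}

// CSP list entries, the embedder policy and the integrity policy are copied;
// the referrer policy is a plain value and is assigned.
function clonePolicyContainer(pc) {
  return {
    cspList: pc.cspList.map((policy) => ({ ...policy })),
    embedderPolicy: { ...pc.embedderPolicy },
    referrerPolicy: pc.referrerPolicy,
    integrityPolicy: { ...pc.integrityPolicy },
  };
}

// blob: URLs are local but are excluded, because their policy container is
// recovered from the blob URL entry instead of from history.
function requiresStoringPolicyContainerInHistory(url) {
  if (urlScheme(url) === "blob") return false;
  return urlIsLocal(url);
}

function determineNavigationParamsPolicyContainer(responseURL, historyPC, initiatorPC, parentPC, responsePC) {
  if (historyPC !== null) {
    if (!requiresStoringPolicyContainerInHistory(responseURL)) {
      throw new Error("assertion failed: history policy container for a URL that does not store one");
    }
    return clonePolicyContainer(historyPC);
  }
  if (responseURL === "about:srcdoc") {
    if (parentPC === null) throw new Error("assertion failed: about:srcdoc without a parent policy container");
    return clonePolicyContainer(parentPC);
  }
  if (urlIsLocal(responseURL) && initiatorPC !== null) return clonePolicyContainer(initiatorPC);
  // A response's own container is used as-is, not cloned.
  if (responsePC !== null) return responsePC;
  return newPolicyContainer();
}
```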