From 5915ea0f08e450e5614a9dbae80b5f1290e164a7 Mon Sep 17 00:00:00 2001
From: clamy The following terms are defined in Structured Field Values for HTTP: The following terms are defined in MIME Sniffing: The following algorithm is defined in Secure Contexts: The following algorithms are defined in Secure Contexts: The following features is defined in Cooperative Scheduling of Background Tasks:
+ The following features are defined in Cooperative Scheduling of Background Tasks:
The following features are defined in Cross-Origin Embedder Policy: Link
` header
+
+
@@ -2506,6 +2514,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
@@ -3923,6 +3933,19 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
+
+ Cross-Origin-Embedder-Policy
` header
@@ -9013,9 +9036,12 @@ partial interface Document {
data-dfn-for="Document">feature policy, which is a feature policy, which is initially empty.
The Document
has a module map, which is a module map,
- initially empty.
The Document
has a module map,
+ which is a module map, initially empty.
The Document
has a cross-origin opener
+ policy, which is a cross-origin opener policy, initially "unsafe-none
".
DocumentOrShadowRoot
interfaceLet coop be "unsafe-none
".
If creator is non-null and creator's origin is + same origin with creator's relevant settings object's + top-level origin, then set coop to creator's browsing context's top-level browsing context's + active document's cross-origin opener + policy.
Let document be a new Document
, marked as an HTML document in quirks mode, whose content type is "text/html
",
origin is origin, active sandboxing flag set is
sandboxFlags, feature policy is
- feature policy, and which is both ready for post-load tasks and
- completely loaded immediately.
Ensure that document has a single child html
node, which itself
has two empty child nodes: a head
element, and a body
element.
A browsing context group has a cross-origin isolated boolean. It is initially false.
+ +The impact of cross-origin + isolated is under discussion in issue + #4734.
+To create a new browsing context group, run these steps:
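Review bot: the cross-origin isolated boolean added to the browsing context group is write-only in what this patch shows. It starts false, is set to true on the "same-origin-plus-COEP" paths, and no visible step reads it. The pointer to issue #4734 explains why, but the note should say outright that the flag has no observable effect yet, so implementers do not gate features on it before its semantics are settled.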
@@ -77480,6 +77523,29 @@ console.assert(iframeWindow.frameElement === null);If current's top-level browsing context's active
+ document's cross-origin opener policy is
+ "same-origin
" or "same-origin-plus-COEP
", then:
Let currentDocument be current's active + document.
If currentDocument's origin is not same origin
+ with currentDocument's relevant settings object's top-level
+ origin, then set noopener to true and name to "_blank
".
In the presence of a cross-origin opener policy, nested + documents that are cross-origin with their top-level browsing context's active document + always set noopener to true.
+Set new to true.
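Review bot: the explanatory note in this step says "In the presence of a cross-origin opener policy", but the condition above it only fires for "same-origin" and "same-origin-plus-COEP". A top-level document with "same-origin-allow-popups" also has a cross-origin opener policy, and this step does not force noopener for its cross-origin nested documents. Either narrow the note to name the two values, or state why "same-origin-allow-popups" is excluded.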
If noopener is true, then set chosen to the result @@ -79913,6 +79979,215 @@ interface BarProp { +
A cross-origin opener policy allows a document which is navigated to in a + top-level browsing context to force the creation of a new top-level browsing + context, and a corresponding group. It has one of the + following values:
+ +unsafe-none
"This is the (current) default and means that the document will occupy the same + top-level browsing context as its predecessor, unless that document specified a + different cross-origin opener policy.
same-origin-allow-popups
"This forces the creation of a new top-level browsing context for the + document, unless its predecessor specified the same cross-origin opener policy and + they are same origin.
same-origin
"This behaves the same as "same-origin-allow-popups
", with the addition any
+ auxiliary browsing context created needs to contain same origin
+ documents that also have the same cross-origin opener policy or it will appear
+ closed to the opener.
same-origin-plus-COEP
"This behaves the same as "same-origin
", with the
+ addition that it sets the (new) top-level browsing context's group's cross-origin isolated to
+ true.
"same-origin-plus-COEP
" cannot
+ be directly set via the `Cross-Origin-Opener-Policy
` header, but results
+ from a combination of setting both `Cross-Origin-Opener-Policy: same-origin
` and `Cross-Origin-Embedder-Policy: require-corp
` together.
To match cross-origin opener policies, given a + cross-origin opener policy A, an origin originA, a + cross-origin opener policy B, and an origin + originB:
+ +If A is "unsafe-none
" and B
+ is "unsafe-none
", then return true.
If A is "unsafe-none
" or B is
+ "unsafe-none
", then return false.
If A is B and originA is same origin with + originB, then return true.
Return false.
A Document
's cross-origin opener
+ policy is derived from the `Cross-Origin-Opener-Policy
` HTTP response header.
+ This header is a structured header whose value must
+ be a token.
The valid token values are "unsafe-none
", "same-origin-allow-popups
", and "same-origin
".
Per the processing model described below, user agents will ignore this header if + it contains an invalid value. Likewise, user agents will ignore this header if the value cannot be + parsed as a token.
+ +To obtain a cross-origin opener policy from a response response:
+ +Let securityState be the result of executing Is url potentially + trustworthy? on response's url.
If securityState is "Not Trustworthy
", then return
+ "unsafe-none
".
Let value be the result of getting a structured header
+ given `Cross-Origin-Opener-Policy
` and
+ "item
" from response's header list.
If value is failure or null, then return "unsafe-none
".
If value[0] is not "same-origin
" or
+ "same-origin-allow-popups
", then return
+ "unsafe-none
".
If value[0] is "same-origin
", then:
Let coep be the result of obtaining a cross-origin embedder + policy from response.
If coep is "require-corp
", then return "same-origin-plus-COEP
".
Return value[0].
To check if a response requires a + browsing context group switch, given a browsing context + browsingContext, an origin responseOrigin and a + cross-origin opener policy responseCOOP, run the followign steps:
+ +Let activeDocumentNavigationOrigin be browsingContext's active + document's origin.
Let activeDocumentCOOP be browsingContext's active + document's cross-origin opener + policy.
Let isInitialAboutBlank be false.
If browsingContext's only entry in its session history is the
+ about:blank
Document
that was added when browsingContext was
+ created, then set
+ isInitialAboutBlank to true.
If the result of matching + activeDocumentCOOP, activeDocumentNavigationOrigin, + responseCOOP and responseOrigin is true, then return false.
If all of the following are true:
+ +isInitialAboutBlank
activeDocumentCOOP is "same-origin-allow-popups
".
responseCOOP is "unsafe-none
".
then return false.
+Return true.
To obtain a browsing context to use for a + navigation response, given a browsing context + browsingContext, a sandboxing flag set sandboxFlags, and a + cross-origin opener policy navigationCOOP:
+ +Assert browsingContext is a top-level browsing context.
Let newBrowsingContext be the result of creating a new top-level browsing + context.
If navigationCOOP is "same-origin-plus-COEP
", then set
+ newBrowsingContext's group's cross-origin isolated to true.
If sandboxFlags is not empty, then:
+Assert: navigationCOOP is "unsafe-none
".
Set newBrowsingContext's sandboxing flag set to + sandboxFlags.
Discard browsingContext.
+ +This does not close browsingContext's group, unless browsingContext was its sole top-level browsing + context.
+Return newBrowsingContext.
The impact of swapping browsing context groups following a navigation is not + defined. It is currently under discussion in issue #5350.
+ + +While true:
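Review bot: in the steps to obtain a cross-origin opener policy, the condition "If value[0] is not "same-origin" or "same-origin-allow-popups"" can be read in more than one way. Write it as "is neither "same-origin" nor "same-origin-allow-popups"" so the fallback to "unsafe-none" is unambiguous. Smaller wording fixes in the same section: "run the followign steps" is a typo, "with the addition any auxiliary browsing context" is missing "that", and "Assert browsingContext is a top-level browsing context" lacks the colon used by the later "Assert: navigationCOOP is ..." step.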
@@ -81924,6 +82207,43 @@ interface Location { // but see also url, finalSandboxFlags, + incumbentNavigationOrigin, and activeDocumentNavigationOrigin.If browsingContext is a top-level browsing context, then:
+ +Set responseCOOP to the result of obtaining a + cross-origin opener policy given response and + responseOrigin.
If sandboxFlags is not empty and responseCOOP is not "unsafe-none
", then set response to an
+ appropriate network error and return.
This results in a network error as one cannot simultaneously provide a + clean slate to a response using cross-origin opener policy and sandbox the result of + navigating to that response.
+Let responseRequiresBrowsingContexGroupSwitch be the result of checking if the response requires a + browsing context group switch given browsingContext, + responseOrigin, and responseCOOP.
If responseRequiresBrowsingContextGroupSwitch is true, set + browsingContextSwitchNeeded to true.
If response does not have a location URL or the Location { // but see also mailto: URLs and such.
If response is a network error, then break.
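Review bot: the call site and the definition disagree on arguments. This step sets responseCOOP to the result of obtaining a cross-origin opener policy "given response and responseOrigin", while the algorithm added earlier in this patch is declared as taking only a response. Drop responseOrigin here or add the parameter to the definition. The variable is also spelled responseRequiresBrowsingContexGroupSwitch where it is assigned and responseRequiresBrowsingContextGroupSwitch where it is tested, so the test refers to a variable that was never set. Use one spelling.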
An explicitly supported XML MIME type is an XML MIME type for which @@ -82306,18 +82636,16 @@ interface Location { // but see also request request, a response response, a browsing context browsingContext, a sandboxing flag set - sandboxFlags, two origins - incumbentNavigationOrigin, activeDocumentNavigationOrigin, and null or an - environment reservedEnvironment:
+ finalSandboxFlags, three origins origin, + incumbentNavigationOrigin, activeDocumentNavigationOrigin, null or an + environment reservedEnvironment, a cross-origin opener policy + navigationCOOP, and a boolean browsingContextSwitchNeeded:Let finalSandboxFlags be the union of sandboxFlags and - response's forced sandboxing flag set.
Let origin be the result of determining the origin given - browsingContext, request's url, - finalSandboxFlags, incumbentNavigationOrigin, and - activeDocumentNavigationOrigin. +
If browsingContextSwitchNeeded is true, set browsingContext to the + result of the obtain a browsing context to use + for a navigation response algorithm, given browsingContext, + finalSandboxFlagSet, and navigationCOOP.
Let featurePolicy be the result of creating a feature policy from a
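Review bot: the new step passes finalSandboxFlagSet to "obtain a browsing context to use for a navigation response", but the parameter declared in this algorithm's signature is finalSandboxFlags. As written, the argument names a variable that is not defined in these steps. Use finalSandboxFlags so the sandboxing flags actually reach the new browsing context.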
@@ -82329,7 +82657,7 @@ interface Location { // but see also document.domain has been used
for the browsingContext container
document, then its origin cannot be same origin-domain with
- >origin, because these steps run before the document is created, so it
+ origin, because these steps run before the document is created, so it
cannot itself yet have used document.domain
. Note
that this means that Feature Policy checks are less permissive compared to doing a same
origin check instead.
Set document's URL to creationURL.
text/event-stream
resources.
+ Cross-Origin-Opener-Policy
`This section describes a header for registration in the Permanent Message Header Field + Registry.
+ +Ping-From
`This section describes a header for registration in the Permanent Message Header Field @@ -120509,6 +120861,9 @@ INSERT INTERFACES HERE