HTML Standard

HTML Standard
Loading web pages
7.1
Supporting concepts
7.1.1
Origins
7.1.1.1
Sites
7.1.1.2
Relaxing the same-origin restriction
7.1.1.3
The
Origin
interface
7.1.2
Origin-keyed agent clusters
7.1.3
Cross-origin opener policies
7.1.3.1
The headers
7.1.3.2
Browsing context group
switches due to opener policy
7.1.3.3
Reporting
7.1.4
Cross-origin embedder policies
7.1.4.1
The headers
7.1.4.2
Embedder policy checks
7.1.5
Sandboxing
7.1.6
iframe
element referrer policy
7.1.7
Policy containers
Loading web pages
This section describes features that apply most directly to web browsers. Having said that,
except where specified otherwise, the requirements defined in this section
do
apply to
all user agents, whether they are web browsers or not.
7.1
Supporting concepts
7.1.1
Origins
Origins are the fundamental currency of the web's security model. Two actors in the web
platform that share an origin are assumed to trust each other and to have the same authority.
Actors with differing origins are considered potentially hostile versus each other, and are
isolated from each other to varying degrees.
For example, if Example Bank's web site, hosted at
bank.example.com
, tries to examine the DOM of Example Charity's web site, hosted
at
charity.example.org
, a
SecurityError
DOMException
will be raised.
An
origin
is one of the following:
An
opaque origin
An internal value, with no serialization it can be recreated from (it is serialized as
null
" per
serialization of an origin
), for which the only
meaningful operation is testing for equality.
tuple origin
tuple
consisting of:
scheme
(an
ASCII
string
).
host
(a
host
).
port
(null or a 16-bit
unsigned integer).
domain
(null or a
domain
). Null unless stated otherwise.
Origins
can be shared, e.g., among multiple
Document
objects. Furthermore,
origins
are generally
immutable. Only the
domain
of a
tuple origin
can be changed, and only through the
document.domain
API.
The
effective domain
of an
origin
origin
is computed as follows:
If
origin
is an
opaque origin
then return null.
If
origin
's
domain
is non-null,
then return
origin
's
domain
Return
origin
's
host
The
serialization of an origin
is the string obtained
by applying the following algorithm to the given
origin
origin
If
origin
is an
opaque origin
then return "
null
".
Otherwise, let
result
be
origin
's
scheme
Append "
://
" to
result
Append
origin
's
host
serialized
, to
result
If
origin
's
port
is non-null, append
a U+003A COLON character (:), and
origin
's
port
serialized
to
result
Return
result
The
serialization
of ("
https
", "
xn--maraa-rta.example
", null, null) is "
".
There used to also be a
Unicode serialization of an origin
. However, it was never widely adopted.
Two
origins
and
, are said to be
same origin
if the following algorithm returns true:
If
and
are the same
opaque
origin
, then return true.
If
and
are both
tuple
origins
and their
schemes
hosts
, and
port
are identical, then return true.
Return false.
Two
origins
and
, are said to be
same origin-domain
if the following algorithm returns true:
If
and
are the same
opaque
origin
, then return true.
If
and
are both
tuple
origins
If
and
's
schemes
are identical, and their
domains
are identical and
non-null, then return true.
Otherwise, if
and
are
same origin
and their
domains
are both null, return true.
Return false.
same origin
same origin-domain
("
https
", "
example.org
", null, null)
("
https
", "
example.org
", null, null)
("
https
", "
example.org
", 314, null)
("
https
", "
example.org
", 420, null)
("
https
", "
example.org
", 314, "
example.org
")
("
https
", "
example.org
", 420, "
example.org
")
("
https
", "
example.org
", null, null)
("
https
", "
example.org
", null, "
example.org
")
("
https
", "
example.org
", null, "
example.org
")
("
http
", "
example.org
", null, "
example.org
")
7.1.1.1
Sites
scheme-and-host
is a
tuple
of a
scheme
(an
ASCII string
) and a
host
(a
host
).
site
is an
opaque origin
or a
scheme-and-host
To
obtain a site
, given an origin
origin
, run these steps:
If
origin
is an
opaque origin
then return
origin
If
origin
's
host
's
registrable
domain
is null, then return (
origin
's
scheme
origin
's
host
).
Return (
origin
's
scheme
origin
's
host
's
registrable
domain
).
Two
sites
and
, are said to be
same site
if the following algorithm
returns true:
If
and
are the same
opaque
origin
, then return true.
If
or
is an
opaque
origin
, then return false.
If
's and
's
scheme
values are different, then return
false.
If
's and
's
host
values are not
equal
, then return false.
Return true.
The
serialization of a site
is the string obtained by applying the following
algorithm to the given
site
site
If
site
is an
opaque origin
, then
return "
null
".
Let
result
be
site
[0].
Append "
://
" to
result
Append
site
[1],
serialized
, to
result
Return
result
It needs to be clear from context that the serialized value is a site, not an
origin, as there is not necessarily a syntactic difference between the two. For example, the
origin ("
https
", "
shop.example
", null, null) and
the site ("
https
", "
shop.example
") have the same
serialization: "
".
Two
origins
and
, are said to be
schemelessly same site
if the following algorithm returns true:
If
and
are the same
opaque
origin
, then return true.
If
and
are both
tuple
origins
, then:
Let
hostA
be
's
host
and let
hostB
be
's
host
If
hostA
equals
hostB
and
hostA
's
registrable domain
is null, then return true.
If
hostA
's
registrable domain
equals
hostB
's
registrable domain
and is non-null, then
return true.
Return false.
Two
origins
and
, are said to be
same site
if the following algorithm returns true:
Let
siteA
be the result of
obtaining a
site
given
Let
siteB
be the result of
obtaining a
site
given
If
siteA
is
same site
with
siteB
, then return true.
Return false.
Unlike the
same origin
and
same origin-domain
concepts,
for
schemelessly same site
and
same site
, the
port
and
domain
components are ignored.
For the reasons
explained in
URL
, the
same site
and
schemelessly same site
concepts should be avoided when
possible, in favor of
same origin
checks.
Given that
wildlife.museum
museum
, and
com
are
public suffixes
and that
example.com
is not:
schemelessly same site
same site
("
https
", "
example.com
")
("
https
", "
sub.example.com
")
("
https
", "
example.com
")
("
https
", "
sub.other.example.com
")
("
https
", "
example.com
")
("
http
", "
non-secure.example.com
")
("
https
", "
r.wildlife.museum
")
("
https
", "
sub.r.wildlife.museum
")
("
https
", "
r.wildlife.museum
")
("
https
", "
sub.other.r.wildlife.museum
")
("
https
", "
r.wildlife.museum
")
("
https
", "
other.wildlife.museum
")
("
https
", "
r.wildlife.museum
")
("
https
", "
wildlife.museum
")
("
https
", "
wildlife.museum
")
("
https
", "
wildlife.museum
")
("
https
", "
example.com
")
("
https
", "
example.com.
")
(Here we have omitted the
port
and
domain
components since they are not considered.)
7.1.1.2
Relaxing the same-origin restriction
document
domain
[ =
domain
Returns the current domain used for security checks.
Can be set to a value that removes subdomains, to change the
origin
's
domain
to allow pages on other subdomains of the same
domain (if they do the same thing) to access each other. This enables pages on different hosts
of a domain to synchronously access each other's DOMs.
In sandboxed
iframe
s,
Document
s with
opaque origins
, and
Document
s without a
browsing context
, the setter will
throw a
SecurityError
exception. In cases where
crossOriginIsolated
or
originAgentCluster
return true, the setter will do
nothing.
Avoid using the
document.domain
setter. It
undermines the security protections provided by the same-origin policy. This is especially acute
when using shared hosting; for example, if an untrusted third party is able to host an HTTP
server at the same IP address but on a different port, then the same-origin protection that
normally protects two different sites on the same host will fail, as the ports are ignored when
comparing origins after the
document.domain
setter has
been used.
Because of these security pitfalls, this feature is in the process of being removed from the
web platform. (This is a long process that takes many years.)
Instead, use
postMessage()
or
MessageChannel
objects to communicate across origins in a safe manner.
The
domain
getter steps are:
Let
effectiveDomain
be
this
's
origin
's
effective domain
If
effectiveDomain
is null, then return the empty string.
Return
effectiveDomain
serialized
The
domain
setter steps are:
If
this
's
browsing context
is
null, then throw a
SecurityError
DOMException
If
this
's
active sandboxing flag set
has its
sandboxed
document.domain
browsing context flag
set, then
throw a
SecurityError
DOMException
Let
effectiveDomain
be
this
's
origin
's
effective domain
If
effectiveDomain
is null, then throw a
SecurityError
DOMException
If the given value
is not
a registrable domain suffix of and is not equal to
effectiveDomain
, then throw
SecurityError
DOMException
If the
surrounding agent
's
agent cluster
's
is
origin-keyed
is true, then return.
Set
this
's
origin
's
domain
to the result of
parsing
the given value.
To determine if a
scalar value string
hostSuffixString
is a registrable domain suffix of or is equal to
host
originalHost
If
hostSuffixString
is the empty string, then return false.
Let
hostSuffix
be the result of
parsing
hostSuffixString
If
hostSuffix
is failure, then return false.
If
hostSuffix
does not
equal
originalHost
, then:
If
hostSuffix
or
originalHost
is not a
domain
, then return false.
This excludes
hosts
that are
IP addresses
If
hostSuffix
, prefixed by U+002E (.), does not match the end of
originalHost
, then return false.
If any of the following are true:
hostSuffix
equals
hostSuffix
's
public suffix
; or
hostSuffix
, prefixed by U+002E (.), matches the end of
originalHost
's
public suffix
then return false.
[URL]
Assert
originalHost
's
public suffix
, prefixed by
U+002E (.), matches the end of
hostSuffix
Return true.
hostSuffixString
originalHost
Outcome of
is a registrable domain suffix of or is equal to
Notes
0.0.0.0
0.0.0.0
0x10203
0.1.2.3
[0::1]
::1
example.com
example.com
example.com
example.com.
Trailing dot is significant.
example.com.
example.com
example.com
www.example.com
com
example.com
At the time of writing,
com
is a public suffix.
example
example
compute.amazonaws.com
example.compute.amazonaws.com
At the time of writing,
.compute.amazonaws.com
is a public suffix.
example.compute.amazonaws.com
www.example.compute.amazonaws.com
amazonaws.com
www.example.compute.amazonaws.com
amazonaws.com
test.amazonaws.com
At the time of writing,
amazonaws.com
is a registrable domain.
7.1.1.3
The
Origin
interface
The
Origin
interface represents an
origin
, allowing robust
same origin
and
same site
comparisons.
[Exposed=*]
interface
Origin
constructor
();
static
Origin
from
any
value
);
readonly
attribute
boolean
opaque
boolean
isSameOrigin
Origin
other
);
boolean
isSameSite
Origin
other
);
};
Origin
objects have an associated
origin
, which holds an
origin
Platform objects
have an
extract an origin
operation, which returns null unless otherwise specified.
Objects implementing the
Origin
interface's
extract an origin
steps are to return
this
's
origin
The
new Origin()
constructor steps are to set
this
's
origin
to a unique
opaque origin
The static
from(
value
method steps are:
If
value
is a
platform object
Let
origin
be the result of executing
value
's
extract an
origin
operation.
If
origin
is not null, then return a new
Origin
object whose
origin
is
origin
If
value
is a
string
Let
parsedURL
be the result of
basic URL
parsing
value
If
parsedURL
is not failure, then return a new
Origin
object whose
origin
is set to
parsedURL
's
origin
Throw a
TypeError
The
opaque
getter
steps are to return true if
this
's
origin
is an
opaque origin
; otherwise false.
The
isSameOrigin(
other
method steps are to
return true if
this
's
origin
is
same origin
with
other
's
origin
; otherwise false.
The
isSameSite(
other
method steps are to
return true if
this
's
origin
is
same site
with
other
's
origin
otherwise false.
7.1.2
Origin-keyed agent clusters
window.
originAgentCluster
Returns true if this
Window
belongs to an
agent cluster
which is
origin
keyed
, in the manner described in
this section.
Document
delivered over a
secure context
can request that it be
placed in an
origin
keyed
agent
cluster
, by using the `
Origin-Agent-Cluster
` HTTP
response header. This header is a
structured header
whose value must be a
boolean
[STRUCTURED-FIELDS]
Per the processing model in the
create
and initialize a new
Document
object
, values
that are not the
structured header boolean
true value (i.e., `
?1
`) will be ignored.
The consequences of using this header are that the resulting
Document
's
agent cluster key
is its
origin
, instead of the
corresponding site
. In terms of observable effects, this means that
attempting to
relax the same-origin
restriction
using
document.domain
will instead do
nothing, and it will not be possible to send
WebAssembly.Module
objects to
cross-origin
Document
s (even if they are
same site
). Behind the scenes,
this isolation can allow user agents to allocate implementation-specific resources corresponding
to
agent clusters
, such as processes or threads, more
efficiently.
Note that within a
browsing context group
, the
Origin-Agent-Cluster
` header can never cause same-origin
Document
objects to end up in different
agent clusters
, even if one
sends the header and the other doesn't. This is prevented by means of the
historical agent cluster key map
This means that the
originAgentCluster
getter can return false, even if the
header is set, if the header was omitted on a previously-loaded same-origin page in the same
browsing context group
. Similarly, it can return true even when the header is not
set.
The
originAgentCluster
getter steps are to return the
surrounding agent
's
agent cluster
's
is origin-keyed
Document
s with an
opaque
origin
can be considered unconditionally origin-keyed; for them the header has no effect,
and the
originAgentCluster
getter will always return
true.
Similarly,
Document
s whose
agent cluster
's
cross-origin isolation mode
is not "
none
" are automatically origin-keyed. The
Origin-Agent-Cluster
` header might be useful as an additional hint to
implementations about resource allocation, since the `
Cross-Origin-Opener-Policy
and `
Cross-Origin-Embedder-Policy
` headers used to achieve cross-origin isolation
are more about ensuring that everything in the same address space opts in to being there. But
adding it would have no additional observable effects on author code.
7.1.3
Cross-origin opener policies
An
opener policy value
allows a document which
is navigated to in a
top-level browsing context
to force the creation of a new
top-level browsing context
, and a corresponding
group
. The possible values are:
unsafe-none
This is the (current) default and means that the document will occupy the same
top-level browsing context
as its predecessor, unless that document specified a
different
opener policy
same-origin-allow-popups
This forces the creation of a new
top-level browsing context
for the
document, unless its predecessor specified the same
opener policy
and they are
same origin
same-origin
This behaves the same as "
same-origin-allow-popups
", with the addition that
any
auxiliary browsing context
created needs to contain
same origin
documents that also have the same
opener policy
or it will appear closed to the
opener.
same-origin-plus-COEP
This behaves the same as "
same-origin
", with the
addition that it sets the (new)
top-level browsing context
's
group
's
cross-origin isolation
mode
to one of "
logical
" or "
concrete
".
same-origin-plus-COEP
" cannot
be directly set via the `
Cross-Origin-Opener-Policy
` header, but results from a
combination of setting both `
Cross-Origin-Opener-Policy
same-origin
` and a
Cross-Origin-Embedder-Policy
` header whose value is
compatible with
cross-origin isolation
together.
noopener-allow-popups
This forces the creation of a new
top-level browsing context
for the document,
regardless of its predecessor.
While including a
noopener-allow-popups
value severs the opener
relationship between the document on which it is applied and its opener, it does not create a
robust security boundary between those same-origin documents.
Other risks from same-origin applications include:
Same-origin requests fetching the document's content — could be mitigated through
Fetch Metadata filtering.
[FETCHMETADATA]
Same-origin framing - could be mitigated through
X-Frame-Options
or CSP
frame-ancestors
JavaScript accessible cookies - can be mitigated by ensuring all cookies are
httponly
localStorage
access to sensitive data.
Service worker installation.
Cache API
manipulation or
access to sensitive data.
[SW]
postMessage
or
BroadcastChannel
messaging that
exposes sensitive information.
Autofill which may not require user interaction for same-origin documents.
Developers using
noopener-allow-popups
need to make sure that their sensitive applications don't rely on client-side features
accessible to other same-origin documents, e.g.,
localStorage
and other client-side storage APIs,
BroadcastChannel
and related same-origin communication mechanisms. They also need
to make sure that their server-side endpoints don't return sensitive data to non-navigation
requests, whose response content is accessible to same-origin
documents.
An
opener policy
consists of:
value
, which is an
opener policy value
, initially "
unsafe-none
".
reporting endpoint
, which is string or
null, initially null.
report-only value
, which is an
opener policy value
, initially "
unsafe-none
".
report-only reporting endpoint
which is a string or null, initially null.
To
match opener policy values
, given an
opener policy
value
documentCOOP
, an
origin
documentOrigin
, an
opener policy value
responseCOOP
, and an
origin
responseOrigin
If
documentCOOP
is "
unsafe-none
" and
responseCOOP
is "
unsafe-none
", then return
true.
If
documentCOOP
is "
unsafe-none
" or
responseCOOP
is "
unsafe-none
", then return
false.
If
documentCOOP
is
responseCOOP
and
documentOrigin
is
same origin
with
responseOrigin
, then return true.
Return false.
7.1.3.1
The headers
Headers/Cross-Origin-Opener-Policy
Support in all current engines.
Firefox
79+
Safari
15.2+
Chrome
83+
Opera
No
Edge
83+
Edge (Legacy)
Internet Explorer
No
Firefox Android
Safari iOS
Chrome Android
WebView Android
No
Samsung Internet
Opera Android
No
Document
's
cross-origin opener
policy
is derived from the `
Cross-Origin-Opener-Policy
` and `
Cross-Origin-Opener-Policy-Report-Only
` HTTP response headers.
These headers are
structured headers
whose value must
be a
token
[STRUCTURED-FIELDS]
The valid
token
values are the
opener policy values
. The token may also have
attached
parameters
; of these, the "
report-to
" parameter can have a
valid URL
string
identifying an appropriate reporting endpoint.
[REPORTING]
Per the processing model described below, user agents will ignore this header if it contains an invalid value. Likewise, user
agents will ignore this header if the value cannot be parsed as a
token
To
obtain an opener policy
given a
response
response
and an
environment
reservedEnvironment
Let
policy
be a new
opener policy
If
reservedEnvironment
is a
non-secure context
, then return
policy
Let
parsedItem
be the result of
getting a structured field value
given `
Cross-Origin-Opener-Policy
` and "
item
" from
response
's
header list
If
parsedItem
is not null, then:
If
parsedItem
[0] is "
same-origin
",
then:
Let
coep
be the result of
obtaining a cross-origin embedder policy
from
response
and
reservedEnvironment
If
coep
's
value
is
compatible with cross-origin isolation
, then set
policy
's
value
to "
same-origin-plus-COEP
".
Otherwise, set
policy
's
value
to
same-origin
".
If
parsedItem
[0] is "
same-origin-allow-popups
", then set
policy
's
value
to "
same-origin-allow-popups
".
If
parsedItem
[0] is "
noopener-allow-popups
", then set
policy
's
value
to "
noopener-allow-popups
".
If
parsedItem
[1]["
report-to
"]
exists
and it is a string, then set
policy
's
reporting endpoint
to
parsedItem
[1]["
report-to
"].
Set
parsedItem
to the result of
getting a structured field value
given `
Cross-Origin-Opener-Policy-Report-Only
` and "
item
from
response
's
header
list
If
parsedItem
is not null, then:
If
parsedItem
[0] is "
same-origin
",
then:
Let
coep
be the result of
obtaining a cross-origin embedder policy
from
response
and
reservedEnvironment
If
coep
's
value
is
compatible with cross-origin isolation
or
coep
's
report-only value
is
compatible
with cross-origin isolation
, then set
policy
's
report-only value
to "
same-origin-plus-COEP
".
Report only COOP also considers report-only COEP to assign the special
same-origin-plus-COEP
" value. This allows
developers more freedom in the order of deployment of COOP and COEP.
Otherwise, set
policy
's
report-only value
to "
same-origin
".
If
parsedItem
[0] is "
same-origin-allow-popups
", then set
policy
's
report-only value
to
same-origin-allow-popups
".
If
parsedItem
[1]["
report-to
"]
exists
and it is a string, then set
policy
's
report-only reporting endpoint
to
parsedItem
[1]["
report-to
"].
Return
policy
7.1.3.2
Browsing context group
switches due to opener policy
To
check if popup COOP
values require a browsing context group switch
, given two
origins
responseOrigin
and
activeDocumentNavigationOrigin
, and two
opener policy
values
responseCOOPValue
and
activeDocumentCOOPValue
If
responseCOOPValue
is "
noopener-allow-popups
", then return true.
If all of the following are true:
activeDocumentCOOPValue
's
value
is
same-origin-allow-popups
" or
noopener-allow-popups
"; and
responseCOOPValue
is "
unsafe-none
",
then return false.
If the result of
matching
activeDocumentCOOPValue
activeDocumentNavigationOrigin
responseCOOPValue
, and
responseOrigin
is true, then return false.
Return true.
To
check if COOP values require a
browsing context group switch
, given a boolean
isInitialAboutBlank
, two
origins
responseOrigin
and
activeDocumentNavigationOrigin
, and two
opener policy
values
responseCOOPValue
and
activeDocumentCOOPValue
If
isInitialAboutBlank
is true, then return the result of
checking if popup COOP values
requires a browsing context group switch
with
responseOrigin
activeDocumentNavigationOrigin
responseCOOPValue
, and
activeDocumentCOOPValue
Here we are dealing with a non-popup navigation.
If the result of
matching
activeDocumentCOOPValue
activeDocumentNavigationOrigin
responseCOOPValue
, and
responseOrigin
is true, then return false.
Return true.
To
check if enforcing report-only COOP
would require a browsing context group switch
, given a boolean
isInitialAboutBlank
, two
origins
responseOrigin
activeDocumentNavigationOrigin
, and two
opener policies
responseCOOP
and
activeDocumentCOOP
If the result of
checking if
COOP values require a browsing context group switch
given
isInitialAboutBlank
responseOrigin
activeDocumentNavigationOrigin
responseCOOP
's
report-only value
, and
activeDocumentCOOPReportOnly
's
report-only value
is false, then return
false.
Matching report-only policies allows a website to specify the same report-only
opener policy on all its pages and not receive violation reports for navigations between these
pages.
If the result of
checking
if COOP values require a browsing context group switch
given
isInitialAboutBlank
responseOrigin
activeDocumentNavigationOrigin
responseCOOP
's
value
, and
activeDocumentCOOPReportOnly
's
report-only value
is true, then return
true.
If the result of
checking
if COOP values require a browsing context group switch
given
isInitialAboutBlank
responseOrigin
activeDocumentNavigationOrigin
responseCOOP
's
report-only value
, and
activeDocumentCOOPReportOnly
's
value
is true,
then return true.
Return false.
An
opener policy enforcement result
is a
struct
with the following
items
A boolean
needs a browsing context group
switch
, initially false.
A boolean
would need a browsing
context group switch due to report-only
, initially false.
URL
url
An
origin
origin
An
opener policy
opener
policy
A boolean
current context is navigation
source
, initially false.
To
enforce a response's opener policy
, given a
browsing
context
browsingContext
, a
URL
responseURL
, an
origin
responseOrigin
, an
opener policy
responseCOOP
, an
opener policy enforcement
result
currentCOOPEnforcementResult
, and a
referrer
referrer
Let
newCOOPEnforcementResult
be a new
opener policy enforcement result
with
needs a browsing context group switch
currentCOOPEnforcementResult
's
needs
a browsing context group switch
would need a browsing context group switch due to report-only
currentCOOPEnforcementResult
's
would need a browsing context group switch
due to report-only
url
responseURL
origin
responseOrigin
opener policy
responseCOOP
current context is navigation source
true
Let
isInitialAboutBlank
be
browsingContext
's
active
document
's
is initial
about:blank
If
isInitialAboutBlank
is true and
browsingContext
's
initial URL
is null, set
browsingContext
's
initial URL
to
responseURL
If the result of
checking if
COOP values require a browsing context group switch
given
isInitialAboutBlank
currentCOOPEnforcementResult
's
opener policy
's
value
currentCOOPEnforcementResult
's
origin
responseCOOP
's
value
, and
responseOrigin
is true, then:
Set
newCOOPEnforcementResult
's
needs a browsing context group switch
to
true.
If
browsingContext
's
group
's
browsing
context set
's
size
is greater than 1, then:
Queue a violation report for browsing
context group switch when navigating to a COOP response
with
responseCOOP
enforce
",
responseURL
currentCOOPEnforcementResult
's
url
currentCOOPEnforcementResult
's
origin
responseOrigin
, and
referrer
Queue a violation report for browsing
context group switch when navigating away from a COOP response
with
currentCOOPEnforcementResult
's
opener
policy
, "
enforce
",
currentCOOPEnforcementResult
's
url
responseURL
currentCOOPEnforcementResult
's
origin
responseOrigin
, and
currentCOOPEnforcementResult
's
current
context is navigation source
If the result of
checking if
enforcing report-only COOP would require a browsing context group switch
given
isInitialAboutBlank
responseOrigin
currentCOOPEnforcementResult
's
origin
responseCOOP
, and
currentCOOPEnforcementResult
's
opener policy
, is true, then:
Set
newCOOPEnforcementResult
's
would
need a browsing context group switch due to report-only
to true.
If
browsingContext
's
group
's
browsing
context set
's
size
is greater than 1, then:
Queue a violation report for browsing
context group switch when navigating to a COOP response
with
responseCOOP
reporting
",
responseURL
currentCOOPEnforcementResult
's
url
currentCOOPEnforcementResult
's
origin
responseOrigin
, and
referrer
Queue a violation report for browsing
context group switch when navigating away from a COOP response
with
currentCOOPEnforcementResult
's
opener
policy
, "
reporting
",
currentCOOPEnforcementResult
's
url
responseURL
currentCOOPEnforcementResult
's
origin
responseOrigin
, and
currentCOOPEnforcementResult
's
current
context is navigation source
Return
newCOOPEnforcementResult
To
obtain a browsing context to use for a
navigation response
, given
navigation params
navigationParams
Let
browsingContext
be
navigationParams
's
navigable
's
active browsing
context
If
browsingContext
is not a
top-level browsing context
, then
return
browsingContext
Let
coopEnforcementResult
be
navigationParams
's
COOP enforcement result
Let
swapGroup
be
coopEnforcementResult
's
needs a browsing context group switch
Let
sourceOrigin
be
browsingContext
's
active document
's
origin
Let
destinationOrigin
be
navigationParams
's
origin
If
sourceOrigin
is not
same site
with
destinationOrigin
If either of
sourceOrigin
or
destinationOrigin
have a
scheme
that is not an
HTTP(S) scheme
and
the user agent considers it necessary for
sourceOrigin
and
destinationOrigin
to be isolated from each other (for
implementation-defined
reasons), optionally set
swapGroup
to true.
For example, if a user navigates from
about:settings
to
, the user agent could force a swap.
Issue #10842
tracks
settling on an interoperable behavior here, instead of letting this be optional.
If
navigationParams
's
user
involvement
is "
browser UI
", optionally set
swapGroup
to true.
Issue #6356
tracks
settling on an interoperable behavior here, instead of letting this be optional.
If
browsingContext
's
group
's
browsing
context set
's
size
is 1, optionally set
swapGroup
to true.
Some implementations swap browsing context groups here for performance
reasons.
The check for other contexts that could script this one is not sufficient to
prevent differences in behavior that could affect a web page. Even if there are currently no
other contexts, the destination page could open a window, then if the user navigates back, the
previous page could expect to be able to script the opened window. Doing a swap here would break
that use case.
If
swapGroup
is false, then:
If
coopEnforcementResult
's
would need a browsing context group switch
due to report-only
is true, set
browsingContext
's
virtual browsing context group ID
to a new
unique identifier.
Return
browsingContext
Let
newBrowsingContext
be the first return value of
creating a new
top-level browsing context and document
In this case we are going to perform a browsing context group swap.
browsingContext
will not be used by the new
Document
that we are about
to
create
. If it is not used by other
Document
s either (such as ones in the back/forward cache), then the user agent
might
destroy it
at this point.
Let
navigationCOOP
be
navigationParams
's
cross-origin opener policy
If
navigationCOOP
's
value
is "
same-origin-plus-COEP
", then set
newBrowsingContext
's
group
's
cross-origin isolation mode
to either "
logical
" or "
concrete
". The choice of which is
implementation-defined
It is difficult on some platforms to provide the security properties required
by the
cross-origin
isolated capability
. "
concrete
grants access to it and "
logical
" does
not.
Let
sandboxFlags
be a
clone
of
navigationParams
's
final sandboxing flag set
If
sandboxFlags
is not empty, then:
Assert
navigationCOOP
's
value
is
unsafe-none
".
Assert
newBrowsingContext
's
popup sandboxing flag
set
is empty
Set
newBrowsingContext
's
popup sandboxing flag set
to
sandboxFlags
Return
newBrowsingContext
7.1.3.3
Reporting
An
accessor-accessed relationship
is an enum that describes the relationship
between two
browsing contexts
between which an access
happened. It can take the following values:
accessor is opener
The accessor
browsing context
or one of its
ancestors
is the
opener browsing context
of the accessed
browsing context
's
top-level browsing
context
accessor is openee
The accessed
browsing context
or one of its
ancestors
is the
opener browsing context
of the accessor
browsing context
's
top-level browsing
context
none
There is no opener relationship between the accessor
browsing context
, the
accessor
browsing context
, or any of their
ancestors
To
check if an access between two browsing contexts
should be reported
, given two
browsing contexts
accessor
and
accessed
, a JavaScript property name
, and an
environment settings object
environment
If
is not a
cross-origin accessible window property name
, then
return.
Assert
accessor
's
active document
and
accessed
's
active document
are both
fully active
Let
accessorTopDocument
be
accessor
's
top-level browsing context
's
active document
Let
accessorInclusiveAncestorOrigins
be the list obtained by taking the
origin
of the
active
document
of each of
accessor
's
active document
's
inclusive
ancestor navigables
Let
accessedTopDocument
be
accessed
's
top-level browsing context
's
active document
Let
accessedInclusiveAncestorOrigins
be the list obtained by taking the
origin
of the
active
document
of each of
accessed
's
active document
's
inclusive
ancestor navigables
If any of
accessorInclusiveAncestorOrigins
are not
same origin
with
accessorTopDocument
's
origin
, or if
any of
accessedInclusiveAncestorOrigins
are not
same origin
with
accessedTopDocument
's
origin
, then
return.
This avoids leaking information about cross-origin iframes to a top level frame
with opener policy reporting.
If
accessor
's
top-level browsing context
's
virtual browsing context group ID
is
accessed
's
top-level browsing context
's
virtual browsing context group ID
, then
return.
Let
accessorAccessedRelationship
be a new
accessor-accessed
relationship
with value
none
If
accessed
's
top-level browsing context
's
opener browsing context
is
accessor
or is an
ancestor
of
accessor
, then set
accessorAccessedRelationship
to
accessor is
opener
If
accessor
's
top-level browsing context
's
opener browsing context
is
accessed
or is an
ancestor
of
accessed
, then set
accessorAccessedRelationship
to
accessor is
openee
Queue violation reports for accesses
, given
accessorAccessedRelationship
accessorTopDocument
's
opener policy
accessedTopDocument
's
opener policy
accessor
's
active
document
's
URL
accessed
's
active document
's
URL
accessor
's
top-level browsing context
's
initial URL
accessed
's
top-level browsing context
's
initial URL
accessor
's
active
document
's
origin
accessed
's
active document
's
origin
accessor
's
top-level browsing context
's
opener origin at creation
accessed
's
top-level browsing context
's
opener origin at creation
accessorTopDocument
's
referrer
accessedTopDocument
's
referrer
, and
environment
To
sanitize a URL to send in a report
given a
URL
url
Let
sanitizedURL
be a copy of
url
Set the username
given
sanitizedURL
and
the empty string.
Set the password
given
sanitizedURL
and
the empty string.
Return the
serialization
of
sanitizedURL
with
exclude
fragment
set to true.
To
queue a violation report for browsing context
group switch when navigating to a COOP response
given an
opener
policy
coop
, a string
disposition
, a
URL
coopURL
, a
URL
previousResponseURL
, two
origins
coopOrigin
and
previousResponseOrigin
, and a
referrer
referrer
If
coop
's
reporting endpoint
is null, return.
Let
coopValue
be
coop
's
value
If
disposition
is "
reporting
", then set
coopValue
to
coop
's
report-only value
Let
serializedReferrer
be an empty string.
If
referrer
is a
URL
, set
serializedReferrer
to the
serialization
of
referrer
Let
body
be a new object containing the following properties:
key
value
disposition
disposition
effectivePolicy
coopValue
previousResponseURL
If
coopOrigin
and
previousResponseOrigin
are
same origin
this is the
sanitization
of
previousResponseURL
, null otherwise.
referrer
serializedReferrer
type
navigation-to-response
Queue
body
as "
coop
" for
coop
's
reporting endpoint
with
coopURL
To
queue a violation report for browsing context
group switch when navigating away from a COOP response
given an
opener policy
coop
, a string
disposition
, a
URL
coopURL
, a
URL
nextResponseURL
, two
origins
coopOrigin
and
nextResponseOrigin
, and a
boolean
isCOOPResponseNavigationSource
If
coop
's
reporting endpoint
is null, return.
Let
coopValue
be
coop
's
value
If
disposition
is "
reporting
", then set
coopValue
to
coop
's
report-only value
Let
body
be a new object containing the following properties:
key
value
disposition
disposition
effectivePolicy
coopValue
nextResponseURL
If
coopOrigin
and
nextResponseOrigin
are
same origin
or
isCOOPResponseNavigationSource
is true, this is the
sanitization
of
nextResponseURL
, null otherwise.
type
navigation-from-response
Queue
body
as "
coop
" for
coop
's
reporting endpoint
with
coopURL
To
queue violation reports for accesses
, given an
accessor-accessed relationship
accessorAccessedRelationship
, two
opener policies
accessorCOOP
and
accessedCOOP
four
URLs
accessorURL
accessedURL
accessorInitialURL
accessedInitialURL
, four
origins
accessorOrigin
accessedOrigin
accessorCreatorOrigin
and
accessedCreatorOrigin
, two
referrers
accessorReferrer
and
accessedReferrer
, a string
propertyName
, and an
environment settings
object
environment
If
coop
's
reporting endpoint
is null, return.
Let
coopValue
be
coop
's
value
If
disposition
is "
reporting
", then set
coopValue
to
coop
's
report-only value
If
accessorAccessedRelationship
is
accessor is opener
Queue a violation report
for access to an opened window
, given
accessorCOOP
accessorURL
accessedURL
accessedInitialURL
accessorOrigin
accessedOrigin
accessedCreatorOrigin
propertyName
and
environment
Queue a violation report for access
from the opener
, given
accessedCOOP
accessedURL
accessorURL
accessedOrigin
accessorOrigin
propertyName
, and
accessedReferrer
Otherwise, if
accessorAccessedRelationship
is
accessor is openee
Queue a violation report for access to
the opener
, given
accessorCOOP
accessorURL
accessedURL
accessorOrigin
accessedOrigin
propertyName
accessorReferrer
, and
environment
Queue a violation report for access
from an opened window
, given
accessedCOOP
accessedURL
accessorURL
accessorInitialURL
accessedOrigin
accessorOrigin
accessorCreatorOrigin
, and
propertyName
Otherwise:
Queue a violation report for
access to another window
, given
accessorCOOP
accessorURL
accessedURL
accessorOrigin
accessedOrigin
propertyName
, and
environment
Queue a violation report for
access from another window
, given
accessedCOOP
accessedURL
accessorURL
accessedOrigin
accessorOrigin
, and
propertyName
To
queue a violation report for access to the
opener
, given an
opener policy
coop
, two
URLs
coopURL
and
openerURL
, two
origins
coopOrigin
and
openerOrigin
, a string
propertyName
, a
referrer
referrer
, and an
environment settings object
environment
Let
sourceFile
lineNumber
, and
columnNumber
be the
relevant script URL and problematic position which triggered this report.
Let
serializedReferrer
be an empty string.
If
referrer
is a
URL
, set
serializedReferrer
to the
serialization
of
referrer
Let
body
be a new object containing the following properties:
key
value
disposition
reporting
effectivePolicy
coop
's
report-only
value
property
propertyName
openerURL
If
coopOrigin
and
openerOrigin
are
same origin
, this
is the
sanitization
of
openerURL
, null
otherwise.
referrer
serializedReferrer
sourceFile
sourceFile
lineNumber
lineNumber
columnNumber
columnNumber
type
access-to-opener
Queue
body
as "
coop
" for
coop
's
reporting endpoint
with
coopURL
and
environment
To
queue a violation report for access to an
opened window
, given an
opener policy
coop
three
URLs
coopURL
openedWindowURL
and
initialWindowURL
, three
origins
coopOrigin
openedWindowOrigin
, and
openerInitialOrigin
, a string
propertyName
, and an
environment settings object
environment
Let
sourceFile
lineNumber
, and
columnNumber
be the
relevant script URL and problematic position which triggered this report.
Let
body
be a new object containing the following properties:
key
value
disposition
reporting
effectivePolicy
coop
's
report-only
value
property
propertyName
openedWindowURL
If
coopOrigin
and
openedWindowOrigin
are
same origin
, this
is the
sanitization
of
openedWindowURL
null otherwise.
openedWindowInitialURL
If
coopOrigin
and
openerInitialOrigin
are
same origin
this is the
sanitization
of
initialWindowURL
, null otherwise.
sourceFile
sourceFile
lineNumber
lineNumber
columnNumber
columnNumber
type
access-to-opener
Queue
body
as "
coop
for
coop
's
reporting endpoint
with
coopURL
and
environment
To
queue a violation report for access to another
window
, given an
opener policy
coop
, two
URLs
coopURL
and
otherURL
, two
origins
coopOrigin
and
otherOrigin
, a string
propertyName
, and an
environment settings object
environment
Let
sourceFile
lineNumber
, and
columnNumber
be the
relevant script URL and problematic position which triggered this report.
Let
body
be a new object containing the following properties:
key
value
disposition
reporting
effectivePolicy
coop
's
report-only
value
property
propertyName
otherURL
If
coopOrigin
and
otherOrigin
are
same origin
, this
is the
sanitization
of
otherURL
, null
otherwise.
sourceFile
sourceFile
lineNumber
lineNumber
columnNumber
columnNumber
type
access-to-opener
Queue
body
as "
coop
for
coop
's
reporting endpoint
with
coopURL
and
environment
To
queue a violation report for access from the
opener
, given an
opener policy
coop
, two
URLs
coopURL
and
openerURL
, two
origins
coopOrigin
and
openerOrigin
, a string
propertyName
, and a
referrer
referrer
If
coop
's
reporting endpoint
is null, return.
Let
serializedReferrer
be an empty string.
If
referrer
is a
URL
, set
serializedReferrer
to the
serialization
of
referrer
Let
body
be a new object containing the following properties:
key
value
disposition
reporting
effectivePolicy
coop
's
report-only
value
property
propertyName
openerURL
If
coopOrigin
and
openerOrigin
are
same origin
, this
is the
sanitization
of
openerURL
, null
otherwise.
referrer
serializedReferrer
type
access-to-opener
Queue
body
as "
coop
for
coop
's
reporting endpoint
with
coopURL
To
queue a violation report for access from an
opened window
, given an
opener policy
coop
three
URLs
coopURL
openedWindowURL
and
initialWindowURL
, three
origins
coopOrigin
openedWindowOrigin
, and
openerInitialOrigin
, and a string
propertyName
If
coop
's
reporting endpoint
is null, return.
Let
body
be a new object containing the following properties:
key
value
disposition
reporting
effectivePolicy
coopValue
property
coop
's
report-only
value
openedWindowURL
If
coopOrigin
and
openedWindowOrigin
are
same origin
, this
is the
sanitization
of
openedWindowURL
null otherwise.
openedWindowInitialURL
If
coopOrigin
and
openerInitialOrigin
are
same origin
this is the
sanitization
of
initialWindowURL
, null otherwise.
type
access-to-opener
Queue
body
as "
coop
for
coop
's
reporting endpoint
with
coopURL
To
queue a violation report for access from
another window
, given an
opener policy
coop
two
URLs
coopURL
and
otherURL
, two
origins
coopOrigin
and
otherOrigin
, and a string
propertyName
If
coop
's
reporting endpoint
is null, return.
Let
body
be a new object containing the following properties:
key
value
disposition
reporting
effectivePolicy
coop
's
report-only
value
property
propertyName
otherURL
If
coopOrigin
and
otherOrigin
are
same origin
, this
is the
sanitization
of
otherURL
, null
otherwise.
type
access-to-opener
Queue
body
as "
coop
for
coop
's
reporting endpoint
with
coopURL
7.1.4
Cross-origin embedder policies
Headers/Cross-Origin-Embedder-Policy
Support in all current engines.
Firefox
79+
Safari
15.2+
Chrome
83+
Opera
Edge
83+
Edge (Legacy)
Internet Explorer
No
Firefox Android
Safari iOS
Chrome Android
WebView Android
86+
Samsung Internet
Opera Android
An
embedder policy value
is one of three strings that controls the fetching
of cross-origin resources without explicit permission from resource owners.
unsafe-none
This is the default value. When this value is used, cross-origin resources can be fetched
without giving explicit permission through the
CORS protocol
or the
Cross-Origin-Resource-Policy
` header.
require-corp
When this value is used, fetching cross-origin resources requires the server's
explicit permission through the
CORS protocol
or the
Cross-Origin-Resource-Policy
` header.
credentialless
When this value is used, fetching cross-origin no-CORS resources omits credentials. In
exchange, an explicit `
Cross-Origin-Resource-Policy
` header is not required. Other
requests sent with credentials require the server's explicit permission through the
CORS
protocol
or the `
Cross-Origin-Resource-Policy
` header.
Before supporting "
credentialless
", implementers are
strongly encouraged to support both:
Private Network Access
Opaque Response Blocking
Otherwise, it would allow attackers to leverage the client's network position to read non
public resources, using the
cross-origin isolated
capability
An
embedder policy value
is
compatible with cross-origin isolation
if
it is "
credentialless
" or "
require-corp
".
An
embedder policy
consists of:
value
, which is an
embedder policy value
, initially "
unsafe-none
".
reporting endpoint
string, initially the empty string.
report only value
, which is an
embedder policy value
, initially
unsafe-none
".
report only reporting endpoint
string, initially the empty
string.
The
coep
" report type
is a
report type
whose value
is "
coep
". It is
visible to
ReportingObserver
7.1.4.1
The headers
The `
Cross-Origin-Embedder-Policy
` and
Cross-Origin-Embedder-Policy-Report-Only
` HTTP response
headers allow a server to declare an
embedder policy
for an
environment
settings object
. These headers are
structured
headers
whose values must be
token
[STRUCTURED-FIELDS]
The valid
token
values are the
embedder policy values
. The token may also have attached
parameters
; of these, the "
report-to
" parameter can have a
valid URL
string
identifying an appropriate reporting endpoint.
[REPORTING]
The
processing model
fails open (by defaulting
to "
unsafe-none
") in the presence of a header that cannot
be parsed as a token. This includes inadvertent lists created by combining multiple instances of
the `
Cross-Origin-Embedder-Policy
` header present in a given response:
Cross-Origin-Embedder-Policy
Final
embedder policy value
No header delivered
unsafe-none
require-corp
require-corp
unknown-value
unsafe-none
require-corp, unknown-value
unsafe-none
unknown-value, unknown-value
unsafe-none
unknown-value, require-corp
unsafe-none
require-corp, require-corp
unsafe-none
(The same applies to `
Cross-Origin-Embedder-Policy-Report-Only
`.)
To
obtain an embedder policy
from a
response
response
and an
environment
environment
Let
policy
be a new
embedder policy
If
environment
is a
non-secure context
, then return
policy
Let
parsedItem
be the result of
getting a structured field value
with `
Cross-Origin-Embedder-Policy
` and "
item
" from
response
's
header list
If
parsedItem
is non-null and
parsedItem
[0] is
compatible with
cross-origin isolation
Set
policy
's
value
to
parsedItem
[0].
If
parsedItem
[1]["
report-to
"]
exists
, then set
policy
's
endpoint
to
parsedItem
[1]["
report-to
"].
Set
parsedItem
to the result of
getting a structured field value
with `
Cross-Origin-Embedder-Policy-Report-Only
` and "
item
from
response
's
header
list
If
parsedItem
is non-null and
parsedItem
[0] is
compatible with
cross-origin isolation
Set
policy
's
report only value
to
parsedItem
[0].
If
parsedItem
[1]["
report-to
"]
exists
, then set
policy
's
endpoint
to
parsedItem
[1]["
report-to
"].
Return
policy
7.1.4.2
Embedder policy checks
To
check a navigation response's adherence to its embedder policy
given a
response
response
, a
navigable
navigable
, and an
embedder policy
responsePolicy
If
navigable
is not a
child navigable
, then return
true.
Let
parentPolicy
be
navigable
's
container document
's
policy container
's
embedder policy
If
parentPolicy
's
report-only
value
is
compatible with cross-origin isolation
and
responsePolicy
's
value
is not, then
queue a cross-origin embedder policy inheritance violation
with
response
",
parentPolicy
's
report only reporting endpoint
reporting
", and
navigable
's
container document
's
relevant settings
object
If
parentPolicy
's
value
is not
compatible with cross-origin isolation
or
responsePolicy
's
value
is
compatible with cross-origin
isolation
, then return true.
Queue a cross-origin embedder policy inheritance violation
with
response
, "
",
parentPolicy
's
reporting endpoint
enforce
", and
navigable
's
container document
's
relevant settings
object
Return false.
To
check a global object's embedder policy
given a
WorkerGlobalScope
workerGlobalScope
, an
environment settings object
owner
, and
response
response
If
workerGlobalScope
is not a
DedicatedWorkerGlobalScope
object,
then return true.
Let
policy
be
workerGlobalScope
's
embedder policy
Let
ownerPolicy
be
owner
's
policy container
's
embedder policy
If
ownerPolicy
's
report-only
value
is
compatible with cross-origin isolation
and
policy
's
value
is not, then
queue a cross-origin
embedder policy inheritance violation
with
response
, "
worker
initialization
",
ownerPolicy
's
report only reporting endpoint
reporting
", and
owner
If
ownerPolicy
's
value
is not
compatible with cross-origin isolation
or
policy
's
value
is
compatible with cross-origin
isolation
, then return true.
Queue a cross-origin embedder policy inheritance violation
with
response
, "
worker initialization
",
ownerPolicy
's
reporting endpoint
enforce
", and
owner
Return false.
To
queue a cross-origin embedder policy inheritance violation
given a
response
response
, a string
type
, a string
endpoint
, a string
disposition
, and an
environment settings
object
settings
Let
serialized
be the result of
serializing a response URL for
reporting
with
response
Let
body
be a new object containing the following properties:
key
value
type
type
blockedURL
serialized
disposition
disposition
Queue
body
as the
coep
" report type
for
endpoint
on
settings
7.1.5
Sandboxing
sandboxing flag set
is a set of zero or more of the following flags, which
are used to restrict the abilities that potentially untrusted resources have:
The
sandboxed navigation browsing context flag
This flag
prevents content from navigating browsing contexts other
than the sandboxed browsing context itself
(or browsing contexts further nested inside it),
auxiliary browsing contexts
(which are protected
by the
sandboxed auxiliary navigation browsing context flag
defined next), and the
top-level browsing context
(which is protected by the
sandboxed top-level
navigation without user activation browsing context flag
and
sandboxed top-level
navigation with user activation browsing context flag
defined below).
If the
sandboxed auxiliary navigation browsing context flag
is not set, then in
certain cases the restrictions nonetheless allow popups (new
top-level browsing contexts
) to be opened. These
browsing contexts
always have
one permitted sandboxed navigator
, set
when the browsing context is created, which allows the
browsing context
that
created them to actually navigate them. (Otherwise, the
sandboxed navigation browsing
context flag
would prevent them from being navigated even if they were opened.)
The
sandboxed auxiliary navigation browsing context flag
This flag
prevents content from creating new auxiliary browsing
contexts
, e.g. using the
target
attribute or
the
window.open()
method.
The
sandboxed top-level navigation without user activation browsing
context flag
This flag
prevents content from navigating their
top-level
browsing context
and
prevents content from closing their
top-level browsing context
. It is consulted only when the sandboxed browsing
context's
active window
does not have
transient activation
When the
sandboxed top-level navigation without user activation browsing context
flag
is
not
set, content can navigate its
top-level browsing
context
, but other
browsing contexts
are still
protected by the
sandboxed navigation browsing context flag
and possibly
the
sandboxed auxiliary navigation browsing context flag
The
sandboxed top-level navigation with user activation browsing context
flag
This flag
prevents content from navigating their
top-level
browsing context
and
prevents content from closing their
top-level browsing context
. It is consulted only when the sandboxed browsing
context's
active window
has
transient activation
As with the
sandboxed top-level navigation without user activation browsing context
flag
, this flag only affects the
top-level browsing context
; if it is not
set, other
browsing contexts
might still be protected by
other flags.
The
sandboxed origin browsing context flag
This flag
forces content into an opaque origin
, thus preventing
it from accessing other content from the same
origin
This flag also
prevents script from reading from or writing to the
document.cookie
IDL attribute
, and blocks access
to
localStorage
The
sandboxed forms browsing context flag
This flag
blocks form submission
The
sandboxed pointer lock browsing context flag
This flag disables the Pointer Lock API.
[POINTERLOCK]
The
sandboxed scripts browsing context flag
This flag
blocks script execution
The
sandboxed automatic features browsing context flag
This flag blocks features that trigger automatically, such as
automatically playing a video
or
automatically focusing a form control
The
sandboxed
document.domain
browsing context flag
This flag prevents content from using the
document.domain
setter.
The
sandbox propagates to auxiliary browsing contexts flag
This flag prevents content from escaping the sandbox by ensuring that any
auxiliary browsing context
it creates inherits the content's
active sandboxing flag set
The
sandboxed modals flag
This flag prevents content from using any of the following features to produce modal
dialogs:
window.alert()
window.confirm()
window.print()
window.prompt()
the
beforeunload
event
The
sandboxed orientation lock browsing context flag
This flag disables the ability to lock the screen orientation.
[SCREENORIENTATION]
The
sandboxed presentation browsing context flag
This flag disables the Presentation API.
[PRESENTATION]
The
sandboxed downloads browsing context flag
This flag prevents content from initiating or instantiating downloads, whether through
downloading hyperlinks
or through
that gets
handled as a download
The
sandboxed custom protocols navigation browsing context flag
This flag prevents navigations toward non
fetch schemes
from being
handed off to external
software
When the user agent is to
parse a sandboxing directive
, given a string
input
and a
sandboxing flag set
output
, it must run the following
steps:
Split
input
on ASCII
whitespace
, to obtain
tokens
Let
output
be empty.
Add the following flags to
output
The
sandboxed navigation browsing context flag
The
sandboxed auxiliary navigation browsing context flag
, unless
tokens
contains the
allow-popups
keyword.
The
sandboxed top-level navigation without user activation browsing context
flag
, unless
tokens
contains the
allow-top-navigation
keyword.
The
sandboxed top-level navigation with user activation browsing context flag
unless
tokens
contains either the
allow-top-navigation-by-user-activation
keyword or the
allow-top-navigation
keyword.
This means that if the
allow-top-navigation
is present, the
allow-top-navigation-by-user-activation
keyword will have no effect. For this reason, specifying both is a document conformance error.
The
sandboxed origin browsing context flag
, unless the
tokens
contains the
allow-same-origin
keyword.
The
allow-same-origin
keyword
is intended for two cases.
First, it can be used to allow content from the same site to be sandboxed to disable
scripting, while still allowing access to the DOM of the sandboxed content.
Second, it can be used to embed content from a third-party site, sandboxed to prevent that
site from opening popups, etc, without preventing the embedded page from communicating back
to its originating site, using the database APIs to store data, etc.
The
sandboxed forms browsing context flag
, unless
tokens
contains the
allow-forms
keyword.
The
sandboxed pointer lock browsing context flag
, unless
tokens
contains the
allow-pointer-lock
keyword.
The
sandboxed scripts browsing context flag
, unless
tokens
contains the
allow-scripts
keyword.
The
sandboxed automatic features browsing context flag
, unless
tokens
contains the
allow-scripts
keyword (defined above).
This flag is relaxed by the same keyword as scripts, because when scripts are
enabled these features are trivially possible anyway, and it would be unfortunate to force
authors to use script to do them when sandboxed rather than allowing them to use the
declarative features.
The
sandboxed
document.domain
browsing
context flag
The
sandbox propagates to auxiliary browsing contexts flag
, unless
tokens
contains the
allow-popups-to-escape-sandbox
keyword.
The
sandboxed modals flag
, unless
tokens
contains the
allow-modals
keyword.
The
sandboxed orientation lock browsing context flag
, unless
tokens
contains the
allow-orientation-lock
keyword.
The
sandboxed presentation browsing context flag
, unless
tokens
contains the
allow-presentation
keyword.
The
sandboxed downloads browsing context flag
, unless
tokens
contains the
allow-downloads
keyword.
The
sandboxed custom protocols navigation browsing context flag
, unless
tokens
contains either the
allow-top-navigation-to-custom-protocols
keyword, the
allow-popups
keyword, or
the
allow-top-navigation
keyword.
Every
top-level browsing context
has a
popup sandboxing flag set
, which
is a
sandboxing flag set
. When a
browsing context
is created, its
popup sandboxing flag set
must be empty. It is populated by
the rules for
choosing a navigable
and the
obtain
a browsing context to use for a navigation response
algorithm.
Every
iframe
element has an
iframe
sandboxing flag set
which is a
sandboxing flag set
. Which flags in an
iframe
sandboxing flag set
are set at any particular time is determined by the
iframe
element's
sandbox
attribute.
Every
Document
has an
active sandboxing flag set
which is a
sandboxing flag set
. When the
Document
is created, its
active sandboxing flag set
must be empty. It is populated by the
navigation algorithm
Every
CSP list
cspList
has
CSP-derived sandboxing flags
, which is a
sandboxing flag
set
. It is the return value of the following algorithm:
Let
directives
be an empty
ordered set
For each
policy in
cspList
If
policy
's
disposition
is not "
enforce
", then
continue
If
policy
's
directive set
contains
directive
whose name is "
sandbox
",
then
append
that directive to
directives
If
directives
is empty, then return an empty
sandboxing flag
set
Let
directive
be
directives
directives
's
size
− 1].
Return the result of
parsing the sandboxing
directive
directive
To
determine the creation sandboxing
flags
for a
browsing context
browsing
context
, given null or an element
embedder
, return the
union
of the flags that are present in the following
sandboxing flag sets
If
embedder
is null, then: the flags set on
browsing context
's
popup sandboxing flag set
If
embedder
is an element, then: the flags set on
embedder
's
iframe
sandboxing flag set
If
embedder
is an element, then: the flags set on
embedder
's
node document
's
active sandboxing flag set
7.1.6
iframe
element referrer policy
To
determine the
iframe
element referrer policy
given an element-or-null
embedder
If
embedder
is an
iframe
element, then return
embedder
's
referrerpolicy
attribute's
state's corresponding keyword.
Return the empty string.
This is used for allowing masking of some
origins
in the
internal ancestor origin objects list
creation steps
7.1.7
Policy containers
policy container
is a
struct
containing policies that apply to
Document
, a
WorkerGlobalScope
, or a
WorkletGlobalScope
It has the following
items
CSP list
which is a
CSP list
. It is initially empty.
An
embedder
policy
, which is an
embedder policy
. It is initially a new
embedder
policy
referrer
policy
, which is a
referrer policy
. It is initially the
default referrer
policy
An
integrity
policy
, which is an
integrity policy
, initially a new
integrity policy
report only integrity policy
, which
is an
integrity policy
, initially a new
integrity policy
Move other policies into the policy container.
To
clone a policy container
given a
policy container
policyContainer
Let
clone
be a new
policy container
For each
policy
in
policyContainer
's
CSP list
append
a copy of
policy
into
clone
's
CSP list
Set
clone
's
embedder
policy
to a copy of
policyContainer
's
embedder policy
Set
clone
's
referrer
policy
to
policyContainer
's
referrer policy
Set
clone
's
integrity
policy
to a copy of
policyContainer
's
integrity policy
Return
clone
To determine whether a
URL
url
requires storing the policy
container in history
If
url
's
scheme
is "
blob
", then return false.
If
url
is local
, then return true.
Return false.
To
create a policy container from a fetch response
given a
response
response
and an
environment
-or-null
environment
If
response
's
URL
's
scheme
is "
blob
", then return a
clone
of
response
's
URL
's
blob URL
entry
's
environment
's
policy
container
Let
result
be a new
policy container
Set
result
's
CSP list
to the
result of
parsing a response's Content Security Policies
given
response
If
environment
is non-null, then set
result
's
embedder policy
to the result of
obtaining an embedder policy
given
response
and
environment
. Otherwise, set it to "
unsafe-none
".
Set
result
's
referrer
policy
to the result of
parsing the
Referrer-Policy
` header
given
response
[REFERRERPOLICY]
Parse Integrity-Policy headers
with
response
and
result
Return
result
To
determine navigation params
policy container
given a
URL
responseURL
and four
policy container
-or-nulls
historyPolicyContainer
initiatorPolicyContainer
parentPolicyContainer
, and
responsePolicyContainer
If
historyPolicyContainer
is not null, then:
Assert
responseURL
requires storing the policy container
in history
Return a
clone
of
historyPolicyContainer
If
responseURL
is
about:srcdoc
, then:
Assert
parentPolicyContainer
is not null.
Return a
clone
of
parentPolicyContainer
If
responseURL
is local
and
initiatorPolicyContainer
is not null, then return a
clone
of
initiatorPolicyContainer
If
responsePolicyContainer
is not null, then return
responsePolicyContainer
Return a new
policy container
To
initialize a worker global scope's policy
container
given a
WorkerGlobalScope
workerGlobalScope
, a
response
response
, and an
environment
environment
If
workerGlobalScope
's
url
is local
but its
scheme
is not "
blob
":
Assert
workerGlobalScope
's
owner set
's
size
is 1.
Set
workerGlobalScope
's
policy container
to a
clone
of
workerGlobalScope
's
owner
set
[0]'s
relevant settings object
's
policy container
Otherwise, set
workerGlobalScope
's
policy container
to the result of
creating a policy container from a fetch response
given
response
and
environment