7.5 Origin

Origins are the fundamental currency of the web's security model. Two actors in the web platform that share an origin are assumed to trust each other and to have the same authority. Actors with differing origins are considered potentially hostile versus each other, and are isolated from each other to varying degrees.

For example, if Example Bank's web site, hosted at bank.example.com, tries to examine the DOM of Example Charity's web site, hosted at charity.example.org, a "SecurityError" DOMException will be raised.

An origin is one of the following:

  • An opaque origin

    An internal value, with no serialization it can be recreated from (it is serialized as "null" per serialization of an origin), for which the only meaningful operation is testing for equality.

  • A tuple origin

    tuple consists of:

    • A scheme (an ASCII string).
    • A host (a host).
    • A port (null or a 16-bit unsigned integer).
    • A domain (null or a domain). Null unless stated otherwise.

Origins can be shared, e.g., among multiple Document objects. Furthermore, origins are generally immutable. Only the domain of a tuple origin can be changed, and only through the document.domain API.

The effective domain of an origin origin is computed as follows:

  1. If origin is an opaque origin, then return null.
  2. If origin's domain is non-null, then return origin's domain.
  3. Return origin's host.

The serialization of an origin is the string obtained by applying the following algorithm to the given origin origin:

  1. If origin is an opaque origin, then return "null".
  2. Otherwise, let result be origin's scheme.
  3. Append "://" to result.
  4. Append origin's hostserialized, to result.
  5. If origin's port is non-null, append a U+003A COLON character (:), and origin's portserialized, to result.
  6. Return result.

The serialization of ("https", "xn--maraa-rta.example", null, null) is "https://xn--maraa-rta.example".

There used to also be a Unicode serialization of an origin. However, it was never widely adopted.

Two originsA and B, are said to be same origin if the following algorithm returns true:

  1. If A and B are the same opaque origin, then return true.
  2. If A and B are both tuple origins and their schemeshosts, and port are identical, then return true.
  3. Return false.

Two originsA and B, are said to be same origin-domain if the following algorithm returns true:

  1. If A and B are the same opaque origin, then return true.

  2. If A and B are both tuple origins, run these substeps:

    1. If A and B's schemes are identical, and their domains are identical and non-null, then return true.
    2. Otherwise, if A and B are same origin and their domains are identical and null, then return true.
  3. Return false.
ABsame originsame origin-domain
("https", "example.org", null, null)("https", "example.org", null, null)
("https", "example.org", 314, null)("https", "example.org", 420, null)
("https", "example.org", 314, "example.org")("https", "example.org", 420, "example.org")
("https", "example.org", null, null)("https", "example.org", null, "example.org")
("https", "example.org", null, "example.org")("http", "example.org", null, "example.org")

7.5.1 Sites

A scheme-and-host is a tuple of a scheme (an ASCII string) and a host (a host).

A site is an opaque origin or a scheme-and-host.

To obtain a site, given an origin origin, run these steps:

  1. If origin is an opaque origin, then return origin.
  2. If origin's host's registrable domain is null, then return (origin's schemeorigin's host).
  3. Return (origin's schemeorigin's host's registrable domain).

Two sitesA and B, are said to be same site if the following algorithm returns true:

  1. If A and B are the same opaque origin, the return true.
  2. If A or B is an opaque origin, then return false.
  3. If A's and B's scheme values are different, then return false.
  4. If A's and B's host values are not equal, then return false.
  5. Return true.

The serialization of a site is the string obtained by applying the following algorithm to the given site site:

  1. If site is an opaque origin, then return "null".
  2. Let result be site[0].
  3. Append "://" to result.
  4. Append site[1], serialized, to result.
  5. Return result.

It needs to be clear from context that the serialized value is a site, not an origin, as there is not necessarily a syntactic difference between the two. For example, the origin ("https", "shop.example", null, null) and the site ("https", "shop.example") have the same serialization: "https://shop.example".

Two originsA and B, are said to be schemelessly same site if the following algorithm returns true:

  1. If A and B are the same opaque origin, then return true.

  2. If A and B are both tuple origins, then:

    1. Let hostA be A's host, and let hostB be B's host.
    2. If hostA equals hostB and hostA's registrable domain is null, then return true.
    3. If hostA's registrable domain equals hostB's registrable domain and is non-null, then return true.
  3. Return false.

Two originsA and B, are said to be same site if the following algorithm returns true:

  1. Let siteA be the result of obtaining a site given A.
  2. Let siteB be the result of obtaining a site given B.
  3. If siteA is same site with siteB, then return true.
  4. Return false.

Unlike the same origin and same origin-domain concepts, for schemelessly same site and same site, the port and domain components are ignored.

For the reasons explained in URL, the same site and schemelessly same site concepts should be avoided when possible, in favor of same origin checks.

Given that wildlife.museummuseum, and com are public suffixes and that example.com is not:

ABschemelessly same sitesame site
("https", "example.com")("https", "sub.example.com")
("https", "example.com")("https", "sub.other.example.com")
("https", "example.com")("http", "non-secure.example.com")
("https", "r.wildlife.museum")("https", "sub.r.wildlife.museum")
("https", "r.wildlife.museum")("https", "sub.other.r.wildlife.museum")
("https", "r.wildlife.museum")("https", "other.wildlife.museum")
("https", "r.wildlife.museum")("https", "wildlife.museum")
("https", "wildlife.museum")("https", "wildlife.museum")
("https", "example.com")("https", "example.com.")

(Here we have omitted the port and domain components since they are not considered.)

7.5.2 Relaxing the same-origin restriction

  • document.domain [ = domain ]

    Returns the current domain used for security checks.

    Can be set to a value that removes subdomains, to change the origin's domain to allow pages on other subdomains of the same domain (if they do the same thing) to access each other. This enables pages on different hosts of a domain to synchronously access each other's DOMs.

    In sandboxed iframes, Documents with opaque originsDocuments without a browsing context, and when the "document-domain" feature is disabled, the setter will throw a "SecurityError" exception. In cases where crossOriginIsolated or originAgentCluster return true, the setter will do nothing.

Avoid using the document.domain setter. It undermines the security protections provided by the same-origin policy. This is especially acute when using shared hosting; for example, if an untrusted third party is able to host an HTTP server at the same IP address but on a different port, then the same-origin protection that normally protects two different sites on the same host will fail, as the ports are ignored when comparing origins after the document.domain setter has been used.

Because of these security pitfalls, this feature is in the process of being removed from the web platform. (This is a long process that takes many years.)

Instead, use postMessage() or MessageChannel objects to communicate across origins in a safe manner.

The domain getter steps are:

  1. Let effectiveDomain be this's origin's effective domain.
  2. If effectiveDomain is null, then return the empty string.
  3. Return effectiveDomainserialized.

The domain setter steps are:

  1. If this's browsing context is null, then throw a "SecurityError" DOMException.
  2. If this's active sandboxing flag set has its sandboxed document.domain browsing context flag set, then throw a "SecurityError" DOMException.
  3. If this is not allowed to use the "document-domain" feature, then throw a "SecurityError" DOMException.
  4. Let effectiveDomain be this's origin's effective domain.
  5. If effectiveDomain is null, then throw a "SecurityError" DOMException.
  6. If the given value is not a registrable domain suffix of and is not equal to effectiveDomain, then throw a "SecurityError" DOMException.
  7. If the surrounding agent's agent cluster's is origin-keyed is true, then return.
  8. Set this's origin's domain to the result of parsing the given value.

To determine if a string hostSuffixString is a registrable domain suffix of or is equal to a host originalHost, run these steps:

  1. If hostSuffixString is the empty string, then return false.
  2. Let hostSuffix be the result of parsing hostSuffixString.
  3. If hostSuffix is failure, then return false.

  4. If hostSuffix does not equal originalHost, then:

    1. If hostSuffix or originalHost is not a domain, then return false.

    This excludes hosts that are IP addresses.

    1. If hostSuffix, prefixed by U+002E (.), does not match the end of originalHost, then return false.
    2. If one of the following is true
    3. hostSuffix equals hostSuffix's public suffix
    4. hostSuffix, prefixed by U+002E (.), matches the end originalHost's public suffix

    then return false. [[URL]](https://html.spec.whatwg.org/multipage/references.html#refsURL)

    1. Assert: originalHost's public suffix, prefixed by U+002E (.), matches the end of hostSuffix.
  5. Return true.
hostSuffixStringoriginalHostOutcome of is a registrable domain suffix of or is equal toNotes
"0.0.0.0"0.0.0.0
"0x10203"0.1.2.3
"[0::1]"::1
"example.com"example.com
"example.com"example.com.Trailing dot is significant.
"example.com."example.com
"example.com"www.example.com
"com"example.comAt the time of writing, com is a public suffix.
"example"example
"compute.amazonaws.com"example.compute.amazonaws.comAt the time of writing, *.compute.amazonaws.com is a public suffix.
"example.compute.amazonaws.com"www.example.compute.amazonaws.com
"amazonaws.com"www.example.compute.amazonaws.com
"amazonaws.com"test.amazonaws.comAt the time of writing, amazonaws.com is a registrable domain.

7.5.3 Origin-keyed agent clusters

  • window.originAgentCluster

    Returns true if this Window belongs to an agent cluster which is origin-keyed, in the manner described in this section.

Document delivered over a secure context can request that it be placed in an origin-keyed agent cluster, by using the Origin-Agent-Cluster HTTP response header. This header is a structured header whose value must be a boolean. [[STRUCTURED-FIELDS]](https://html.spec.whatwg.org/multipage/references.html#refsSTRUCTURED-FIELDS)

Per the processing model in the create and initialize a new Document object, values that are not the structured header boolean true value (i.e., ?1) will be ignored.

The consequences of using this header are that the resulting Document's agent cluster key is its origin, instead of the corresponding site. In terms of observable effects, this means that attempting to relax the same-origin restriction using document.domain will instead do nothing, and it will not be possible to send WebAssembly.Module objects to cross-origin Documents (even if they are same site). Behind the scenes, this isolation can allow user agents to allocate implementation-specific resources corresponding to agent clusters, such as processes or threads, more efficiently.

Note that within a browsing context group, the Origin-Agent-Cluster header can never cause same-origin Document objects to end up in different agent clusters, even if one sends the header and the other doesn't. This is prevented by means of the historical agent cluster key map.

This means that the originAgentCluster getter can return false, even if the header is set, if the header was omitted on a previously-loaded same-origin page in the same browsing context group. Similarly, it can return true even when the header is not set.

The originAgentCluster getter steps are to return the surrounding agent's agent cluster's is origin-keyed.

Documents with an opaque origin can be considered unconditionally origin-keyed; for them the header has no effect, and the originAgentCluster getter will always return true.

Similarly, Documents whose agent cluster's cross-origin isolation mode is not "none" are automatically origin-keyed. The Origin-Agent-Cluster`\` header might be useful as an additional hint to implementations about resource allocation, since the \Cross-Origin-Opener-Policy\ and ``Cross-Origin-Embedder-Policy headers used to achieve cross-origin isolation are more about ensuring that everything in the same address space opts in to being there. But adding it would have no additional observable effects on author code.

7.6 Sandboxing

A sandboxing flag set is a set of zero or more of the following flags, which are used to restrict the abilities that potentially untrusted resources have:

When the user agent is to parse a sandboxing directive, given a string input, a sandboxing flag set output, it must run the following steps:

  1. Split input on ASCII whitespace, to obtain tokens.
  2. Let output be empty.

  3. Add the following flags to output:

    This means that if the allow-top-navigation is present, the allow-top-navigation-by-user-activation keyword will have no effect. For this reason, specifying both is a document conformance error.

    The allow-same-origin keyword is intended for two cases.

    First, it can be used to allow content from the same site to be sandboxed to disable scripting, while still allowing access to the DOM of the sandboxed content.

    Second, it can be used to embed content from a third-party site, sandboxed to prevent that site from opening popups, etc, without preventing the embedded page from communicating back to its originating site, using the database APIs to store data, etc.

    This flag is relaxed by the same keyword as scripts, because when scripts are enabled these features are trivially possible anyway, and it would be unfortunate to force authors to use script to do them when sandboxed rather than allowing them to use the declarative features.

Every top-level browsing context has a popup sandboxing flag set, which is a sandboxing flag set. When a browsing context is created, its popup sandboxing flag set must be empty. It is populated by the rules for choosing a browsing context and the obtain a browsing context to use for a navigation response algorithm.

Every iframe element has an iframe sandboxing flag set, which is a sandboxing flag set. Which flags in an iframe sandboxing flag set are set at any particular time is determined by the iframe element's sandbox attribute.

Every Document has an active sandboxing flag set, which is a sandboxing flag set. When the Document is created, its active sandboxing flag set must be empty. It is populated by the navigation algorithm.

Every resource that is obtained by the navigation algorithm has a forced sandboxing flag set, which is a sandboxing flag set. A resource by default has no flags set in its forced sandboxing flag set, but other specifications can define that certain flags are set.

In particular, the forced sandboxing flag set is used by Content Security Policy. [[CSP]](https://html.spec.whatwg.org/multipage/references.html#refsCSP)

To determine the creation sandboxing flags for a browsing context browsing context, given null or an element embedder, return the union of the flags that are present in the following sandboxing flag sets:

After creation, the sandboxing flags for a browsing context browsing context are the result of determining the creation sandboxing flags given browsing context and browsing context's container.

7.7 Cross-origin opener policies

A cross-origin opener policy value allows a document which is navigated to in a top-level browsing context to force the creation of a new top-level browsing context, and a corresponding group. The possible values are:

A cross-origin opener policy consists of:

To match cross-origin opener policy values, given a cross-origin opener policy value A, an origin originA, a cross-origin opener policy value B, and an origin originB:

  1. If A is "unsafe-none" and B is "unsafe-none", then return true.
  2. If A is "unsafe-none" or B is "unsafe-none", then return false.
  3. If A is B and originA is same origin with originB, then return true.
  4. Return false.

7.7.1 The headers

MDN

Document's cross-origin opener policy is derived from the Cross-Origin-Opener-Policy`\` and \Cross-Origin-Opener-Policy-Report-Only HTTP response headers. These headers are structured headers whose value must be a token. [[STRUCTURED-FIELDS]](https://html.spec.whatwg.org/multipage/references.html#refsSTRUCTURED-FIELDS)

The valid token values are the opener policy values. The token may also have attached parameters; of these, the "report-to" parameter can have a valid URL string identifying an appropriate reporting endpoint. [[REPORTING]](https://html.spec.whatwg.org/multipage/references.html#refsREPORTING)

Per the processing model described below, user agents will ignore this header if it contains an invalid value. Likewise, user agents will ignore this header if the value cannot be parsed as a token.

To obtain a cross-origin opener policy given a response response and an environment reservedEnvironment:

  1. Let policy be a new cross-origin opener policy.
  2. If reservedEnvironment is a non-secure context, then return policy.
  3. Let value be the result of getting a structured field value given Cross-Origin-Opener-Policy and "item" from response's header list.

  4. If parsedItem is not null, then:

    1. If parsedItem[0] is "same-origin", then:
    2. Let coep be the result of obtaining a cross-origin embedder policy from response and reservedEnvironment.
    3. If coep's value is compatible with cross-origin isolation, then set policy's value to "same-origin-plus-COEP".
    4. Otherwise, set policy's value to "same-origin".
    5. If parsedItem[0] is "same-origin-allow-popups", then set policy's value to "same-origin-allow-popups".
    6. If parsedItem[1]["report-to"] exists and it is a string, then set policy's reporting endpoint to parsedItem[1]["report-to"].
  5. Set parsedItem to the result of getting a structured field value given Cross-Origin-Opener-Policy-Report-Only and "item" from response's header list.

  6. If parsedItem is not null, then:

    1. If parsedItem[0] is "same-origin", then:
    2. Let coep be the result of obtaining a cross-origin embedder policy from response and reservedEnvironment.

    3. If coep's value is compatible with cross-origin isolation or coep's report-only value is compatible with cross-origin isolation, then set policy's report-only value to "same-origin-plus-COEP".

      Report only COOP also considers report-only COEP to assign the special "same-origin-plus-COEP" value. This allows developers more freedom in the order of deployment of COOP and COEP.

    4. Otherwise, set policy's report-only value to "same-origin".
    5. If parsedItem[0] is "same-origin-allow-popups", then set policy's report-only value to "same-origin-allow-popups".
    6. If parsedItem[1]["report-to"] exists and it is a string, then set policy's report-only reporting endpoint to parsedItem[1]["report-to"].
  7. Return policy.

7.7.2 Browsing context group switches due to cross-origin opener policy

To check if COOP values require a browsing context group switch, given a boolean isInitialAboutBlank, two origins responseOrigin and activeDocumentNavigationOrigin, and two cross-origin opener policy values responseCOOPValue and activeDocumentCOOPValue:

  1. If the result of matching activeDocumentCOOPValueactiveDocumentNavigationOriginresponseCOOPValue, and responseOrigin is true, return false.

  2. If all of the following are true:

    • isInitialAboutBlank,
    • activeDocumentCOOPValue's value is "same-origin-allow-popups".
    • responseCOOPValue is "unsafe-none",

    then return false.

  3. Return true.

To check if enforcing report-only COOP would require a browsing context group switch, given a boolean isInitialAboutBlank, two origins responseOriginactiveDocumentNavigationOrigin, and two cross-origin opener policies responseCOOP and activeDocumentCOOP:

  1. If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlankresponseOriginactiveDocumentNavigationOriginresponseCOOP's report-only value and activeDocumentCOOPReportOnly's report-only value is false, then return false.

    Matching report-only policies allows a website to specify the same report-only cross-origin opener policy on all its pages and not receive violation reports for navigations between these pages.

  2. If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlankresponseOriginactiveDocumentNavigationOriginresponseCOOP's value and activeDocumentCOOPReportOnly's report-only value is true, then return true.
  3. If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlankresponseOriginactiveDocumentNavigationOriginresponseCOOP's report-only value and activeDocumentCOOPReportOnly's value is true, then return true.
  4. Return false.

A cross-origin opener policy enforcement result is a struct with the following items:

  • A boolean needs a browsing context group switch, initially false.
  • A boolean would need a browsing context group switch due to report-only, initially false.
  • URL url.
  • An origin origin.
  • cross-origin opener policy cross-origin opener policy.
  • A boolean current context is navigation source.

To enforce a response's cross-origin opener policy, given a browsing context browsingContext, a URL responseURL, an origin responseOrigin, a cross-origin opener policy responseCOOP, a cross-origin opener policy enforcement result currentCOOPEnforcementResult, and a referrer referrer:

  1. Let newCOOPEnforcementResult be a new cross-origin opener policy enforcement result whose needs a browsing context group switch is currentCOOPEnforcementResult's needs a browsing context group switchwould need a browsing context group switch due to report-only is currentCOOPEnforcementResult's would need a browsing context group switch due to report-onlyurl is responseURLorigin is responseOrigincoop is responseCOOP, and current context is navigation source is true.
  2. Let isInitialAboutBlank be true if browsingContext is still on its initial about:blank Document; otherwise, false.
  3. If isInitialAboutBlank is true and browsingContext's initial URL is null, set browsingContext's initial URL to responseURL.

  4. If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlankcurrentCOOPEnforcementResult's cross-origin opener policy's valuecurrentCOOPEnforcementResult's originresponseCOOP's value, and responseOrigin is true, then:

    1. Set newCOOPEnforcementResult's needs a browsing context group switch to true.
    2. If browsingContext's group's browsing context set's size is greater than 1, then:
    3. Queue a violation report for browsing context group switch when navigating to a COOP response with responseCOOP, "enforce", responseURLcurrentCOOPEnforcementResult's urlcurrentCOOPEnforcementResult's originresponseOrigin, and referrer.
    4. Queue a violation report for browsing context group switch when navigating away from a COOP response with currentCOOPEnforcementResult's cross-origin opener policy, "enforce", currentCOOPEnforcementResult's urlresponseURLcurrentCOOPEnforcementResult's originresponseOrigin, and currentCOOPEnforcementResult's current context is navigation source.

  5. If the result of checking if enforcing report-only COOP would require a browsing context group switch given isInitialAboutBlankresponseOrigincurrentCOOPEnforcementResult's originresponseCOOP, and currentCOOPEnforcementResult's cross-origin opener policy, is true, then:

    1. Set result's would need a browsing context group switch due to report-only to true.
    2. If browsingContext's group's browsing context set's size is greater than 1, then:
    3. Queue a violation report for browsing context group switch when navigating to a COOP response with responseCOOP, "reporting", responseURLcurrentCOOPEnforcementResult's urlcurrentCOOPEnforcementResult's originresponseOrigin, and referrer.
    4. Queue a violation report for browsing context group switch when navigating away from a COOP response with currentCOOPEnforcementResult's cross-origin opener policy, "reporting", currentCOOPEnforcementResult's urlresponseURLcurrentCOOPEnforcementResult's originresponseOrigin, and currentCOOPEnforcementResult's current context is navigation source.
  6. Return newCOOPEnforcementResult.

To obtain a browsing context to use for a navigation response, given a browsing context browsingContext, a sandboxing flag set sandboxFlags, a cross-origin opener policy navigationCOOP, and a cross-origin opener policy enforcement result coopEnforcementResult:

  1. If browsingContext is not a top-level browsing context, return browsingContext.

  2. If coopEnforcementResult's needs a browsing context group switch is false, then:

    1. If coopEnforcementResult's would need a browsing context group switch due to report-only is true, set browsing context's virtual browsing context group ID to a new unique identifier.
    2. Return browsingContext.
  3. Let newBrowsingContext be the result of creating a new top-level browsing context.

  4. If navigationCOOP's value is "same-origin-plus-COEP", then set newBrowsingContext's group's cross-origin isolation mode to either "logical" or "concrete". The choice of which is implementation-defined.

    It is difficult on some platforms to provide the security properties required by the cross-origin isolated capability. "concrete" grants access to it and "logical" does not.

  5. If sandboxFlags is not empty, then:

    1. Assert navigationCOOP's value is "unsafe-none".
    2. Assert: newBrowsingContext's popup sandboxing flag set is empty.
    3. Set newBrowsingContext's popup sandboxing flag set to a clone of sandboxFlags.

  6. Discard browsingContext.

    This has no effect on browsingContext's group, unless browsingContext was its sole top-level browsing context. In that case, the user agent might delete the browsing context group which no longer contains any browsing contexts.

  7. Return newBrowsingContext.

The impact of swapping browsing context groups following a navigation is not fully defined. It is currently under discussion in issue #5350.

7.7.3 Reporting

An accessor-accessed relationship is an enum that describes the relationship between two browsing contexts between which an access happened. It can take the following values:

To check if an access between two browsing contexts should be reported, given two browsing contexts accessor and accessed, a JavaScript property name P, and an environment settings object environment:

  1. If P is not a cross-origin accessible window property name, then return.

  2. If accessor's active document's origin or any of its ancestorsactive document's origins are not same origin with accessor's top-level browsing context's active document's origin, or if accessed's active document's origin or any of its ancestorsactive document's origins are not same origin with accessed's top-level browsing context's active document's origin, then return.

    This avoids leaking information about cross-origin iframes to a top level frame with cross-origin opener policy reporting.

  3. If accessor's top-level browsing context's virtual browsing context group ID is accessed's top-level browsing context's virtual browsing context group ID, then return.
  4. Let accessorAccessedRelationship be a new accessor-accessed relationship with value none.
  5. If accessed's top-level browsing context's opener browsing context is accessor or an ancestor of accessor, then set accessorAccessedRelationship to accessor is opener.
  6. If accessor's top-level browsing context's opener browsing context is accessed or an ancestor of accessed, then set accessorAccessedRelationship to accessor is openee.
  7. Queue violation reports for accesses, given accessorAccessedRelationshipaccessor's top-level browsing context's active document's cross-origin opener policyaccessed's top-level browsing context's active document's cross-origin opener policyaccessor's active document's URLaccessed's active document's URLaccessor's top-level browsing context's initial URLaccessed's top-level browsing context's initial URLaccessor's active document's originaccessed's active document's originaccessor's top-level browsing context's opener origin at creationaccessed's top-level browsing context's opener origin at creationaccessor's top-level browsing context's active document's referreraccessed's top-level browsing context's active document's referrerP, and environment.

To sanitize a URL to send in a report given a URL url:

  1. Let sanitizedURL be a copy of url.
  2. Set the username given sanitizedURL and the empty string.
  3. Set the password given sanitizedURL and the empty string.
  4. Return the serialization of sanitizedURL with exclude fragment set to true.

To queue a violation report for browsing context group switch when navigating to a COOP response given a cross-origin opener policy coop, a string disposition, a URL coopURL, a URL previousResponseURL, two origins coopOrigin and previousResponseOrigin, and a referrer referrer:

  1. If coop's reporting endpoint is null, return.
  2. Let coopValue be coop's value.
  3. If disposition is "reporting", then set coopValue to coop's report-only value.
  4. Let serializedReferrer be an empty string.
  5. If referrer is a URL, set serializedReferrer to the serialization of referrer.

  6. Let body be a new object containing the following properties:

    keyvalue
    dispositiondisposition
    effectivePolicycoopValue
    previousResponseURLIf coopOrigin and previousResponseOrigin are same origin this is the sanitization of previousResponseURL, null otherwise.
    referrerserializedReferrer
    type"navigation-to-response"
  7. Queue body as "coop" for coop's reporting endpoint with coopURL.

To queue a violation report for browsing context group switch when navigating away from a COOP response given a cross-origin opener policy coop, a string disposition, a URL coopURL, a URL nextResponseURL, two origins coopOrigin and nextResponseOrigin, and a boolean isCOOPResponseNavigationSource:

  1. If coop's reporting endpoint is null, return.
  2. Let coopValue be coop's value.
  3. If disposition is "reporting", then set coopValue to coop's report-only value.

  4. Let body be a new object containing the following properties:

    keyvalue
    dispositiondisposition
    effectivePolicycoopValue
    nextResponseURLIf coopOrigin and nextResponseOrigin are same origin or isCOOPResponseNavigationSource is true, this is the sanitization of previousResponseURL, null otherwise.
    type"navigation-from-response"
  5. Queue body as "coop" for coop's reporting endpoint with coopURL.

To queue violation reports for accesses, given an accessor-accessed relationship accessorAccessedRelationship, two cross-origin opener policies accessorCOOP and accessedCOOP, four URLs accessorURLaccessedURLaccessorInitialURLaccessedInitialURL, four origins accessorOriginaccessedOriginaccessorCreatorOrigin and accessedCreatorOrigin, two referrers accessorReferrer and accessedReferrer, a string propertyName, and an environment settings object environment:

  1. If coop's reporting endpoint is null, return.
  2. Let coopValue be coop's value.
  3. If disposition is "reporting", then set coopValue to coop's report-only value.

  4. If accessorAccessedRelationship is accessor is opener:

    1. Queue a violation report for access to an opened window, given accessorCOOPaccessorURLaccessedURLaccessedInitialURLaccessorOriginaccessedOriginaccessedCreatorOriginpropertyName, and environment.
    2. Queue a violation report for access from the opener, given accessedCOOPaccessedURLaccessorURLaccessedOriginaccessorOriginpropertyName, and accessedReferrer.

  5. Otherwise, if accessorAccessedRelationship is accessor is openee:

    1. Queue a violation report for access to the opener, given accessorCOOPaccessorURLaccessedURLaccessorOriginaccessedOriginpropertyNameaccessorReferrer, and environment.
    2. Queue a violation report for access from an opened window, given accessedCOOPaccessedURLaccessorURLaccessorInitialURLaccessedOriginaccessorOriginaccessorCreatorOrigin, and propertyName.

  6. Otherwise:

    1. Queue a violation report for access to another window, given accessorCOOPaccessorURLaccessedURLaccessorOriginaccessedOriginpropertyName, and environment
    2. Queue a violation report for access from another window, given accessedCOOPaccessedURLaccessorURLaccessedOriginaccessorOrigin, and propertyName.

To queue a violation report for access to the opener, given a cross-origin opener policy coop, two URLs coopURL and openerURL, two origins coopOrigin and openerOrigin, a string propertyName, a referrer referrer, and an environment settings object environment:

  1. Let sourceFilelineNumber and columnNumber be the relevant script URL and problematic position which triggered this report.
  2. Let serializedReferrer be an empty string.
  3. If referrer is a URL, set serializedReferrer to the serialization of referrer.

  4. Let body be a new object containing the following properties:

    keyvalue
    disposition"reporting"
    effectivePolicycoop's report-only value
    propertypropertyName
    openerURLIf coopOrigin and openerOrigin are same origin, this is the sanitization of openerURL, null otherwise.
    referrerserializedReferrer
    sourceFilesourceFile
    lineNumberlineNumber
    columnNumbercolumnNumber
    type"access-to-opener"
  5. Queue body as "coop" for coop's reporting endpoint with coopURL and environment.

To queue a violation report for access to an opened window, given a cross-origin opener policy coop, three URLs coopURLopenedWindowURL and initialWindowURL, three origins coopOriginopenedWindowOrigin, and openerInitialOrigin, a string propertyName, and an environment settings object environment:

  1. Let sourceFilelineNumber and columnNumber be the relevant script URL and problematic position which triggered this report.

  2. Let body be a new object containing the following properties:

    keyvalue
    disposition"reporting"
    effectivePolicycoop's report-only value
    propertypropertyName
    openedWindowURLIf coopOrigin and openedWindowOrigin are same origin, this is the sanitization of openedWindowURL, null otherwise.
    openedWindowInitialURLIf coopOrigin and openerInitialOrigin are same origin, this is the sanitization of initialWindowURL, null otherwise.
    sourceFilesourceFile
    lineNumberlineNumber
    columnNumbercolumnNumber
    type"access-to-opener"
  3. Queue body as "coop" for coop's reporting endpoint with coopURL and environment.

To queue a violation report for access to another window, given a cross-origin opener policy coop, two URLs coopURL and otherURL, two origins coopOrigin and otherOrigin, a string propertyName, and an environment settings object environment:

  1. Let sourceFilelineNumber and columnNumber be the relevant script URL and problematic position which triggered this report.

  2. Let body be a new object containing the following properties:

    keyvalue
    disposition"reporting"
    effectivePolicycoop's report-only value
    propertypropertyName
    otherURLIf coopOrigin and otherOrigin are same origin, this is the sanitization of otherURL, null otherwise.
    sourceFilesourceFile
    lineNumberlineNumber
    columnNumbercolumnNumber
    type"access-to-opener"
  3. Queue body as "coop" for coop's reporting endpoint with coopURL and environment.

To queue a violation report for access from the opener, given a cross-origin opener policy coop, two URLs coopURL and openerURL, two origins coopOrigin and openerOrigin, a string propertyName, and a referrer referrer:

  1. If coop's reporting endpoint is null, return.
  2. Let serializedReferrer be an empty string.
  3. If referrer is a URL, set serializedReferrer to the serialization of referrer.

  4. Let body be a new object containing the following properties:

    keyvalue
    disposition"reporting"
    effectivePolicycoop's report-only value
    propertypropertyName
    openerURLIf coopOrigin and openerOrigin are same origin, this is the sanitization of openerURL, null otherwise.
    referrerserializedReferrer
    type"access-to-opener"
  5. Queue body as "coop" for coop's reporting endpoint with coopURL.

To queue a violation report for access from an opened window, given a cross-origin opener policy coop, three URLs coopURLopenedWindowURL and initialWindowURL, three origins coopOriginopenedWindowOrigin, and openerInitialOrigin, and a string propertyName:

  1. If coop's reporting endpoint is null, return.

  2. Let body be a new object containing the following properties:

    keyvalue
    disposition"reporting"
    effectivePolicycoopValue
    propertycoop's report-only value
    openedWindowURLIf coopOrigin and openedWindowOrigin are same origin, this is the sanitization of openedWindowURL, null otherwise.
    openedWindowInitialURLIf coopOrigin and openerInitialOrigin are same origin, this is the sanitization of initialWindowURL, null otherwise.
    type"access-to-opener"
  3. Queue body as "coop" for coop's reporting endpoint with coopURL.

To queue a violation report for access from another window, given a cross-origin opener policy coop, two URLs coopURL and otherURL, two origins coopOrigin and otherOrigin, and a string propertyName:

  1. If coop's reporting endpoint is null, return.

  2. Let body be a new object containing the following properties:

    keyvalue
    disposition"reporting"
    effectivePolicycoop's report-only value
    propertypropertyName
    otherURLIf coopOrigin and otherOrigin are same origin, this is the sanitization of otherURL, null otherwise.
    typeaccess-to-opener
  3. Queue body as "coop" for coop's reporting endpoint with coopURL.

7.8 Cross-origin embedder policies

MDN

An embedder policy value is one of three strings that controls the fetching of cross-origin resources without explicit permission from resource owners.

  • "unsafe-none"

    This is the default value. When this value is used, cross-origin resources can be fetched without giving explicit permission through the CORS protocol or the Cross-Origin-Resource-Policy header.

  • "require-corp"

    When this value is used, fetching cross-origin resources requires the server's explicit permission through the CORS protocol or the Cross-Origin-Resource-Policy header.

  • "credentialless"

    When this value is used, fetching cross-origin no-CORS resources omits credentials. In exchange, an explicit Cross-Origin-Resource-Policy header is not required. Other requests sent with credentials require the server's explicit permission through the CORS protocol or the Cross-Origin-Resource-Policy header.

Before supporting "credentialless", implementers are strongly encouraged to support both:

Otherwise, it would allow attackers to leverage the client's network position to read non public resources, using the cross-origin isolated capability.

An embedder policy value is compatible with cross-origin isolation if it is "credentialless" or "require-corp".

An embedder policy consists of:

  • A value, which is an embedder policy value, initially "unsafe-none".
  • A reporting endpoint string, initially the empty string.
  • A report only value, which is an embedder policy value, initially "unsafe-none".
  • A report only reporting endpoint string, initially the empty string.

The "coep" report type is a report type whose value is "coep". It is visible to ReportingObservers.

7.8.1 The headers

The Cross-Origin-Embedder-Policy`\` and \Cross-Origin-Embedder-Policy-Report-Only HTTP response headers allow a server to declare an embedder policy for an environment settings object. These headers are structured headers whose values must be token. [[STRUCTURED-FIELDS]](https://html.spec.whatwg.org/multipage/references.html#refsSTRUCTURED-FIELDS)

The valid token values are the embedder policy values. The token may also have attached parameters; of these, the "report-to" parameter can have a valid URL string identifying an appropriate reporting endpoint. [[REPORTING]](https://html.spec.whatwg.org/multipage/references.html#refsREPORTING)

The processing model fails open (by defaulting to "unsafe-none") in the presence of a header that cannot be parsed as a token. This includes inadvertent lists created by combining multiple instances of the Cross-Origin-Embedder-Policy header present in a given response:

Cross-Origin-Embedder-PolicyFinal embedder policy value
No header delivered"unsafe-none"
require-corp"require-corp"
unknown-value"unsafe-none"
require-corp, unknown-value"unsafe-none"
unknown-value, unknown-value"unsafe-none"
unknown-value, require-corp"unsafe-none"
require-corp, require-corp"unsafe-none"

(The same applies to Cross-Origin-Embedder-Policy-Report-Only.)

To obtain an embedder policy from a response response and an environment environment:

  1. Let policy be a new embedder policy.
  2. If environment is a non-secure context, then return policy.
  3. Let parsedItem be the result of getting a structured field value with Cross-Origin-Embedder-Policy and "item" from response's header list.

  4. If parsedItem is non-null and parsedItem[0] is compatible with cross-origin isolation:

    1. Set policy's value to parsedItem[0].
    2. If parsedItem[1]["report-to"] exists, then set policy's endpoint to parsedItem[1]["report-to"].
  5. Set parsedItem to the result of getting a structured field value with Cross-Origin-Embedder-Policy-Report-Only and "item" from response's header list.

  6. If parsedItem is non-null and parsedItem[0] is compatible with cross-origin isolation:

    1. Set policy's value to parsedItem[0].
    2. If parsedItem[1]["report-to"] exists, then set policy's endpoint to parsedItem[1]["report-to"].
  7. Return policy.

7.8.2 Embedder policy checks

To check a navigation response's adherence to its embedder policy given a response response, a browsing context target, and an embedder policy responsePolicy:

  1. If target is not a child browsing context, then return true.
  2. Let parentPolicy be target's container document's policy container's embedder policy.
  3. If parentPolicy's report-only value is compatible with cross-origin isolation and responsePolicy's value is not, then queue a cross-origin embedder policy inheritance violation with response, "navigation", parentPolicy's report only reporting endpoint, "reporting", and target's container document's relevant settings object.
  4. If parentPolicy's value is not compatible with cross-origin isolation or responsePolicy's value is compatible with cross-origin isolation, then return true.
  5. Queue a cross-origin embedder policy inheritance violation with response, "navigation", parentPolicy's reporting endpoint, "enforce", and target's container document's relevant settings object.
  6. Return false.

To check a global object's embedder policy given a WorkerGlobalScope workerGlobalScope, an environment settings object owner, and a response response:

  1. If workerGlobalScope is not a DedicatedWorkerGlobalScope object, then return true.
  2. Let policy be workerGlobalScope's embedder policy.
  3. Let ownerPolicy be owner's policy container's embedder policy.
  4. If ownerPolicy's report-only value is compatible with cross-origin isolation and policy's value is not, then queue a cross-origin embedder policy inheritance violation with response, "worker initialization", owner's policy's report only reporting endpoint, "reporting", and owner.
  5. If ownerPolicy's value is not compatible with cross-origin isolation or policy's value is compatible with cross-origin isolation, then return true.
  6. Queue a cross-origin embedder policy inheritance violation with response, "worker initialization", owner's policy's reporting endpoint, "enforce", and owner.
  7. Return false.

To queue a cross-origin embedder policy inheritance violation given a response response, a string type, a string endpoint, a string disposition, and an environment settings object settings:

  1. Let serialized be the result of serializing a response URL for reporting with response.

  2. Let body be a new object containing the following properties:

    keyvalue
    typetype
    blockedURLserialized
    dispositiondisposition
  3. Queue body as the "coep" report type for endpoint on settings.

7.9 Policy containers

A policy container is a struct containing policies that apply to a Document, a WorkerGlobalScope, or a WorkletGlobalScope. It has the following items:

Move other policies into the policy container.

To clone a policy container given a policy container policyContainer:

  1. Let clone be a new policy container.
  2. For each policy in policyContainer's CSP listappend a copy of policy into clone's CSP list.
  3. Set clone's embedder policy to a copy of policyContainer's embedder policy.
  4. Set clone's referrer policy to policyContainer's referrer policy.
  5. Return clone.

To determine whether a URL url requires storing the policy container in history:

  1. If url's scheme is "blob", then return false.
  2. If url is local, then return true.
  3. Return false.

To create a policy container from a fetch response given a response response and an environment-or-null environment:

  1. If response's URL's scheme is "blob", then return a clone of response's URL's blob URL entry's environment's policy container.
  2. Let result be a new policy container.
  3. Set result's CSP list to the result of parsing a response's Content Security Policies given response.
  4. If environment is non-null, then set result's embedder policy to the result of obtaining an embedder policy given response and environment. Otherwise, set it to "unsafe-none".
  5. Set result's referrer policy to the result of parsing the Referrer-Policy header given response. [[REFERRERPOLICY]](https://html.spec.whatwg.org/multipage/references.html#refsREFERRERPOLICY)
  6. Return result.

To determine navigation params policy container given a URL responseURL and four policy container-or-nulls historyPolicyContainerinitiatorPolicyContainerparentPolicyContainer, and responsePolicyContainer:

  1. If historyPolicyContainer is not null, then:

    1. Assert: responseURL requires storing the policy container in history.
    2. Return a clone of historyPolicyContainer.

  2. If responseURL is about:srcdoc, then:

    1. Assert: parentPolicyContainer is not null.
    2. Return a clone of parentPolicyContainer.
  3. If responseURL is local and initiatorPolicyContainer is not null, then return a clone of initiatorPolicyContainer.
  4. If responsePolicyContainer is not null, then return responsePolicyContainer.
  5. Return a new policy container.

To initialize a worker global scope's policy container given a WorkerGlobalScope workerGlobalScope, a response response, and an environment environment:

  1. If workerGlobalScope's url is local but its scheme is not "blob":

    1. Assert: workerGlobalScope's owner set's size is 1.
    2. Set workerGlobalScope's policy container to a clone of workerGlobalScope's owner set[0]'s relevant settings object's policy container.
  2. Otherwise, set workerGlobalScope's policy container to the result of creating a policy container from a fetch response given response and environment.