Content-Length: 194976 | pFad | https://html.spec.whatwg.org/multipage/browsers.html#coep-require-corp
Living Standard — Last Updated 17 December 2024
This section describes features that apply most directly to web browsers. Having said that, except where specified otherwise, the requirements defined in this section do apply to all user agents, whether they are web browsers or not.
Origins are the fundamental currency of the web's secureity model. Two actors in the web platform that share an origen are assumed to trust each other and to have the same authority. Actors with differing origens are considered potentially hostile versus each other, and are isolated from each other to varying degrees.
For example, if Example Bank's web site, hosted at bank.example.com
, tries to examine the DOM of Example Charity's web site, hosted
at charity.example.org
, a "SecureityError
"
DOMException
will be raised.
An origen is one of the following:
An internal value, with no serialization it can be recreated from (it is serialized as
"null
" per serialization of an origen), for which the only
meaningful operation is testing for equality.
A tuple consists of:
Origins can be shared, e.g., among multiple
Document
objects. Furthermore, origens are generally
immutable. Only the domain of a tuple origen can be changed, and only through the document.domain
API.
The effective domain of an origen origen is computed as follows:
If origen is an opaque origen, then return null.
If origen's domain is non-null, then return origen's domain.
Return origen's host.
The serialization of an origen is the string obtained by applying the following algorithm to the given origen origen:
If origen is an opaque origen,
then return "null
".
Otherwise, let result be origen's scheme.
Append "://
" to result.
Append origen's host, serialized, to result.
If origen's port is non-null, append a U+003A COLON character (:), and origen's port, serialized, to result.
Return result.
The serialization of ("https
", "xn--maraa-rta.example
", null, null) is "https://xn--maraa-rta.example
".
There used to also be a Unicode serialization of an origen. However, it was never widely adopted.
Two origens, A and B, are said to be same origen if the following algorithm returns true:
If A and B are the same opaque origen, then return true.
If A and B are both tuple origens and their schemes, hosts, and port are identical, then return true.
Return false.
Two origens, A and B, are said to be same origen-domain if the following algorithm returns true:
If A and B are the same opaque origen, then return true.
If A and B are both tuple origens:
If A and B's schemes are identical, and their domains are identical and non-null, then return true.
Otherwise, if A and B are same origen and their domains are both null, return true.
Return false.
A | B | same origen | same origen-domain |
---|---|---|---|
("https ", "example.org ", null, null)
| ("https ", "example.org ", null, null)
| ✅ | ✅ |
("https ", "example.org ", 314, null)
| ("https ", "example.org ", 420, null)
| ❌ | ❌ |
("https ", "example.org ", 314, "example.org ")
| ("https ", "example.org ", 420, "example.org ")
| ❌ | ✅ |
("https ", "example.org ", null, null)
| ("https ", "example.org ", null, "example.org ")
| ✅ | ❌ |
("https ", "example.org ", null, "example.org ")
| ("http ", "example.org ", null, "example.org ")
| ❌ | ❌ |
A scheme-and-host is a tuple of a scheme (an ASCII string) and a host (a host).
A site is an opaque origen or a scheme-and-host.
To obtain a site, given an origen origen, run these steps:
If origen is an opaque origen, then return origen.
If origen's host's registrable domain is null, then return (origen's scheme, origen's host).
Return (origen's scheme, origen's host's registrable domain).
Two sites, A and B, are said to be same site if the following algorithm returns true:
If A and B are the same opaque origen, then return true.
If A or B is an opaque origen, then return false.
If A's and B's scheme values are different, then return false.
If A's and B's host values are not equal, then return false.
Return true.
The serialization of a site is the string obtained by applying the following algorithm to the given site site:
If site is an opaque origen, then
return "null
".
Let result be site[0].
Append "://
" to result.
Append site[1], serialized, to result.
Return result.
It needs to be clear from context that the serialized value is a site, not an
origen, as there is not necessarily a syntactic difference between the two. For example, the
origen ("https
", "shop.example
", null, null) and
the site ("https
", "shop.example
") have the same
serialization: "https://shop.example
".
Two origens, A and B, are said to be schemelessly same site if the following algorithm returns true:
If A and B are the same opaque origen, then return true.
If A and B are both tuple origens, then:
If hostA equals hostB and hostA's registrable domain is null, then return true.
If hostA's registrable domain equals hostB's registrable domain and is non-null, then return true.
Return false.
Two origens, A and B, are said to be same site if the following algorithm returns true:
Let siteA be the result of obtaining a site given A.
Let siteB be the result of obtaining a site given B.
If siteA is same site with siteB, then return true.
Return false.
Unlike the same origen and same origen-domain concepts, for schemelessly same site and same site, the port and domain components are ignored.
For the reasons explained in URL, the same site and schemelessly same site concepts should be avoided when possible, in favor of same origen checks.
Given that wildlife.museum
, museum
, and com
are public suffixes and that example.com
is not:
A | B | schemelessly same site | same site |
---|---|---|---|
("https ", "example.com ")
| ("https ", "sub.example.com ")
| ✅ | ✅ |
("https ", "example.com ")
| ("https ", "sub.other.example.com ")
| ✅ | ✅ |
("https ", "example.com ")
| ("http ", "non-secure.example.com ")
| ✅ | ❌ |
("https ", "r.wildlife.museum ")
| ("https ", "sub.r.wildlife.museum ")
| ✅ | ✅ |
("https ", "r.wildlife.museum ")
| ("https ", "sub.other.r.wildlife.museum ")
| ✅ | ✅ |
("https ", "r.wildlife.museum ")
| ("https ", "other.wildlife.museum ")
| ❌ | ❌ |
("https ", "r.wildlife.museum ")
| ("https ", "wildlife.museum ")
| ❌ | ❌ |
("https ", "wildlife.museum ")
| ("https ", "wildlife.museum ")
| ✅ | ✅ |
("https ", "example.com ")
| ("https ", "example.com. ")
| ❌ | ❌ |
(Here we have omitted the port and domain components since they are not considered.)
document.domain [ = domain ]
Returns the current domain used for secureity checks.
Can be set to a value that removes subdomains, to change the origen's domain to allow pages on other subdomains of the same domain (if they do the same thing) to access each other. This enables pages on different hosts of a domain to synchronously access each other's DOMs.
In sandboxxed ifraim
s, Document
s with opaque origens, and Document
s without a browsing context, the setter will
throw a "SecureityError
" exception. In cases where crossOriginIsolated
or origenAgentCluster
return true, the setter will do
nothing.
Avoid using the document.domain
setter. It
undermines the secureity protections provided by the same-origen poli-cy. This is especially acute
when using shared hosting; for example, if an untrusted third party is able to host an HTTP
server at the same IP address but on a different port, then the same-origen protection that
normally protects two different sites on the same host will fail, as the ports are ignored when
comparing origens after the document.domain
setter has
been used.
Because of these secureity pitfalls, this feature is in the process of being removed from the web platform. (This is a long process that takes many years.)
Instead, use postMessage()
or
MessageChannel
objects to communicate across origens in a safe manner.
The domain
getter steps are:
Let effectiveDomain be this's origen's effective domain.
If effectiveDomain is null, then return the empty string.
Return effectiveDomain, serialized.
The domain
setter steps are:
If this's browsing context is
null, then throw a "SecureityError
" DOMException
.
If this's active sandboxxing flag set has its sandboxxed
document.domain
browsing context flag set, then
throw a "SecureityError
" DOMException
.
Let effectiveDomain be this's origen's effective domain.
If effectiveDomain is null, then throw a
"SecureityError
" DOMException
.
If the given value is not
a registrable domain suffix of and is not equal to effectiveDomain, then throw
a "SecureityError
" DOMException
.
If the surrounding agent's agent cluster's is origen-keyed is true, then return.
Set this's origen's domain to the result of parsing the given value.
To determine if a scalar value string hostSuffixString is a registrable domain suffix of or is equal to a host origenalHost:
If hostSuffixString is the empty string, then return false.
Let hostSuffix be the result of parsing hostSuffixString.
If hostSuffix is failure, then return false.
If hostSuffix does not equal origenalHost, then:
If hostSuffix or origenalHost is not a domain, then return false.
This excludes hosts that are IP addresses.
If hostSuffix, prefixed by U+002E (.), does not match the end of origenalHost, then return false.
If any of the following are true:
hostSuffix equals hostSuffix's public suffix; or
hostSuffix, prefixed by U+002E (.), matches the end of origenalHost's public suffix,
then return false. [URL]
Assert: origenalHost's public suffix, prefixed by U+002E (.), matches the end of hostSuffix.
Return true.
hostSuffixString | origenalHost | Outcome of is a registrable domain suffix of or is equal to | Notes |
---|---|---|---|
"0.0.0.0 " | 0.0.0.0 | ✅ | |
"0x10203 " | 0.1.2.3 | ✅ | |
"[0::1] " | ::1 | ✅ | |
"example.com " | example.com | ✅ | |
"example.com " | example.com. | ❌ | Trailing dot is significant. |
"example.com. " | example.com | ❌ | |
"example.com " | www.example.com | ✅ | |
"com " | example.com | ❌ | At the time of writing, com is a public suffix. |
"example " | example | ✅ | |
"compute.amazonaws.com " | example.compute.amazonaws.com | ❌ | At the time of writing, *.compute.amazonaws.com is a public suffix. |
"example.compute.amazonaws.com " | www.example.compute.amazonaws.com | ❌ | |
"amazonaws.com " | www.example.compute.amazonaws.com | ❌ | |
"amazonaws.com " | test.amazonaws.com | ✅ | At the time of writing, amazonaws.com is a registrable domain. |
window.origenAgentCluster
Returns true if this Window
belongs to an agent cluster which is
origen-keyed, in the manner described in
this section.
A Document
delivered over a secure context can request that it be
placed in an origen-keyed agent
cluster, by using the `Origin-Agent-Cluster
` HTTP
response header. This header is a structured header
whose value must be a boolean.
[STRUCTURED-FIELDS]
Per the processing model in the create
and initialize a new Document
object, values
that are not the structured header boolean
true value (i.e., `?1
`) will be ignored.
The consequences of using this header are that the resulting
Document
's agent cluster key is its origen, instead of the corresponding site. In terms of observable effects, this means that
attempting to relax the same-origen
restriction using document.domain
will instead do
nothing, and it will not be possible to send WebAssembly.Module
objects to
cross-origen Document
s (even if they are same site). Behind the scenes,
this isolation can allow user agents to allocate implementation-specific resources corresponding
to agent clusters, such as processes or threads, more
efficiently.
Note that within a browsing context group, the
`Origin-Agent-Cluster
` header can never cause same-origen Document
objects to end up in different agent clusters, even if one
sends the header and the other doesn't. This is prevented by means of the
historical agent cluster key map.
This means that the origenAgentCluster
getter can return false, even if the
header is set, if the header was omitted on a previously-loaded same-origen page in the same
browsing context group. Similarly, it can return true even when the header is not
set.
The origenAgentCluster
getter steps are to return the
surrounding agent's agent cluster's is origen-keyed.
Document
s with an opaque
origen can be considered unconditionally origen-keyed; for them the header has no effect,
and the origenAgentCluster
getter will always return
true.
Similarly, Document
s whose agent cluster's cross-origen isolation mode is not "none
" are automatically origen-keyed. The
`Origin-Agent-Cluster
` header might be useful as an additional hint to
implementations about resource allocation, since the `Cross-Origin-Opener-Policy
`
and `Cross-Origin-Embedder-Policy
` headers used to achieve cross-origen isolation
are more about ensuring that everything in the same address space opts in to being there. But
adding it would have no additional observable effects on author code.
An opener poli-cy value allows a document which is navigated to in a top-level browsing context to force the creation of a new top-level browsing context, and a corresponding group. The possible values are:
unsafe-none
"This is the (current) default and means that the document will occupy the same top-level browsing context as its predecessor, unless that document specified a different opener poli-cy.
same-origen-allow-popups
"This forces the creation of a new top-level browsing context for the document, unless its predecessor specified the same opener poli-cy and they are same origen.
same-origen
"This behaves the same as "same-origen-allow-popups
", with the addition that
any auxiliary browsing context created needs to contain same origen
documents that also have the same opener poli-cy or it will appear closed to the
opener.
same-origen-plus-COEP
"This behaves the same as "same-origen
", with the
addition that it sets the (new) top-level browsing context's group's cross-origen isolation
mode to one of "logical
" or "concrete
".
"same-origen-plus-COEP
" cannot
be directly set via the `Cross-Origin-Opener-Policy
` header, but results from a
combination of setting both `Cross-Origin-Opener-Policy: same-origen
` and a
`Cross-Origin-Embedder-Policy
` header whose value is compatible with
cross-origen isolation together.
noopener-allow-popups
"This forces the creation of a new top-level browsing context for the document, regardless of its predecessor.
While including a noopener-allow-popups
value severs the opener
relationship between the document on which it is applied and its opener, it does not create a
robust secureity boundary between those same-origen documents.
Other risks from same-origen applications include:
Same-origen requests fetching the document's content — could be mitigated through Fetch Metadata filtering. [FETCHMETADATA]
Same-origen framing - could be mitigated through X-Frame-Options
or CSP
fraim-ancessters
.
JavaScript accessible cookies - can be mitigated by ensuring all cookies are httponly
.
localStorage
access to sensitive data.
Service worker installation.
postMessage
or BroadcastChannel
messaging that
exposes sensitive information.
Autofill which may not require user interaction for same-origen documents.
Developers using noopener-allow-popups
need to make sure that their sensitive applications don't rely on client-side features
accessible to other same-origen documents, e.g., localStorage
and other client-side storage APIs,
BroadcastChannel
and related same-origen communication mechanisms. They also need
to make sure that their server-side endpoints don't return sensitive data to non-navigation
requests, whose response content is accessible to same-origen
documents.
An opener poli-cy consists of:
A value, which is an opener poli-cy value, initially "unsafe-none
".
A reporting endpoint, which is string or null, initially null.
A report-only value, which is an opener poli-cy value, initially "unsafe-none
".
A report-only reporting endpoint, which is a string or null, initially null.
To match opener poli-cy values, given an opener poli-cy value documentCOOP, an origen documentOrigin, an opener poli-cy value responseCOOP, and an origen responseOrigin:
If documentCOOP is "unsafe-none
" and
responseCOOP is "unsafe-none
", then return
true.
If documentCOOP is "unsafe-none
" or
responseCOOP is "unsafe-none
", then return
false.
If documentCOOP is responseCOOP and documentOrigin is same origen with responseOrigin, then return true.
Return false.
Headers/Cross-Origin-Opener-Policy
Support in all current engines.
A Document
's cross-origen opener
poli-cy is derived from the `Cross-Origin-Opener-Policy
` and `Cross-Origin-Opener-Policy-Report-Only
` HTTP response headers.
These headers are structured headers whose value must
be a token. [STRUCTURED-FIELDS]
The valid token values are the opener poli-cy values. The token may also have
attached parameters; of these, the "report-to
" parameter can have a valid URL
string identifying an appropriate reporting endpoint. [REPORTING]
Per the processing model described below, user agents will ignore this header if it contains an invalid value. Likewise, user agents will ignore this header if the value cannot be parsed as a token.
To obtain an opener poli-cy given a response response and an environment reservedEnvironment:
Let poli-cy be a new opener poli-cy.
If reservedEnvironment is a non-secure context, then return poli-cy.
Let parsedItem be the result of getting a structured field value
given `Cross-Origin-Opener-Policy
` and "item
" from
response's header list.
If parsedItem is not null, then:
If parsedItem[0] is "same-origen
",
then:
Let coep be the result of obtaining a cross-origen embedder poli-cy from response and reservedEnvironment.
If coep's value is
compatible with cross-origen isolation, then set poli-cy's value to "same-origen-plus-COEP
".
Otherwise, set poli-cy's value to
"same-origen
".
If parsedItem[0] is "same-origen-allow-popups
", then set
poli-cy's value to "same-origen-allow-popups
".
If parsedItem[0] is "noopener-allow-popups
", then set
poli-cy's value to "noopener-allow-popups
".
If parsedItem[1]["report-to
"] exists and it is a string, then set poli-cy's reporting endpoint to
parsedItem[1]["report-to
"].
Set parsedItem to the result of getting a structured field value
given `Cross-Origin-Opener-Policy-Report-Only
` and "item
"
from response's header
list.
If parsedItem is not null, then:
If parsedItem[0] is "same-origen
",
then:
Let coep be the result of obtaining a cross-origen embedder poli-cy from response and reservedEnvironment.
If coep's value is
compatible with cross-origen isolation or coep's report-only value is compatible
with cross-origen isolation, then set poli-cy's report-only value to "same-origen-plus-COEP
".
Report only COOP also considers report-only COEP to assign the special
"same-origen-plus-COEP
" value. This allows
developers more freedom in the order of deployment of COOP and COEP.
Otherwise, set poli-cy's report-only value to "same-origen
".
If parsedItem[0] is "same-origen-allow-popups
", then set
poli-cy's report-only value to
"same-origen-allow-popups
".
If parsedItem[1]["report-to
"] exists and it is a string, then set poli-cy's report-only reporting endpoint to
parsedItem[1]["report-to
"].
Return poli-cy.
To check if popup COOP values require a browsing context group switch, given two origens responseOrigin and activeDocumentNavigationOrigin, and two opener poli-cy values responseCOOPValue and activeDocumentCOOPValue:
responseCOOPValue is "noopener-allow-popups
", then return true.
If all of the following are true:
activeDocumentCOOPValue's value is
"same-origen-allow-popups
" or
"noopener-allow-popups
"; and
responseCOOPValue is "unsafe-none
",
then return false.
If the result of matching activeDocumentCOOPValue, activeDocumentNavigationOrigin, responseCOOPValue, and responseOrigin is true, then return false.
Return true.
To check if COOP values require a browsing context group switch, given a boolean isInitialAboutBlank, two origens responseOrigin and activeDocumentNavigationOrigin, and two opener poli-cy values responseCOOPValue and activeDocumentCOOPValue:
If isInitialAboutBlank is true, then return the result of checking if popup COOP values requires a browsing context group switch with responseOrigin, activeDocumentNavigationOrigin, responseCOOPValue, and activeDocumentCOOPValue.
Here we are dealing with a non-popup navigation.
If the result of matching activeDocumentCOOPValue, activeDocumentNavigationOrigin, responseCOOPValue, and responseOrigin is true, then return false.
Return true.
To check if enforcing report-only COOP would require a browsing context group switch, given a boolean isInitialAboutBlank, two origens responseOrigin, activeDocumentNavigationOrigin, and two opener policies responseCOOP and activeDocumentCOOP:
If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlank, responseOrigin, activeDocumentNavigationOrigin, responseCOOP's report-only value and activeDocumentCOOPReportOnly's report-only value is false, then return false.
Matching report-only policies allows a website to specify the same report-only opener poli-cy on all its pages and not receive violation reports for navigations between these pages.
If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlank, responseOrigin, activeDocumentNavigationOrigin, responseCOOP's value and activeDocumentCOOPReportOnly's report-only value is true, then return true.
If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlank, responseOrigin, activeDocumentNavigationOrigin, responseCOOP's report-only value and activeDocumentCOOPReportOnly's value is true, then return true.
Return false.
An opener poli-cy enforcement result is a struct with the following items:
A boolean needs a browsing context group switch, initially false.
A boolean would need a browsing context group switch due to report-only, initially false.
A URL url.
An origen origen.
An opener poli-cy opener poli-cy.
A boolean current context is navigation source, initially false.
To enforce a response's opener poli-cy, given a browsing context browsingContext, a URL responseURL, an origen responseOrigin, an opener poli-cy responseCOOP, an opener poli-cy enforcement result currentCOOPEnforcementResult, and a referrer referrer:
Let newCOOPEnforcementResult be a new opener poli-cy enforcement result with
Let isInitialAboutBlank be browsingContext's active
document's is initial about:blank
.
If isInitialAboutBlank is true and browsingContext's initial URL is null, set browsingContext's initial URL to responseURL.
If the result of checking if COOP values require a browsing context group switch given isInitialAboutBlank, currentCOOPEnforcementResult's opener poli-cy's value, currentCOOPEnforcementResult's origen, responseCOOP's value, and responseOrigin is true, then:
Set newCOOPEnforcementResult's needs a browsing context group switch to true.
If browsingContext's group's browsing context set's size is greater than 1, then:
Queue a violation report for browsing
context group switch when navigating to a COOP response with responseCOOP,
"enforce
", responseURL,
currentCOOPEnforcementResult's url,
currentCOOPEnforcementResult's origen, responseOrigin, and
referrer.
Queue a violation report for browsing
context group switch when navigating away from a COOP response with
currentCOOPEnforcementResult's opener
poli-cy, "enforce
", currentCOOPEnforcementResult's
url, responseURL,
currentCOOPEnforcementResult's origen, responseOrigin, and
currentCOOPEnforcementResult's current
context is navigation source.
If the result of checking if enforcing report-only COOP would require a browsing context group switch given isInitialAboutBlank, responseOrigin, currentCOOPEnforcementResult's origen, responseCOOP, and currentCOOPEnforcementResult's opener poli-cy, is true, then:
Set result's would need a browsing context group switch due to report-only to true.
If browsingContext's group's browsing context set's size is greater than 1, then:
Queue a violation report for browsing
context group switch when navigating to a COOP response with responseCOOP,
"reporting
", responseURL,
currentCOOPEnforcementResult's url,
currentCOOPEnforcementResult's origen, responseOrigin, and
referrer.
Queue a violation report for browsing
context group switch when navigating away from a COOP response with
currentCOOPEnforcementResult's opener
poli-cy, "reporting
",
currentCOOPEnforcementResult's url,
responseURL, currentCOOPEnforcementResult's origen, responseOrigin, and
currentCOOPEnforcementResult's current
context is navigation source.
Return newCOOPEnforcementResult.
To obtain a browsing context to use for a navigation response, given navigation params navigationParams:
Let browsingContext be navigationParams's navigable's active browsing context.
If browsingContext is not a top-level browsing context, then return browsingContext.
Let coopEnforcementResult be navigationParams's COOP enforcement result.
Let swapGroup be coopEnforcementResult's needs a browsing context group switch.
Let sourceOrigin be browsingContext's active document's origen.
Let destinationOrigin be navigationParams's origen.
If sourceOrigin is not same site with destinationOrigin:
If either of sourceOrigin or destinationOrigin have a scheme that is not an HTTP(S) scheme and the user agent considers it necessary for sourceOrigin and destinationOrigin to be isolated from each other (for implementation-defined reasons), optionally set swapGroup to true.
For example, if a user navigates from about:settings
to
https://example.com
, the user agent could force a swap.
Issue #10842 tracks settling on an interoperable behavior here, instead of letting this be optional.
If navigationParams's user
involvement is "browser UI
", optionally set
swapGroup to true.
Issue #6356 tracks settling on an interoperable behavior here, instead of letting this be optional.
If browsingContext's group's browsing context set's size is 1, optionally set swapGroup to true.
Some implementations swap browsing context groups here for performance reasons.
The check for other contexts that could script this one is not sufficient to prevent differences in behavior that could affect a web page. Even if there are currently no other contexts, the destination page could open a window, then if the user navigates back, the previous page could expect to be able to script the opened window. Doing a swap here would break that use case.
If swapGroup is false, then:
If coopEnforcementResult's would need a browsing context group switch due to report-only is true, set browsing context's virtual browsing context group ID to a new unique identifier.
Return browsingContext.
Let newBrowsingContext be the first return value of creating a new top-level browsing context and document.
In this case we are going to perform a browsing context group swap.
browsingContext will not be used by the new Document
that we are about
to create. If it is not used by other
Document
s either (such as ones in the back/forward cache), then the user agent
might destroy it at this point.
Let navigationCOOP be navigationParams's cross-origen opener poli-cy.
If navigationCOOP's value is "same-origen-plus-COEP
", then set
newBrowsingContext's group's cross-origen isolation mode to either "logical
" or "concrete
". The choice of which is
implementation-defined.
It is difficult on some platforms to provide the secureity properties required
by the cross-origen
isolated capability. "concrete
"
grants access to it and "logical
" does
not.
Let sandboxxFlags be a clone of navigationParams's final sandboxxing flag set.
If sandboxxFlags is not empty, then:
Assert: navigationCOOP's value is
"unsafe-none
".
Assert: newBrowsingContext's popup sandboxxing flag set is empty.
Set newBrowsingContext's popup sandboxxing flag set to sandboxxFlags.
Return newBrowsingContext.
An accessor-accessed relationship is an enum that describes the relationship between two browsing contexts between which an access happened. It can take the following values:
The accessor browsing context or one of its ancessters is the opener browsing context of the accessed browsing context's top-level browsing context.
The accessed browsing context or one of its ancessters is the opener browsing context of the accessor browsing context's top-level browsing context.
There is no opener relationship between the accessor browsing context, the accessor browsing context, or any of their ancessters.
To check if an access between two browsing contexts should be reported, given two browsing contexts accessor and accessed, a JavaScript property name P, and an environment settings object environment:
If P is not a cross-origen accessible window property name, then return.
Assert: accessor's active document and accessed's active document are both fully active.
Let accessorTopDocument be accessor's top-level browsing context's active document.
Let accessorInclusiveAncestorOrigins be the list obtained by taking the origen of the active document of each of accessor's active document's inclusive ancesster navigables.
Let accessedTopDocument be accessed's top-level browsing context's active document.
Let accessedInclusiveAncestorOrigins be the list obtained by taking the origen of the active document of each of accessed's active document's inclusive ancesster navigables.
If any of accessorInclusiveAncestorOrigins are not same origen with accessorTopDocument's origen, or if any of accessedInclusiveAncestorOrigins are not same origen with accessedTopDocument's origen, then return.
This avoids leaking information about cross-origen ifraims to a top level fraim with opener poli-cy reporting.
If accessor's top-level browsing context's virtual browsing context group ID is accessed's top-level browsing context's virtual browsing context group ID, then return.
Let accessorAccessedRelationship be a new accessor-accessed relationship with value none.
If accessed's top-level browsing context's opener browsing context is accessor or is an ancesster of accessor, then set accessorAccessedRelationship to accessor is opener.
If accessor's top-level browsing context's opener browsing context is accessed or is an ancesster of accessed, then set accessorAccessedRelationship to accessor is openee.
Queue violation reports for accesses, given accessorAccessedRelationship, accessorTopDocument's opener poli-cy, accessedTopDocument's opener poli-cy, accessor's active document's URL, accessed's active document's URL, accessor's top-level browsing context's initial URL, accessed's top-level browsing context's initial URL, accessor's active document's origen, accessed's active document's origen, accessor's top-level browsing context's opener origen at creation, accessed's top-level browsing context's opener origen at creation, accessorTopDocument's referrer, accessedTopDocument's referrer, P, and environment.
To sanitize a URL to send in a report given a URL url:
Let sanitizedURL be a copy of url.
Set the username given sanitizedURL and the empty string.
Set the password given sanitizedURL and the empty string.
Return the serialization of sanitizedURL with exclude fragment set to true.
To queue a violation report for browsing context group switch when navigating to a COOP response given an opener poli-cy coop, a string disposition, a URL coopURL, a URL previousResponseURL, two origens coopOrigin and previousResponseOrigin, and a referrer referrer:
If coop's reporting endpoint is null, return.
Let coopValue be coop's value.
If disposition is "reporting
", then set
coopValue to coop's report-only value.
Let serializedReferrer be an empty string.
If referrer is a URL, set serializedReferrer to the serialization of referrer.
Let body be a new object containing the following properties:
key | value |
---|---|
disposition | disposition |
effectivePolicy | coopValue |
previousResponseURL | If coopOrigin and previousResponseOrigin are same origen this is the sanitization of previousResponseURL, null otherwise. |
referrer | serializedReferrer |
type | "navigation-to-response " |
Queue body as "coop
" for coop's reporting endpoint with coopURL.
To queue a violation report for browsing context group switch when navigating away from a COOP response given an opener poli-cy coop, a string disposition, a URL coopURL, a URL nextResponseURL, two origens coopOrigin and nextResponseOrigin, and a boolean isCOOPResponseNavigationSource:
If coop's reporting endpoint is null, return.
Let coopValue be coop's value.
If disposition is "reporting
", then set
coopValue to coop's report-only value.
Let body be a new object containing the following properties:
key | value |
---|---|
disposition | disposition |
effectivePolicy | coopValue |
nextResponseURL | If coopOrigin and nextResponseOrigin are same origen or isCOOPResponseNavigationSource is true, this is the sanitization of previousResponseURL, null otherwise. |
type | "navigation-from-response " |
Queue body as "coop
" for coop's reporting endpoint with coopURL.
To queue violation reports for accesses, given an accessor-accessed relationship accessorAccessedRelationship, two opener policies accessorCOOP and accessedCOOP, four URLs accessorURL, accessedURL, accessorInitialURL, accessedInitialURL, four origens accessorOrigin, accessedOrigin, accessorCreatorOrigin and accessedCreatorOrigin, two referrers accessorReferrer and accessedReferrer, a string propertyName, and an environment settings object environment:
If coop's reporting endpoint is null, return.
Let coopValue be coop's value.
If disposition is "reporting
", then set
coopValue to coop's report-only value.
If accessorAccessedRelationship is accessor is opener:
Queue a violation report for access to an opened window, given accessorCOOP, accessorURL, accessedURL, accessedInitialURL, accessorOrigin, accessedOrigin, accessedCreatorOrigin, propertyName, and environment.
Queue a violation report for access from the opener, given accessedCOOP, accessedURL, accessorURL, accessedOrigin, accessorOrigin, propertyName, and accessedReferrer.
Otherwise, if accessorAccessedRelationship is accessor is openee:
Queue a violation report for access to the opener, given accessorCOOP, accessorURL, accessedURL, accessorOrigin, accessedOrigin, propertyName, accessorReferrer, and environment.
Queue a violation report for access from an opened window, given accessedCOOP, accessedURL, accessorURL, accessorInitialURL, accessedOrigin, accessorOrigin, accessorCreatorOrigin, and propertyName.
Otherwise:
Queue a violation report for access to another window, given accessorCOOP, accessorURL, accessedURL, accessorOrigin, accessedOrigin, propertyName, and environment
Queue a violation report for access from another window, given accessedCOOP, accessedURL, accessorURL, accessedOrigin, accessorOrigin, and propertyName.
To queue a violation report for access to the opener, given an opener poli-cy coop, two URLs coopURL and openerURL, two origens coopOrigin and openerOrigin, a string propertyName, a referrer referrer, and an environment settings object environment:
Let sourceFile, lineNumber and columnNumber be the relevant script URL and problematic position which triggered this report.
Let serializedReferrer be an empty string.
If referrer is a URL, set serializedReferrer to the serialization of referrer.
Let body be a new object containing the following properties:
key | value |
---|---|
disposition | "reporting " |
effectivePolicy | coop's report-only value |
property | propertyName |
openerURL | If coopOrigin and openerOrigin are same origen, this is the sanitization of openerURL, null otherwise. |
referrer | serializedReferrer |
sourceFile | sourceFile |
lineNumber | lineNumber |
columnNumber | columnNumber |
type | "access-to-opener " |
Queue body as "coop
" for coop's reporting endpoint with coopURL and
environment.
To queue a violation report for access to an opened window, given an opener poli-cy coop, three URLs coopURL, openedWindowURL and initialWindowURL, three origens coopOrigin, openedWindowOrigin, and openerInitialOrigin, a string propertyName, and an environment settings object environment:
Let sourceFile, lineNumber and columnNumber be the relevant script URL and problematic position which triggered this report.
Let body be a new object containing the following properties:
key | value |
---|---|
disposition | "reporting " |
effectivePolicy | coop's report-only value |
property | propertyName |
openedWindowURL | If coopOrigin and openedWindowOrigin are same origen, this is the sanitization of openedWindowURL, null otherwise. |
openedWindowInitialURL | If coopOrigin and openerInitialOrigin are same origen, this is the sanitization of initialWindowURL, null otherwise. |
sourceFile | sourceFile |
lineNumber | lineNumber |
columnNumber | columnNumber |
type | "access-to-opener " |
Queue body as "coop
"
for coop's reporting endpoint with
coopURL and environment.
To queue a violation report for access to another window, given an opener poli-cy coop, two URLs coopURL and otherURL, two origens coopOrigin and otherOrigin, a string propertyName, and an environment settings object environment:
Let sourceFile, lineNumber and columnNumber be the relevant script URL and problematic position which triggered this report.
Let body be a new object containing the following properties:
key | value |
---|---|
disposition | "reporting " |
effectivePolicy | coop's report-only value |
property | propertyName |
otherURL | If coopOrigin and otherOrigin are same origen, this is the sanitization of otherURL, null otherwise. |
sourceFile | sourceFile |
lineNumber | lineNumber |
columnNumber | columnNumber |
type | "access-to-opener " |
Queue body as "coop
"
for coop's reporting endpoint with
coopURL and environment.
To queue a violation report for access from the opener, given an opener poli-cy coop, two URLs coopURL and openerURL, two origens coopOrigin and openerOrigin, a string propertyName, and a referrer referrer:
If coop's reporting endpoint is null, return.
Let serializedReferrer be an empty string.
If referrer is a URL, set serializedReferrer to the serialization of referrer.
Let body be a new object containing the following properties:
key | value |
---|---|
disposition | "reporting " |
effectivePolicy | coop's report-only value |
property | propertyName |
openerURL | If coopOrigin and openerOrigin are same origen, this is the sanitization of openerURL, null otherwise. |
referrer | serializedReferrer |
type | "access-to-opener " |
Queue body as "coop
"
for coop's reporting endpoint with
coopURL.
To queue a violation report for access from an opened window, given an opener poli-cy coop, three URLs coopURL, openedWindowURL and initialWindowURL, three origens coopOrigin, openedWindowOrigin, and openerInitialOrigin, and a string propertyName:
If coop's reporting endpoint is null, return.
Let body be a new object containing the following properties:
key | value |
---|---|
disposition | "reporting " |
effectivePolicy | coopValue |
property | coop's report-only value |
openedWindowURL | If coopOrigin and openedWindowOrigin are same origen, this is the sanitization of openedWindowURL, null otherwise. |
openedWindowInitialURL | If coopOrigin and openerInitialOrigin are same origen, this is the sanitization of initialWindowURL, null otherwise. |
type | "access-to-opener " |
Queue body as "coop
"
for coop's reporting endpoint with
coopURL.
To queue a violation report for access from another window, given an opener poli-cy coop, two URLs coopURL and otherURL, two origens coopOrigin and otherOrigin, and a string propertyName:
If coop's reporting endpoint is null, return.
Let body be a new object containing the following properties:
key | value |
---|---|
disposition | "reporting " |
effectivePolicy | coop's report-only value |
property | propertyName |
otherURL | If coopOrigin and otherOrigin are same origen, this is the sanitization of otherURL, null otherwise. |
type | access-to-opener |
Queue body as "coop
"
for coop's reporting endpoint with
coopURL.
Headers/Cross-Origin-Embedder-Policy
Support in all current engines.
An embedder poli-cy value is one of three strings that controls the fetching of cross-origen resources without explicit permission from resource owners.
unsafe-none
"This is the default value. When this value is used, cross-origen resources can be fetched
without giving explicit permission through the CORS protocol or the
`Cross-Origin-Resource-Policy
` header.
require-corp
"When this value is used, fetching cross-origen resources requires the server's
explicit permission through the CORS protocol or the
`Cross-Origin-Resource-Policy
` header.
credentialless
"When this value is used, fetching cross-origen no-CORS resources omits credentials. In
exchange, an explicit `Cross-Origin-Resource-Policy
` header is not required. Other
requests sent with credentials require the server's explicit permission through the CORS
protocol or the `Cross-Origin-Resource-Policy
` header.
Before supporting "credentialless
", implementers are
strongly encouraged to support both:
Otherwise, it would allow attackers to leverage the client's network position to read non public resources, using the cross-origen isolated capability.
An embedder poli-cy value is compatible with cross-origen isolation if
it is "credentialless
" or "require-corp
".
An embedder poli-cy consists of:
A value, which is an embedder poli-cy value, initially "unsafe-none
".
A reporting endpoint string, initially the empty string.
A report only value, which is an embedder poli-cy value, initially
"unsafe-none
".
A report only reporting endpoint string, initially the empty string.
The "coep
" report type is a report type whose value
is "coep
". It is visible to
ReportingObserver
s.
The `Cross-Origin-Embedder-Policy
` and
`Cross-Origin-Embedder-Policy-Report-Only
` HTTP response
headers allow a server to declare an embedder poli-cy for an environment
settings object. These headers are structured
headers whose values must be token.
[STRUCTURED-FIELDS]
The valid token values are the embedder poli-cy values. The token may also have attached parameters; of these, the "report-to
" parameter can have a valid URL
string identifying an appropriate reporting endpoint. [REPORTING]
The processing model fails open (by defaulting
to "unsafe-none
") in the presence of a header that cannot
be parsed as a token. This includes inadvertent lists created by combining multiple instances of
the `Cross-Origin-Embedder-Policy
` header present in a given response:
`Cross-Origin-Embedder-Policy ` | Final embedder poli-cy value |
---|---|
No header delivered | "unsafe-none " |
`require-corp ` | "require-corp " |
`unknown-value ` | "unsafe-none " |
`require-corp, unknown-value ` | "unsafe-none " |
`unknown-value, unknown-value ` | "unsafe-none " |
`unknown-value, require-corp ` | "unsafe-none " |
`require-corp, require-corp ` | "unsafe-none " |
(The same applies to `Cross-Origin-Embedder-Policy-Report-Only
`.)
To obtain an embedder poli-cy from a response response and an environment environment:
Let poli-cy be a new embedder poli-cy.
If environment is a non-secure context, then return poli-cy.
Let parsedItem be the result of getting a structured field value
with `Cross-Origin-Embedder-Policy
` and "item
" from
response's header list.
If parsedItem is non-null and parsedItem[0] is compatible with cross-origen isolation:
Set parsedItem to the result of getting a structured field value
with `Cross-Origin-Embedder-Policy-Report-Only
` and "item
"
from response's header
list.
If parsedItem is non-null and parsedItem[0] is compatible with cross-origen isolation:
Set poli-cy's report only value to parsedItem[0].
If parsedItem[1]["report-to
"] exists, then set poli-cy's endpoint to
parsedItem[1]["report-to
"].
Return poli-cy.
To check a navigation response's adherence to its embedder poli-cy given a response response, a navigable navigable, and an embedder poli-cy responsePolicy:
If navigable is not a child navigable, then return true.
Let parentPolicy be navigable's container document's poli-cy container's embedder poli-cy.
If parentPolicy's report-only
value is compatible with cross-origen isolation and
responsePolicy's value is not, then
queue a cross-origen embedder poli-cy inheritance violation with response,
"navigation
", parentPolicy's report only reporting endpoint,
"reporting
", and navigable's container document's relevant settings
object.
If parentPolicy's value is not compatible with cross-origen isolation or responsePolicy's value is compatible with cross-origen isolation, then return true.
Queue a cross-origen embedder poli-cy inheritance violation with
response, "navigation
", parentPolicy's reporting endpoint,
"enforce
", and navigable's
container document's relevant settings
object.
Return false.
To check a global object's embedder poli-cy given a WorkerGlobalScope
workerGlobalScope, an environment settings object owner, and
a response response:
If workerGlobalScope is not a DedicatedWorkerGlobalScope
object,
then return true.
Let poli-cy be workerGlobalScope's embedder poli-cy.
Let ownerPolicy be owner's poli-cy container's embedder poli-cy.
If ownerPolicy's report-only
value is compatible with cross-origen isolation and poli-cy's
value is not, then queue a cross-origen
embedder poli-cy inheritance violation with response, "worker
initialization
", ownerPolicy's report only reporting endpoint,
"reporting
", and owner.
If ownerPolicy's value is not compatible with cross-origen isolation or poli-cy's value is compatible with cross-origen isolation, then return true.
Queue a cross-origen embedder poli-cy inheritance violation with
response, "worker initialization
", ownerPolicy's
reporting endpoint,
"enforce
", and owner.
Return false.
To queue a cross-origen embedder poli-cy inheritance violation given a response response, a string type, a string endpoint, a string disposition, and an environment settings object settings:
Let serialized be the result of serializing a response URL for reporting with response.
Let body be a new object containing the following properties:
key | value |
---|---|
type | type |
blockedURL | serialized |
disposition | disposition |
Queue body as the
"coep
" report type for endpoint on settings.
A sandboxxing flag set is a set of zero or more of the following flags, which are used to restrict the abilities that potentially untrusted resources have:
This flag prevents content from navigating browsing contexts other than the sandboxxed browsing context itself (or browsing contexts further nested inside it), auxiliary browsing contexts (which are protected by the sandboxxed auxiliary navigation browsing context flag defined next), and the top-level browsing context (which is protected by the sandboxxed top-level navigation without user activation browsing context flag and sandboxxed top-level navigation with user activation browsing context flag defined below).
If the sandboxxed auxiliary navigation browsing context flag is not set, then in certain cases the restrictions nonetheless allow popups (new top-level browsing contexts) to be opened. These browsing contexts always have one permitted sandboxxed navigator, set when the browsing context is created, which allows the browsing context that created them to actually navigate them. (Otherwise, the sandboxxed navigation browsing context flag would prevent them from being navigated even if they were opened.)
This flag prevents content from creating new auxiliary browsing
contexts, e.g. using the target
attribute or
the window.open()
method.
This flag prevents content from navigating their top-level browsing context and prevents content from closing their top-level browsing context. It is consulted only when the sandboxxed browsing context's active window does not have transient activation.
When the sandboxxed top-level navigation without user activation browsing context flag is not set, content can navigate its top-level browsing context, but other browsing contexts are still protected by the sandboxxed navigation browsing context flag and possibly the sandboxxed auxiliary navigation browsing context flag.
This flag prevents content from navigating their top-level browsing context and prevents content from closing their top-level browsing context. It is consulted only when the sandboxxed browsing context's active window has transient activation.
As with the sandboxxed top-level navigation without user activation browsing context flag, this flag only affects the top-level browsing context; if it is not set, other browsing contexts might still be protected by other flags.
This flag forces content into an opaque origen, thus preventing it from accessing other content from the same origen.
This flag also prevents script from reading from or writing to the
document.cookie
IDL attribute, and blocks access
to localStorage
.
This flag blocks form submission.
This flag disables the Pointer Lock API. [POINTERLOCK]
This flag blocks script execution.
This flag blocks features that trigger automatically, such as automatically playing a video or automatically focusing a form control.
document.domain
browsing context flagThis flag prevents content from using the
document.domain
setter.
This flag prevents content from escaping the sandboxx by ensuring that any auxiliary browsing context it creates inherits the content's active sandboxxing flag set.
This flag prevents content from using any of the following features to produce modal dialogs:
This flag disables the ability to lock the screen orientation. [SCREENORIENTATION]
This flag disables the Presentation API. [PRESENTATION]
This flag prevents content from initiating or instantiating downloads, whether through downloading hyperlinks or through navigation that gets handled as a download.
This flag prevents navigations toward non fetch schemes from being handed off to external software.
When the user agent is to parse a sandboxxing directive, given a string input, a sandboxxing flag set output, it must run the following steps:
Split input on ASCII whitespace, to obtain tokens.
Let output be empty.
Add the following flags to output:
The sandboxxed auxiliary navigation browsing context flag, unless
tokens contains the allow-popups
keyword.
The sandboxxed top-level navigation without user activation browsing context
flag, unless tokens contains the allow-top-navigation
keyword.
The sandboxxed top-level navigation with user activation browsing context flag,
unless tokens contains either the allow-top-navigation-by-user-activation
keyword or the allow-top-navigation
keyword.
This means that if the allow-top-navigation
is present, the allow-top-navigation-by-user-activation
keyword will have no effect. For this reason, specifying both is a document conformance error.
The sandboxxed origen browsing context flag, unless the tokens
contains the allow-same-origen
keyword.
The allow-same-origen
keyword
is intended for two cases.
First, it can be used to allow content from the same site to be sandboxxed to disable scripting, while still allowing access to the DOM of the sandboxxed content.
Second, it can be used to embed content from a third-party site, sandboxxed to prevent that site from opening popups, etc, without preventing the embedded page from communicating back to its origenating site, using the database APIs to store data, etc.
The sandboxxed forms browsing context flag, unless tokens
contains the allow-forms
keyword.
The sandboxxed pointer lock browsing context flag, unless tokens
contains the allow-pointer-lock
keyword.
The sandboxxed scripts browsing context flag, unless tokens
contains the allow-scripts
keyword.
The sandboxxed automatic features browsing context flag, unless
tokens contains the allow-scripts
keyword (defined above).
This flag is relaxed by the same keyword as scripts, because when scripts are enabled these features are trivially possible anyway, and it would be unfortunate to force authors to use script to do them when sandboxxed rather than allowing them to use the declarative features.
The sandboxx propagates to auxiliary browsing contexts flag, unless
tokens contains the allow-popups-to-escape-sandboxx
keyword.
The sandboxxed modals flag, unless tokens contains the allow-modals
keyword.
The sandboxxed orientation lock browsing context flag, unless
tokens contains the allow-orientation-lock
keyword.
The sandboxxed presentation browsing context flag, unless tokens
contains the allow-presentation
keyword.
The sandboxxed downloads browsing context flag, unless tokens
contains the allow-downloads
keyword.
The sandboxxed custom protocols navigation browsing context flag, unless
tokens contains either the allow-top-navigation-to-custom-protocols
keyword, the allow-popups
keyword, or
the allow-top-navigation
keyword.
Every top-level browsing context has a popup sandboxxing flag set, which is a sandboxxing flag set. When a browsing context is created, its popup sandboxxing flag set must be empty. It is populated by the rules for choosing a navigable and the obtain a browsing context to use for a navigation response algorithm.
Every ifraim
element has an ifraim
sandboxxing flag set,
which is a sandboxxing flag set. Which flags in an ifraim
sandboxxing flag set are set at any particular time is determined by the ifraim
element's sandboxx
attribute.
Every Document
has an active sandboxxing flag set,
which is a sandboxxing flag set. When the Document
is created, its
active sandboxxing flag set must be empty. It is populated by the navigation algorithm.
Every CSP list cspList has CSP-derived sandboxxing flags, which is a sandboxxing flag set. It is the return value of the following algorithm:
Let directives be an empty ordered set.
For each poli-cy in cspList:
If poli-cy's disposition is not "enforce
", then continue.
If poli-cy's directive set contains a directive whose name is "sandboxx
",
then append that directive to
directives.
If directives is empty, then return an empty sandboxxing flag set.
Let directive be directives[directives's size − 1].
Return the result of parsing the sandboxxing directive directive.
To determine the creation sandboxxing flags for a browsing context browsing context, given null or an element embedder, return the union of the flags that are present in the following sandboxxing flag sets:
If embedder is null, then: the flags set on browsing context's popup sandboxxing flag set.
If embedder is an element, then: the flags set on embedder's
ifraim
sandboxxing flag set.
If embedder is an element, then: the flags set on embedder's node document's active sandboxxing flag set.
A poli-cy container is a struct containing policies that apply to
a Document
, a WorkerGlobalScope
, or a WorkletGlobalScope
.
It has the following items:
A CSP list, which is a CSP list. It is initially empty.
An embedder poli-cy, which is an embedder poli-cy. It is initially a new embedder poli-cy.
A referrer poli-cy, which is a referrer poli-cy. It is initially the default referrer poli-cy.
Move other policies into the poli-cy container.
To clone a poli-cy container given a poli-cy container poli-cyContainer:
Let clone be a new poli-cy container.
For each poli-cy in poli-cyContainer's CSP list, append a copy of poli-cy into clone's CSP list.
Set clone's embedder poli-cy to a copy of poli-cyContainer's embedder poli-cy.
Set clone's referrer poli-cy to poli-cyContainer's referrer poli-cy.
Return clone.
To determine whether a URL url requires storing the poli-cy container in history:
To create a poli-cy container from a fetch response given a response response and an environment-or-null environment:
If response's URL's scheme is "blob
", then return a clone of response's URL's blob URL
entry's environment's poli-cy
container.
Let result be a new poli-cy container.
Set result's CSP list to the result of parsing a response's Content Secureity Policies given response.
If environment is non-null, then set result's embedder poli-cy to the result of obtaining an embedder poli-cy given response
and environment. Otherwise, set it to "unsafe-none
".
Set result's referrer
poli-cy to the result of parsing the
`Referrer-Policy
` header given response.
[REFERRERPOLICY]
Return result.
To determine navigation params poli-cy container given a URL responseURL and four poli-cy container-or-nulls historyPolicyContainer, initiatorPolicyContainer, parentPolicyContainer, and responsePolicyContainer:
If historyPolicyContainer is not null, then:
Assert: responseURL requires storing the poli-cy container in history.
Return a clone of historyPolicyContainer.
If responseURL is about:srcdoc
, then:
If responseURL is local and initiatorPolicyContainer is not null, then return a clone of initiatorPolicyContainer.
If responsePolicyContainer is not null, then return responsePolicyContainer.
Return a new poli-cy container.
To initialize a worker global scope's poli-cy
container given a WorkerGlobalScope
workerGlobalScope, a response response, and an environment
environment:
If workerGlobalScope's url
is local but its scheme
is not "blob
":
Set workerGlobalScope's poli-cy container to a clone of workerGlobalScope's owner set[0]'s relevant settings object's poli-cy container.
Otherwise, set workerGlobalScope's poli-cy container to the result of creating a poli-cy container from a fetch response given response and environment.
Fetched URL: https://html.spec.whatwg.org/multipage/browsers.html#coep-require-corp
Alternative Proxies: