Living Standard — Last Updated 31 May 2023
This section describes features that apply most directly to web browsers. Having said that, except where specified otherwise, the requirements defined in this section do apply to all user agents, whether they are web browsers or not.
Origins are the fundamental currency of the web's security model. Two actors in the web platform that share an origin are assumed to trust each other and to have the same authority. Actors with differing origins are considered potentially hostile versus each other, and are isolated from each other to varying degrees.
For example, if Example Bank's web site, hosted at An origin is one of the following: An internal value, with no serialization it can be recreated from (it is serialized as
" A tuple consists of:
Origins can be shared, e.g., among multiple
The effective domain of an
origin origin is computed as follows: If origin is an opaque origin,
then return null. If origin's domain is non-null,
then return origin's domain. Return origin's host. The serialization of an origin is the string obtained
by applying the following algorithm to the given origin origin: If origin is an opaque origin,
then return " Otherwise, let result be origin's scheme. Append " Append origin's host, serialized, to result. If origin's port is non-null, append
a U+003A COLON character (:), and origin's port, serialized,
to result. Return result. The serialization of (" There used to also be a
Unicode serialization of an origin. However, it was never widely adopted. Two origins, A and B, are said to be same origin if the following algorithm returns true: If A and B are the same opaque
origin, then return true. If A and B are both tuple
origins and their schemes, hosts, and port
are identical, then return true. Return false. Two origins, A and B, are said to be same origin-domain if the following algorithm returns true: If A and B are the same opaque
origin, then return true. If A and B are both tuple
origins, run these substeps: If A and B's schemes
are identical, and their domains are identical and
non-null, then return true. Otherwise, if A and B are same origin and their
domains are identical and null, then return
true. Return false. A scheme-and-host is a tuple of a scheme (an ASCII string) and a host (a host). A site is an opaque origin or a
scheme-and-host. To obtain a site, given an origin origin, run these steps: If origin is an opaque origin,
then return origin. If origin's host's registrable
domain is null, then return (origin's scheme, origin's host). Return (origin's scheme,
origin's host's registrable
domain). Two sites, A and B, are said to be same site if the following algorithm
returns true: If A and B are the same opaque
origin, the return true. If A or B is an opaque
origin, then return false. If A's and B's scheme values are different, then return
false. If A's and B's host values are not equal, then return false. Return true. The serialization of a site is the string obtained by applying the following
algorithm to the given site site: If site is an opaque origin, then
return " Let result be site[0]. Append " Append site[1], serialized, to
result. Return result. It needs to be clear from context that the serialized value is a site, not an
origin, as there is not necessarily a syntactic difference between the two. For example, the
origin (" Two origins, A and B, are said to be schemelessly same site if the following algorithm returns true: If A and B are the same opaque
origin, then return true. If A and B are both tuple
origins, then: If hostA equals hostB and
hostA's registrable domain is null, then return true. If hostA's registrable domain equals hostB's registrable domain and is non-null, then
return true. Return false. Two origins, A and B, are said to be same site if the following algorithm returns true: Let siteA be the result of obtaining a
site given A. Let siteB be the result of obtaining a
site given B. If siteA is same site with
siteB, then return true. Return false. Unlike the same origin and same origin-domain concepts,
for schemelessly same site and same site, the port and domain
components are ignored. For the reasons URL, the
same site and schemelessly same site concepts should be avoided when
possible, in favor of same origin checks. Given that (Here we have omitted the port and domain components since they are not considered.) Returns the current domain used for security checks. Can be set to a value that removes subdomains, to change the origin's domain to allow pages on other subdomains of the same
domain (if they do the same thing) to access each other. This enables pages on different hosts
of a domain to synchronously access each other's DOMs. In sandboxed Avoid using the Because of these security pitfalls, this feature is in the process of being removed from the
web platform. (This is a long process that takes many years.) Instead, use The Let effectiveDomain be this's origin's effective domain.
If effectiveDomain is null, then return the empty string. Return effectiveDomain, serialized. The If this's browsing context is
null, then throw a " If effectiveDomain is null, then throw a
" Set this's origin's domain to the result of parsing the given value. To determine if a scalar value string hostSuffixString is a registrable domain suffix of or is equal to a host originalHost: If hostSuffixString is the empty string, then return false. Let hostSuffix be the result of parsing
hostSuffixString. If hostSuffix is failure, then return false. If hostSuffix does not equal
originalHost, then: If hostSuffix or originalHost is not a domain, then return false. This excludes hosts that are IP addresses. If hostSuffix, prefixed by U+002E (.), does not match the end of
originalHost, then return false. If one of the following is true hostSuffix equals
hostSuffix's public suffix hostSuffix, prefixed by U+002E (.), matches the end
originalHost's public suffix then return false. [URL] Assert: originalHost's public suffix, prefixed by
U+002E (.), matches the end of hostSuffix. Return true. Returns true if this A Per the processing model in the create
and initialize a new The consequences of using this header are that the resulting
Note that within a browsing context group, the
` This means that the The Similarly, A cross-origin opener policy value allows a document which is navigated to in a
top-level browsing context to force the creation of a new top-level browsing
context, and a corresponding group. The possible values
are: This is the (current) default and means that the document will occupy the same
top-level browsing context as its predecessor, unless that document specified a
different cross-origin opener policy. This forces the creation of a new top-level browsing context for the
document, unless its predecessor specified the same cross-origin opener policy and
they are same origin. This behaves the same as " This behaves the same as " "
A cross-origin opener policy consists of: A value, which is a cross-origin opener policy value, initially " A reporting endpoint, which is string or
null, initially null. A report-only value, which is a cross-origin opener policy value, initially
" A report-only reporting endpoint,
which is a string or null, initially null. To match cross-origin opener policy values, given a
cross-origin opener policy value A, an origin
originA, a cross-origin opener policy value B, and an
origin originB: If A is " If A is " If A is B and originA is same origin with
originB, then return true. Return false. Headers/Cross-Origin-Opener-Policy Support in all current engines. A The valid token values are the opener policy values. The token may also have
attached parameters; of these, the " Per the processing model described below, user agents will ignore this header if it contains an invalid value. Likewise, user
agents will ignore this header if the value cannot be parsed as a token. To obtain a cross-origin opener policy given a response response and an environment
reservedEnvironment: Let policy be a new cross-origin opener policy. If reservedEnvironment is a non-secure context, then return
policy. Let parsedItem be the result of getting a structured field value
given ` If parsedItem is not null, then: If parsedItem[0] is " Let coep be the result of obtaining a cross-origin embedder policy from response and
reservedEnvironment. If coep's value is
compatible with cross-origin isolation, then set policy's value to " Otherwise, set policy's value to
" If parsedItem[0] is " If parsedItem[1][" Set parsedItem to the result of getting a structured field value
given ` If parsedItem is not null, then: If parsedItem[0] is " Let coep be the result of obtaining a cross-origin embedder policy from response and
reservedEnvironment. If coep's value is
compatible with cross-origin isolation or coep's report-only value is compatible
with cross-origin isolation, then set policy's report-only value to " Report only COOP also considers report-only COEP to assign the special
" Otherwise, set policy's report-only value to " If parsedItem[0] is " If parsedItem[1][" Return policy. To check if COOP values require a
browsing context group switch, given a boolean isInitialAboutBlank, two origins responseOrigin and
activeDocumentNavigationOrigin, and two cross-origin
opener policy values responseCOOPValue and
activeDocumentCOOPValue: If the result of matching
activeDocumentCOOPValue, activeDocumentNavigationOrigin,
responseCOOPValue, and responseOrigin is true, return false. If all of the following are true: isInitialAboutBlank; activeDocumentCOOPValue's value is
" responseCOOPValue is " then return false. Return true. To check if enforcing report-only COOP
would require a browsing context group switch, given a boolean
isInitialAboutBlank, two origins
responseOrigin, activeDocumentNavigationOrigin, and two cross-origin opener policies responseCOOP
and activeDocumentCOOP: If the result of checking if
COOP values require a browsing context group switch given
isInitialAboutBlank, responseOrigin,
activeDocumentNavigationOrigin, responseCOOP's report-only value and
activeDocumentCOOPReportOnly's report-only value is false, then return
false. Matching report-only policies allows a website to specify the same report-only
cross-origin opener policy on all its pages and not receive violation reports for navigations
between these pages. If the result of checking
if COOP values require a browsing context group switch given
isInitialAboutBlank, responseOrigin,
activeDocumentNavigationOrigin, responseCOOP's value and activeDocumentCOOPReportOnly's report-only value is true, then return
true. If the result of checking
if COOP values require a browsing context group switch given
isInitialAboutBlank, responseOrigin,
activeDocumentNavigationOrigin, responseCOOP's report-only value and
activeDocumentCOOPReportOnly's value is true,
then return true. Return false. A cross-origin opener policy enforcement result is
a struct with the following items: A boolean needs a browsing context group
switch, initially false. A boolean would need a browsing
context group switch due to report-only, initially false. A URL url. An origin origin. A cross-origin opener policy cross-origin opener policy. A boolean current context is navigation
source, initially false. To enforce a response's cross-origin opener policy, given a
browsing context browsingContext, a URL
responseURL, an origin responseOrigin, a cross-origin
opener policy responseCOOP, a cross-origin opener policy enforcement result
currentCOOPEnforcementResult, and a referrer referrer: Let newCOOPEnforcementResult be a new cross-origin opener policy enforcement result with Let isInitialAboutBlank be browsingContext's active
document's is initial If isInitialAboutBlank is true and browsingContext's initial URL is null, set
browsingContext's initial URL to
responseURL. If the result of checking if
COOP values require a browsing context group switch given
isInitialAboutBlank, currentCOOPEnforcementResult's cross-origin opener policy's value, currentCOOPEnforcementResult's origin, responseCOOP's value, and responseOrigin is true, then: Set newCOOPEnforcementResult's needs a browsing context group switch to
true. If browsingContext's group's browsing
context set's size is greater than 1, then: Queue a violation report for browsing
context group switch when navigating to a COOP response with responseCOOP,
" Queue a violation report for browsing
context group switch when navigating away from a COOP response with
currentCOOPEnforcementResult's cross-origin
opener policy, " If the result of checking if
enforcing report-only COOP would require a browsing context group switch given
isInitialAboutBlank, responseOrigin,
currentCOOPEnforcementResult's origin,
responseCOOP, and currentCOOPEnforcementResult's cross-origin opener policy, is true, then: Set result's would
need a browsing context group switch due to report-only to true. If browsingContext's group's browsing
context set's size is greater than 1, then: Queue a violation report for browsing
context group switch when navigating to a COOP response with responseCOOP,
" Queue a violation report for browsing
context group switch when navigating away from a COOP response with
currentCOOPEnforcementResult's cross-origin
opener policy, " Return newCOOPEnforcementResult. To obtain a browsing context to use for a
navigation response, given a browsing context browsingContext, a
sandboxing flag set sandboxFlags, a cross-origin opener
policy navigationCOOP, and a cross-origin opener policy enforcement result
coopEnforcementResult: If browsingContext is not a top-level browsing context, then
return browsingContext. If coopEnforcementResult's needs a
browsing context group switch is false, then: If coopEnforcementResult's would need a browsing context group switch
due to report-only is true, set browsing context's virtual browsing context group ID to a new
unique identifier. Return browsingContext. Let newBrowsingContext be the first return value of creating a new
top-level browsing context and document. In this case we are going to perform a browsing context group swap.
browsingContext will not be used by the new If navigationCOOP's value is " It is difficult on some platforms to provide the security properties required
by the cross-origin
isolated capability. " If sandboxFlags is not empty, then: Assert navigationCOOP's value is
" Assert: newBrowsingContext's popup sandboxing flag
set is empty. Set newBrowsingContext's popup sandboxing flag set to a clone of sandboxFlags. Return newBrowsingContext. An accessor-accessed relationship is an enum that describes the relationship
between two browsing contexts between which an access
happened. It can take the following values: The accessor browsing context or one of its ancestors is the opener browsing context of the accessed
browsing context's top-level browsing
context. The accessed browsing context or one of its ancestors is the opener browsing context of the accessor
browsing context's top-level browsing
context. There is no opener relationship between the accessor browsing context, the
accessor browsing context, or any of their ancestors. To check if an access between two browsing contexts
should be reported, given two browsing contexts
accessor and accessed, a JavaScript property name P, and an
environment settings object environment: If P is not a cross-origin accessible window property name, then
return. Assert: accessor's active document and
accessed's active document are both fully active. Let accessorTopDocument be accessor's top-level browsing context's active document. Let accessorInclusiveAncestorOrigins be the list obtained by taking the origin of the active
document of each of accessor's active document's inclusive
ancestor navigables. Let accessedTopDocument be accessed's top-level browsing context's active document. Let accessedInclusiveAncestorOrigins be the list obtained by taking the origin of the active
document of each of accessed's active document's inclusive
ancestor navigables. If any of accessorInclusiveAncestorOrigins are not same origin with
accessorTopDocument's origin, or if
any of accessedInclusiveAncestorOrigins are not same origin with
accessedTopDocument's origin, then
return. This avoids leaking information about cross-origin iframes to a top level frame
with cross-origin opener policy reporting. If accessor's top-level browsing context's virtual browsing context group ID is
accessed's top-level browsing context's virtual browsing context group ID, then
return. Let accessorAccessedRelationship be a new accessor-accessed
relationship with value none. If accessed's top-level browsing context's
opener browsing context is accessor or is an ancestor of accessor, then set
accessorAccessedRelationship to accessor is
opener. If accessor's top-level browsing context's
opener browsing context is accessed or is an ancestor of accessed, then set
accessorAccessedRelationship to accessor is
openee. Queue violation reports for accesses, given
accessorAccessedRelationship, accessorTopDocument's cross-origin opener policy,
accessedTopDocument's cross-origin opener
policy, accessor's active document's URL, accessed's active document's
URL, accessor's top-level browsing context's initial URL, accessed's top-level browsing context's initial URL, accessor's active
document's origin, accessed's
active document's origin,
accessor's top-level browsing context's opener origin at creation, accessed's top-level browsing context's opener origin at creation,
accessorTopDocument's referrer,
accessedTopDocument's referrer,
P, and environment. To sanitize a URL to send in a report given a
URL url: Let sanitizedURL be a copy of url. Set the username given sanitizedURL and
the empty string.
Set the password given sanitizedURL and
the empty string.
Return the serialization of
sanitizedURL with exclude
fragment set to true. To queue a violation report for browsing context
group switch when navigating to a COOP response given a cross-origin opener policy coop, a string disposition, a
URL coopURL, a URL previousResponseURL, two origins coopOrigin and previousResponseOrigin, and a
referrer referrer: If coop's reporting endpoint
is null, return. Let coopValue be coop's value. If disposition is " Let serializedReferrer be an empty string. If referrer is a URL, set serializedReferrer to the
serialization of referrer.
Let body be a new object containing the following properties: Queue body as " To queue a violation report for browsing context
group switch when navigating away from a COOP response given a cross-origin opener policy coop, a string
disposition, a URL coopURL, a URL
nextResponseURL, two origins coopOrigin and
nextResponseOrigin, and a boolean isCOOPResponseNavigationSource: If coop's reporting endpoint
is null, return. Let coopValue be coop's value. If disposition is " Let body be a new object containing the following properties: Queue body as " To queue violation reports for accesses, given an
accessor-accessed relationship accessorAccessedRelationship, two
cross-origin opener policies
accessorCOOP and accessedCOOP, four URLs
accessorURL, accessedURL, accessorInitialURL,
accessedInitialURL, four origins
accessorOrigin, accessedOrigin, accessorCreatorOrigin and
accessedCreatorOrigin, two referrers
accessorReferrer and accessedReferrer, a string propertyName, and
an environment settings object environment: If coop's reporting endpoint
is null, return. Let coopValue be coop's value. If disposition is " If accessorAccessedRelationship is accessor is opener: Queue a violation report
for access to an opened window, given accessorCOOP, accessorURL,
accessedURL, accessedInitialURL, accessorOrigin,
accessedOrigin, accessedCreatorOrigin, propertyName,
and environment. Queue a violation report for access
from the opener, given accessedCOOP, accessedURL,
accessorURL, accessedOrigin, accessorOrigin,
propertyName, and accessedReferrer. Otherwise, if accessorAccessedRelationship is accessor is openee: Queue a violation report for access to
the opener, given accessorCOOP, accessorURL,
accessedURL, accessorOrigin, accessedOrigin,
propertyName, accessorReferrer, and environment. Queue a violation report for access
from an opened window, given accessedCOOP, accessedURL,
accessorURL, accessorInitialURL, accessedOrigin,
accessorOrigin, accessorCreatorOrigin, and
propertyName. Otherwise: Queue a violation report for
access to another window, given accessorCOOP, accessorURL,
accessedURL, accessorOrigin, accessedOrigin,
propertyName, and environment Queue a violation report for
access from another window, given accessedCOOP, accessedURL,
accessorURL, accessedOrigin, accessorOrigin, and
propertyName. To queue a violation report for access to the
opener, given a cross-origin opener
policy coop, two URLs coopURL and
openerURL, two origins coopOrigin and
openerOrigin, a string propertyName, a referrer referrer, and an environment
settings object environment: Let sourceFile, lineNumber and columnNumber be the
relevant script URL and problematic position which triggered this report. Let serializedReferrer be an empty string. If referrer is a URL, set serializedReferrer to the
serialization of referrer.
Let body be a new object containing the following properties: Queue body as " To queue a violation report for access to an
opened window, given a cross-origin opener
policy coop, three URLs coopURL,
openedWindowURL and initialWindowURL, three origins coopOrigin, openedWindowOrigin, and
openerInitialOrigin, a string propertyName, and an environment
settings object environment: Let sourceFile, lineNumber and columnNumber be the
relevant script URL and problematic position which triggered this report. Let body be a new object containing the following properties: Queue body as " To queue a violation report for access to another
window, given a cross-origin opener policy
coop, two URLs coopURL and
otherURL, two origins coopOrigin and
otherOrigin, a string propertyName, and an environment settings
object environment: Let sourceFile, lineNumber and columnNumber be the
relevant script URL and problematic position which triggered this report. Let body be a new object containing the following properties: Queue body as " To queue a violation report for access from the
opener, given a cross-origin opener policy
coop, two URLs coopURL and
openerURL, two origins coopOrigin and
openerOrigin, a string propertyName, and a referrer referrer: If coop's reporting endpoint
is null, return. Let serializedReferrer be an empty string. If referrer is a URL, set serializedReferrer to the
serialization of referrer.
Let body be a new object containing the following properties: Queue body as " To queue a violation report for access from an
opened window, given a cross-origin opener
policy coop, three URLs coopURL,
openedWindowURL and initialWindowURL, three origins coopOrigin, openedWindowOrigin, and
openerInitialOrigin, and a string propertyName: If coop's reporting endpoint
is null, return. Let body be a new object containing the following properties: Queue body as " To queue a violation report for access from another
window, given a cross-origin opener policy
coop, two URLs coopURL and otherURL, two
origins coopOrigin and otherOrigin, and a string
propertyName: If coop's reporting endpoint
is null, return. Let body be a new object containing the following properties: Queue body as " Headers/Cross-Origin-Embedder-Policy Support in all current engines. An embedder policy value is one of three strings that controls the fetching
of cross-origin resources without explicit permission from resource owners. This is the default value. When this value is used, cross-origin resources can be fetched
without giving explicit permission through the CORS protocol or the
` When this value is used, fetching cross-origin resources requires the server's
explicit permission through the CORS protocol or the
` When this value is used, fetching cross-origin no-CORS resources omits credentials. In
exchange, an explicit ` Before supporting " Otherwise, it would allow attackers to leverage the client's network position to read non
public resources, using the cross-origin isolated
capability. An embedder policy value is compatible with cross-origin isolation if
it is " An embedder policy consists of: A value, which is an embedder policy value, initially " A reporting endpoint string, initially the empty string. A report only value, which is an embedder policy value, initially
" A report only reporting endpoint string, initially the empty
string. The " The ` The valid token values are the embedder policy values. The token may also have attached parameters; of these, the " The processing model fails open (by defaulting
to " (The same applies to ` To obtain an embedder policy from a response response and an environment
environment: Let policy be a new embedder policy. If environment is a non-secure context, then return
policy. Let parsedItem be the result of getting a structured field value
with ` If parsedItem is non-null and parsedItem[0] is compatible with
cross-origin isolation: Set parsedItem to the result of getting a structured field value
with ` If parsedItem is non-null and parsedItem[0] is compatible with
cross-origin isolation: Set policy's report only value to
parsedItem[0]. If parsedItem[1][" Return policy. To check a navigation response's adherence to its embedder policy given a response response, a navigable
navigable, and an embedder policy responsePolicy: If navigable is not a child navigable, then return
true. Let parentPolicy be navigable's container document's policy container's embedder policy. If parentPolicy's report-only
value is compatible with cross-origin isolation and
responsePolicy's value is not, then
queue a cross-origin embedder policy inheritance violation with response,
" If parentPolicy's value is not
compatible with cross-origin isolation or responsePolicy's value is compatible with cross-origin
isolation, then return true. Queue a cross-origin embedder policy inheritance violation with
response, " Return false. To check a global object's embedder policy given a If workerGlobalScope is not a Let policy be workerGlobalScope's embedder policy.
Let ownerPolicy be owner's policy container's embedder policy.
If ownerPolicy's report-only
value is compatible with cross-origin isolation and policy's
value is not, then queue a cross-origin
embedder policy inheritance violation with response, " If ownerPolicy's value is not
compatible with cross-origin isolation or policy's value is compatible with cross-origin
isolation, then return true. Queue a cross-origin embedder policy inheritance violation with
response, " Return false. To queue a cross-origin embedder policy inheritance violation given a response response, a string type, a string
endpoint, a string disposition, and an environment settings
object settings: Let serialized be the result of serializing a response URL for
reporting with response. Let body be a new object containing the following properties: Queue body as the
" A sandboxing flag set is a set of zero or more of the following flags, which
are used to restrict the abilities that potentially untrusted resources have: This flag prevents content from navigating browsing contexts other
than the sandboxed browsing context itself (or browsing contexts further nested inside it),
auxiliary browsing contexts (which are protected
by the sandboxed auxiliary navigation browsing context flag defined next), and the
top-level browsing context (which is protected by the sandboxed top-level
navigation without user activation browsing context flag and sandboxed top-level
navigation with user activation browsing context flag defined below). If the sandboxed auxiliary navigation browsing context flag is not set, then in
certain cases the restrictions nonetheless allow popups (new top-level browsing contexts) to be opened. These browsing contexts always have one permitted sandboxed navigator, set
when the browsing context is created, which allows the browsing context that
created them to actually navigate them. (Otherwise, the sandboxed navigation browsing
context flag would prevent them from being navigated even if they were opened.) This flag prevents content from creating new auxiliary browsing
contexts, e.g. using the This flag prevents content from navigating their top-level
browsing context and prevents content from closing their
top-level browsing context. It is consulted only when the sandboxed browsing
context's active window does not have transient activation. When the sandboxed top-level navigation without user activation browsing context
flag is not set, content can navigate its top-level browsing
context, but other browsing contexts are still
protected by the sandboxed navigation browsing context flag and possibly
the sandboxed auxiliary navigation browsing context flag. This flag prevents content from navigating their top-level
browsing context and prevents content from closing their
top-level browsing context. It is consulted only when the sandboxed browsing
context's active window has transient activation. As with the sandboxed top-level navigation without user activation browsing context
flag, this flag only affects the top-level browsing context; if it is not
set, other browsing contexts might still be protected by
other flags. This flag forces content into a unique origin, thus preventing
it from accessing other content from the same origin. This flag also prevents script from reading from or writing to the
This flag blocks form submission. This flag disables the Pointer Lock API. [POINTERLOCK] This flag blocks script execution. This flag blocks features that trigger automatically, such as automatically playing a video or automatically focusing a form control. This flag prevents content from using the
This flag prevents content from escaping the sandbox by ensuring that any
auxiliary browsing context it creates inherits the content's
active sandboxing flag set. This flag prevents content from using any of the following features to produce modal
dialogs: This flag disables the ability to lock the screen orientation. [SCREENORIENTATION] This flag disables the Presentation API. [PRESENTATION] This flag prevents content from initiating or instantiating downloads, whether through downloading hyperlinks or through navigation that gets handled as a
download. This flag prevents navigations toward non fetch schemes
from being handed off to external
software. When the user agent is to parse a sandboxing directive, given a string
input, a sandboxing flag set output, it must run the following
steps: Split input on ASCII
whitespace, to obtain tokens. Let output be empty. Add the following flags to output: The sandboxed auxiliary navigation browsing context flag, unless
tokens contains the The sandboxed top-level navigation without user activation browsing context
flag, unless tokens contains the The sandboxed top-level navigation with user activation browsing context flag,
unless tokens contains either the This means that if the The sandboxed origin browsing context flag, unless the tokens
contains the The First, it can be used to allow content from the same site to be sandboxed to disable
scripting, while still allowing access to the DOM of the sandboxed content. Second, it can be used to embed content from a third-party site, sandboxed to prevent that
site from opening popups, etc, without preventing the embedded page from communicating back
to its originating site, using the database APIs to store data, etc. The sandboxed forms browsing context flag, unless tokens
contains the The sandboxed pointer lock browsing context flag, unless tokens
contains the The sandboxed scripts browsing context flag, unless tokens
contains the The sandboxed automatic features browsing context flag, unless
tokens contains the This flag is relaxed by the same keyword as scripts, because when scripts are
enabled these features are trivially possible anyway, and it would be unfortunate to force
authors to use script to do them when sandboxed rather than allowing them to use the
declarative features. The sandbox propagates to auxiliary browsing contexts flag, unless
tokens contains the The sandboxed modals flag, unless tokens contains the The sandboxed orientation lock browsing context flag, unless
tokens contains the The sandboxed presentation browsing context flag, unless tokens
contains the The sandboxed downloads browsing context flag, unless tokens
contains the The sandboxed custom protocols navigation browsing context flag, unless
tokens contains either the Every top-level browsing context has a popup sandboxing flag set, which
is a sandboxing flag set. When a browsing context is created, its
popup sandboxing flag set must be empty. It is populated by the rules for
choosing a navigable and the obtain
a browsing context to use for a navigation response algorithm. Every Every Every CSP list
cspList has CSP-derived sandboxing flags, which is a sandboxing flag
set. It is the return value of the following algorithm: Let directives be an empty ordered set. For each policy in cspList: If policy's disposition is not " If policy's directive set contains a directive whose name is " If directives is empty, then return an empty sandboxing flag
set. Let directive be directives[directives's size − 1]. Return the result of parsing the sandboxing
directive directive. To determine the creation sandboxing
flags for a browsing context browsing
context, given null or an element embedder, return the union of the flags that are present in the following sandboxing flag sets: If embedder is null, then: the flags set on browsing context's
popup sandboxing flag set. If embedder is an element, then: the flags set on embedder's
If embedder is an element, then: the flags set on embedder's
node document's active sandboxing flag set. A policy container is a struct containing policies that apply to
a A CSP list,
which is a CSP list. It is initially empty. An embedder
policy, which is an embedder policy. It is initially a new embedder
policy. A referrer
policy, which is a referrer policy. It is initially the default referrer
policy. Move other policies into the policy container. To clone a policy container given a policy container
policyContainer: Let clone be a new policy container. For each policy in
policyContainer's CSP list, append a copy of policy into clone's CSP list. Set clone's embedder
policy to a copy of policyContainer's embedder policy. Set clone's referrer
policy to policyContainer's referrer policy. Return clone. To determine whether a URL url requires storing the policy
container in history: To create a policy container from a fetch response
given a response response and an
environment-or-null environment: If response's URL's scheme is " Let result be a new policy container. Set result's CSP list to the
result of parsing a response's Content Security Policies
given response. If environment is non-null, then set result's embedder policy to the result of obtaining an embedder policy given response
and environment. Otherwise, set it to " Set result's referrer
policy to the result of parsing the
` Return result. To determine navigation params
policy container given a URL responseURL and four policy container-or-nulls historyPolicyContainer,
initiatorPolicyContainer, parentPolicyContainer, and
responsePolicyContainer: If historyPolicyContainer is not null, then: Assert: responseURL requires storing the policy container
in history. Return a clone of
historyPolicyContainer. If responseURL is If responseURL is local and
initiatorPolicyContainer is not null, then return a clone of initiatorPolicyContainer. If responsePolicyContainer is not null, then return
responsePolicyContainer. Return a new policy container. To initialize a worker global scope's policy
container given a If workerGlobalScope's url
is local but its scheme
is not " Set workerGlobalScope's policy container to a clone of workerGlobalScope's owner
set[0]'s relevant settings object's policy container. Otherwise, set workerGlobalScope's policy container to the result of
creating a policy container from a fetch response given
response and environment.bank.example.com, tries to examine the DOM of Example Charity's web site, hosted
at charity.example.org, a "SecurityError"
null" per serialization of an origin), for which the only
meaningful operation is testing for equality.Document objects. Furthermore, origins are generally
immutable. Only the domain of a tuple origin can be changed, and only through the document.domain API.null".://" to result.https", "xn--maraa-rta.example", null, null) is "https://xn--maraa-rta.example".
A
B
same origin
same origin-domain
(" https", "example.org", null, null)
(" https", "example.org", null, null)
✅
✅
(" https", "example.org", 314, null)
(" https", "example.org", 420, null)
❌
❌
(" https", "example.org", 314, "example.org")
(" https", "example.org", 420, "example.org")
❌
✅
(" https", "example.org", null, null)
(" https", "example.org", null, "example.org")
✅
❌
(" https", "example.org", null, "example.org")
(" http", "example.org", null, "example.org")
❌
❌
7.1.1.1 Sites
null".://" to result.https", "shop.example", null, null) and
the site ("https", "shop.example") have the same
serialization: "https://shop.example".
wildlife.museum, museum, and com are public suffixes and that example.com is not:A
B
schemelessly same site
same site
(" https", "example.com")
(" https", "sub.example.com")
✅
✅
(" https", "example.com")
(" https", "sub.other.example.com")
✅
✅
(" https", "example.com")
(" http", "non-secure.example.com")
✅
❌
(" https", "r.wildlife.museum")
(" https", "sub.r.wildlife.museum")
✅
✅
(" https", "r.wildlife.museum")
(" https", "sub.other.r.wildlife.museum")
✅
✅
(" https", "r.wildlife.museum")
(" https", "other.wildlife.museum")
❌
❌
(" https", "r.wildlife.museum")
(" https", "wildlife.museum")
❌
❌
(" https", "wildlife.museum")
(" https", "wildlife.museum")
✅
✅
(" https", "example.com")
(" https", "example.com.")
❌
❌
7.1.1.2 Relaxing the same-origin restriction
document.domain [ = domain ]iframes, Documents with opaque origins, and Documents without a browsing context, the setter will
throw a "SecurityError" exception. In cases where crossOriginIsolated or originAgentCluster return true, the setter will do
nothing.
document.domain setter. It
undermines the security protections provided by the same-origin policy. This is especially acute
when using shared hosting; for example, if an untrusted third party is able to host an HTTP
server at the same IP address but on a different port, then the same-origin protection that
normally protects two different sites on the same host will fail, as the ports are ignored when
comparing origins after the document.domain setter has
been used.postMessage() or
MessageChannel objects to communicate across origins in a safe manner.domain
getter steps are:domain setter steps are:SecurityError" this's active sandboxing flag set has its sandboxed
document.domain browsing context flag set, then
throw a "SecurityError" effectiveDomain be this's origin's effective domain.
SecurityError" is not
a registrable domain suffix of and is not equal to effectiveDomain, then throw
a "SecurityError" surrounding agent's agent cluster's is
origin-keyed is true, then return.
hostSuffixString originalHost Outcome of is a registrable domain suffix of or is equal to Notes " 0.0.0.0"0.0.0.0✅ " 0x10203"0.1.2.3✅ " [0::1]"::1✅ " example.com"example.com✅ " example.com"example.com.❌ Trailing dot is significant. " example.com."example.com❌ " example.com"www.example.com✅ " com"example.com❌ At the time of writing, com is a public suffix." example"example✅ " compute.amazonaws.com"example.compute.amazonaws.com❌ At the time of writing, *.compute.amazonaws.com is a public suffix." example.compute.amazonaws.com"www.example.compute.amazonaws.com❌ " amazonaws.com"www.example.compute.amazonaws.com❌ " amazonaws.com"test.amazonaws.com✅ At the time of writing, amazonaws.com is a registrable domain.7.1.2 Origin-keyed agent clusters
window.originAgentClusterWindow belongs to an agent cluster which is
origin-keyed, in the manner described in
this section.Document delivered over a secure context can request that it be
placed in an origin-keyed agent
cluster, by using the `Origin-Agent-Cluster` HTTP
response header. This header is a structured header
whose value must be a boolean. [STRUCTURED-FIELDS]Document object, values
that are not the structured header boolean
true value (i.e., `?1`) will be ignored.Document's agent cluster key is its origin, instead of the corresponding site. In terms of observable effects, this means that
attempting to relax the same-origin
restriction using document.domain will instead do
nothing, and it will not be possible to send WebAssembly.Module objects to
cross-origin Documents (even if they are same site). Behind the scenes,
this isolation can allow user agents to allocate implementation-specific resources corresponding
to agent clusters, such as processes or threads, more
efficiently.Origin-Agent-Cluster` header can never cause same-origin Document
objects to end up in different agent clusters, even if one
sends the header and the other doesn't. This is prevented by means of the
historical agent cluster key map.originAgentCluster getter can return false, even if the
header is set, if the header was omitted on a previously-loaded same-origin page in the same
browsing context group. Similarly, it can return true even when the header is not
set.originAgentCluster getter steps are to return the
surrounding agent's agent cluster's is origin-keyed.Documents with an opaque
origin can be considered unconditionally origin-keyed; for them the header has no effect,
and the originAgentCluster getter will always return
true.Documents whose agent cluster's cross-origin isolation mode is not "none" are automatically origin-keyed. The
`Origin-Agent-Cluster` header might be useful as an additional hint to
implementations about resource allocation, since the `Cross-Origin-Opener-Policy`
and `Cross-Origin-Embedder-Policy` headers used to achieve cross-origin isolation
are more about ensuring that everything in the same address space opts in to being there. But
adding it would have no additional observable effects on author code.7.1.3 Cross-origin opener policies
unsafe-none"same-origin-allow-popups"same-origin"same-origin-allow-popups", with the addition that
any auxiliary browsing context created needs to contain same origin
documents that also have the same cross-origin opener policy or it will appear
closed to the opener.same-origin-plus-COEP"same-origin", with the
addition that it sets the (new) top-level browsing context's group's cross-origin isolation
mode to one of "logical" or "concrete".same-origin-plus-COEP" cannot
be directly set via the `Cross-Origin-Opener-Policy` header, but results from a
combination of setting both `Cross-Origin-Opener-Policy: same-origin` and a
`Cross-Origin-Embedder-Policy` header whose value is compatible with
cross-origin isolation together.unsafe-none".unsafe-none".unsafe-none" and B
is "unsafe-none", then return true.unsafe-none" or B
is "unsafe-none", then return false.7.1.3.1 The headers
Firefox79+Safari15.2+Chrome83+
OperaNoEdge83+
Edge (Legacy)?Internet ExplorerNo
Firefox Android?Safari iOS?Chrome Android?WebView AndroidNoSamsung Internet?Opera AndroidNoDocument's cross-origin opener
policy is derived from the `Cross-Origin-Opener-Policy` and `Cross-Origin-Opener-Policy-Report-Only` HTTP response headers.
These headers are structured headers whose value
must be a token. [STRUCTURED-FIELDS]report-to" parameter can have a valid URL
string identifying an appropriate reporting endpoint. [REPORTING]
Cross-Origin-Opener-Policy` and "item" from
response's header list.same-origin",
then:same-origin-plus-COEP".same-origin".same-origin-allow-popups", then set
policy's value to "same-origin-allow-popups".report-to"] exists and it is a string, then set policy's reporting endpoint to
parsedItem[1]["report-to"].Cross-Origin-Opener-Policy-Report-Only` and "item"
from response's header
list.same-origin",
then:same-origin-plus-COEP".same-origin-plus-COEP" value. This allows
developers more freedom in the order of deployment of COOP and COEP.same-origin".same-origin-allow-popups", then set
policy's report-only value to
"same-origin-allow-popups".report-to"] exists and it is a string, then set policy's report-only reporting endpoint to
parsedItem[1]["report-to"].7.1.3.2 Browsing context group switches due to cross-origin opener policy
same-origin-allow-popups"; andunsafe-none"about:blank.enforce", responseURL,
currentCOOPEnforcementResult's url,
currentCOOPEnforcementResult's origin, responseOrigin, and
referrer.enforce",
currentCOOPEnforcementResult's url,
responseURL, currentCOOPEnforcementResult's origin, responseOrigin, and
currentCOOPEnforcementResult's current
context is navigation source.reporting", responseURL,
currentCOOPEnforcementResult's url,
currentCOOPEnforcementResult's origin, responseOrigin, and
referrer.reporting",
currentCOOPEnforcementResult's url,
responseURL, currentCOOPEnforcementResult's origin, responseOrigin, and
currentCOOPEnforcementResult's current
context is navigation source.Document that we are about
to create. If it is not used by other
Documents either (such as ones in the back/forward cache), then the user agent
might destroy it at this point.same-origin-plus-COEP", then set
newBrowsingContext's group's cross-origin isolation mode to either "logical" or "concrete". The choice of which is
implementation-defined.concrete"
grants access to it and "logical" does
not.unsafe-none".7.1.3.3 Reporting
reporting", then set
coopValue to coop's report-only value.key value disposition disposition effectivePolicy coopValue previousResponseURL If coopOrigin and previousResponseOrigin are same origin this is the sanitization of previousResponseURL, null otherwise. referrer serializedReferrer type " navigation-to-response"coop" for coop's reporting endpoint with coopURL.reporting", then set
coopValue to coop's report-only value.key value disposition disposition effectivePolicy coopValue nextResponseURL If coopOrigin and nextResponseOrigin are same origin or isCOOPResponseNavigationSource is true, this is the sanitization of previousResponseURL, null otherwise. type " navigation-from-response"coop" for coop's reporting endpoint with coopURL.reporting", then set
coopValue to coop's report-only value.key value disposition " reporting"effectivePolicy coop's report-only
value property propertyName openerURL If coopOrigin and openerOrigin are same origin, this
is the sanitization of openerURL, null
otherwise. referrer serializedReferrer sourceFile sourceFile lineNumber lineNumber columnNumber columnNumber type " access-to-opener"coop" for coop's reporting endpoint with coopURL and
environment.key value disposition " reporting"effectivePolicy coop's report-only
value property propertyName openedWindowURL If coopOrigin and openedWindowOrigin are same origin, this
is the sanitization of openedWindowURL,
null otherwise. openedWindowInitialURL If coopOrigin and openerInitialOrigin are same origin,
this is the sanitization of
initialWindowURL, null otherwise. sourceFile sourceFile lineNumber lineNumber columnNumber columnNumber type " access-to-opener"coop"
for coop's reporting endpoint with
coopURL and environment.key value disposition " reporting"effectivePolicy coop's report-only
value property propertyName otherURL If coopOrigin and otherOrigin are same origin, this
is the sanitization of otherURL, null
otherwise. sourceFile sourceFile lineNumber lineNumber columnNumber columnNumber type " access-to-opener"coop"
for coop's reporting endpoint with
coopURL and environment.key value disposition " reporting"effectivePolicy coop's report-only
value property propertyName openerURL If coopOrigin and openerOrigin are same origin, this
is the sanitization of openerURL, null
otherwise. referrer serializedReferrer type " access-to-opener"coop"
for coop's reporting endpoint with
coopURL.key value disposition " reporting"effectivePolicy coopValue property coop's report-only
value openedWindowURL If coopOrigin and openedWindowOrigin are same origin, this
is the sanitization of openedWindowURL,
null otherwise. openedWindowInitialURL If coopOrigin and openerInitialOrigin are same origin,
this is the sanitization of
initialWindowURL, null otherwise. type " access-to-opener"coop"
for coop's reporting endpoint with
coopURL.key value disposition " reporting"effectivePolicy coop's report-only
value property propertyName otherURL If coopOrigin and otherOrigin are same origin, this
is the sanitization of otherURL, null
otherwise. type access-to-openercoop"
for coop's reporting endpoint with
coopURL.7.1.4 Cross-origin embedder policies
Firefox79+Safari15.2+Chrome83+
Opera?Edge83+
Edge (Legacy)?Internet ExplorerNo
Firefox Android?Safari iOS?Chrome Android?WebView Android86+Samsung Internet?Opera Android?unsafe-none""require-corp""credentialless"CORS
protocol or the `
credentialless", implementers are
strongly encouraged to support both:
credentialless" or "require-corp".unsafe-none".unsafe-none".coep" report type is a report type whose value
is "coep". It is visible to
ReportingObservers.7.1.4.1 The headers
Cross-Origin-Embedder-Policy` and
`Cross-Origin-Embedder-Policy-Report-Only` HTTP response
headers allow a server to declare an embedder policy for an environment
settings object. These headers are structured
headers whose values must be token. [STRUCTURED-FIELDS]
report-to" parameter can have a valid URL
string identifying an appropriate reporting endpoint. [REPORTING]
unsafe-none") in the presence of a header that cannot
be parsed as a token. This includes inadvertent lists created by combining multiple instances of
the `Cross-Origin-Embedder-Policy` header present in a given response:` Cross-Origin-Embedder-Policy`Final embedder policy value No header delivered " unsafe-none"` require-corp`" require-corp"` unknown-value`" unsafe-none"` require-corp, unknown-value`" unsafe-none"` unknown-value, unknown-value`" unsafe-none"` unknown-value, require-corp`" unsafe-none"` require-corp, require-corp`" unsafe-none"Cross-Origin-Embedder-Policy-Report-Only`.)
Cross-Origin-Embedder-Policy` and "item" from
response's header list.Cross-Origin-Embedder-Policy-Report-Only` and "item"
from response's header
list.report-to"] exists, then set policy's endpoint to
parsedItem[1]["report-to"].7.1.4.2 Embedder policy checks
navigation", parentPolicy's report only reporting endpoint,
"reporting", and navigable's container document's relevant settings
object.navigation", parentPolicy's reporting endpoint,
"enforce", and navigable's
container document's relevant settings
object.WorkerGlobalScope
workerGlobalScope, an environment settings object owner, and
a response response:DedicatedWorkerGlobalScope object,
then return true.worker
initialization", owner's policy's report only reporting endpoint,
"reporting", and owner.worker initialization", owner's policy's
reporting endpoint,
"enforce", and owner.key value type type blockedURL serialized disposition disposition coep" report type for endpoint on settings.
7.1.5 Sandboxing
target attribute or
the window.open() method.document.cookie IDL attribute, and blocks access
to localStorage.document.domain
browsing context flagdocument.domain setter.allow-popups keyword.allow-top-navigation
keyword.allow-top-navigation-by-user-activation
keyword or the allow-top-navigation keyword.allow-top-navigation is present, the allow-top-navigation-by-user-activation
keyword will have no effect. For this reason, specifying both is a document conformance error.allow-same-origin keyword.
allow-same-origin keyword
is intended for two cases.allow-forms keyword.allow-pointer-lock
keyword.allow-scripts keyword.allow-scripts keyword (defined above).allow-popups-to-escape-sandbox
keyword.allow-modals keyword.allow-orientation-lock
keyword.allow-presentation
keyword.allow-downloads keyword.allow-top-navigation-to-custom-protocols
keyword, the allow-popups keyword, or
the allow-top-navigation
keyword.
iframe element has an iframe sandboxing flag set,
which is a sandboxing flag set. Which flags in an iframe
sandboxing flag set are set at any particular time is determined by the iframe
element's sandbox attribute.Document has an active sandboxing flag set,
which is a sandboxing flag set. When the Document is created, its
active sandboxing flag set must be empty. It is populated by the navigation algorithm.enforce", then continue.sandbox",
then append that directive to
directives.
iframe sandboxing flag set.7.1.6 Policy containers
Document, a WorkerGlobalScope, or a WorkletGlobalScope.
It has the following items:blob", then return a clone of response's URL's blob URL
entry's environment's policy
container.unsafe-none".Referrer-Policy` header given response. [REFERRERPOLICY]about:srcdoc, then:WorkerGlobalScope workerGlobalScope, a response response, and an environment
environment:blob":