From 06b4d8a61d8f431f85681b709e03dabcfad1eb89 Mon Sep 17 00:00:00 2001
From: clamy <clamy@chromium.org>
Date: Mon, 4 May 2020 16:39:04 +0200
Subject: [PATCH 1/9] Add the Cross-Origin-Opener-Policy header

Fixes #3740. Closes #4580.

Need to check again if it closes them:

* #4921
* #5168
* #5172
* #5198 (probably not?)

Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
---
 source | 438 +++++++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 398 insertions(+), 40 deletions(-)

diff --git a/source b/source
index 06deb36ff95..527654e0dd4 100644
--- a/source
+++ b/source
@@ -2455,6 +2455,14 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li>`<dfn data-x="http-link" data-x-href="https://tools.ietf.org/html/rfc8288#section-3"><code>Link</code></dfn>` header</li>
     </ul>
 
+    <p>The following terms are defined in <cite>Structured Field Values for HTTP</cite>: <ref
+    spec=STRUCTURED-HEADERS></p>
+
+    <ul class="brief">
+     <li><dfn data-x="http-structured-header" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html">structured header</dfn></li>
+     <li><dfn data-x="http-structured-header-token" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html#token">structured header tokens</dfn></li>
+    </ul>
+
     <p>The following terms are defined in <cite>MIME Sniffing</cite>: <ref spec=MIMESNIFF></p>
 
     <ul class="brief">
@@ -2506,6 +2514,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
        <li><dfn data-x="concept-response-url-list" data-x-href="https://fetch.spec.whatwg.org/#concept-response-url-list">url list</dfn></li>
        <li><dfn data-x="concept-response-status" data-x-href="https://fetch.spec.whatwg.org/#concept-response-status">status</dfn></li>
        <li><dfn data-x="concept-response-header-list" data-x-href="https://fetch.spec.whatwg.org/#concept-response-header-list">header list</dfn></li>
+       <li><dfn data-x="concept-response-header-list-get-structured-header" data-x-href="https://fetch.spec.whatwg.org/#concept-header-list-get-structured-header">getting a structured header</dfn></li>
        <li><dfn data-x="concept-response-body" data-x-href="https://fetch.spec.whatwg.org/#concept-response-body">body</dfn></li>
        <li><dfn data-x="concept-internal-response" data-x-href="https://fetch.spec.whatwg.org/#concept-internal-response">internal response</dfn></li>
        <li><dfn data-x="concept-response-csp-list" data-x-href="https://fetch.spec.whatwg.org/#concept-response-csp-list">CSP list</dfn></li>
@@ -3797,11 +3806,12 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
    <dt>Secure Contexts</dt>
 
    <dd>
-    <p>The following algorithm is defined in <cite>Secure Contexts</cite>: <ref
+    <p>The following algorithms are defined in <cite>Secure Contexts</cite>: <ref
     spec="SECURE-CONTEXTS"></p>
 
     <ul class="brief">
      <li><dfn data-x-href="https://w3c.github.io/webappsec-secure-contexts/#settings-object">Is environment settings object a secure context?</dfn></li>
+     <li><dfn data-x-href="https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-url">Is url potentially trustworthy?</dfn></li>
     </ul>
    </dd>
 
@@ -3915,7 +3925,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
    <dt>Cooperative Scheduling of Background Tasks</dt>
 
    <dd>
-    <p>The following features is defined in <cite>Cooperative Scheduling of Background Tasks</cite>:
+    <p>The following features are defined in <cite>Cooperative Scheduling of Background Tasks</cite>:
     <ref spec=REQUESTIDLECALLBACK></p>
 
     <ul class="brief">
@@ -3923,6 +3933,19 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x-href="https://w3c.github.io/requestidlecallback/#start-an-idle-period-algorithm">start an idle period algorithm</dfn></li>
     </ul>
    </dd>
+
+   <dt>Cross-Origin Embedder Policy</dt>
+
+   <dd>
+    <p>The following features are defined in <cite>Cross-Origin Embedder Policy</cite>: <ref
+    spec=COEP></p>
+
+    <ul class="brief">
+     <li>`<dfn data-x-href="https://wicg.github.io/cross-origin-embedder-policy/#http-headerdef-cross-origin-embedder-policy"><code>Cross-Origin-Embedder-Policy</code></dfn>` header</li>
+     <li><dfn data-x="obtain-cross-origin-embedder-policy" data-x-href="https://wicg.github.io/cross-origin-embedder-policy/#abstract-opdef-obtain-a-responses-embedder-policy">obtain a response's embedder policy</dfn></li>
+    </ul>
+   </dd>
+
   </dl>
 
   <hr>
@@ -9013,9 +9036,12 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
   data-dfn-for="Document">feature policy</dfn>, which is a <span
   data-x="concept-feature-policy">feature policy</span>, which is initially empty.</p>
 
-  <p>The <code>Document</code> has a <dfn data-dfn-for="Document"
-  data-x="concept-document-module-map">module map</dfn>, which is a <span>module map</span>,
-  initially empty.</p>
+  <p>The <code>Document</code> has a <dfn data-x="concept-document-module-map">module map</dfn>,
+  which is a <span>module map</span>, initially empty.</p>
+
+  <p>The <code>Document</code> has a <dfn data-x="concept-document-coop">cross-origin opener
+  policy</dfn>, which is a <span>cross-origin opener policy</span>, initially "<code
+  data-x="coop-unsafe-none">unsafe-none</code>".</p>
 
   <h4>The <code>DocumentOrShadowRoot</code> interface</h4>
 
@@ -76617,13 +76643,23 @@ popup4.close();</code></pre></div>
    settings object">setting up a window environment settings object</span> with <var>realm execution
    context</var>, null, <var>topLevelCreationURL</var>, and <var>topLevelOrigin</var>.</p></li>
 
+   <li><p>Let <var>coop</var> be "<code data-x="coop-unsafe-none">unsafe-none</code>".</p></li>
+
+   <li><p>If <var>creator</var> is non-null and <var>creator</var>'s <span>origin</span> is
+   <span>same origin</span> with <var>creator</var>'s <span>relevant settings object</span>'s
+   <span>top-level origin</span>, then set <var>coop</var> to <var>creator</var>'s <span
+   data-x="concept-document-bc">browsing context</span>'s <span>top-level browsing context</span>'s
+   <span>active document</span>'s <span data-x="concept-document-coop">cross-origin opener
+   policy</span>.</p></li>
+
    <li><p>Let <var>document</var> be a new <code>Document</code>, marked as an <span data-x="HTML
    documents">HTML document</span> in <span>quirks mode</span>, whose <span
    data-x="concept-document-content-type">content type</span> is "<code data-x="">text/html</code>",
    <span>origin</span> is <var>origin</var>, <span>active sandboxing flag set</span> is
    <var>sandboxFlags</var>, <span data-x="concept-document-feature-policy">feature policy</span> is
-   <var>feature policy</var>, and which is both <span>ready for post-load tasks</span> and
-   <span>completely loaded</span> immediately.</p></li>
+   <var>feature policy</var>, <span data-x="concept-document-coop">cross-origin opener policy</span>
+   is <var>coop</var>, and which is both <span>ready for post-load tasks</span> and <span>completely
+   loaded</span> immediately.</p></li>
 
    <li><p>Ensure that <var>document</var> has a single child <code>html</code> node, which itself
    has two empty child nodes: a <code>head</code> element, and a <code>body</code> element.</p></li>
@@ -77169,6 +77205,13 @@ console.assert(iframeWindow.frameElement === null);
   keys</span> to <span data-x="agent cluster">agent clusters</span>). User agents are responsible
   for collecting agent clusters when it is deemed that nothing can access them anymore.</p>
 
+  <p>A <span>browsing context group</span> has a <dfn data-x="bcg cross-origin
+  isolated">cross-origin isolated</dfn> boolean. It is initially false.</p>
+
+  <p class="XXX">The impact of <span data-x="bcg cross-origin isolated">cross-origin
+  isolated</span> is under discussion in <a href="https://github.com/whatwg/html/pull/4734">issue
+  #4734</a>.</p>
+
   <p>To <dfn data-x="creating a new browsing context group">create a new browsing context
   group</dfn>, run these steps:</p>
 
@@ -77467,6 +77510,29 @@ console.assert(iframeWindow.frameElement === null);
 
      <dd>
       <ol>
+       <li>
+        <p>If <var>current</var>'s <span>top-level browsing context</span>'s <span>active
+        document</span>'s <span data-x="concept-document-coop">cross-origin opener policy</span> is
+        "<code data-x="coop-same-origin">same-origin</code>" or "<code
+        data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>", then:</p>
+
+        <ol>
+         <li><p>Let <var>currentDocument</var> be <var>current</var>'s <span>active
+         document</span>.</p></li>
+
+         <li>
+          <p>If <var>currentDocument</var>'s <span>origin</span> is not <span>same origin</span>
+          with <var>currentDocument</var>'s <span>relevant settings object</span>'s <span>top-level
+          origin</span>, then set <var>noopener</var> to true and <var>name</var> to "<code
+          data-x="">_blank</code>".</p>
+
+          <p class="note">In the presence of a <span>cross-origin opener policy</span>, nested
+          documents that are cross-origin with their top-level browsing context's active document
+          always set <var>noopener</var> to true.</p>
+         </li>
+        </ol>
+       </li>
+
        <li><p>Set <var>new</var> to true.</p></li>
 
        <li id="noopener"><p>If <var>noopener</var> is true, then set <var>chosen</var> to the result
@@ -79900,6 +79966,215 @@ interface <dfn>BarProp</dfn> {
 
 
 
+  <h3>Cross-origin opener policies</h3>
+
+  <p>A <dfn>cross-origin opener policy</dfn> allows a document which is navigated to in a
+  <span>top-level browsing context</span> to force the creation of a new <span>top-level browsing
+  context</span>, and a corresponding <span data-x="tlbc group">group</span>. It has one of the
+  following values:</p>
+
+  <dl>
+   <dt>"<dfn><code data-x="coop-unsafe-none">unsafe-none</code></dfn>"</dt>
+   <dd><p>This is the (current) default and means that the document will occupy the same
+   <span>top-level browsing context</span> as its predecessor, unless that document specified a
+   different <span>cross-origin opener policy</span>.</p></dd>
+
+   <dt>"<dfn><code data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code></dfn>"</dt>
+   <dd><p>This forces the creation of a new <span>top-level browsing context</span> for the
+   document, unless its predecessor specified the same <span>cross-origin opener policy</span> and
+   they are <span>same origin</span>.</p></dd>
+
+   <dt>"<dfn><code data-x="coop-same-origin">same-origin</code></dfn>"</dt>
+   <dd><p>This behaves the same as "<code
+   data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code>", with the addition any
+   <span>auxiliary browsing context</span> created needs to contain <span>same origin</span>
+   documents that also have the same <span>cross-origin opener policy</span> or it will appear
+   closed to the opener.</p></dd>
+
+   <dt>"<dfn><code data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code></dfn>"</dt>
+   <dd>
+    <p>This behaves the same as "<code data-x="coop-same-origin">same-origin</code>", with the
+    addition that it sets the (new) <span>top-level browsing context</span>'s <span data-x="tlbc
+    group">group</span>'s <span data-x="bcg cross-origin isolated">cross-origin isolated</span> to
+    true.</p>
+
+    <p class="note">"<code data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>" cannot
+    be directly set via the `<code
+    data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` header, but results
+    from a combination of setting both `<code data-x=""><span
+    data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</span>: <span
+    data-x="coop-same-origin">same-origin</span></code>` and `<code
+    data-x=""><span>Cross-Origin-Embedder-Policy</span>: require-corp</code>` together.</p>
+   </dd>
+  </dl>
+
+  <p>To <dfn data-x="matching-coop">match cross-origin opener policies</dfn>, given a
+  <span>cross-origin opener policy</span> <var>A</var>, an <span>origin</span> <var>originA</var>, a
+  <span>cross-origin opener policy</span> <var>B</var>, and an <span>origin</span>
+  <var>originB</var>:</p>
+
+  <ol>
+   <li><p>If <var>A</var> is "<code data-x="coop-unsafe-none">unsafe-none</code>" and <var>B</var>
+   is "<code data-x="coop-unsafe-none">unsafe-none</code>", then return true.</p></li>
+
+   <li><p>If <var>A</var> is "<code data-x="coop-unsafe-none">unsafe-none</code>" or <var>B</var> is
+   "<code data-x="coop-unsafe-none">unsafe-none</code>", then return false.</p></li>
+
+   <li><p>If <var>A</var> is <var>B</var> and <var>originA</var> is <span>same origin</span> with
+   <var>originB</var>, then return true.</p></li>
+
+   <li><p>Return false.</p></li>
+  </ol>
+
+  <h4>Cross-Origin-Opener-Policy header</h4>
+
+  <p>A <code>Document</code>'s <span data-x="concept-document-coop">cross-origin opener
+  policy</span> is derived from the `<code
+  data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` HTTP response header.
+  This header is a <span data-x="http-structured-header">structured header</span> whose value must
+  be a <span data-x="http-structured-header-token">token</span>. <ref spec=STRUCTURED-HEADERS></p>
+
+  <p>The valid <span data-x="http-structured-header-token">token</span> values are "<code
+  data-x="coop-unsafe-none">unsafe-none</code>", "<code
+  data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code>", and "<code
+  data-x="coop-same-origin">same-origin</code>".</p>
+
+  <p class="note">Per the processing model described below, user agents will ignore this header if
+  it contains an invalid value. Likewise, user agents will ignore this header if the value cannot be
+  parsed as a <span data-x="http-structured-header-token">token</span>.</p>
+
+  <hr>
+
+  <p>To <dfn data-x="obtain-coop">obtain a cross-origin opener policy</dfn> from a <span
+  data-x="concept-response">response</span> <var>response</var>:</p>
+
+  <ol>
+   <li><p>Let <var>securityState</var> be the result of executing <span>Is url potentially
+   trustworthy?</span> on <var>response</var>'s <span
+   data-x="concept-response-url">url</span>.</p></li>
+   <!-- See https://github.com/whatwg/html/issues/5558 about refactoring this. -->
+
+   <li><p>If <var>securityState</var> is "<code data-x="">Not Trustworthy</code>", then return
+   "<code data-x="coop-unsafe-none">unsafe-none</code>".</p> </li>
+
+   <li><p>Let <var>value</var> be the result of <span
+   data-x="concept-response-header-list-get-structured-header">getting a structured header</span>
+   given `<code data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` and
+   "<code data-x="">item</code>" from <var>response</var>'s <span
+   data-x="concept-response-header-list">header list</span>.</p></li>
+
+   <li><p>If <var>value</var> is failure or null, then return "<code
+   data-x="coop-unsafe-none">unsafe-none</code>".</p></li>
+
+   <li><p>If <var>value</var>[0] is not "<code data-x="coop-same-origin">same-origin</code>" or
+   "<code data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code>", then return
+   "<code data-x="coop-unsafe-none">unsafe-none</code>".</p></li>
+
+   <li>
+    <p>If <var>value</var>[0] is "<code data-x="coop-same-origin">same-origin</code>", then:</p>
+
+    <ol>
+     <li><p>Let <var>coep</var> be the result of <span
+     data-x="obtain-cross-origin-embedder-policy">obtaining a cross-origin embedder
+     policy</span> from <var>response</var>.</p></li>
+
+     <li><p>If <var>coep</var> is "<code data-x="">require-corp</code>", then return "<code
+     data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>".</p></li>
+    </ol>
+   </li>
+
+   <li><p>Return <var>value</var>[0].</p></li>
+  </ol>
+
+  <h4>Browsing context group switches due to cross-origin opener policy</h4>
+
+  <p>To <dfn data-x="check-browsing-context-group-switch-response">check if a response requires a
+  browsing context group switch</dfn>, given a <span>browsing context</span>
+  <var>browsingContext</var>, an <span>origin</span> <var>responseOrigin</var> and a
+  <span>cross-origin opener policy</span> <var>responseCOOP</var>, run the followign steps:</p>
+
+  <ol>
+   <li><p>Let <var>activeDocumentNavigationOrigin</var> be <var>browsingContext</var>'s <span>active
+   document</span>'s <span>origin</span>.</p></li>
+
+   <li><p>Let <var>activeDocumentCOOP</var> be <var>browsingContext</var>'s <span>active
+   document</span>'s <span data-x="concept-document-coop"> cross-origin opener
+   policy</span>.</p></li>
+
+   <li><p>Let <var>isInitialAboutBlank</var> be false.</p></li>
+
+   <li><p>If <var>browsingContext</var>'s only entry in its <span>session history</span> is the
+   <code>about:blank</code> <code>Document</code> that was added when <var>browsingContext</var> was
+   <span data-x="creating a new browsing context">created</span>, then set
+   <var>isInitialAboutBlank</var> to true.</p></li>
+
+   <li><p>If the result of <span data-x="matching-coop">matching</span>
+   <var>activeDocumentCOOP</var>, <var>activeDocumentNavigationOrigin</var>,
+   <var>responseCOOP</var> and <var>responseOrigin</var> is true, then return false.</p></li>
+
+   <li>
+    <p>If all of the following are true:</p>
+
+    <ul>
+     <li><p><var>isInitialAboutBlank</var></p></li>
+
+     <li><p><var>activeDocumentCOOP</var> is "<code
+     data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code>".</p></li>
+
+     <li><p><var>responseCOOP</var> is "<code
+     data-x="coop-unsafe-none">unsafe-none</code>".</p></li>
+    </ul>
+
+    <p>then return false.</p>
+   </li>
+
+   <li><p>Return true.</p></li>
+  </ol>
+
+  <p>To <dfn data-x="obtain-browsing-context-navigation">obtain a browsing context to use for a
+  navigation response</dfn>, given a <span data-x="browsing context">browsing context</span>
+  <var>browsingContext</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>, and a
+  <span>cross-origin opener policy</span> <var>navigationCOOP</var>:</p>
+
+  <ol>
+   <li><p>Assert <var>browsingContext</var> is a <span>top-level browsing context</span>.</p></li>
+
+   <li><p>Let <var>newBrowsingContext</var> be the result of <span>creating a new top-level browsing
+   context</span>.</p></li>
+
+   <li><p>If <var>navigationCOOP</var> is "<code
+   data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>", then set
+   <var>newBrowsingContext</var>'s <span data-x="tlbc group">group</span>'s <span data-x="bcg
+   cross-origin isolated">cross-origin isolated</span> to true.</p></li>
+
+   <li>
+    <p>If <var>sandboxFlags</var> is not empty, then:</p>
+    <ol>
+     <li><p>Assert: <var>navigationCOOP</var> is "<code
+     data-x="coop-unsafe-none">unsafe-none</code>".</p></li>
+
+     <li><p>Set <var>newBrowsingContext</var>'s <span>sandboxing flag set</span> to
+     <var>sandboxFlags</var>.</p></li>
+    </ol>
+   </li>
+
+   <li>
+    <p><span data-x="a browsing context is discarded">Discard</span> <var>browsingContext</var>.</p>
+
+    <p class="note">This does not close <var>browsingContext</var>'s <span data-x="tlbc
+    group">group</span>, unless <var>browsingContext</var> was its sole <span>top-level browsing
+    context</span>.</p>
+   </li>
+
+   <li><p>Return <var>newBrowsingContext</var>.</p></li>
+  </ol>
+
+  <p class="XXX">The impact of swapping browsing context groups following a navigation is not
+  defined. It is currently under discussion in <a
+  href="https://github.com/whatwg/html/issues/5350">issue #5350</a>.</p>
+
+
+
   <h3 split-filename="history" id="history">Session history and navigation</h3>
 
   <h4>Browsing sessions</h4>
@@ -81826,6 +82101,14 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
 
    <li><p>Let <var>reservedEnvironment</var> be null.</p></li>
 
+   <li><p>Let <var>responseOrigin</var> be null.
+
+   <li><p>Let <var>browsingContextSwitchNeeded</var> be false.</p></li>
+
+   <li><p>Let <var>finalSandboxFlags</var> be an empty <span>sandboxing flag set</span>.</p></li>
+
+   <li><p>Let <var>responseCOOP</var> be "<code data-x="">unsafe-none</code>".</p></li>
+
    <li>
     <p>While true:</p>
 
@@ -81911,6 +82194,43 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
        source</span> to <span>process response</span> and set <var>response</var> to the
        result.</p></li>
 
+       <li><p>Set <var>finalSandboxFlags</var> to the union of <var>browsingContext</var>'s
+       <span>sandboxing flag set</span> and <var>response</var>'s <span>forced sandboxing flag
+       set</span>.</p></li>
+
+       <li><p>Set <var>responseOrigin</var> to the result of <span>determining the origin</span>
+       given <var>browsingContext</var>, <var>request's</var> <span
+       data-x="concept-request-url">url</span>, <var>finalSandboxFlags</var>,
+       <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>.</p></li>
+
+       <li>
+        <p>If <var>browsingContext</var> is a <span>top-level browsing context</span>, then: </p>
+
+        <ol>
+         <li><p>Set <var>responseCOOP</var> to the result of <span data-x="obtain-coop">obtaining a
+         cross-origin opener policy</span> given <var>response</var> and
+         <var>responseOrigin</var>.</p></li>
+
+         <li>
+          <p>If <var>sandboxFlags</var> is not empty and <var>responseCOOP</var> is not "<code
+	  data-x="coop-unsafe-none">unsafe-none</code>", then set <var>response</var> to an
+          appropriate <span>network error</span> and return.</p>
+
+	  <p class="note">This results in a network error as one cannot simultaneously provide a
+	  clean slate to a response using cross-origin opener policy and sandbox the result of
+          navigating to that response.</p>
+         </li>
+
+         <li><p>Let <var>responseRequiresBrowsingContexGroupSwitch</var> be the result of <span
+	 data-x="check-browsing-context-group-switch-response">checking if the response requires a
+	 browsing context group switch</span> given <var>browsingContext</var>,
+         <var>responseOrigin</var>, and <var>responseCOOP</var>.</p></li>
+
+         <li><p>If <var>responseRequiresBrowsingContextGroupSwitch</var> is true, set
+         <var>browsingContextSwitchNeeded</var> to true.</p></li>
+        </ol>
+       </li>
+
        <li>
         <p>If <var>response</var> does not have a <span
         data-x="concept-response-location-url">location URL</span> or the <span
@@ -81922,6 +82242,8 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
         the web platform that cares for redirects to <code data-x="mailto protocol">mailto:</code>
         URLs and such.</p>
        </li>
+
+       <li><p>If <var>response</var> is a <span>network error</span>, then <span>break</span>.
       </ol>
      </li>
     </ol>
@@ -82010,17 +82332,20 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
 
    <li><p>Run <span>process a navigate response</span> given <var>request</var>,
    <var>response</var>, <var>navigationType</var>, the <span>source browsing context</span>,
-   <var>browsingContext</var>, <var>incumbentNavigationOrigin</var>,
-   <var>activeDocumentNavigationOrigin</var>, and <var>reservedEnvironment</var>.</p></li>
+   <var>browsingContext</var>, <var>finalSandboxFlages</var>, <var>responseOrigin</var>, <var>incumbentNavigationOrigin</var>,
+   <var>activeDocumentNavigationOrigin</var>, <var>responseCOOP</var>,
+   <var>browsingContextSwitchNeeded</var> and <var>reservedEnvironment</var>.</p></li>
   </ol>
 
   <p>To <dfn data-export="">process a navigate response</dfn>, given null or a <span
   data-x="concept-request">request</span> <var>request</var>, a <span
   data-x="concept-response">response</span> <var>response</var>, a string <var>navigationType</var>,
   two <span data-x="browsing context">browsing contexts</span> <var>source</var> and
-  <var>browsingContext</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>, two
-  <span data-x="origin">origins</span> <var>incumbentNavigationOrigin</var> and
-  <var>activeDocumentNavigationOrigin</var>, and null or an <span>environment</span>
+  <var>browsingContext</var>, a <span>sandboxing flag set</span> <var>finalSandboxFlags</var>, three
+  <span data-x="origin">origins</span> <var>finalResponseOrigin</var>,
+  <var>incumbentNavigationOrigin</var> and <var>activeDocumentNavigationOrigin</var>, a
+  <span>cross-origin opener policy</span> <var>responseCOOP</var>, a boolean
+  <var>browsingContextSwitchNeeded</var>, and null or an <span>environment</span>
   <var>reservedEnvironment</var>, run these steps:</p>
 
   <ol>
@@ -82075,17 +82400,19 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
      <dt>an <span>HTML MIME type</span></dt>
      <dd>Follow the steps given in the <span data-x="navigate-html">HTML document</span> section
      providing <var>browsingContext</var>, <var>request</var>, <var>response</var>,
-     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>,
-     <var>activeDocumentNavigationOrigin</var>, and <var>reservedEnvironment</var>. Once the steps
-     have completed, return.</dd>
+     <var>finalSandboxFlags</var>, <var>finalResponseOrigin</var>,
+     <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>,
+     <var>reservedEnvironment</var>, <var>responseCOOP</var>, and
+     <var>browsingContextSwitchNeeded</var>. Once the steps have completed, return.</dd>
 
      <dt>an <span>XML MIME type</span> that is not an <span>explicitly supported XML MIME
      type</span></dt>
      <dd>Follow the steps given in the <span data-x="navigate-xml">XML document</span> section
      providing <var>browsingContext</var>, <var>type</var>, <var>request</var>, <var>response</var>,
-     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>,
-     <var>activeDocumentNavigationOrigin</var>, and <var>reservedEnvironment</var>. Once the steps
-     have completed, return.</dd>
+     <var>finalSandboxFlags</var>, <var>finalResponseOrigin</var>,
+     <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>,
+     <var>reservedEnvironment</var>, <var>responseCOOP</var>, and
+     <var>browsingContextSwitchNeeded</var>. Once the steps have completed, return.</dd>
 
      <dt>a <span>JavaScript MIME type</span></dt>
      <dt>a <span>JSON MIME type</span> that is not an <span>explicitly supported JSON MIME
@@ -82104,24 +82431,27 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
      <dd>Follow the steps given in the <span
      data-x="navigate-multipart-x-mixed-replace">multipart/x-mixed-replace</span> section providing
      <var>browsingContext</var>, <var>type</var>, <var>request</var>, <var>response</var>,
-     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>,
-     <var>activeDocumentNavigationOrigin</var>, and <var>reservedEnvironment</var>. Once the steps
-     have completed, return.</dd>
+     <var>finalSandboxFlags</var>, <var>finalResponseOrigin</var>,
+     <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>,
+     <var>reservedEnvironment</var>, <var>responseCOOP</var>, and
+     <var>browsingContextSwitchNeeded</var>. Once the steps have completed, return.</dd>
 
      <dt>A supported image, video, or audio type</dt>
      <dd>Follow the steps given in the <span data-x="navigate-media">media</span> section providing
      <var>browsingContext</var>, <var>type</var>, <var>request</var>, <var>response</var>,
-     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>,
-     <var>activeDocumentNavigationOrigin</var>, and <var>reservedEnvironment</var>. Once the steps
-     have completed, return.</dd>
+     <var>finalSandboxFlags</var>, <var>finalResponseOrigin</var>,
+     <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>,
+     <var>reservedEnvironment</var>, <var>responseCOOP</var>, and
+     <var>browsingContextSwitchNeeded</var>. Once the steps have completed, return.</dd>
 
      <dt>A type that will use an external application to render the content in
      <var>browsingContext</var></dt>
      <dd>Follow the steps given in the <span data-x="navigate-plugin">plugin</span> section
      providing <var>browsingContext</var>, <var>type</var>, <var>request</var>, <var>response</var>,
-     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>,
-     <var>activeDocumentNavigationOrigin</var>, and <var>reservedEnvironment</var>. Once the steps
-     have completed, return.</dd>
+     <var>finalSandboxFlags</var>, <var>finalResponseOrigin</var>,
+     <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>,
+     <var>reservedEnvironment</var>, <var>responseCOOP</var>, and
+     <var>browsingContextSwitchNeeded</var>. Once the steps have completed, return.</dd>
     </dl>
 
     <p>An <dfn>explicitly supported XML MIME type</dfn> is an <span>XML MIME type</span> for which
@@ -82293,18 +82623,16 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
   data-x="concept-request">request</span> <var>request</var>, a <span
   data-x="concept-response">response</span> <var>response</var>, a <span data-x="browsing
   context">browsing context</span> <var>browsingContext</var>, a <span>sandboxing flag set</span>
-  <var>sandboxFlags</var>, two <span data-x="origin">origins</span>
-  <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, and null or an
-  <span>environment</span> <var>reservedEnvironment</var>:</p>
+  <var>finalSandboxFlags</var>, three <span data-x="origin">origins</span> <var>origin</var>,
+  <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, null or an
+  <span>environment</span> <var>reservedEnvironment</var>, a <span>cross-origin opener policy</span>
+  <var>navigationCOOP</var>, and a boolean <var>browsingContextSwitchNeeded</var>:</p>
 
   <ol>
-   <li><p>Let <var>finalSandboxFlags</var> be the union of <var>sandboxFlags</var> and
-   <var>response</var>'s <span>forced sandboxing flag set</span>.</p></li>
-
-   <li><p>Let <var>origin</var> be the result of <span>determining the origin</span> given
-   <var>browsingContext</var>, <var>request's</var> <span data-x="concept-request-url">url</span>,
-   <var>finalSandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
-   <var>activeDocumentNavigationOrigin</var>.
+   <li><p>If <var>browsingContextSwitchNeeded</var> is true, set <var>browsingContext</var> to the
+   result of the <span data-x="obtain-browsing-context-navigation">obtain a browsing context to use
+   for a navigation response</span> algorithm, given <var>browsingContext</var>,
+   <var>finalSandboxFlagSet</var>, and <var>navigationCOOP</var>.</p></li>
 
    <li>
     <p>Let <var>featurePolicy</var> be the result of <span>creating a feature policy from a
@@ -82316,7 +82644,7 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
      <var>origin</var>. If <code data-x="dom-document-domain">document.domain</code> has been used
      for the <var>browsingContext</var> <span data-x="bc-container-document">container
      document</span>, then its <span>origin</span> cannot be <span>same origin-domain</span> with
-     <var>>origin</var>, because these steps run before the <var>document</var> is created, so it
+     <var>origin</var>, because these steps run before the <var>document</var> is created, so it
      cannot itself yet have used <code data-x="dom-document-domain">document.domain</code>. Note
      that this means that Feature Policy checks are less permissive compared to doing a <span>same
      origin</span> check instead.</p>
@@ -82388,8 +82716,9 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
    data-x="concept-document-type">type</span> is <var>type</var>, <span
    data-x="concept-document-content-type">content type</span> is <var>contentType</var>,
    <span>origin</span> is <var>origin</var>, <span data-x="concept-document-feature-policy">feature
-   policy</span> is <var>featurePolicy</var>, and <span>active sandboxing flag set</span> is
-   <var>finalSandboxFlags</var>.</p></li>
+   policy</span> is <var>featurePolicy</var>, <span>active sandboxing flag set</span> is
+   <var>finalSandboxFlags</var>, and <span data-x="concept-document-coop">cross-origin opener
+   policy</span> is <var>navigationCOOP</var>.</p></li>
 
    <li id="set-the-document's-address"><p>Set <var>document</var>'s <span
    data-x="concept-document-url">URL</span> to <var>creationURL</var>.</p></li>
@@ -115822,6 +116151,29 @@ interface <dfn>External</dfn> {
   <code>text/event-stream</code> resources.</p>
 
 
+  <h3>`<dfn><code data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code></dfn>`</h3>
+
+  <p>This section describes a header for registration in the Permanent Message Header Field
+  Registry. <ref spec=RFC3864></p>
+
+  <dl>
+   <dt>Header field name:</dt>
+   <dd>Cross-Origin-Opener-Policy</dd>
+   <dt>Applicable protocol:</dt>
+   <dd>http</dd>
+   <dt>Status:</dt>
+   <dd>standard</dd>
+   <dt>Author/Change controller:</dt>
+   <dd>WHATWG</dd>
+   <dt>Specification document(s):</dt>
+   <dd>
+    This document is the relevant specification.
+   </dd>
+   <dt>Related information:</dt>
+   <dd>None.</dd>
+  </dl>
+
+
   <h3 id="ping-from">`<dfn><code data-x="http-ping-from">Ping-From</code></dfn>`</h3>
 
   <p>This section describes a header for registration in the Permanent Message Header Field
@@ -120496,6 +120848,9 @@ INSERT INTERFACES HERE
    <dt id="refsCOMPUTABLE">[COMPUTABLE]</dt>
    <dd>(Non-normative) <cite><a href="http://www.turingarchive.org/browse.php/B/12">On computable numbers, with an application to the Entscheidungsproblem</a></cite>, A. Turing. In <cite>Proceedings of the London Mathematical Society</cite>, series 2, volume 42, pages 230-265. London Mathematical Society, 1937.</dd>
 
+   <dt id="refsCOEP">[COEP]</dt>
+   <dd><cite><a href="https://wicg.github.io/cross-origin-embedder-policy/">Cross-Origin Embedder Policy</a></cite>, M. West. WICG.</dd>
+
    <dt id="refsCOOKIES">[COOKIES]</dt>
    <dd><cite><a href="https://tools.ietf.org/html/rfc6265">HTTP State Management Mechanism</a></cite>, A. Barth. IETF.</dd>
 
@@ -120884,6 +121239,9 @@ INSERT INTERFACES HERE
    <dt id="refsSMS">[SMS]</dt>
    <dd>(Non-normative) <cite><a href="https://tools.ietf.org/html/rfc5724">URI Scheme for Global System for Mobile Communications (GSM) Short Message Service (SMS)</a></cite>, E. Wilde, A. Vaha-Sipila. IETF.</dd>
 
+   <dt id="refsSTRUCTURED-HEADERS">[STRUCTURED-HEADERS]</dt>
+   <dd><cite><a href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html">Structured Field Values for HTTP</a></cite>, M. Nottingham, P. Kamp. IETF.</dd>
+
    <dt id="refsSRGB">[SRGB]</dt>
    <dd><cite lang="en-GB"><a href="https://webstore.iec.ch/publication/6169">IEC 61966-2-1: Multimedia systems and equipment &mdash; Colour measurement and management &mdash; Part 2-1: Colour management &mdash; Default RGB colour space &mdash; sRGB</a></cite>. IEC.</dd>
 

From 01597c5cc3d4341319cf657c81f11d1eca7f2699 Mon Sep 17 00:00:00 2001
From: clamy <clamy@chromium.org>
Date: Wed, 10 Jun 2020 14:38:11 +0200
Subject: [PATCH 2/9] Fix plumbing of extra parameters in processing models

---
 source | 87 +++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 49 insertions(+), 38 deletions(-)

diff --git a/source b/source
index 527654e0dd4..2c3c57a51b1 100644
--- a/source
+++ b/source
@@ -82423,9 +82423,10 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
      <dt>"<code>text/vtt</code>"</dt>
      <dd>Follow the steps given in the <span data-x="navigate-text">plain text file</span> section
      providing <var>browsingContext</var>, <var>type</var>, <var>request</var>, <var>response</var>,
-     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>,
-     <var>activeDocumentNavigationOrigin</var>, and <var>reservedEnvironment</var>. Once the steps
-     have completed, return.</dd>
+     <var>finalSandboxFlags</var>,<var>finalResponseOrigin</var>,
+     <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>,
+     <var>reservedEnvironment</var>, <var>responseCOOP</var>, and
+     <var>browsingContextSwitchNeeded</var>. Once the steps have completed, return.</dd>
 
      <dt>"<code>multipart/x-mixed-replace</code>"</dt>
      <dd>Follow the steps given in the <span
@@ -82918,18 +82919,20 @@ new PaymentRequest(&hellip;); // Allowed to use
   <h4 id="read-html">Page load processing model for HTML files</h4>
 
   <p>When <dfn data-x="navigate-html">an HTML document is to be loaded</dfn>, given a
-  <var>browsingContext</var>, <var>request</var>, <var>response</var>, <var>sandboxFlags</var>,
-  <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, and
-  <var>environment</var>, the user agent must <span>queue a task</span> on the <span>networking task
-  source</span> to:</p>
+  <var>browsingContext</var>, <var>request</var>, <var>response</var>, <var>finalSandboxFlags</var>,
+  <var>finalResponseOrigin</var>, <var>incumbentNavigationOrigin</var>,
+  <var>activeDocumentNavigationOrigin</var>, <var>environment</var>, <var>responseCOOP</var>, and
+  <var>browsingContextSwitchNeeded</var> the user agent must <span>queue a task</span> on the
+  <span>networking task source</span> to:</p>
 
   <ol>
    <li><p>Let <var>document</var> be the result of <span
    data-x="create-the-document-object">creating and initializing a <code>Document</code>
    object</span> providing "<code data-x="">html</code>", "<code data-x="">text/html</code>",
-   <var>request</var>, <var>response</var>, <var>browsingContext</var>, <var>sandboxFlags</var>,
-   <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, and
-   <var>environment</var>.</p></li>
+   <var>request</var>, <var>response</var>, <var>browsingContext</var>, <var>finalSandboxFlags</var>,
+   <var>finalResponseOrigin</var>, <var>incumbentNavigationOrigin</var>,
+   <var>activeDocumentNavigationOrigin</var>, <var>environment</var>, <var>responseCOOP</var>, and
+   <var>browsingContextSwitchNeeded</var>.</p></li>
 
    <li>
     <p>Create an <span>HTML parser</span> and associate it with the <var>document</var>.  Each
@@ -82963,16 +82966,18 @@ new PaymentRequest(&hellip;); // Allowed to use
   <h4 id="read-xml"><dfn data-x="navigate-xml">Page load processing model for XML files</dfn></h4>
 
   <p>When faced with displaying an XML file inline, provided <var>browsingContext</var>,
-  <var>request</var>, <var>response</var>, <var>sandboxFlags</var>,
-  <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, and
-  <var>environment</var>, user agents must follow the requirements defined in <cite>XML</cite> and
-  <cite>Namespaces in XML</cite>, <cite>XML Media Types</cite>, <cite>DOM</cite>, and other relevant
-  specifications to <span data-x="create-the-document-object">create and initialize a
-  <code>Document</code> object</span> providing "<code data-x="">xml</code>", <var>type</var>,
-  <var>request</var>, <var>response</var>, <var>browsingContext</var>, <var>sandboxFlags</var>,
-  <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, and
-  <var>environment</var>. It must also create and a corresponding <span>XML parser</span>. <ref
-  spec=XML> <ref spec=XMLNS> <ref spec=RFC7303> <ref spec=DOM></p>
+  <var>request</var>, <var>response</var>, <var>finalSandboxFlags</var>,
+  <var>finalResponseOrigin</var>, <var>incumbentNavigationOrigin</var>,
+  <var>activeDocumentNavigationOrigin</var>, <var>environment</var>,<var>responseCOOP</var>, and
+  <var>browsingContextSwitchNeeded</var> user agents must follow the requirements defined in
+  <cite>XML</cite> and <cite>Namespaces in XML</cite>, <cite>XML Media Types</cite>, <cite>DOM</cite>,
+  and other relevant specifications to <span data-x="create-the-document-object">create and
+  initialize a <code>Document</code> object</span> providing "<code data-x="">xml</code>",
+  <var>type</var>, <var>request</var>, <var>response</var>, <var>browsingContext</var>,
+  <var>finalSandboxFlags</var>, <var>finalResponseOrigin</var> <var>incumbentNavigationOrigin</var>,
+  <var>activeDocumentNavigationOrigin</var>, <var>environment</var>, <var>responseCOOP</var>. and
+  <var>browsingContextSwitchNeeded</var>. It must also create and a corresponding <span>XML
+  parser</span>. <ref spec=XML> <ref spec=XMLNS> <ref spec=RFC7303> <ref spec=DOM></p>
 
   <p class="note">At the time of writing, the XML specification community had not actually yet
   specified how XML and the DOM interact.</p> <!--XMLPARSE-->
@@ -83017,18 +83022,20 @@ new PaymentRequest(&hellip;); // Allowed to use
   <h4 id="read-text"><dfn data-x="navigate-text">Page load processing model for text files</dfn></h4>
 
   <p>When a plain text document is to be loaded, provided a <var>browsingContext</var>,
-  <var>request</var>, <var>response</var>, <var>sandboxFlags</var>,
-  <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, and
-  <var>environment</var>, the user agent must <span>queue a task</span> on the <span>networking task
-  source</span> to:
+  <var>request</var>, <var>response</var>, <var>finalSandboxFlags</var>,
+  <var>finalResponseOrigin</var>, <var>incumbentNavigationOrigin</var>,
+  <var>activeDocumentNavigationOrigin</var>, <var>environment</var>,<var>responseCOOP</var>, and
+  <var>browsingContextSwitchNeeded</var> the user agent must <span>queue a task</span> on the
+  <span>networking task source</span> to:
 
   <ol>
    <li><p>Let <var>document</var> be the result of <span
    data-x="create-the-document-object">creating and initialize a <code>Document</code> object</span>
    providing "<code data-x="">html</code>", <var>type</var>, <var>request</var>,
-   <var>response</var>, <var>browsingContext</var>, <var>sandboxFlags</var>,
-   <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, and
-   <var>environment</var>.</p></li>
+   <var>response</var>, <var>browsingContext</var>, <var>finalSandboxFlags</var>,
+   <var>finalResponseOrigin</var>, <var>incumbentNavigationOrigin</var>,
+   <var>activeDocumentNavigationOrigin</var>, <var>environment</var>, <var>responseCOOP</var>, and
+   <var>browsingContextSwitchNeeded</var>.</p></li>
 
    <li><p>Create an <span>HTML parser</span> and associate it with the <var>document</var>. Act as
    if the tokenizer had emitted a start tag token with the tag name "pre" followed by a single
@@ -83096,17 +83103,19 @@ new PaymentRequest(&hellip;); // Allowed to use
   <h4 id="read-media"><dfn data-x="navigate-media">Page load processing model for media</dfn></h4>
 
   <p>When an image, video, or audio resource is to be loaded, provided a <var>browsingContext</var>,
-  <var>request</var>, <var>response</var>, <var>sandboxFlags</var>,
-  <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, and
-  <var>environment</var>, the user agent should:
+  <var>request</var>, <var>response</var>, <var>finalSandboxFlags</var>,
+  <var>finalResponseOrigin</var>, <var>incumbentNavigationOrigin</var>,
+  <var>activeDocumentNavigationOrigin</var>, <var>environment</var>, <var>responseCOOP</var>,
+  <var>browsingContextSwitchNeeded</var>, the user agent should:
 
   <ol>
    <li><p>Let <var>document</var> be the result of <span
    data-x="create-the-document-object">creating and initialize a <code>Document</code> object</span>
    providing "<code data-x="">html</code>", <var>type</var>, <var>request</var>,
-   <var>response</var>, <var>browsingContext</var>, <var>sandboxFlags</var>,
-   <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, and
-   <var>environment</var>.</p></li>
+   <var>response</var>, <var>browsingContext</var>, <var>finalSandboxFlags</var>,
+   <var>finalResponseOrigin</var>, <var>incumbentNavigationOrigin</var>,
+   <var>activeDocumentNavigationOrigin</var>, <var>environment</var>, <var>responseCOOP</var>, and
+   <var>browsingContextSwitchNeeded</var>.</p></li>
 
    <li><p>Append an <code>html</code> element to <var>document</var>.</p></li>
 
@@ -83164,16 +83173,18 @@ new PaymentRequest(&hellip;); // Allowed to use
 
   <p>When a resource that requires an external resource to be rendered is to be loaded, provided a
   <var>browsingContext</var>, <var>request</var>, <var>response</var>, <var>sandboxFlags</var>,
-  <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, and
-  <var>environment</var>, the user agent should:
+  <var>finalResponseOrigin</var>, <var>incumbentNavigationOrigin</var>,
+  <var>activeDocumentNavigationOrigin</var>, <var>environment</var>, <var>responseCOOP</var>, and
+  <var>browsingContextSwitchNeeded</var>, the user agent should:
 
   <ol>
    <li><p>Let <var>document</var> be the result of <span
    data-x="create-the-document-object">creating and initialize a <code>Document</code> object</span>
    providing "<code data-x="">html</code>", <var>type</var>, <var>request</var>,
-   <var>response</var>, <var>browsingContext</var>, <var>sandboxFlags</var>,
-   <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, and
-   <var>environment</var>.</p></li>
+   <var>response</var>, <var>browsingContext</var>, <var>finalSandboxFlags</var>,
+   <var>finalResponseOrigin</var>, <var>incumbentNavigationOrigin</var>,
+   <var>activeDocumentNavigationOrigin</var>, <var>environment</var>, <var>responseCOOP</var>, and
+   <var>browsingContextSwitchNeeded</var>.</p></li>
 
    <li><p>Mark <var>document</var> as being a <dfn>plugin document</dfn></p></li>
 

From 84ec089fb13b32ed1d5ce878eae574edc88ba22c Mon Sep 17 00:00:00 2001
From: clamy <clamy@chromium.org>
Date: Wed, 10 Jun 2020 14:56:30 +0200
Subject: [PATCH 3/9] Add correct plumbing of COOP when navigating to a
 response

---
 source | 45 +++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 41 insertions(+), 4 deletions(-)

diff --git a/source b/source
index 2c3c57a51b1..94aa48805c7 100644
--- a/source
+++ b/source
@@ -81984,10 +81984,47 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
 
     <dl>
      <dt>If <var>resource</var> is a <span data-x="concept-response">response</span></dt>
-     <dd><p>Run <span>process a navigate response</span> with null, <var>resource</var>,
-     <var>navigationType</var>, the <span>source browsing context</span>,
-     <var>browsingContext</var>, <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>,
-     <var>activeDocumentNavigationOrigin</var>, and null.</p></dd>
+     <dd>
+      <ol>
+       <li><p>Let <var>finalSandboxFlags</var> be the union of <var>browsingContext</var>'s
+       <span>sandboxing flag set</span> and <var>resource</var>'s <span>forced sandboxing flag
+       set</span>.</p></li>
+
+       <li><p>Let <var>responseOrigin</var> be the result of <span>determining the origin</span>
+       given <var>browsingContext</var>, <var>request's</var> <span
+       data-x="concept-request-url">url</span>, <var>finalSandboxFlags</var>,
+       <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>.</p></li>
+
+       <li><p>Let <var>responseCOOP</var> be "<code data-x="">unsafe-none</code>".</p></li>
+
+       <li><p>Let <var>browsingContextSwitchNeeded</var> be false.</p></li>
+
+       <li>
+        <p>If <var>browsingContext</var> is a <span>top-level browsing context</span>, then: </p>
+
+        <ol>
+         <li><p>Set <var>responseCOOP</var> to the result of <span data-x="obtain-coop">obtaining a
+         cross-origin opener policy</span> given <var>resource</var> and
+         <var>responseOrigin</var>.</p></li>.
+
+         <li><p>If <var>sandboxFlags</var> is not empty and <var>responseCOOP</var> is not "<code
+         data-x="coop-unsafe-none">unsafe-none</code>", then set <var>resource</var> to an
+         appropriate <span>network error</span> and proceed.</p></li>
+
+         <li><p>Set <var>browsingContexSwitchNeeded</var> be the result of <span
+         data-x="check-browsing-context-group-switch-response">checking if the response requires a
+         browsing context group switch</span> given <var>browsingContext</var>,
+         <var>responseOrigin</var>, and <var>responseCOOP</var>.</p></li>
+        </ol>
+       </li>
+
+       <li><p>Run <span>process a navigate response</span> with null, <var>resource</var>,
+       <var>navigationType</var>, the <span>source browsing context</span>,
+       <var>browsingContext</var>, <var>finalSandboxFlags</var>, <var>responseOrigin</var>,
+       <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, null,
+       <var>responseCOOP</var>, and <var>browsingContextSwitchNeeded</var>.</p></li>
+      </ol>
+     </dd>
 
      <dt>If <var>resource</var> is a <span data-x="concept-request">request</span> whose <span
      data-x="concept-request-url">url</span>'s <span data-x="concept-url-scheme">scheme</span>

From 93b468067c84fe094758def6c71ea979020a2b53 Mon Sep 17 00:00:00 2001
From: clamy <clamy@chromium.org>
Date: Wed, 10 Jun 2020 15:16:11 +0200
Subject: [PATCH 4/9] Add COOP plumbing for JavaScript navigation

---
 source | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/source b/source
index 94aa48805c7..2149ffc3110 100644
--- a/source
+++ b/source
@@ -82039,10 +82039,17 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
        a <code>javascript:</code> URL request</span> given <var>resource</var>, the <span>source
        browsing context</span>, and <var>browsingContext</var>.</p></li>
 
+       <li><p>Let <var>finalSandboxFlags</var> be the union of <var>browsingContext</var>'s
+       <span>sandboxing flag set</span> and <var>response</var>'s <span>forced sandboxing flag
+       set</span>.</p></li>
+
        <li><p>Run <span>process a navigate response</span> with <var>resource</var>,
        <var>response</var>, <var>navigationType</var>, the <span>source browsing context</span>,
-       <var>browsingContext</var>, <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>,
-       <var>activeDocumentNavigationOrigin</var>, and null.</p></li>
+       <var>browsingContext</var>, <var>finalSandboxFlags</var>,
+       <var>activeDocumentNavigationOrigin</var>, <var>incumbentNavigationOrigin</var>,
+       <var>activeDocumentNavigationOrigin</var>, null, <var>browsingContext</var>'s <span>active
+       document</span>'s <span data-x="concept-document-coop"> cross-origin opener
+       policy</span>, and false.</p></li>
       </ol>
 
       <p class="example">So for example a <span data-x="javascript

From 6eca6f08b49d94cdd3aa37458c5fcfc98fb45e59 Mon Sep 17 00:00:00 2001
From: clamy <clamy@chromium.org>
Date: Wed, 17 Jun 2020 11:58:43 +0200
Subject: [PATCH 5/9] Fix navigate to response case

---
 source | 22 +++-------------------
 1 file changed, 3 insertions(+), 19 deletions(-)

diff --git a/source b/source
index 2149ffc3110..20d3fec3367 100644
--- a/source
+++ b/source
@@ -81986,6 +81986,9 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
      <dt>If <var>resource</var> is a <span data-x="concept-response">response</span></dt>
      <dd>
       <ol>
+       <li><p>Assert <var>browsingContext</var> is not a <span>top-level browsing
+       context</span>.</p></li>
+
        <li><p>Let <var>finalSandboxFlags</var> be the union of <var>browsingContext</var>'s
        <span>sandboxing flag set</span> and <var>resource</var>'s <span>forced sandboxing flag
        set</span>.</p></li>
@@ -81999,25 +82002,6 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
 
        <li><p>Let <var>browsingContextSwitchNeeded</var> be false.</p></li>
 
-       <li>
-        <p>If <var>browsingContext</var> is a <span>top-level browsing context</span>, then: </p>
-
-        <ol>
-         <li><p>Set <var>responseCOOP</var> to the result of <span data-x="obtain-coop">obtaining a
-         cross-origin opener policy</span> given <var>resource</var> and
-         <var>responseOrigin</var>.</p></li>.
-
-         <li><p>If <var>sandboxFlags</var> is not empty and <var>responseCOOP</var> is not "<code
-         data-x="coop-unsafe-none">unsafe-none</code>", then set <var>resource</var> to an
-         appropriate <span>network error</span> and proceed.</p></li>
-
-         <li><p>Set <var>browsingContexSwitchNeeded</var> be the result of <span
-         data-x="check-browsing-context-group-switch-response">checking if the response requires a
-         browsing context group switch</span> given <var>browsingContext</var>,
-         <var>responseOrigin</var>, and <var>responseCOOP</var>.</p></li>
-        </ol>
-       </li>
-
        <li><p>Run <span>process a navigate response</span> with null, <var>resource</var>,
        <var>navigationType</var>, the <span>source browsing context</span>,
        <var>browsingContext</var>, <var>finalSandboxFlags</var>, <var>responseOrigin</var>,

From 68534cd5aaa54b3b0bd0f2d81d1e143b8e83d9d3 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 18 Jun 2020 15:41:04 +0200
Subject: [PATCH 6/9] address some argument mismatches

---
 source | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/source b/source
index 20d3fec3367..7eb125bf5f6 100644
--- a/source
+++ b/source
@@ -80098,7 +80098,7 @@ interface <dfn>BarProp</dfn> {
    document</span>'s <span>origin</span>.</p></li>
 
    <li><p>Let <var>activeDocumentCOOP</var> be <var>browsingContext</var>'s <span>active
-   document</span>'s <span data-x="concept-document-coop"> cross-origin opener
+   document</span>'s <span data-x="concept-document-coop">cross-origin opener
    policy</span>.</p></li>
 
    <li><p>Let <var>isInitialAboutBlank</var> be false.</p></li>
@@ -80137,7 +80137,7 @@ interface <dfn>BarProp</dfn> {
   <span>cross-origin opener policy</span> <var>navigationCOOP</var>:</p>
 
   <ol>
-   <li><p>Assert <var>browsingContext</var> is a <span>top-level browsing context</span>.</p></li>
+   <li><p>Assert: <var>browsingContext</var> is a <span>top-level browsing context</span>.</p></li>
 
    <li><p>Let <var>newBrowsingContext</var> be the result of <span>creating a new top-level browsing
    context</span>.</p></li>
@@ -81986,8 +81986,10 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
      <dt>If <var>resource</var> is a <span data-x="concept-response">response</span></dt>
      <dd>
       <ol>
-       <li><p>Assert <var>browsingContext</var> is not a <span>top-level browsing
+       <li><p>Assert: <var>browsingContext</var> is not a <span>top-level browsing
        context</span>.</p></li>
+       <!-- TODO: this is probably not true for multipart/x-mixed-replace, though it's not clear how
+            close to reality its current definition is. -->
 
        <li><p>Let <var>finalSandboxFlags</var> be the union of <var>browsingContext</var>'s
        <span>sandboxing flag set</span> and <var>resource</var>'s <span>forced sandboxing flag
@@ -82032,8 +82034,8 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
        <var>browsingContext</var>, <var>finalSandboxFlags</var>,
        <var>activeDocumentNavigationOrigin</var>, <var>incumbentNavigationOrigin</var>,
        <var>activeDocumentNavigationOrigin</var>, null, <var>browsingContext</var>'s <span>active
-       document</span>'s <span data-x="concept-document-coop"> cross-origin opener
-       policy</span>, and false.</p></li>
+       document</span>'s <span data-x="concept-document-coop">cross-origin opener policy</span>, and
+       false.</p></li>
       </ol>
 
       <p class="example">So for example a <span data-x="javascript
@@ -82093,9 +82095,9 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
   <p>To <dfn data-export="">process a navigate fetch</dfn>, given a <span
   data-x="concept-request">request</span> <var>request</var>, two <span data-x="browsing
   context">browsing contexts</span> <var>sourceBrowsingContext</var> and <var>browsingContext</var>,
-  a string <var>navigationType</var>, and two <span data-x="origin">origins</span>
-  <var>incumbentNavigationOrigin</var> and <var>activeDocumentNavigationOrigin</var>, run these
-  steps:</p>
+  a string <var>navigationType</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>,
+  and two <span data-x="origin">origins</span> <var>incumbentNavigationOrigin</var> and
+  <var>activeDocumentNavigationOrigin</var>, run these steps:</p>
 
   <ol>
    <li><p>Let <var>response</var> be null.</p></li>
@@ -82293,7 +82295,8 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
    <span>process a navigate fetch</span> with a new <span data-x="concept-request">request</span>
    whose <span data-x="concept-request-url">url</span> is <var>response</var>'s <span
    data-x="concept-response-location-url">location URL</span>, <var>sourceBrowsingContext</var>,
-   <var>browsingContext</var>, and <var>navigationType</var>, and return.
+   <var>browsingContext</var>, <var>navigationType</var>, <var>sandboxFlags</var>,
+   <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>, and return.
 
    <li><p>Otherwise, if <var>response</var> has a <span
    data-x="concept-response-location-url">location URL</span> that is a <span>URL</span>, run the
@@ -82360,9 +82363,10 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
 
    <li><p>Run <span>process a navigate response</span> given <var>request</var>,
    <var>response</var>, <var>navigationType</var>, the <span>source browsing context</span>,
-   <var>browsingContext</var>, <var>finalSandboxFlages</var>, <var>responseOrigin</var>, <var>incumbentNavigationOrigin</var>,
-   <var>activeDocumentNavigationOrigin</var>, <var>responseCOOP</var>,
-   <var>browsingContextSwitchNeeded</var> and <var>reservedEnvironment</var>.</p></li>
+   <var>browsingContext</var>, <var>finalSandboxFlages</var>, <var>responseOrigin</var>,
+   <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>,
+   <var>responseCOOP</var>, <var>browsingContextSwitchNeeded</var>, and
+   <var>reservedEnvironment</var>.</p></li>
   </ol>
 
   <p>To <dfn data-export="">process a navigate response</dfn>, given null or a <span
@@ -82371,7 +82375,7 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
   two <span data-x="browsing context">browsing contexts</span> <var>source</var> and
   <var>browsingContext</var>, a <span>sandboxing flag set</span> <var>finalSandboxFlags</var>, three
   <span data-x="origin">origins</span> <var>finalResponseOrigin</var>,
-  <var>incumbentNavigationOrigin</var> and <var>activeDocumentNavigationOrigin</var>, a
+  <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>, a
   <span>cross-origin opener policy</span> <var>responseCOOP</var>, a boolean
   <var>browsingContextSwitchNeeded</var>, and null or an <span>environment</span>
   <var>reservedEnvironment</var>, run these steps:</p>

From 2ecb2433039e8c47d3e447795b06f86a72260897 Mon Sep 17 00:00:00 2001
From: Domenic Denicola <d@domenic.me>
Date: Fri, 19 Jun 2020 12:57:59 -0400
Subject: [PATCH 7/9] Editorial fixes

---
 source | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/source b/source
index 7eb125bf5f6..eedd19b0a26 100644
--- a/source
+++ b/source
@@ -79986,8 +79986,8 @@ interface <dfn>BarProp</dfn> {
 
    <dt>"<dfn><code data-x="coop-same-origin">same-origin</code></dfn>"</dt>
    <dd><p>This behaves the same as "<code
-   data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code>", with the addition any
-   <span>auxiliary browsing context</span> created needs to contain <span>same origin</span>
+   data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code>", with the addition that
+   any <span>auxiliary browsing context</span> created needs to contain <span>same origin</span>
    documents that also have the same <span>cross-origin opener policy</span> or it will appear
    closed to the opener.</p></dd>
 
@@ -80026,7 +80026,8 @@ interface <dfn>BarProp</dfn> {
    <li><p>Return false.</p></li>
   </ol>
 
-  <h4>Cross-Origin-Opener-Policy header</h4>
+  <h4>The `<code data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>`
+  header</h4>
 
   <p>A <code>Document</code>'s <span data-x="concept-document-coop">cross-origin opener
   policy</span> is derived from the `<code
@@ -80091,7 +80092,7 @@ interface <dfn>BarProp</dfn> {
   <p>To <dfn data-x="check-browsing-context-group-switch-response">check if a response requires a
   browsing context group switch</dfn>, given a <span>browsing context</span>
   <var>browsingContext</var>, an <span>origin</span> <var>responseOrigin</var> and a
-  <span>cross-origin opener policy</span> <var>responseCOOP</var>, run the followign steps:</p>
+  <span>cross-origin opener policy</span> <var>responseCOOP</var>:</p>
 
   <ol>
    <li><p>Let <var>activeDocumentNavigationOrigin</var> be <var>browsingContext</var>'s <span>active
@@ -80186,7 +80187,8 @@ interface <dfn>BarProp</dfn> {
   href="https://github.com/whatwg/html/issues/5350">whatwg/html issue #5350</a> for defining
   <span>browsing session</span>. It is roughly analogous to a <span>top-level browsing
   context</span> except that it cannot be replaced due to a `<code
-  data-x="">Cross-Origin-Opener-Policy</code>` header or navigation.</p>
+  data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` header or
+  navigation.</p>
 
   <p>A <span>top-level browsing context</span> has an associated <dfn  data-export="" data-x="tlbc
   browsing session" data-dfn-for="top-level browsing context">browsing session</dfn> which is a
@@ -82000,7 +82002,8 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
        data-x="concept-request-url">url</span>, <var>finalSandboxFlags</var>,
        <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>.</p></li>
 
-       <li><p>Let <var>responseCOOP</var> be "<code data-x="">unsafe-none</code>".</p></li>
+       <li><p>Let <var>responseCOOP</var> be "<code
+       data-x="coop-unsafe-none">unsafe-none</code>".</p></li>
 
        <li><p>Let <var>browsingContextSwitchNeeded</var> be false.</p></li>
 
@@ -82137,7 +82140,8 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
 
    <li><p>Let <var>finalSandboxFlags</var> be an empty <span>sandboxing flag set</span>.</p></li>
 
-   <li><p>Let <var>responseCOOP</var> be "<code data-x="">unsafe-none</code>".</p></li>
+   <li><p>Let <var>responseCOOP</var> be "<code
+   data-x="coop-unsafe-none">unsafe-none</code>".</p></li>
 
    <li>
     <p>While true:</p>
@@ -82234,7 +82238,7 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
        <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>.</p></li>
 
        <li>
-        <p>If <var>browsingContext</var> is a <span>top-level browsing context</span>, then: </p>
+        <p>If <var>browsingContext</var> is a <span>top-level browsing context</span>, then:</p>
 
         <ol>
          <li><p>Set <var>responseCOOP</var> to the result of <span data-x="obtain-coop">obtaining a
@@ -82243,17 +82247,17 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
 
          <li>
           <p>If <var>sandboxFlags</var> is not empty and <var>responseCOOP</var> is not "<code
-	  data-x="coop-unsafe-none">unsafe-none</code>", then set <var>response</var> to an
-          appropriate <span>network error</span> and return.</p>
+          data-x="coop-unsafe-none">unsafe-none</code>", then set <var>response</var> to an
+          appropriate <span>network error</span> and <span>break</span>.</p>
 
-	  <p class="note">This results in a network error as one cannot simultaneously provide a
-	  clean slate to a response using cross-origin opener policy and sandbox the result of
+          <p class="note">This results in a network error as one cannot simultaneously provide a
+          clean slate to a response using cross-origin opener policy and sandbox the result of
           navigating to that response.</p>
          </li>
 
          <li><p>Let <var>responseRequiresBrowsingContexGroupSwitch</var> be the result of <span
-	 data-x="check-browsing-context-group-switch-response">checking if the response requires a
-	 browsing context group switch</span> given <var>browsingContext</var>,
+          data-x="check-browsing-context-group-switch-response">checking if the response requires a
+          browsing context group switch</span> given <var>browsingContext</var>,
          <var>responseOrigin</var>, and <var>responseCOOP</var>.</p></li>
 
          <li><p>If <var>responseRequiresBrowsingContextGroupSwitch</var> is true, set
@@ -82272,8 +82276,6 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
         the web platform that cares for redirects to <code data-x="mailto protocol">mailto:</code>
         URLs and such.</p>
        </li>
-
-       <li><p>If <var>response</var> is a <span>network error</span>, then <span>break</span>.
       </ol>
      </li>
     </ol>

From 97550180e57b22d13a167b526c6518cba63986c0 Mon Sep 17 00:00:00 2001
From: clamy <clamy@chromium.org>
Date: Wed, 24 Jun 2020 14:25:59 +0200
Subject: [PATCH 8/9] Rephrase comments

---
 source | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/source b/source
index eedd19b0a26..7756795287d 100644
--- a/source
+++ b/source
@@ -80162,16 +80162,18 @@ interface <dfn>BarProp</dfn> {
    <li>
     <p><span data-x="a browsing context is discarded">Discard</span> <var>browsingContext</var>.</p>
 
-    <p class="note">This does not close <var>browsingContext</var>'s <span data-x="tlbc
+    <p class="note">This has no effect on <var>browsingContext</var>'s <span data-x="tlbc
     group">group</span>, unless <var>browsingContext</var> was its sole <span>top-level browsing
-    context</span>.</p>
+    context</span>. In that case, the user agent might delete the <span>browsing context
+    group</span> which no longer contains any <span data-x="browsing context">browsing
+    contexts</span>.</p>
    </li>
 
    <li><p>Return <var>newBrowsingContext</var>.</p></li>
   </ol>
 
   <p class="XXX">The impact of swapping browsing context groups following a navigation is not
-  defined. It is currently under discussion in <a
+  fully defined. It is currently under discussion in <a
   href="https://github.com/whatwg/html/issues/5350">issue #5350</a>.</p>
 
 

From 2803530daa3d2008e8cc8ae6ad0a8581437b6e5a Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 24 Jun 2020 16:55:16 +0200
Subject: [PATCH 9/9] nit

---
 source | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source b/source
index 7756795287d..70016ca4101 100644
--- a/source
+++ b/source
@@ -82258,8 +82258,8 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
          </li>
 
          <li><p>Let <var>responseRequiresBrowsingContexGroupSwitch</var> be the result of <span
-          data-x="check-browsing-context-group-switch-response">checking if the response requires a
-          browsing context group switch</span> given <var>browsingContext</var>,
+         data-x="check-browsing-context-group-switch-response">checking if the response requires a
+         browsing context group switch</span> given <var>browsingContext</var>,
          <var>responseOrigin</var>, and <var>responseCOOP</var>.</p></li>
 
          <li><p>If <var>responseRequiresBrowsingContextGroupSwitch</var> is true, set