On getting, if the document is a cookie-averse Document
object, then the user agent must return the empty string. Otherwise, if the
- Document's origin is not a tuple, the user agent must throw a SecurityError
- exception. Otherwise, the user agent must return the cookie-string for the
- document's address for a "non-HTTP" API, decoded using UTF-8 decode without
- BOM.
Document's origin is an opaque
+ origin, the user agent must throw a SecurityError exception. Otherwise, the
+ user agent must return the cookie-string for the document's address for
+ a "non-HTTP" API, decoded using UTF-8 decode without BOM.
+
On setting, if the document is a cookie-averse The Document object, then
the user agent must do nothing. Otherwise, if the Document's origin is
- not a tuple, the user agent must throw a
+ an opaque origin, the user agent must throw a
SecurityError exception. Otherwise, the user agent must act as it would when receiving a set-cookie-string for the
document's address via a "non-HTTP" API, consisting of the new value audio</a> test instead.)</p>
contentDocument IDL attribute
must return the Document object of the active document of the
iframe element's nested browsing context, if any and if its
- effective script origin is the same origin as the effective script
- origin specified by the incumbent settings object, or null otherwise.
The The contentWindow IDL attribute must
return the WindowProxy object of the iframe element's nested
@@ -28632,8 +28632,8 @@ attribute, set the browsing context name of the element's nes
contentDocument IDL attribute
must return the Document object of the active document of the
object element's nested browsing context, if any and if its
- effective script origin is the same origin as the effective script
- origin specified by the incumbent settings object, or null otherwise.
The contentWindow IDL attribute must
return the WindowProxy object of the object element's nested
@@ -37905,9 +37905,8 @@ dictionary TrackEventInit : EventInit {
these steps.
If the active document of the nested browsing context does not - have the same effective script origin as the - element's node document, then return null and abort these - steps.
If the nested browsing context's active document was created by the page load processing model for XML files section because @@ -76018,25 +76017,16 @@ dictionary DragEventInit : MouseEventInit { tasks and completely loaded immediately.
Set the origin and effective script - origin of document:
+Set the origin of document:
If the new browsing context has a creator browsing context,
- then the origin of document is a copy of the origin of
- the creator Document and the effective script origin of
- document is the effective script origin of the creator
- Document.
The effective script origin is shared and not copied - purposefully.
-If the new browsing context has a creator browsing context,
+ then the origin of document the origin of the
+ creator Document.
Otherwise, the origin of document is a globally unique - identifier assigned when the new browsing context is created and the - effective script origin of document is a copy of its - origin.
Otherwise, the origin of document is a unique opaque origin assigned when the new browsing + context is created.
Let container be context's browsing context container.
If container's node document does not have the - same effective script origin as the - effective script origin specified by the entry settings object, then - return null and abort these steps.
If container's node document's origin is not + same origin-domain with the entry settings object's + origin, then return null and abort these steps.
Return container.
Each unit of related browsing contexts is then further divided into the smallest
number of groups such that every member of each group has an active document with an
- effective script origin that, through appropriate manipulation of the document.domain attribute, could be made to be the same as
- other members of the group, but could not be made the same as members of any other group. Each
- such group is a unit of related similar-origin browsing contexts.
document.domain attribute, could be made to be same
+ origin-domain with other members of the group, but could not be made the same as members of
+ any other group. Each such group is a unit of related similar-origin browsing
+ contexts.
There is also at most one event loop per unit of related
similar-origin browsing contexts (though several For example, setting document.domain
to "example.com" on www.example.com means user agents can remove all
key-value pairs from the map where part of the key is www.example.com, as that can never be part
- of the effective script origin again and therefore the corresponding value could
- never be retrieved from the map.
Return true if the current settings object's effective script - origin is same origin with O's relevant settings - object's effective script origin, and false otherwise.
Return true if the current settings object's origin is + same origin-domain with O's relevant settings object's + origin, and false otherwise.
Let crossOriginKey be a tuple consisting of the current settings - object's effective script origin, O's relevant settings - object's effective script origin, and P.
Repeat for each e that is an element of @@ -78150,171 +78133,129 @@ callback FrameRequestCallback = void (DOMHighResTimeStamp -
The origin of a resource and the - effective script origin of a resource are each one of the - following:
+An origin is + one of the following:
An internal value, with no serialisation, for which the only meaningful operation is + testing for equality.
A tuple consists of: -
Internal values, with no serialisation, for which the only meaningful operation is testing - for equality.
- +A scheme (a + scheme).
A host (a host).
A port (a port).
A domain (null or a domain). Null unless stated otherwise. -
A Document object's origin's domain can be changed through the document.domain API.
Origins can be shared, e.g., among multiple
+ Document objects.
Tuples consisting of a scheme component, a host component, a port component, and optionally - extra data.
+The effective domain of an + origin origin is computed as follows:
-The extra data could include the certificate of the site when using encrypted - connections, to ensure that if the site's secure certificate changes, the origin is considered to - change as well.
+If origin is an opaque origin, then + return origin.
If origin's domain is non-null, + then return origin's domain.
An effective script origin can be shared, e.g., among multiple
- Document objects, and can be changed through the document.domain API.
Return origin's host.
These characteristics are defined as follows:
+Various specification objects are defined to have an origin. These origins are determined as follows:
The origin and effective script origin of the URL are - the URL origin defined in the WHATWG URL standard.
- -Document objectsDocument's active sandboxing flag set has
- its sandboxed origin browsing context flag setThe origin is a globally unique identifier assigned when the
- Document is created.
Document's active sandboxing flag set
+ has its sandboxed origin browsing context flag setThe effective script origin is initially a copy of the origin of
- the Document.
A unique opaque origin assigned when the
+ Document is created.
Document was served over the network and has an address that uses a URL
+ Document was served over the network and has an address that uses a URL
scheme with a server-based naming authorityThe origin is a copy of the origin of
- the Document's address.
The effective script origin is initially a copy of the origin of
- the Document.
Document is the initial "about:blank" documentA copy of the Document's address's origin.
The origin and effective script origin of the
- Document are those it was assigned when its
- browsing context was created.
Document is the initial "about:blank" documentThe one it was assigned when its browsing context was + created.
Document is a non-initial "about:blank" documentDocument is a non-initial "about:blank" documentDocument was generated from a data: URL found in another Document or in a
scriptThe origin is a copy of the origin specified by the - incumbent settings object when the navigate algorithm was invoked, - or, if no script was involved, of the node - document of the element that initiated the navigation to - that URL.
+The origin of the incumbent settings object when the + navigate algorithm was invoked, or, if no script was involved, the origin of the node + document of the element that initiated the navigation to + that URL.
The effective script origin is the effective script origin of
- that same environment settings object or Document.
Document was created as part of the processing for If the Document was created as part of the processing for javascript: URLsThe origin of the active document of the browsing + context being navigated when the navigate algorithm was invoked.
The origin is a copy of the origin of the active - document of the browsing context being navigated when the - navigate algorithm was invoked.
-The effective script origin is the effective script origin of
- that same Document.
Document is an iframe If the Document is an iframe srcdoc documentThe origin of the Document is a copy of the origin
- of the Document's browsing context's
- browsing context container's node document.
The effective script origin is the effective script origin of the
- Document's browsing context's
- browsing context container's node document.
The origin of the Document's browsing context's browsing context
+ container's node document.
Document was obtained in some other manner (e.g. a data: URL typed in by the user or that was returned as the
location of a redirect, a Document created using the createDocument() API, etc)The default behaviour as defined in the WHATWG DOM standard applies. .
-The origin is a globally unique identifier assigned when the
- Document is created, and the effective script origin is a copy of
- the origin of the Document.
The origin is a unique opaque origin assigned when the Document is
+ created.
The effective script origin of a Document can be
- manipulated using the document.domain IDL
- attribute.
A unique opaque origin assigned when the + image is created.
img
- element's node document.The img element's node document's
+ origin.
Images do not have an effective script origin.
- @@ -78350,20 +78289,17 @@ callback FrameRequestCallback = void (DOMHighResTimeStampIf the media data is CORS-cross-origin -A unique opaque origin assigned when the + media data is fetched.
The media element's node document's + origin.
Media elements do not have an effective script - origin.
- @@ -78371,43 +78307,42 @@ callback FrameRequestCallback = void (DOMHighResTimeStamp -The origin of a downloadable Web font is a copy of the origin of the absolute URL used to obtain the - font (after any redirects).
-The origin of a locally installed system font is a copy of the
- origin of the Document in which that font is being used.
Fonts do not have an effective script origin.
+For a locally installed system font is the origin of the Document
+ in which that font is being used.
Other specifications can override the above definitions by themselves specifying the origin of
- a particular URL, Document, image, media element, or
- font.
Document object, image, media element, or font.
The Unicode serialisation of an origin is the string obtained by applying the - following algorithm to the given origin origin:
+The Unicode serialisation of an origin is the string obtained by + applying the following algorithm to the given origin origin:
If origin is not a tuple, then +
If origin is an opaque origin, then
return "null".
Let host be the host part of origin.
Let host be origin's host.
Let unicodeHost be host if host is not a domain, and the result of applying domain to Unicode to host otherwise.
Let unicodeOrigin be a new tuple - consisting of the scheme part of origin, unicodeHost, and the port part of - origin.
Let unicodeOrigin be a new tuple + origin consisting origin's scheme, + unicodeHost, and origin's port.
Return the ASCII serialisation of an origin, given unicodeOrigin.
@@ -78418,58 +78353,110 @@ callback FrameRequestCallback = void (DOMHighResTimeStampThe Unicode
+ serialisation of ("https", "xn--maraa-rta.example", null, null) is "https://maraña.example".
The ASCII serialisation of an origin is the string obtained by applying the - following algorithm to the given origin origin:
+The ASCII serialisation of an origin is the string obtained by + applying the following algorithm to the given origin origin:
If origin is not a tuple, then +
If origin is an opaque origin, then
return "null".
Otherwise, let result be the scheme part of origin.
Otherwise, let result be origin's scheme.
Append "://" to result.
Append the host part of origin, serialised, to result.
Append origin's host, serialised, to result.
If the port part of origin is non-null, append a U+003A COLON character (:), - and the port part, serialised, to - result.
If origin's port is non-null, append + a U+003A COLON character (:), and origin's port, serialised, + to result.
Return result.
Two origins are said to be the same origin if the - following algorithm returns true:
+Two origins, A and B, are said to be + same origin if the following algorithm returns true:
If A and B are the same opaque + origin, then return true.
Let A be the first origin being compared, and B be the second origin being compared.
If A and B are both tuple + origins and their schemes, hosts, and port are + identical, then return true.
If A and B are both opaque identifiers, and their - value is equal, then return true.
Otherwise, if either A or B or both are opaque - identifiers, return false.
Return false.
If A and B have scheme components that are not - identical, return false.
Two origins, A and B, are said to be + same origin-domain if the following algorithm returns true:
-If A and B have host components that are not - identical, return false.
If A and B are the same opaque + origin, then return true.
If A and B have port components that are not - identical, return false.
If A and B are both tuple + origins, run these substeps:
-If either A or B have additional data, but that - data is not identical for both, return false.
If A and B's schemes + are identical, and their domains are identical and + non-null, then return true.
Return true.
Otherwise, if A and B are same origin and their domains are identical and null, then return + true.
Return false.
| A + | B + | same origin + | same origin-domain + |
|---|---|---|---|
("https", "example.org", null, null)
+ | ("https", "example.org", null, null)
+ | ✅ + | ✅ + |
("https", "example.org", 314, "example.org")
+ | ("https", "example.org", 420, "example.org")
+ | ❌ + | ✅ + |
("https", "example.org", null, null)
+ | ("https", "example.org", null, "example.org")
+ | ✅ + | ❌ + |
("https", "example.org", null, "example.org")
+ | ("http", "example.org", null, "example.org")
+ | ❌ + | ❌ + |
Can be set to a value that removes subdomains, to change the effective script
- origin to allow pages on other subdomains of the same domain (if they do the same thing)
- to access each other. (Can't be set in sandboxed iframes.)
Can be set to a value that removes subdomains, to change the origin's domain to allow pages on other subdomains of the same
+ domain (if they do the same thing) to access each other. (Can't be set in sandboxed
+ iframes.)
Each Document object has an associated domain. Its initial value is the host component of the document's
- origin, if the value of that origin is a tuple and if the Document object has a browsing context, and the empty domain otherwise.
The domain attribute's getter must run
+ these steps:
If this Document object does not have a browsing context, then return the empty string.
+
+
Let effectiveDomain be this Document's origin's effective domain.
-
The domain attribute's getter must return
- this Document's domain,
- serialised.
If effectiveDomain is an opaque + origin, then return the empty string.
Return effectiveDomain, serialised.
The domain attribute's setter must run these
steps:
If this Document object has no browsing
- context, throw a SecurityError exception.
SecurityError exception.If this Document object's active sandboxing flag set has its
sandboxed document.domain browsing context
- flag set, throw a SecurityError exception.
SecurityError exception.
- If the given value is the empty string, throw a SecurityError
+
If the given value is the empty string, then throw a SecurityError
exception.
Let host be the result of parsing the given value.
If host is failure, throw a SecurityError exception.
If host is failure, then throw a SecurityError exception.
Let effectiveDomain be this Document object's
+ origin's effective
+ domain.
If host is not equal to this
- Document object's domain, run these
- substeps:
If host is not equal to + effectiveDomain, then run these substeps:
If host or this Document object's domain is not a domain, throw a
- SecurityError exception.
If host or effectiveDomain is not a domain, then throw a SecurityError exception.
This is meant to exclude hosts that are an - IPv4 address or an IPv6 address.
+This is meant to exclude hosts that are an + IPv4 address or an IPv6 address.
If host, prefixed by a U+002E FULL STOP (.), does not exactly match the end
- of this Document object's domain,
- throw a SecurityError exception.
SecurityError exception.If host matches a suffix in the Public Suffix List, or, if host,
prefixed by a U+002E FULL STOP (.), matches the end of a suffix in the Public Suffix List,
- throw a SecurityError exception.
SecurityError exception.
Suffixes must be compared after applying the host parser algorithm.
Set this Document object's domain
- to host.
Set the host component of the effective script origin tuple of this
- Document to host.
Set the port component of the effective script origin tuple of this
- Document to "manual override" (a value that, for the purposes of comparing origins, is identical to "manual override" but not identical to any
- other value).
Set origin's domain to + host.
This flag prevents content from using the document.domain feature to change the effective script
- origin.
This flag prevents content from using the
+ document.domain setter.
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.
Return this Location object's url,
serialised.
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.
Return the Unicode serialization
of this If this Location object's url's 1</OUTPUT> <INPUT VALUE="Increment" TYPE=BUTTON O
Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.SecurityError exception.
Return this Location object's url's scheme,
@@ -79906,9 +79887,8 @@ State: <OUTPUT NAME=I>1</OUTPUT> <INPUT VALUE="Increment" TYPE=BUTTON O
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.Let copyURL be a copy of this Location object's url.
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.
Let url be this Location object's url.
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.
Let copyURL be a copy of this Location object's url.
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.
If this Location object's url's
host is null, return the empty string.
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.
Let copyURL be a copy of this Location object's url.
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.
If this Location object's url's
port is null, return the empty string.
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.
Let copyURL be a copy of this Location object's url.
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.
Let url be this Location object's url.
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.
Let copyURL be a copy of this Location object's url.
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.
If this Location object's url's
query is either null or the empty string, return the
@@ -80119,9 +80090,8 @@ State: <OUTPUT NAME=I>1</OUTPUT> <INPUT VALUE="Increment" TYPE=BUTTON O
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.Let copyURL be a copy of this Location object's url.
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.
If this Location object's url's
fragment is either null or the empty string, return
@@ -80171,9 +80140,8 @@ State: <OUTPUT NAME=I>1</OUTPUT> <INPUT VALUE="Increment" TYPE=BUTTON O
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.Let copyURL be a copy of this Location object's url.
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.
Parse url relative to the entry
settings object. If that failed, throw a SyntaxError exception.
Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script originThrow a SecurityError exception.
If this Location object's relevant Document's
- effective script origin is not same origin with entry settings
- object's effective script origin, throw a SecurityError
- exception.
SecurityError exception.
Otherwise, return this Location object's ancestor origins array.
Return inherited origin.
@@ -95823,9 +95789,9 @@ interface WindowLocalStorage { instead of returning aStorage object if the request violates a policy decision
(e.g. if the user agent is configured to not allow the page to persist data).
- If the Document's origin is not a tuple, then throw a SecurityError exception and
- abort these steps.
If the Document's origin is an opaque origin, then throw a SecurityError
+ exception and abort these steps.
Check to see if the user agent has allocated a local storage area for the
origin of the Document of the Window object on which the
@@ -110629,9 +110595,8 @@ if (s = prompt('What is your name?')) {
The contentDocument IDL attribute of
the frame element must return the Document object of the active
document of the frame element's nested browsing context, if any
- and if its effective script origin is the same origin as the
- effective script origin specified by the incumbent settings object, or
- null otherwise.
The contentWindow IDL attribute must
return the WindowProxy object of the frame element's nested