From c64d81110fa7bf2cccaf8d9382ec16a7da7b336d Mon Sep 17 00:00:00 2001
From: Arthur Sonzogni <arthursonzogni@chromium.org>
Date: Wed, 9 Mar 2022 18:32:11 +0100
Subject: [PATCH 1/9] Anonymous iframe

Explainer:
https://github.com/camillelamy/explainers/blob/main/anonymous_iframes.md

Chrome status:
https://chromestatus.com/feature/5729461725036544

Summary:
- Define the anonymous flag for iframe and Window.
- Inheritance is defined similarly to sandbox. However it do not propage
  toward popups.
- Popup opened from anonymous Window use 'noopener'.
- Navigation in anonymous iframe are allowed, even if the embedder has
  COEP:require-corp|credentialless and the response do not.
- Define the `page anonymous nonce`, it is used for anonymous Window as
  an additional keys in:
  - network-partition-keys,
  - storage-partition-keys,
  - cookie-partition-keys
  This ensures the document is loaded within a new and ephemeral
  context. This prevents a cross-origin-isolated parent from stealing
  important data from its child, via a Spectre Attack.
- Password autofill must be disabled inside anonymous Window.

XXX: implement the corresponding parts on top of:
- Fetch => network-partition-keys
- StoragePartitioning => storage-partition-keys
- CookieHavingIndependantState => cookie-partition-key
- Worker.
---
 source | 157 +++++++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 131 insertions(+), 26 deletions(-)

diff --git a/source b/source
index 12c5dfaef0a..3304ea48ac0 100644
--- a/source
+++ b/source
@@ -2495,6 +2495,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x="body safely extract" data-x-href="https://fetch.spec.whatwg.org/#bodyinit-safely-extract">safely extracting a body</dfn></li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#process-response-end-of-body">processResponseConsumeBody</dfn></li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#fetch-processresponseendofbody">processResponseEndOfBody</dfn></li>
+     <li><dfn data-x-href="https://fetch.spec.whatwg.org/#network-partition-keys">network-partition-keys</dfn></li>
      <li>
       <dfn data-x="concept-response"
       data-x-href="https://fetch.spec.whatwg.org/#concept-response">response</dfn> and its
@@ -30891,6 +30892,7 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></code></pre>
    <dd><code data-x="attr-dim-height">height</code></dd>
    <dd><code data-x="attr-iframe-referrerpolicy">referrerpolicy</code></dd>
    <dd><code data-x="attr-iframe-loading">loading</code></dd>
+   <dd><code data-x="attr-iframe-anonymous">anonymous</code></dd>
    <dt><span
    data-x="concept-element-accessibility-considerations">Accessibility considerations</span>:</dt>
    <dd><a href="https://w3c.github.io/html-aria/#el-iframe">For authors</a>.</dd>
@@ -31601,6 +31603,12 @@ interface <dfn interface>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
    <li><p>Invoke <var>resumptionSteps</var>.</p></li>
   </ol>
 
+  <hr> <!-- ANONYMOUS ATTRIBUTE -->
+
+  <p>The <dfn element-attr for="iframe"><code data-x="attr-iframe-anonymous">anonymous</code></dfn>
+  attribute, enables loading documents hosted by the <code>iframe</code> with a new and ephemeral
+  storage partition. It is a boolean value. The default is false.</p>
+
   <hr> <!-- FALLBACK -->
 
   <p>Descendants of <code>iframe</code> elements represent nothing. (In legacy user agents that do
@@ -80362,6 +80370,10 @@ popup4.close();</code></pre></div>
    <li><p>Let <var>sandboxFlags</var> be the result of <span>determining the creation sandboxing
    flags</span> given <var>browsingContext</var> and <var>embedder</var>.</p></li>
 
+   <li><p>Let <var>anonymous</var> be the result of determining the <span
+   data-x="initial-window-anonymous">initial window anonymous</span> flag, given
+   <var>browsingContext</var>.</p></li>
+
    <!--
     This step does not need to use |embedder|, because determining the origin only consults the
     container when the url argument is about:srcdoc. However, here we always pass about:blank.
@@ -80386,7 +80398,8 @@ popup4.close();</code></pre></div>
     realm</span> given <var>agent</var> and the following customizations:</p>
 
     <ul>
-     <li><p>For the global object, create a new <code>Window</code> object.</p></li>
+     <li><p>For the global object, create a new <code>Window</code> object, with <code
+     data-x="attr-iframe-anonymous">anonymous</code> set to <var>anonymous</var>.</p></li>
 
      <li><p>For the global <b>this</b> binding, use <var>browsingContext</var>'s
      <code>WindowProxy</code> object.</li>
@@ -81761,6 +81774,7 @@ interface <dfn interface>Window</dfn> : <span>EventTarget</span> {
   attribute DOMString <span data-x="dom-window-status">status</span>;
   undefined <span data-x="dom-window-close">close</span>();
   readonly attribute boolean <span data-x="dom-window-closed">closed</span>;
+  readonly attribute boolean <span data-x="dom-window-anonymous">anonymous</span>;
   undefined <span data-x="dom-window-stop">stop</span>();
   undefined <span data-x="dom-window-focus">focus</span>();
   undefined <span data-x="dom-window-blur">blur</span>();
@@ -81960,6 +81974,9 @@ dictionary <dfn dictionary>WindowPostMessageOptions</dfn> : <span>StructuredSeri
 
    <li><p>If <var>noreferrer</var> is true, then set <var>noopener</var> to true.</p></li>
 
+   <li><p>If <span>entry global object</span>'s <span data-x="dom-window-anonymous">anonymous</span>
+   flag is true, then set <var>noopener</var> to true.</p></li>
+
    <li>
     <p>Let <var>target browsing context</var> and <var>windowType</var> be the result of applying
     <span>the rules for choosing a browsing context</span> given <var>target</var>, <var>source
@@ -84110,6 +84127,70 @@ interface <dfn interface>BarProp</dfn> {
 
 
 
+  <h3>Anonymous iframe</h3>
+
+  <p>Each <code>iframe</code> element has a mutable <code
+  data-x="attr-iframe-anonymous">anonymous</code> flag attribute.</p>
+
+  <p>Each <code>Window</code> has a constant <dfn attribute for="Window"
+  data-x="dom-window-anonymous"><code>anonymous</code></dfn> flag.</p>
+
+  <p>An <dfn>anonymous Window</dfn> is a <code>Window</code>, whose <code
+  data-x="dom-window-anonymous">anonymous</code> flag is true.</p>
+
+  <p>To compute the <dfn data-x="initial-window-anonymous">initial window anonymous flag</dfn>,
+  given a new <span data-x="concept-document-bc">browsing context</span> <var>browsing
+  context</var>:</p>
+  <ol class="brief">
+   <li><p>Set <var>embedder</var> be <var>browsing context</var>'s <span
+   data-x="bc-container">container</span>.</p>
+   <li><p>If <var>embedder</var> is not an element, return false.</p></li>
+   <li><p>Otherwise, set <var>parentWindow</var> be the <var>embedder</var>'s <span>node
+   document</span>'s <span>relevant global object</span>.</p></li>
+   <li><p>Return the union of:</p>
+    <ul class="brief">
+     <li><p><var>parentWindow</var>'s <code attribute for="Window"
+     data-x="dom-window-anonymous">anonymous</code></p></li>
+     <li><p><var>embedder</var>'s <span><code>iframe</code></span>'s <code
+     data-x="attr-iframe-anonymous">anonymous</code></p></li>
+    </ul>
+   </li>
+  </ol>
+
+  <p>To compute the <dfn data-x="navigation-anonymous">navigation's anonymous flag</dfn>,
+  given <span data-x="concept-document-bc">browsing context</span> <var>browsing
+  context</var>, follows the same steps as in the <span
+  data-x="initial-window-anonymous">initial window anonymous flag</span> algorithm.</p>
+
+  <p class="note">New <code>Window</code>'s <code data-x="dom-window-anonymous">anonymous</code>
+  flag is computed either from the <span data-x="initial-window-anonymous">initial window anonymous
+  flag</span> algorithm for new <span data-x="concept-document-bc">browsing context</span>, or from
+  the <span data-x="navigation-anonymous">navigation's anonymous flag</span> algorithm, executed
+  when the navigation started, for navigations inside pre-existing <span
+  data-x="concept-document-bc">browsing context</span>.</p>
+
+  <p class="note">Popup opened from <span>anonymous Window</span> are always with 'noopener' set</p>
+
+  <p class="note">Top-level <span>anonymous Window</span> do not exist.</p>
+
+  <p>Each top-level <span>Window</span> has an associated <dfn export>page anonymous nonce</dfn>. It
+  is an immutable nonce ("number used once").</p>
+
+  <p class="XXX">The <span>page anonymous nonce</span> is meant to be used for <span>anonymous
+  Window</span> as a key in <span>network-partition-keys</span>, storage-partition-keys, and
+  cookie-partition-keys for <span>anonymous Window</span>. See <a
+  href="https://github.com/whatwg/fetch/issues/904">Network state partitionning</a>, <a
+  href="https://privacycg.github.io/storage-partitioning/">Client-Side Storage Partitioning</a>, and
+  <a href="https://github.com/WICG/CHIPS">CHIPS (Cookies Having Independant Partitioned
+  State</a>.</p>
+
+  <p><dfn>Autofill and anonymous iframe</dfn>: User agents sometimes have features for helping users
+  fill forms in: for example prefilling the user's address, password, or payment informations. User
+  agents must disable those features when the data is both specific to the user and to the website.
+  </p>
+
+
+
   <h3>Cross-origin opener policies</h3>
 
   <p>A <dfn>cross-origin opener policy value</dfn> allows a document which is navigated to in a
@@ -85482,7 +85563,8 @@ interface <dfn interface>BarProp</dfn> {
 
   <p>To <dfn>check a navigation response's adherence to its embedder policy</dfn> given a <span
   data-x="concept-response">response</span> <var>response</var>, a <span>browsing context</span>
-  <var>target</var>, and an <span>embedder policy</span> <var>responsePolicy</var>:</p>
+  <var>target</var>, an <span>embedder policy</span> <var>responsePolicy</var>, and a boolean
+  <var>anonymous</var>:</p>
 
   <ol>
    <li><p>If <var>target</var> is not a <span>child browsing context</span>, then return
@@ -85495,18 +85577,18 @@ interface <dfn interface>BarProp</dfn> {
 
    <li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-report-only-value">report-only
    value</span> is <span>compatible with cross-origin isolation</span> and
-   <var>responsePolicy</var>'s <span data-x="embedder-policy-value">value</span> is not, then
-   <span>queue a cross-origin embedder policy inheritance violation</span> with <var>response</var>,
-   "<code data-x="">navigation</code>", <var>parentPolicy</var>'s <span
-   data-x="embedder-policy-report-only-reporting-endpoint">report only reporting endpoint</span>,
-   "<code data-x="">reporting</code>", and <var>target</var>'s <span
+   <var>responsePolicy</var>'s <span data-x="embedder-policy-value">value</span> is not, and
+   <var>anonymous</var> is false, then <span>queue a cross-origin embedder policy inheritance
+   violation</span> with <var>response</var>, "<code data-x="">navigation</code>",
+   <var>parentPolicy</var>'s <span data-x="embedder-policy-report-only-reporting-endpoint">report
+   only reporting endpoint</span>, "<code data-x="">reporting</code>", and <var>target</var>'s <span
    data-x="bc-container-document">container document</span>'s <span>relevant settings
    object</span>.</p></li>
 
    <li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-value">value</span> is not
    <span>compatible with cross-origin isolation</span> or <var>responsePolicy</var>'s <span
    data-x="embedder-policy-value">value</span> is <span>compatible with cross-origin
-   isolation</span>, then return true.</p></li>
+   isolation</span>, or <var>anonymous</var> is true, then return true.</p></li>
 
    <li><p><span>Queue a cross-origin embedder policy inheritance violation</span> with
    <var>response</var>, "<code data-x="">navigation</code>", <var>parentPolicy</var>'s <span
@@ -87631,6 +87713,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    <dt><dfn data-x="navigation-params-sandboxing">final sandboxing flag set</dfn></dt>
    <dd>a <span>sandboxing flag set</span> to impose on the new <code>Document</code></dd>
 
+   <dt><dfn data-x="navigation-params-anonymous">anonymous</dfn></dt>
+   <dd>The anonymous flag to impose on the new <code>Window</code></dd>
+
    <dt><dfn data-x="navigation-params-coop">cross-origin opener policy</dfn></dt>
    <dd>a <span>cross-origin opener policy</span> to use for the new <code>Document</code></dd>
 
@@ -87883,6 +87968,10 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    flags</span> given <var>browsingContext</var> and <var>browsingContext</var>'s <span
    data-x="bc-container">container</span>.</p></li>
 
+   <li><p>Let <var>anonymous</var> be the result of computing the <span
+   data-x="navigation-anonymous">navigation's anonymous flag</span>, given
+   <var>browsingContext.</var></p></li>
+
    <li><p>Let <var>allowedToDownload</var> be the result of running the <span>allowed to
    download</span> algorithm given the <span>source browsing context</span> and
    <var>browsingContext</var>.</p></li>
@@ -87953,8 +88042,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
        data-x="navigation-params-policy-container">policy container</span> is
        <var>policyContainer</var>, <span data-x="navigation-params-sandboxing">final sandboxing
        flag set</span> is <var>finalSandboxFlags</var>, <span
-       data-x="navigation-params-coop">cross-origin opener policy</span> is <var>coop</var>, <span
-       data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is
+       data-x="navigation-params-anonymous">anonymous</span> is <var>anonymous</var>, <span
+       data-x="navigation-params-coop">cross-origin opener policy</span> is <var>coop</var>,
+       <span data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is
        <var>coopEnforcementResult</var>, <span
        data-x="navigation-params-reserved-environment">reserved environment</span> is null, <span
        data-x="navigation-params-browsing-context">browsing context</span> is
@@ -88010,8 +88100,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
        data-x="navigation-params-policy-container">policy container</span> is
        <var>browsingContext</var>'s <span>active document</span>'s <span>policy container</span>,
        <span data-x="navigation-params-sandboxing">final sandboxing flag set</span> is
-       <var>finalSandboxFlags</var>, <span data-x="navigation-params-coop">cross-origin opener
-       policy</span> is <var>browsingContext</var>'s <span>active document</span>'s <span
+       <var>finalSandboxFlags</var>, <span data-x="navigation-params-anonymous">anonymous</span> is
+       <var>anonymous</var>, <span data-x="navigation-params-coop">cross-origin opener policy</span>
+       is <var>browsingContext</var>'s <span>active document</span>'s <span
        data-x="concept-document-coop">cross-origin opener policy</span>, <span
        data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is
        <var>coopEnforcementResult</var>, <span
@@ -88046,10 +88137,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
      <dd><p>Run <span>process a navigate fetch</span> given <var>navigationId</var>,
      <var>resource</var>, the <span>source browsing context</span>, <var>browsingContext</var>,
-     <var>navigationType</var>, <var>sandboxFlags</var>, <var>historyPolicyContainer</var>,
-     <var>initiatorPolicyContainer</var>, <var>allowedToDownload</var>,
-     <var>hasTransientActivation</var>, <var>incumbentNavigationOrigin</var>,
-     <var>historyHandling</var>, and <var>unsafeNavigationStartTime</var>.</p></dd>
+     <var>navigationType</var>, <var>sandboxFlags</var>, <var>anonymous</var>,
+     <var>historyPolicyContainer</var>, <var>initiatorPolicyContainer</var>,
+     <var>allowedToDownload</var>, <var>hasTransientActivation</var>,
+     <var>incumbentNavigationOrigin</var>, <var>historyHandling</var>, and
+     <var>unsafeNavigationStartTime</var>.</p></dd>
 
      <dt>Otherwise, <var>resource</var> is a <span data-x="concept-request">request</span> whose
      <span data-x="concept-request-url">URL</span>'s <span data-x="concept-url-scheme">scheme</span>
@@ -88066,12 +88158,12 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
   data-x="navigation-id">navigation id</span> <var>navigationId</var>, <span
   data-x="concept-request">request</span> <var>request</var>, two <span data-x="browsing
   context">browsing contexts</span> <var>sourceBrowsingContext</var> and <var>browsingContext</var>,
-  a string <var>navigationType</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>,
-  two <span data-x="policy container">policy containers</span> <var>historyPolicyContainer</var> and
-  <var>initiatorPolicyContainer</var>, a boolean <var>allowedToDownload</var>, a boolean
-  <var>hasTransientActivation</var>, an <span>origin</span> <var>incumbentNavigationOrigin</var>,
-  a <span>history handling behavior</span> <var>historyHandling</var>, and a number
-  <var>unsafeNavigationStartTime</var>:</p>
+  a string <var>navigationType</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>, a
+  boolean <var>anonymous</var>, two <span data-x="policy container">policy containers</span>
+  <var>historyPolicyContainer</var> and <var>initiatorPolicyContainer</var>, a boolean
+  <var>allowedToDownload</var>, a boolean <var>hasTransientActivation</var>, an <span>origin</span>
+  <var>incumbentNavigationOrigin</var>, a <span>history handling behavior</span>
+  <var>historyHandling</var>, and a number <var>unsafeNavigationStartTime</var>:</p>
 
   <ol>
    <li><p>Let <var>response</var> be null.</p></li>
@@ -88350,6 +88442,7 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    data-x="navigation-params-policy-container">policy container</span> is
    <var>resultPolicyContainer</var>, <span data-x="navigation-params-sandboxing">final sandboxing
    flag set</span> is <var>finalSandboxFlags</var>, <span
+   data-x="navigation-params-anonymous">anonymous</span> is <var>anonymous</var>, <span
    data-x="navigation-params-coop">cross-origin opener policy</span> is <var>responseCOOP</var>,
    <span data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is
    <var>coopEnforcementResult</var>, <span data-x="navigation-params-reserved-environment">reserved
@@ -88399,8 +88492,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
     embedder policy">checking a navigation response's adherence to its embedder policy</span> given
     <var>response</var>, <var>browsingContext</var>, and <var>navigationParams</var>'s <span
     data-x="navigation-params-policy-container">policy container</span>'s <span
-    data-x="policy-container-embedder-policy">embedder policy</span> is false, then set
-    <var>failure</var> to true.</p>
+    data-x="policy-container-embedder-policy">embedder policy</span> and
+    <var>navigationparams</var>'s <span data-x="navigation-params-anonymous">anonymous</span> flag
+    is false, then set <var>failure</var> to true.</p>
 
     <p>Otherwise, if the result of <span data-x="check a navigation response's adherence to
     `X-Frame-Options`">checking a navigation response's adherence to
@@ -88765,7 +88859,10 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
     data-x="hh-replace">replace</code>", and <var>browsingContext</var>'s <span>active
     document</span>'s <span data-x="concept-document-origin">origin</span> is <span>same
     origin-domain</span> with <var>navigationParams</var>'s <span
-    data-x="navigation-params-origin">origin</span>, then do nothing.</p>
+    data-x="navigation-params-origin">origin</span>, and <var>browsingContext</var>'s <span>active
+    window</span>'s <span data-x="dom-window-anonymous">anonymous</span> flag matches
+    <var>navigationParams</var>'s <span data-x="navigation-params-anonymous">anonymous</span> flag,
+    then do nothing.</p>
 
     <p class="note">This means that both the <span data-x="is initial about:blank">initial
     <code>about:blank</code></span> <code>Document</code>, and the new <code>Document</code> that is
@@ -88799,7 +88896,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
       realm</span> given <var>agent</var> and the following customizations:</p>
 
       <ul>
-       <li><p>For the global object, create a new <code>Window</code> object.</p></li>
+       <li><p>For the global object, create a new <code>Window</code> object, with <code
+       data-x="attr-iframe-anonymous">anonymous</code> to <var>navigationParams</var>'s <span
+       data-x="navigation-params-anonymous">anonymous</span>.</p></li>
 
        <li><p>For the global <b>this</b> binding, use <var>browsingContext</var>'s
        <code>WindowProxy</code> object.</p></li>
@@ -123905,6 +124004,12 @@ interface <dfn interface>External</dfn> {
           <code data-x="attr-input-alt">input</code>
      <td> Replacement text for use when images are not available
      <td> <a href="#attribute-text">Text</a>*
+    <tr>
+     <th> <code data-x="">anonymous</code>
+     <td> <code data-x="attr-iframe-anonymous">iframe</code>
+     <td> Whether the <code>iframe</code>'s contents to be loaded using a new ephemeral storage
+     partition.
+     <td> <span>Boolean attribute</span>
     <tr>
      <th> <code data-x="">as</code>
      <td> <code data-x="attr-link-as">link</code>

From 4653e0e503c6b022aff2315e0d4da3c7c82e0c84 Mon Sep 17 00:00:00 2001
From: Arthur Sonzogni <arthursonzogni@chromium.org>
Date: Thu, 10 Mar 2022 14:00:14 +0100
Subject: [PATCH 2/9] Fix error about "attribute".

---
 source | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/source b/source
index 3304ea48ac0..f9297a82aed 100644
--- a/source
+++ b/source
@@ -84149,8 +84149,7 @@ interface <dfn interface>BarProp</dfn> {
    document</span>'s <span>relevant global object</span>.</p></li>
    <li><p>Return the union of:</p>
     <ul class="brief">
-     <li><p><var>parentWindow</var>'s <code attribute for="Window"
-     data-x="dom-window-anonymous">anonymous</code></p></li>
+     <li><p><var>parentWindow</var>'s <code data-x="dom-window-anonymous">anonymous</code></p></li>
      <li><p><var>embedder</var>'s <span><code>iframe</code></span>'s <code
      data-x="attr-iframe-anonymous">anonymous</code></p></li>
     </ul>

From 2ff93178501ff26e7c35434c72c03863b071305f Mon Sep 17 00:00:00 2001
From: Arthur Sonzogni <arthursonzogni@chromium.org>
Date: Thu, 17 Mar 2022 10:05:09 +0100
Subject: [PATCH 3/9] Add iframe-dom-anonymous

---
 source | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/source b/source
index f9297a82aed..9e827c64a2c 100644
--- a/source
+++ b/source
@@ -30913,6 +30913,7 @@ interface <dfn interface>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-dim-height">height</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-iframe-referrerPolicy">referrerPolicy</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-iframe-loading">loading</span>;
+  attribute boolean  <span data-x="dom-iframe-anonymous">anonymous</span>;
   readonly attribute <span>Document</span>? <span data-x="dom-iframe-contentDocument">contentDocument</span>;
   readonly attribute <span>WindowProxy</span>? <span data-x="dom-iframe-contentWindow">contentWindow</span>;
   <span>Document</span>? <span data-x="dom-media-getSVGDocument">getSVGDocument</span>();
@@ -31627,9 +31628,10 @@ interface <dfn interface>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
   data-x="dom-iframe-src">src</code></dfn>, <dfn attribute for="HTMLIFrameElement"><code
   data-x="dom-iframe-srcdoc">srcdoc</code></dfn>, <dfn attribute for="HTMLIFrameElement"><code
   data-x="dom-iframe-name">name</code></dfn>, <dfn attribute for="HTMLIFrameElement"><code
-  data-x="dom-iframe-sandbox">sandbox</code></dfn>, and <dfn attribute for="HTMLIFrameElement"><code
-  data-x="dom-iframe-allow">allow</code></dfn> must <span>reflect</span> the respective content
-  attributes of the same name.</p>
+  data-x="dom-iframe-sandbox">sandbox</code></dfn>, <dfn attribute for="HTMLIFrameElement"><code
+  data-x="dom-iframe-allow">allow</code></dfn> , and <dfn attribute for="HTMLIFrameElement"><code
+  data-x="dom-iframe-anonymous">anonymous</code></dfn> , must <span>reflect</span> the respective
+  content attributes of the same name.</p>
 
   <p>The <span data-x="concept-supported-tokens">supported tokens</span> for <code
   data-x="dom-iframe-sandbox">sandbox</code>'s <code>DOMTokenList</code> are the allowed

From 5467e4fea20b809ca16ce1ab46de121e2298f037 Mon Sep 17 00:00:00 2001
From: Arthur Sonzogni <arthursonzogni@chromium.org>
Date: Thu, 17 Mar 2022 10:07:31 +0100
Subject: [PATCH 4/9] Remove useless line.

---
 source | 1 -
 1 file changed, 1 deletion(-)

diff --git a/source b/source
index 9e827c64a2c..6720e0d22bb 100644
--- a/source
+++ b/source
@@ -2495,7 +2495,6 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x="body safely extract" data-x-href="https://fetch.spec.whatwg.org/#bodyinit-safely-extract">safely extracting a body</dfn></li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#process-response-end-of-body">processResponseConsumeBody</dfn></li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#fetch-processresponseendofbody">processResponseEndOfBody</dfn></li>
-     <li><dfn data-x-href="https://fetch.spec.whatwg.org/#network-partition-keys">network-partition-keys</dfn></li>
      <li>
       <dfn data-x="concept-response"
       data-x-href="https://fetch.spec.whatwg.org/#concept-response">response</dfn> and its

From ffa262317028493b80eb406c04c1b74fc86b112c Mon Sep 17 00:00:00 2001
From: Arthur Sonzogni <arthursonzogni@chromium.org>
Date: Thu, 17 Mar 2022 15:27:19 +0100
Subject: [PATCH 5/9] Remove double-space

---
 source | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source b/source
index 6720e0d22bb..e598c83f8e2 100644
--- a/source
+++ b/source
@@ -30912,7 +30912,7 @@ interface <dfn interface>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-dim-height">height</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-iframe-referrerPolicy">referrerPolicy</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-iframe-loading">loading</span>;
-  attribute boolean  <span data-x="dom-iframe-anonymous">anonymous</span>;
+  attribute boolean <span data-x="dom-iframe-anonymous">anonymous</span>;
   readonly attribute <span>Document</span>? <span data-x="dom-iframe-contentDocument">contentDocument</span>;
   readonly attribute <span>WindowProxy</span>? <span data-x="dom-iframe-contentWindow">contentWindow</span>;
   <span>Document</span>? <span data-x="dom-media-getSVGDocument">getSVGDocument</span>();

From bfe4abcd4ad36f07abb19552e4df44e14f71c187 Mon Sep 17 00:00:00 2001
From: Arthur Sonzogni <arthursonzogni@chromium.org>
Date: Thu, 17 Mar 2022 15:27:30 +0100
Subject: [PATCH 6/9] Revert "Remove useless line."

This reverts commit 5467e4fea20b809ca16ce1ab46de121e2298f037.
---
 source | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source b/source
index e598c83f8e2..40a8d52b704 100644
--- a/source
+++ b/source
@@ -2495,6 +2495,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x="body safely extract" data-x-href="https://fetch.spec.whatwg.org/#bodyinit-safely-extract">safely extracting a body</dfn></li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#process-response-end-of-body">processResponseConsumeBody</dfn></li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#fetch-processresponseendofbody">processResponseEndOfBody</dfn></li>
+     <li><dfn data-x-href="https://fetch.spec.whatwg.org/#network-partition-keys">network-partition-keys</dfn></li>
      <li>
       <dfn data-x="concept-response"
       data-x-href="https://fetch.spec.whatwg.org/#concept-response">response</dfn> and its

From a074a21eaab71f8f437ea755e8f6c5575887a06c Mon Sep 17 00:00:00 2001
From: Arthur Sonzogni <arthursonzogni@chromium.org>
Date: Mon, 21 Mar 2022 13:14:09 +0100
Subject: [PATCH 7/9] Add environment's partition nonce.

---
 source | 44 +++++++++++++++++++++++++++++++++-----------
 1 file changed, 33 insertions(+), 11 deletions(-)

diff --git a/source b/source
index 40a8d52b704..d0e01372359 100644
--- a/source
+++ b/source
@@ -82715,8 +82715,8 @@ interface <dfn interface>BarProp</dfn> {
   <p>To <dfn>set up a window environment settings object</dfn>, given a <span>URL</span>
   <var>creationURL</var>, a <span>JavaScript execution context</span> <var>execution context</var>,
   null or an <span>environment</span> <var>reservedEnvironment</var>, a <span>URL</span>
-  <var>topLevelCreationURL</var>, and an <span>origin</span> <var>topLevelOrigin</var>, run these
-  steps:</p>
+  <var>topLevelCreationURL</var>, an <span>origin</span> <var>topLevelOrigin</var>, and an
+  identifier <var>partitionNonce</var> run these steps:</p>
 
   <ol>
    <li><p>Let <var>realm</var> be the value of <var>execution context</var>'s Realm
@@ -82831,8 +82831,10 @@ interface <dfn interface>BarProp</dfn> {
 
    <li><p>Set <var>settings object</var>'s <span data-x="concept-environment-creation-url">creation
    URL</span> to <var>creationURL</var>, <var>settings object</var>'s <span>top-level creation
-   URL</span> to <var>topLevelCreationURL</var>, and <var>settings object</var>'s <span>top-level
-   origin</span> to <var>topLevelOrigin</var>.</p></li>
+   URL</span> to <var>topLevelCreationURL</var>, <var>settings object</var>'s <span>top-level
+   origin</span> to <var>topLevelOrigin</var>, and <var>settings object</var>'s <span
+   data-x="concept-environment-partition-nonce">partition nonce</span> to
+   <var>partitionNonce</var>.</p></li>
 
    <li><p>Set <var>realm</var>'s [[HostDefined]] field to <var>settings object</var>.</p></li>
   </ol>
@@ -87971,7 +87973,7 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
    <li><p>Let <var>anonymous</var> be the result of computing the <span
    data-x="navigation-anonymous">navigation's anonymous flag</span>, given
-   <var>browsingContext.</var></p></li>
+   <var>browsingContext</var>.</p></li>
 
    <li><p>Let <var>allowedToDownload</var> be the result of running the <span>allowed to
    download</span> algorithm given the <span>source browsing context</span> and
@@ -88229,6 +88231,10 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
    <li><p>Let <var>hasCrossOriginRedirects</var> be false.</p></li>
 
+   <li><p>If <var>anonymous</var> is true, let <var>partitionNonce</var> be
+   <var>browsingContext</var>'s <span>top-level browsing context</span>'s <span>page anonymous
+   nonce</span>, null otherwise.</p></li>
+
    <li>
     <p>While true:</p>
 
@@ -88293,8 +88299,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
         data-x="concept-environment-target-browsing-context">target browsing context</span> is
         <var>browsingContext</var>, <span data-x="concept-environment-creation-url">creation
         URL</span> is <var>currentURL</var>, <span>top-level creation URL</span> is
-        <var>topLevelCreationURL</var>, and <span>top-level origin</span> is
-        <var>topLevelOrigin</var>.</p>
+        <var>topLevelCreationURL</var>, <span>top-level origin</span> is
+        <var>topLevelOrigin</var>, and <span data-x="concept-environment-partition-nonce">partition
+        nonce</span> is <var>partitionNonce</var>.</p>
 
         <p class="note">The created environment's <span
         data-x="concept-environment-active-service-worker">active service worker</span> is set in
@@ -88926,10 +88933,15 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
       </ol>
      </li>
 
+     <li><p>If <var>navigationParams</var>'s <span
+     data-x="navigation-params-anonymous">anonymous</span> is true, let <var>partitionNonce</var> be
+     <var>browsingContext</var>'s <span>top-level browsing context</span>'s <span>page anonymous
+     nonce</span>, null otherwise.</p></li>
+
      <li><p><span>Set up a window environment settings object</span> with <var>creationURL</var>,
      <var>realm execution context</var>, <var>navigationParams</var>'s <span
      data-x="navigation-params-reserved-environment">reserved environment</span>,
-     <var>topLevelCreationURL</var>, and <var>topLevelOrigin</var>.</p></li>
+     <var>topLevelCreationURL</var>, <var>topLevelOrigin</var>, and <var>partitionNonce</var>.</p></li>
     </ol>
 
     <p class="note">This is the usual case, where the new <code>Document</code> we're about to
@@ -91245,6 +91257,11 @@ interface <dfn interface>BeforeUnloadEvent</dfn> : <span>Event</span> {
    for="environment">execution ready flag</dfn></dt>
    <dd><p>A flag that indicates whether the environment setup is done. It is initially
    unset.</p></dd>
+
+   <dt>A <dfn data-x="concept-environment-partition-nonce" export
+   for="environment">partition nonce</dfn></dt>
+   <dd><p>An identifier or null. This is used discriminate and isolate environments further. It is
+   non null for <span>anonymous Window</span></p></dd>
   </dl>
 
   <p>Specifications may define <dfn export>environment discarding steps</dfn> for environments. The
@@ -103351,6 +103368,9 @@ interface <dfn interface>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope
     Storage Partitioning</a> for the latest on properly defining this.</p>
    </li>
 
+   <li><p>Set <var>settings object</var>'s <span data-x="concept-environment-partition-nonce">partition nonce</span> to <var>outside
+   settings</var>'s <span data-x="concept-environment-partition-nonce">partition nonce</span>.</p></li>
+
    <li><p>Set <var>realm</var>'s [[HostDefined]] field to <var>settings object</var>.</p></li>
 
    <li><p>Return <var>settings object</var>.</p></li>
@@ -104497,9 +104517,11 @@ interface <dfn interface>WorkletGlobalScope</dfn> {};</code></pre>
    unique opaque string, <span data-x="concept-environment-creation-url">creation URL</span> to
    <var>inheritedAPIBaseURL</var>, <span>top-level creation URL</span> to null, <span>top-level
    origin</span> to <var>outsideSettings</var>'s <span>top-level origin</span>, <span
-   data-x="concept-environment-target-browsing-context">target browsing context</span> to null, and
-   <span data-x="concept-environment-active-service-worker">active service worker</span> to
-   null.</p></li>
+   data-x="concept-environment-partition-nonce">partition nonce</span> to
+   <var>outsideSettings</var>'s <span data-x="concept-environment-partition-nonce">partition
+   nonce</span>,<span data-x="concept-environment-target-browsing-context">target browsing
+   context</span> to null, and <span data-x="concept-environment-active-service-worker">active
+   service worker</span> to null.</p></li>
 
    <li><p>Set <var>realm</var>'s [[HostDefined]] field to <var>settingsObject</var>.</p></li>
 

From 04f0b2a38d9fe379b6e834ba9d13767f15fbb3a7 Mon Sep 17 00:00:00 2001
From: Arthur Sonzogni <arthursonzogni@chromium.org>
Date: Mon, 21 Mar 2022 13:43:57 +0100
Subject: [PATCH 8/9] Minor nits.

---
 source | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/source b/source
index d0e01372359..daa020f07e3 100644
--- a/source
+++ b/source
@@ -82833,8 +82833,7 @@ interface <dfn interface>BarProp</dfn> {
    URL</span> to <var>creationURL</var>, <var>settings object</var>'s <span>top-level creation
    URL</span> to <var>topLevelCreationURL</var>, <var>settings object</var>'s <span>top-level
    origin</span> to <var>topLevelOrigin</var>, and <var>settings object</var>'s <span
-   data-x="concept-environment-partition-nonce">partition nonce</span> to
-   <var>partitionNonce</var>.</p></li>
+   for="environment">partition nonce</span> to <var>partitionNonce</var>.</p></li>
 
    <li><p>Set <var>realm</var>'s [[HostDefined]] field to <var>settings object</var>.</p></li>
   </ol>
@@ -88300,8 +88299,8 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
         <var>browsingContext</var>, <span data-x="concept-environment-creation-url">creation
         URL</span> is <var>currentURL</var>, <span>top-level creation URL</span> is
         <var>topLevelCreationURL</var>, <span>top-level origin</span> is
-        <var>topLevelOrigin</var>, and <span data-x="concept-environment-partition-nonce">partition
-        nonce</span> is <var>partitionNonce</var>.</p>
+        <var>topLevelOrigin</var>, and <span for="environment">partition nonce</span> is
+        <var>partitionNonce</var>.</p>
 
         <p class="note">The created environment's <span
         data-x="concept-environment-active-service-worker">active service worker</span> is set in
@@ -91258,10 +91257,9 @@ interface <dfn interface>BeforeUnloadEvent</dfn> : <span>Event</span> {
    <dd><p>A flag that indicates whether the environment setup is done. It is initially
    unset.</p></dd>
 
-   <dt>A <dfn data-x="concept-environment-partition-nonce" export
-   for="environment">partition nonce</dfn></dt>
-   <dd><p>An identifier or null. This is used discriminate and isolate environments further. It is
-   non null for <span>anonymous Window</span></p></dd>
+   <dt>A <dfn export for="environment">partition nonce</dfn></dt>
+   <dd><p>An identifier or null. This is used discriminate and isolate environments further. Among
+   others, it is non null for <span>anonymous Window</span></p></dd>
   </dl>
 
   <p>Specifications may define <dfn export>environment discarding steps</dfn> for environments. The
@@ -103368,8 +103366,8 @@ interface <dfn interface>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope
     Storage Partitioning</a> for the latest on properly defining this.</p>
    </li>
 
-   <li><p>Set <var>settings object</var>'s <span data-x="concept-environment-partition-nonce">partition nonce</span> to <var>outside
-   settings</var>'s <span data-x="concept-environment-partition-nonce">partition nonce</span>.</p></li>
+   <li><p>Set <var>settings object</var>'s <span for="environment">partition nonce</span> to
+   <var>outside settings</var>'s <span for="environment">partition nonce</span>.</p></li>
 
    <li><p>Set <var>realm</var>'s [[HostDefined]] field to <var>settings object</var>.</p></li>
 
@@ -104517,11 +104515,11 @@ interface <dfn interface>WorkletGlobalScope</dfn> {};</code></pre>
    unique opaque string, <span data-x="concept-environment-creation-url">creation URL</span> to
    <var>inheritedAPIBaseURL</var>, <span>top-level creation URL</span> to null, <span>top-level
    origin</span> to <var>outsideSettings</var>'s <span>top-level origin</span>, <span
-   data-x="concept-environment-partition-nonce">partition nonce</span> to
-   <var>outsideSettings</var>'s <span data-x="concept-environment-partition-nonce">partition
-   nonce</span>,<span data-x="concept-environment-target-browsing-context">target browsing
-   context</span> to null, and <span data-x="concept-environment-active-service-worker">active
-   service worker</span> to null.</p></li>
+   for="environment">partition nonce</span> to <var>outsideSettings</var>'s <span
+   for="environment">partition nonce</span>,<span
+   data-x="concept-environment-target-browsing-context">target browsing context</span> to null, and
+   <span data-x="concept-environment-active-service-worker">active service worker</span> to
+   null.</p></li>
 
    <li><p>Set <var>realm</var>'s [[HostDefined]] field to <var>settingsObject</var>.</p></li>
 

From af2cfacd3002722be6b2395d7a5471bd3923ee31 Mon Sep 17 00:00:00 2001
From: Arthur Sonzogni <arthursonzogni@chromium.org>
Date: Thu, 24 Nov 2022 15:32:56 +0100
Subject: [PATCH 9/9] Rename it into credentialless iframe.

---
 source | 149 ++++++++++++++++++++++++++++++---------------------------
 1 file changed, 78 insertions(+), 71 deletions(-)

diff --git a/source b/source
index daa020f07e3..4a1efaaf0bc 100644
--- a/source
+++ b/source
@@ -30892,7 +30892,7 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></code></pre>
    <dd><code data-x="attr-dim-height">height</code></dd>
    <dd><code data-x="attr-iframe-referrerpolicy">referrerpolicy</code></dd>
    <dd><code data-x="attr-iframe-loading">loading</code></dd>
-   <dd><code data-x="attr-iframe-anonymous">anonymous</code></dd>
+   <dd><code data-x="attr-iframe-credentialless">credentialless</code></dd>
    <dt><span
    data-x="concept-element-accessibility-considerations">Accessibility considerations</span>:</dt>
    <dd><a href="https://w3c.github.io/html-aria/#el-iframe">For authors</a>.</dd>
@@ -30913,7 +30913,7 @@ interface <dfn interface>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-dim-height">height</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-iframe-referrerPolicy">referrerPolicy</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-iframe-loading">loading</span>;
-  attribute boolean <span data-x="dom-iframe-anonymous">anonymous</span>;
+  attribute boolean <span data-x="dom-iframe-credentialless">credentialless</span>;
   readonly attribute <span>Document</span>? <span data-x="dom-iframe-contentDocument">contentDocument</span>;
   readonly attribute <span>WindowProxy</span>? <span data-x="dom-iframe-contentWindow">contentWindow</span>;
   <span>Document</span>? <span data-x="dom-media-getSVGDocument">getSVGDocument</span>();
@@ -31604,9 +31604,10 @@ interface <dfn interface>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
    <li><p>Invoke <var>resumptionSteps</var>.</p></li>
   </ol>
 
-  <hr> <!-- ANONYMOUS ATTRIBUTE -->
+  <hr> <!-- CREDENTIALLESS ATTRIBUTE -->
 
-  <p>The <dfn element-attr for="iframe"><code data-x="attr-iframe-anonymous">anonymous</code></dfn>
+  <p>The <dfn element-attr for="iframe"><code
+  data-x="attr-iframe-credentialless">credentialless</code></dfn>
   attribute, enables loading documents hosted by the <code>iframe</code> with a new and ephemeral
   storage partition. It is a boolean value. The default is false.</p>
 
@@ -31630,8 +31631,8 @@ interface <dfn interface>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
   data-x="dom-iframe-name">name</code></dfn>, <dfn attribute for="HTMLIFrameElement"><code
   data-x="dom-iframe-sandbox">sandbox</code></dfn>, <dfn attribute for="HTMLIFrameElement"><code
   data-x="dom-iframe-allow">allow</code></dfn> , and <dfn attribute for="HTMLIFrameElement"><code
-  data-x="dom-iframe-anonymous">anonymous</code></dfn> , must <span>reflect</span> the respective
-  content attributes of the same name.</p>
+  data-x="dom-iframe-credentialless">credentialless</code></dfn> , must <span>reflect</span> the
+  respective content attributes of the same name.</p>
 
   <p>The <span data-x="concept-supported-tokens">supported tokens</span> for <code
   data-x="dom-iframe-sandbox">sandbox</code>'s <code>DOMTokenList</code> are the allowed
@@ -80372,8 +80373,8 @@ popup4.close();</code></pre></div>
    <li><p>Let <var>sandboxFlags</var> be the result of <span>determining the creation sandboxing
    flags</span> given <var>browsingContext</var> and <var>embedder</var>.</p></li>
 
-   <li><p>Let <var>anonymous</var> be the result of determining the <span
-   data-x="initial-window-anonymous">initial window anonymous</span> flag, given
+   <li><p>Let <var>credentialless</var> be the result of determining the <span
+   data-x="initial-window-credentialless">initial window credentialless</span> flag, given
    <var>browsingContext</var>.</p></li>
 
    <!--
@@ -80401,7 +80402,8 @@ popup4.close();</code></pre></div>
 
     <ul>
      <li><p>For the global object, create a new <code>Window</code> object, with <code
-     data-x="attr-iframe-anonymous">anonymous</code> set to <var>anonymous</var>.</p></li>
+     data-x="attr-iframe-credentialless">credentialless</code> set to
+     <var>credentialless</var>.</p></li>
 
      <li><p>For the global <b>this</b> binding, use <var>browsingContext</var>'s
      <code>WindowProxy</code> object.</li>
@@ -81776,7 +81778,7 @@ interface <dfn interface>Window</dfn> : <span>EventTarget</span> {
   attribute DOMString <span data-x="dom-window-status">status</span>;
   undefined <span data-x="dom-window-close">close</span>();
   readonly attribute boolean <span data-x="dom-window-closed">closed</span>;
-  readonly attribute boolean <span data-x="dom-window-anonymous">anonymous</span>;
+  readonly attribute boolean <span data-x="dom-window-credentialless">credentialless</span>;
   undefined <span data-x="dom-window-stop">stop</span>();
   undefined <span data-x="dom-window-focus">focus</span>();
   undefined <span data-x="dom-window-blur">blur</span>();
@@ -81976,8 +81978,9 @@ dictionary <dfn dictionary>WindowPostMessageOptions</dfn> : <span>StructuredSeri
 
    <li><p>If <var>noreferrer</var> is true, then set <var>noopener</var> to true.</p></li>
 
-   <li><p>If <span>entry global object</span>'s <span data-x="dom-window-anonymous">anonymous</span>
-   flag is true, then set <var>noopener</var> to true.</p></li>
+   <li><p>If <span>entry global object</span>'s <span
+   data-x="dom-window-credentialless">credentialless</span> flag is true, then set
+   <var>noopener</var> to true.</p></li>
 
    <li>
     <p>Let <var>target browsing context</var> and <var>windowType</var> be the result of applying
@@ -84130,19 +84133,19 @@ interface <dfn interface>BarProp</dfn> {
 
 
 
-  <h3>Anonymous iframe</h3>
+  <h3>Iframe credentialless</h3>
 
   <p>Each <code>iframe</code> element has a mutable <code
-  data-x="attr-iframe-anonymous">anonymous</code> flag attribute.</p>
+  data-x="attr-iframe-credentialless">credentialless</code> flag attribute.</p>
 
   <p>Each <code>Window</code> has a constant <dfn attribute for="Window"
-  data-x="dom-window-anonymous"><code>anonymous</code></dfn> flag.</p>
+  data-x="dom-window-credentialless"><code>credentialless</code></dfn> flag.</p>
 
-  <p>An <dfn>anonymous Window</dfn> is a <code>Window</code>, whose <code
-  data-x="dom-window-anonymous">anonymous</code> flag is true.</p>
+  <p>A <dfn>credentialless Window</dfn> is a <code>Window</code>, whose <code
+  data-x="dom-window-credentialless">credentialless</code> flag is true.</p>
 
-  <p>To compute the <dfn data-x="initial-window-anonymous">initial window anonymous flag</dfn>,
-  given a new <span data-x="concept-document-bc">browsing context</span> <var>browsing
+  <p>To compute the <dfn data-x="initial-window-credentialless">initial window credentialless
+  flag</dfn>, given a new <span data-x="concept-document-bc">browsing context</span> <var>browsing
   context</var>:</p>
   <ol class="brief">
    <li><p>Set <var>embedder</var> be <var>browsing context</var>'s <span
@@ -84152,41 +84155,43 @@ interface <dfn interface>BarProp</dfn> {
    document</span>'s <span>relevant global object</span>.</p></li>
    <li><p>Return the union of:</p>
     <ul class="brief">
-     <li><p><var>parentWindow</var>'s <code data-x="dom-window-anonymous">anonymous</code></p></li>
+     <li><p><var>parentWindow</var>'s <code
+     data-x="dom-window-credentialless">credentialless</code></p></li>
      <li><p><var>embedder</var>'s <span><code>iframe</code></span>'s <code
-     data-x="attr-iframe-anonymous">anonymous</code></p></li>
+     data-x="attr-iframe-credentialless">credentialless</code></p></li>
     </ul>
    </li>
   </ol>
 
-  <p>To compute the <dfn data-x="navigation-anonymous">navigation's anonymous flag</dfn>,
+  <p>To compute the <dfn data-x="navigation-credentialless">navigation's credentialless flag</dfn>,
   given <span data-x="concept-document-bc">browsing context</span> <var>browsing
   context</var>, follows the same steps as in the <span
-  data-x="initial-window-anonymous">initial window anonymous flag</span> algorithm.</p>
+  data-x="initial-window-credentialless">initial window credentialless flag</span> algorithm.</p>
 
-  <p class="note">New <code>Window</code>'s <code data-x="dom-window-anonymous">anonymous</code>
-  flag is computed either from the <span data-x="initial-window-anonymous">initial window anonymous
-  flag</span> algorithm for new <span data-x="concept-document-bc">browsing context</span>, or from
-  the <span data-x="navigation-anonymous">navigation's anonymous flag</span> algorithm, executed
-  when the navigation started, for navigations inside pre-existing <span
-  data-x="concept-document-bc">browsing context</span>.</p>
+  <p class="note">New <code>Window</code>'s <code data-x="dom-window-credentialless">credentialless</code>
+  flag is computed either from the <span data-x="initial-window-credentialless">initial window
+  credentialless flag</span> algorithm for new <span data-x="concept-document-bc">browsing
+  context</span>, or from the <span data-x="navigation-credentialless">navigation's credentialless
+  flag</span> algorithm, executed when the navigation started, for navigations inside pre-existing
+  <span data-x="concept-document-bc">browsing context</span>.</p>
 
-  <p class="note">Popup opened from <span>anonymous Window</span> are always with 'noopener' set</p>
+  <p class="note">Popup opened from <span>credentialless Window</span> are always with 'noopener'
+  set</p>
 
-  <p class="note">Top-level <span>anonymous Window</span> do not exist.</p>
+  <p class="note">Top-level <span>credentialless Window</span> do not exist.</p>
 
-  <p>Each top-level <span>Window</span> has an associated <dfn export>page anonymous nonce</dfn>. It
-  is an immutable nonce ("number used once").</p>
+  <p>Each top-level <span>Window</span> has an associated <dfn export>page credentialless
+  nonce</dfn>. It is an immutable nonce ("number used once").</p>
 
-  <p class="XXX">The <span>page anonymous nonce</span> is meant to be used for <span>anonymous
-  Window</span> as a key in <span>network-partition-keys</span>, storage-partition-keys, and
-  cookie-partition-keys for <span>anonymous Window</span>. See <a
+  <p class="XXX">The <span>page credentialless nonce</span> is meant to be used for
+  <span>credentialless Window</span> as a key in <span>network-partition-keys</span>,
+  storage-partition-keys, and cookie-partition-keys for <span>credentialless Window</span>. See <a
   href="https://github.com/whatwg/fetch/issues/904">Network state partitionning</a>, <a
   href="https://privacycg.github.io/storage-partitioning/">Client-Side Storage Partitioning</a>, and
   <a href="https://github.com/WICG/CHIPS">CHIPS (Cookies Having Independant Partitioned
   State</a>.</p>
 
-  <p><dfn>Autofill and anonymous iframe</dfn>: User agents sometimes have features for helping users
+  <p><dfn>Autofill and iframe credentialless</dfn>: User agents sometimes have features for helping users
   fill forms in: for example prefilling the user's address, password, or payment informations. User
   agents must disable those features when the data is both specific to the user and to the website.
   </p>
@@ -85566,7 +85571,7 @@ interface <dfn interface>BarProp</dfn> {
   <p>To <dfn>check a navigation response's adherence to its embedder policy</dfn> given a <span
   data-x="concept-response">response</span> <var>response</var>, a <span>browsing context</span>
   <var>target</var>, an <span>embedder policy</span> <var>responsePolicy</var>, and a boolean
-  <var>anonymous</var>:</p>
+  <var>credentialless</var>:</p>
 
   <ol>
    <li><p>If <var>target</var> is not a <span>child browsing context</span>, then return
@@ -85580,7 +85585,7 @@ interface <dfn interface>BarProp</dfn> {
    <li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-report-only-value">report-only
    value</span> is <span>compatible with cross-origin isolation</span> and
    <var>responsePolicy</var>'s <span data-x="embedder-policy-value">value</span> is not, and
-   <var>anonymous</var> is false, then <span>queue a cross-origin embedder policy inheritance
+   <var>credentialless</var> is false, then <span>queue a cross-origin embedder policy inheritance
    violation</span> with <var>response</var>, "<code data-x="">navigation</code>",
    <var>parentPolicy</var>'s <span data-x="embedder-policy-report-only-reporting-endpoint">report
    only reporting endpoint</span>, "<code data-x="">reporting</code>", and <var>target</var>'s <span
@@ -85590,7 +85595,7 @@ interface <dfn interface>BarProp</dfn> {
    <li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-value">value</span> is not
    <span>compatible with cross-origin isolation</span> or <var>responsePolicy</var>'s <span
    data-x="embedder-policy-value">value</span> is <span>compatible with cross-origin
-   isolation</span>, or <var>anonymous</var> is true, then return true.</p></li>
+   isolation</span>, or <var>credentialless</var> is true, then return true.</p></li>
 
    <li><p><span>Queue a cross-origin embedder policy inheritance violation</span> with
    <var>response</var>, "<code data-x="">navigation</code>", <var>parentPolicy</var>'s <span
@@ -87715,8 +87720,8 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    <dt><dfn data-x="navigation-params-sandboxing">final sandboxing flag set</dfn></dt>
    <dd>a <span>sandboxing flag set</span> to impose on the new <code>Document</code></dd>
 
-   <dt><dfn data-x="navigation-params-anonymous">anonymous</dfn></dt>
-   <dd>The anonymous flag to impose on the new <code>Window</code></dd>
+   <dt><dfn data-x="navigation-params-credentialless">credentialless</dfn></dt>
+   <dd>The credentialless flag to impose on the new <code>Window</code></dd>
 
    <dt><dfn data-x="navigation-params-coop">cross-origin opener policy</dfn></dt>
    <dd>a <span>cross-origin opener policy</span> to use for the new <code>Document</code></dd>
@@ -87970,8 +87975,8 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    flags</span> given <var>browsingContext</var> and <var>browsingContext</var>'s <span
    data-x="bc-container">container</span>.</p></li>
 
-   <li><p>Let <var>anonymous</var> be the result of computing the <span
-   data-x="navigation-anonymous">navigation's anonymous flag</span>, given
+   <li><p>Let <var>credentialless</var> be the result of computing the <span
+   data-x="navigation-credentialless">navigation's credentialless flag</span>, given
    <var>browsingContext</var>.</p></li>
 
    <li><p>Let <var>allowedToDownload</var> be the result of running the <span>allowed to
@@ -88044,8 +88049,8 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
        data-x="navigation-params-policy-container">policy container</span> is
        <var>policyContainer</var>, <span data-x="navigation-params-sandboxing">final sandboxing
        flag set</span> is <var>finalSandboxFlags</var>, <span
-       data-x="navigation-params-anonymous">anonymous</span> is <var>anonymous</var>, <span
-       data-x="navigation-params-coop">cross-origin opener policy</span> is <var>coop</var>,
+       data-x="navigation-params-credentialless">credentialless</span> is <var>credentialless</var>,
+       <span data-x="navigation-params-coop">cross-origin opener policy</span> is <var>coop</var>,
        <span data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is
        <var>coopEnforcementResult</var>, <span
        data-x="navigation-params-reserved-environment">reserved environment</span> is null, <span
@@ -88102,8 +88107,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
        data-x="navigation-params-policy-container">policy container</span> is
        <var>browsingContext</var>'s <span>active document</span>'s <span>policy container</span>,
        <span data-x="navigation-params-sandboxing">final sandboxing flag set</span> is
-       <var>finalSandboxFlags</var>, <span data-x="navigation-params-anonymous">anonymous</span> is
-       <var>anonymous</var>, <span data-x="navigation-params-coop">cross-origin opener policy</span>
+       <var>finalSandboxFlags</var>, <span
+       data-x="navigation-params-credentialless">credentialless</span> is <var>credentialless</var>,
+       <span data-x="navigation-params-coop">cross-origin opener policy</span>
        is <var>browsingContext</var>'s <span>active document</span>'s <span
        data-x="concept-document-coop">cross-origin opener policy</span>, <span
        data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is
@@ -88139,7 +88145,7 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
      <dd><p>Run <span>process a navigate fetch</span> given <var>navigationId</var>,
      <var>resource</var>, the <span>source browsing context</span>, <var>browsingContext</var>,
-     <var>navigationType</var>, <var>sandboxFlags</var>, <var>anonymous</var>,
+     <var>navigationType</var>, <var>sandboxFlags</var>, <var>credentialless</var>,
      <var>historyPolicyContainer</var>, <var>initiatorPolicyContainer</var>,
      <var>allowedToDownload</var>, <var>hasTransientActivation</var>,
      <var>incumbentNavigationOrigin</var>, <var>historyHandling</var>, and
@@ -88161,7 +88167,7 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
   data-x="concept-request">request</span> <var>request</var>, two <span data-x="browsing
   context">browsing contexts</span> <var>sourceBrowsingContext</var> and <var>browsingContext</var>,
   a string <var>navigationType</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>, a
-  boolean <var>anonymous</var>, two <span data-x="policy container">policy containers</span>
+  boolean <var>credentialless</var>, two <span data-x="policy container">policy containers</span>
   <var>historyPolicyContainer</var> and <var>initiatorPolicyContainer</var>, a boolean
   <var>allowedToDownload</var>, a boolean <var>hasTransientActivation</var>, an <span>origin</span>
   <var>incumbentNavigationOrigin</var>, a <span>history handling behavior</span>
@@ -88230,8 +88236,8 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
    <li><p>Let <var>hasCrossOriginRedirects</var> be false.</p></li>
 
-   <li><p>If <var>anonymous</var> is true, let <var>partitionNonce</var> be
-   <var>browsingContext</var>'s <span>top-level browsing context</span>'s <span>page anonymous
+   <li><p>If <var>credentialless</var> is true, let <var>partitionNonce</var> be
+   <var>browsingContext</var>'s <span>top-level browsing context</span>'s <span>page credentialless
    nonce</span>, null otherwise.</p></li>
 
    <li>
@@ -88449,12 +88455,12 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    data-x="navigation-params-policy-container">policy container</span> is
    <var>resultPolicyContainer</var>, <span data-x="navigation-params-sandboxing">final sandboxing
    flag set</span> is <var>finalSandboxFlags</var>, <span
-   data-x="navigation-params-anonymous">anonymous</span> is <var>anonymous</var>, <span
-   data-x="navigation-params-coop">cross-origin opener policy</span> is <var>responseCOOP</var>,
-   <span data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is
-   <var>coopEnforcementResult</var>, <span data-x="navigation-params-reserved-environment">reserved
-   environment</span> is <var>request</var>'s <span
-   data-x="concept-request-reserved-client">reserved client</span>, <span
+   data-x="navigation-params-credentialless">credentialless</span> is <var>credentialless</var>,
+   <span data-x="navigation-params-coop">cross-origin opener policy</span> is
+   <var>responseCOOP</var>, <span data-x="navigation-params-coop-enforcement-result">COOP
+   enforcement result</span> is <var>coopEnforcementResult</var>, <span
+   data-x="navigation-params-reserved-environment">reserved environment</span> is
+   <var>request</var>'s <span data-x="concept-request-reserved-client">reserved client</span>, <span
    data-x="navigation-params-browsing-context">browsing context</span> is
    <var>browsingContext</var>, <span data-x="navigation-params-hh">history handling</span> is
    <var>historyHandling</var>,
@@ -88500,8 +88506,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
     <var>response</var>, <var>browsingContext</var>, and <var>navigationParams</var>'s <span
     data-x="navigation-params-policy-container">policy container</span>'s <span
     data-x="policy-container-embedder-policy">embedder policy</span> and
-    <var>navigationparams</var>'s <span data-x="navigation-params-anonymous">anonymous</span> flag
-    is false, then set <var>failure</var> to true.</p>
+    <var>navigationparams</var>'s <span
+    data-x="navigation-params-credentialless">credentialless</span> flag is false, then set
+    <var>failure</var> to true.</p>
 
     <p>Otherwise, if the result of <span data-x="check a navigation response's adherence to
     `X-Frame-Options`">checking a navigation response's adherence to
@@ -88867,9 +88874,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
     document</span>'s <span data-x="concept-document-origin">origin</span> is <span>same
     origin-domain</span> with <var>navigationParams</var>'s <span
     data-x="navigation-params-origin">origin</span>, and <var>browsingContext</var>'s <span>active
-    window</span>'s <span data-x="dom-window-anonymous">anonymous</span> flag matches
-    <var>navigationParams</var>'s <span data-x="navigation-params-anonymous">anonymous</span> flag,
-    then do nothing.</p>
+    window</span>'s <span data-x="dom-window-credentialless">credentialless</span> flag matches
+    <var>navigationParams</var>'s <span
+    data-x="navigation-params-credentialless">credentialless</span> flag, then do nothing.</p>
 
     <p class="note">This means that both the <span data-x="is initial about:blank">initial
     <code>about:blank</code></span> <code>Document</code>, and the new <code>Document</code> that is
@@ -88904,8 +88911,8 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
       <ul>
        <li><p>For the global object, create a new <code>Window</code> object, with <code
-       data-x="attr-iframe-anonymous">anonymous</code> to <var>navigationParams</var>'s <span
-       data-x="navigation-params-anonymous">anonymous</span>.</p></li>
+       data-x="attr-iframe-credentialless">credentialless</code> to <var>navigationParams</var>'s
+       <span data-x="navigation-params-credentialless">credentialless</span>.</p></li>
 
        <li><p>For the global <b>this</b> binding, use <var>browsingContext</var>'s
        <code>WindowProxy</code> object.</p></li>
@@ -88933,9 +88940,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
      </li>
 
      <li><p>If <var>navigationParams</var>'s <span
-     data-x="navigation-params-anonymous">anonymous</span> is true, let <var>partitionNonce</var> be
-     <var>browsingContext</var>'s <span>top-level browsing context</span>'s <span>page anonymous
-     nonce</span>, null otherwise.</p></li>
+     data-x="navigation-params-credentialless">credentialless</span> is true, let
+     <var>partitionNonce</var> be <var>browsingContext</var>'s <span>top-level browsing
+     context</span>'s <span>page credentialless nonce</span>, null otherwise.</p></li>
 
      <li><p><span>Set up a window environment settings object</span> with <var>creationURL</var>,
      <var>realm execution context</var>, <var>navigationParams</var>'s <span
@@ -91259,7 +91266,7 @@ interface <dfn interface>BeforeUnloadEvent</dfn> : <span>Event</span> {
 
    <dt>A <dfn export for="environment">partition nonce</dfn></dt>
    <dd><p>An identifier or null. This is used discriminate and isolate environments further. Among
-   others, it is non null for <span>anonymous Window</span></p></dd>
+   others, it is non null for <span>credentialless Window</span></p></dd>
   </dl>
 
   <p>Specifications may define <dfn export>environment discarding steps</dfn> for environments. The
@@ -124026,8 +124033,8 @@ interface <dfn interface>External</dfn> {
      <td> Replacement text for use when images are not available
      <td> <a href="#attribute-text">Text</a>*
     <tr>
-     <th> <code data-x="">anonymous</code>
-     <td> <code data-x="attr-iframe-anonymous">iframe</code>
+     <th> <code data-x="">credentialless</code>
+     <td> <code data-x="attr-iframe-credentialless">iframe</code>
      <td> Whether the <code>iframe</code>'s contents to be loaded using a new ephemeral storage
      partition.
      <td> <span>Boolean attribute</span>