From a31a802713844b394fdf650bf5309d064bf210ec Mon Sep 17 00:00:00 2001
From: clamy <clamy@chromium.org>
Date: Mon, 4 May 2020 16:39:04 +0200
Subject: [PATCH] Add the Cross-Origin-Opener-Policy header

Fixes #3740. Closes #4580.

Need to check again if it closes them:

* #4921
* #5168
* #5172
* #5198 (probably not?)

Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
---
 source | 438 +++++++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 398 insertions(+), 40 deletions(-)

diff --git a/source b/source
index d252657c301..78578b50620 100644
--- a/source
+++ b/source
@@ -2455,6 +2455,14 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li>`<dfn data-x="http-link" data-x-href="https://tools.ietf.org/html/rfc8288#section-3"><code>Link</code></dfn>` header</li>
     </ul>
 
+    <p>The following terms are defined in <cite>Structured Field Values for HTTP</cite>: <ref
+    spec=STRUCTURED-HEADERS></p>
+
+    <ul class="brief">
+     <li><dfn data-x="http-structured-header" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html">structured header</dfn></li>
+     <li><dfn data-x="http-structured-header-token" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html#token">structured header tokens</dfn></li>
+    </ul>
+
     <p>The following terms are defined in <cite>MIME Sniffing</cite>: <ref spec=MIMESNIFF></p>
 
     <ul class="brief">
@@ -2506,6 +2514,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
        <li><dfn data-x="concept-response-url-list" data-x-href="https://fetch.spec.whatwg.org/#concept-response-url-list">url list</dfn></li>
        <li><dfn data-x="concept-response-status" data-x-href="https://fetch.spec.whatwg.org/#concept-response-status">status</dfn></li>
        <li><dfn data-x="concept-response-header-list" data-x-href="https://fetch.spec.whatwg.org/#concept-response-header-list">header list</dfn></li>
+       <li><dfn data-x="concept-response-header-list-get-structured-header" data-x-href="https://fetch.spec.whatwg.org/#concept-header-list-get-structured-header">getting a structured header</dfn></li>
        <li><dfn data-x="concept-response-body" data-x-href="https://fetch.spec.whatwg.org/#concept-response-body">body</dfn></li>
        <li><dfn data-x="concept-internal-response" data-x-href="https://fetch.spec.whatwg.org/#concept-internal-response">internal response</dfn></li>
        <li><dfn data-x="concept-response-csp-list" data-x-href="https://fetch.spec.whatwg.org/#concept-response-csp-list">CSP list</dfn></li>
@@ -3797,11 +3806,12 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
    <dt>Secure Contexts</dt>
 
    <dd>
-    <p>The following algorithm is defined in <cite>Secure Contexts</cite>: <ref
+    <p>The following algorithms are defined in <cite>Secure Contexts</cite>: <ref
     spec="SECURE-CONTEXTS"></p>
 
     <ul class="brief">
      <li><dfn data-x-href="https://w3c.github.io/webappsec-secure-contexts/#settings-object">Is environment settings object a secure context?</dfn></li>
+     <li><dfn data-x-href="https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-url">Is url potentially trustworthy?</dfn></li>
     </ul>
    </dd>
 
@@ -3915,7 +3925,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
    <dt>Cooperative Scheduling of Background Tasks</dt>
 
    <dd>
-    <p>The following features is defined in <cite>Cooperative Scheduling of Background Tasks</cite>:
+    <p>The following features are defined in <cite>Cooperative Scheduling of Background Tasks</cite>:
     <ref spec=REQUESTIDLECALLBACK></p>
 
     <ul class="brief">
@@ -3923,6 +3933,19 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x-href="https://w3c.github.io/requestidlecallback/#start-an-idle-period-algorithm">start an idle period algorithm</dfn></li>
     </ul>
    </dd>
+
+   <dt>Cross-Origin Embedder Policy</dt>
+
+   <dd>
+    <p>The following features are defined in <cite>Cross-Origin Embedder Policy</cite>: <ref
+    spec=COEP></p>
+
+    <ul class="brief">
+     <li>`<dfn data-x-href="https://wicg.github.io/cross-origin-embedder-policy/#http-headerdef-cross-origin-embedder-policy"><code>Cross-Origin-Embedder-Policy</code></dfn>` header</li>
+     <li><dfn data-x="obtain-cross-origin-embedder-policy" data-x-href="https://wicg.github.io/cross-origin-embedder-policy/#abstract-opdef-obtain-a-responses-embedder-policy">obtain a response's embedder policy</dfn></li>
+    </ul>
+   </dd>
+
   </dl>
 
   <hr>
@@ -9013,9 +9036,12 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
   data-dfn-for="Document">feature policy</dfn>, which is a <span
   data-x="concept-feature-policy">feature policy</span>, which is initially empty.</p>
 
-  <p>The <code>Document</code> has a <dfn data-dfn-for="Document"
-  data-x="concept-document-module-map">module map</dfn>, which is a <span>module map</span>,
-  initially empty.</p>
+  <p>The <code>Document</code> has a <dfn data-x="concept-document-module-map">module map</dfn>,
+  which is a <span>module map</span>, initially empty.</p>
+
+  <p>The <code>Document</code> has a <dfn data-x="concept-document-coop">cross-origin opener
+  policy</dfn>, which is a <span>cross-origin opener policy</span>, initially "<code
+  data-x="coop-unsafe-none">unsafe-none</code>".</p>
 
   <h4>The <code>DocumentOrShadowRoot</code> interface</h4>
 
@@ -76617,13 +76643,23 @@ popup4.close();</code></pre></div>
    settings object">setting up a window environment settings object</span> with <var>realm execution
    context</var>, null, <var>topLevelCreationURL</var>, and <var>topLevelOrigin</var>.</p></li>
 
+   <li><p>Let <var>coop</var> be "<code data-x="coop-unsafe-none">unsafe-none</code>".</p></li>
+
+   <li><p>If <var>creator</var> is non-null and <var>creator</var>'s <span>origin</span> is
+   <span>same origin</span> with <var>creator</var>'s <span>relevant settings object</span>'s
+   <span>top-level origin</span>, then set <var>coop</var> to <var>creator</var>'s <span
+   data-x="concept-document-bc">browsing context</span>'s <span>top-level browsing context</span>'s
+   <span>active document</span>'s <span data-x="concept-document-coop">cross-origin opener
+   policy</span>.</p></li>
+
    <li><p>Let <var>document</var> be a new <code>Document</code>, marked as an <span data-x="HTML
    documents">HTML document</span> in <span>quirks mode</span>, whose <span
    data-x="concept-document-content-type">content type</span> is "<code data-x="">text/html</code>",
    <span>origin</span> is <var>origin</var>, <span>active sandboxing flag set</span> is
    <var>sandboxFlags</var>, <span data-x="concept-document-feature-policy">feature policy</span> is
-   <var>feature policy</var>, and which is both <span>ready for post-load tasks</span> and
-   <span>completely loaded</span> immediately.</p></li>
+   <var>feature policy</var>, <span data-x="concept-document-coop">cross-origin opener policy</span>
+   is <var>coop</var>, and which is both <span>ready for post-load tasks</span> and <span>completely
+   loaded</span> immediately.</p></li>
 
    <li><p>Ensure that <var>document</var> has a single child <code>html</code> node, which itself
    has two empty child nodes: a <code>head</code> element, and a <code>body</code> element.</p></li>
@@ -77169,6 +77205,13 @@ console.assert(iframeWindow.frameElement === null);
   keys</span> to <span data-x="agent cluster">agent clusters</span>). User agents are responsible
   for collecting agent clusters when it is deemed that nothing can access them anymore.</p>
 
+  <p>A <span>browsing context group</span> has a <dfn data-x="bcg cross-origin
+  isolated">cross-origin isolated</dfn> boolean. It is initially false.</p>
+
+  <p class="XXX">The impact of <span data-x="bcg cross-origin isolated">cross-origin
+  isolated</span> is under discussion in <a href="https://github.com/whatwg/html/pull/4734">issue
+  #4734</a>.</p>
+
   <p>To <dfn data-x="creating a new browsing context group">create a new browsing context
   group</dfn>, run these steps:</p>
 
@@ -77467,6 +77510,29 @@ console.assert(iframeWindow.frameElement === null);
 
      <dd>
       <ol>
+       <li>
+        <p>If <var>current</var>'s <span>top-level browsing context</span>'s <span>active
+        document</span>'s <span data-x="concept-document-coop">cross-origin opener policy</span> is
+        "<code data-x="coop-same-origin">same-origin</code>" or "<code
+        data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>", then:</p>
+
+        <ol>
+         <li><p>Let <var>currentDocument</var> be <var>current</var>'s <span>active
+         document</span>.</p></li>
+
+         <li>
+          <p>If <var>currentDocument</var>'s <span>origin</span> is not <span>same origin</span>
+          with <var>currentDocument</var>'s <span>relevant settings object</span>'s <span>top-level
+          origin</span>, then set <var>noopener</var> to true and <var>name</var> to "<code
+          data-x="">_blank</code>".</p>
+
+          <p class="note">In the presence of a <span>cross-origin opener policy</span>, nested
+          documents that are cross-origin with their top-level browsing context's active document
+          always set <var>noopener</var> to true.</p>
+         </li>
+        </ol>
+       </li>
+
        <li><p>Set <var>new</var> to true.</p></li>
 
        <li id="noopener"><p>If <var>noopener</var> is true, then set <var>chosen</var> to the result
@@ -79900,6 +79966,215 @@ interface <dfn>BarProp</dfn> {
 
 
 
+  <h3>Cross-origin opener policies</h3>
+
+  <p>A <dfn>cross-origin opener policy</dfn> allows a document which is navigated to in a
+  <span>top-level browsing context</span> to force the creation of a new <span>top-level browsing
+  context</span>, and a corresponding <span data-x="tlbc group">group</span>. It has one of the
+  following values:</p>
+
+  <dl>
+   <dt>"<dfn><code data-x="coop-unsafe-none">unsafe-none</code></dfn>"</dt>
+   <dd><p>This is the (current) default and means that the document will occupy the same
+   <span>top-level browsing context</span> as its predecessor, unless that document specified a
+   different <span>cross-origin opener policy</span>.</p></dd>
+
+   <dt>"<dfn><code data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code></dfn>"</dt>
+   <dd><p>This forces the creation of a new <span>top-level browsing context</span> for the
+   document, unless its predecessor specified the same <span>cross-origin opener policy</span> and
+   they are <span>same origin</span>.</p></dd>
+
+   <dt>"<dfn><code data-x="coop-same-origin">same-origin</code></dfn>"</dt>
+   <dd><p>This behaves the same as "<code
+   data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code>", with the addition any
+   <span>auxiliary browsing context</span> created needs to contain <span>same origin</span>
+   documents that also have the same <span>cross-origin opener policy</span> or it will appear
+   closed to the opener.</p></dd>
+
+   <dt>"<dfn><code data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code></dfn>"</dt>
+   <dd>
+    <p>This behaves the same as "<code data-x="coop-same-origin">same-origin</code>", with the
+    addition that it sets the (new) <span>top-level browsing context</span>'s <span data-x="tlbc
+    group">group</span>'s <span data-x="bcg cross-origin isolated">cross-origin isolated</span> to
+    true.</p>
+
+    <p class="note">"<code data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>" cannot
+    be directly set via the `<code
+    data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` header, but results
+    from a combination of setting both `<code data-x=""><span
+    data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</span>: <span
+    data-x="coop-same-origin">same-origin</span></code>` and `<code
+    data-x=""><span>Cross-Origin-Embedder-Policy</span>: require-corp</code>` together.</p>
+   </dd>
+  </dl>
+
+  <p>To <dfn data-x="matching-coop">match cross-origin opener policies</dfn>, given a
+  <span>cross-origin opener policy</span> <var>A</var>, an <span>origin</span> <var>originA</var>, a
+  <span>cross-origin opener policy</span> <var>B</var>, and an <span>origin</span>
+  <var>originB</var>:</p>
+
+  <ol>
+   <li><p>If <var>A</var> is "<code data-x="coop-unsafe-none">unsafe-none</code>" and <var>B</var>
+   is "<code data-x="coop-unsafe-none">unsafe-none</code>", then return true.</p></li>
+
+   <li><p>If <var>A</var> is "<code data-x="coop-unsafe-none">unsafe-none</code>" or <var>B</var> is
+   "<code data-x="coop-unsafe-none">unsafe-none</code>", then return false.</p></li>
+
+   <li><p>If <var>A</var> is <var>B</var> and <var>originA</var> is <span>same origin</span> with
+   <var>originB</var>, then return true.</p></li>
+
+   <li><p>Return false.</p></li>
+  </ol>
+
+  <h4>Cross-Origin-Opener-Policy header</h4>
+
+  <p>A <code>Document</code>'s <span data-x="concept-document-coop">cross-origin opener
+  policy</span> is derived from the `<code
+  data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` HTTP response header.
+  This header is a <span data-x="http-structured-header">structured header</span> whose value must
+  be a <span data-x="http-structured-header-token">token</span>. <ref spec=STRUCTURED-HEADERS></p>
+
+  <p>The valid <span data-x="http-structured-header-token">token</span> values are "<code
+  data-x="coop-unsafe-none">unsafe-none</code>", "<code
+  data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code>", and "<code
+  data-x="coop-same-origin">same-origin</code>".</p>
+
+  <p class="note">Per the processing model described below, user agents will ignore this header if
+  it contains an invalid value. Likewise, user agents will ignore this header if the value cannot be
+  parsed as a <span data-x="http-structured-header-token">token</span>.</p>
+
+  <hr>
+
+  <p>To <dfn data-x="obtain-coop">obtain a cross-origin opener policy</dfn> from a <span
+  data-x="concept-response">response</span> <var>response</var>:</p>
+
+  <ol>
+   <li><p>Let <var>securityState</var> be the result of executing <span>Is url potentially
+   trustworthy?</span> on <var>response</var>'s <span
+   data-x="concept-response-url">url</span>.</p></li>
+   <!-- See https://github.com/whatwg/html/issues/5558 about refactoring this. -->
+
+   <li><p>If <var>securityState</var> is "<code data-x="">Not Trustworthy</code>", then return
+   "<code data-x="coop-unsafe-none">unsafe-none</code>".</p> </li>
+
+   <li><p>Let <var>value</var> be the result of <span
+   data-x="concept-response-header-list-get-structured-header">getting a structured header</span>
+   given `<code data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` and
+   "<code data-x="">item</code>" from <var>response</var>'s <span
+   data-x="concept-response-header-list">header list</span>.</p></li>
+
+   <li><p>If <var>value</var> is failure or null, then return "<code
+   data-x="coop-unsafe-none">unsafe-none</code>".</p></li>
+
+   <li><p>If <var>value</var>[0] is not "<code data-x="coop-same-origin">same-origin</code>" or
+   "<code data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code>", then return
+   "<code data-x="coop-unsafe-none">unsafe-none</code>".</p></li>
+
+   <li>
+    <p>If <var>value</var>[0] is "<code data-x="coop-same-origin">same-origin</code>", then:</p>
+
+    <ol>
+     <li><p>Let <var>coep</var> be the result of <span
+     data-x="obtain-cross-origin-embedder-policy">obtaining a cross-origin embedder
+     policy</span> from <var>response</var>.</p></li>
+
+     <li><p>If <var>coep</var> is "<code data-x="">require-corp</code>", then return "<code
+     data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>".</p></li>
+    </ol>
+   </li>
+
+   <li><p>Return <var>value</var>[0].</p></li>
+  </ol>
+
+  <h4>Browsing context group switches due to cross-origin opener policy</h4>
+
+  <p>To <dfn data-x="check-browsing-context-group-switch-response">check if a response requires a
+  browsing context group switch</dfn>, given a <span>browsing context</span>
+  <var>browsingContext</var>, an <span>origin</span> <var>responseOrigin</var> and a
+  <span>cross-origin opener policy</span> <var>responseCOOP</var>, run the followign steps:</p>
+
+  <ol>
+   <li><p>Let <var>activeDocumentNavigationOrigin</var> be <var>browsingContext</var>'s <span>active
+   document</span>'s <span>origin</span>.</p></li>
+
+   <li><p>Let <var>activeDocumentCOOP</var> be <var>browsingContext</var>'s <span>active
+   document</span>'s <span data-x="concept-document-coop"> cross-origin opener
+   policy</span>.</p></li>
+
+   <li><p>Let <var>isInitialAboutBlank</var> be false.</p></li>
+
+   <li><p>If <var>browsingContext</var>'s only entry in its <span>session history</span> is the
+   <code>about:blank</code> <code>Document</code> that was added when <var>browsingContext</var> was
+   <span data-x="creating a new browsing context">created</span>, then set
+   <var>isInitialAboutBlank</var> to true.</p></li>
+
+   <li><p>If the result of <span data-x="matching-coop">matching</span>
+   <var>activeDocumentCOOP</var>, <var>activeDocumentNavigationOrigin</var>,
+   <var>responseCOOP</var> and <var>responseOrigin</var> is true, then return false.</p></li>
+
+   <li>
+    <p>If all of the following are true:</p>
+
+    <ul>
+     <li><p><var>isInitialAboutBlank</var></p></li>
+
+     <li><p><var>activeDocumentCOOP</var> is "<code
+     data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code>".</p></li>
+
+     <li><p><var>responseCOOP</var> is "<code
+     data-x="coop-unsafe-none">unsafe-none</code>".</p></li>
+    </ul>
+
+    <p>then return false.</p>
+   </li>
+
+   <li><p>Return true.</p></li>
+  </ol>
+
+  <p>To <dfn data-x="obtain-browsing-context-navigation">obtain a browsing context to use for a
+  navigation response</dfn>, given a <span data-x="browsing context">browsing context</span>
+  <var>browsingContext</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>, and a
+  <span>cross-origin opener policy</span> <var>navigationCOOP</var>:</p>
+
+  <ol>
+   <li><p>Assert <var>browsingContext</var> is a <span>top-level browsing context</span>.</p></li>
+
+   <li><p>Let <var>newBrowsingContext</var> be the result of <span>creating a new top-level browsing
+   context</span>.</p></li>
+
+   <li><p>If <var>navigationCOOP</var> is "<code
+   data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>", then set
+   <var>newBrowsingContext</var>'s <span data-x="tlbc group">group</span>'s <span data-x="bcg
+   cross-origin isolated">cross-origin isolated</span> to true.</p></li>
+
+   <li>
+    <p>If <var>sandboxFlags</var> is not empty, then:</p>
+    <ol>
+     <li><p>Assert: <var>navigationCOOP</var> is "<code
+     data-x="coop-unsafe-none">unsafe-none</code>".</p></li>
+
+     <li><p>Set <var>newBrowsingContext</var>'s <span>sandboxing flag set</span> to
+     <var>sandboxFlags</var>.</p></li>
+    </ol>
+   </li>
+
+   <li>
+    <p><span data-x="a browsing context is discarded">Discard</span> <var>browsingContext</var>.</p>
+
+    <p class="note">This does not close <var>browsingContext</var>'s <span data-x="tlbc
+    group">group</span>, unless <var>browsingContext</var> was its sole <span>top-level browsing
+    context</span>.</p>
+   </li>
+
+   <li><p>Return <var>newBrowsingContext</var>.</p></li>
+  </ol>
+
+  <p class="XXX">The impact of swapping browsing context groups following a navigation is not
+  defined. It is currently under discussion in <a
+  href="https://github.com/whatwg/html/issues/5350">issue #5350</a>.</p>
+
+
+
   <h3 split-filename="history" id="history">Session history and navigation</h3>
 
   <h4>Browsing sessions</h4>
@@ -81826,6 +82101,14 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
 
    <li><p>Let <var>reservedEnvironment</var> be null.</p></li>
 
+   <li><p>Let <var>responseOrigin</var> be null.
+
+   <li><p>Let <var>browsingContextSwitchNeeded</var> be false.</p></li>
+
+   <li><p>Let <var>finalSandboxFlags</var> be an empty <span>sandboxing flag set</span>.</p></li>
+
+   <li><p>Let <var>responseCOOP</var> be "<code data-x="">unsafe-none</code>".</p></li>
+
    <li>
     <p>While true:</p>
 
@@ -81911,6 +82194,43 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
        source</span> to <span>process response</span> and set <var>response</var> to the
        result.</p></li>
 
+       <li><p>Set <var>finalSandboxFlags</var> to the union of <var>browsingContext</var>'s
+       <span>sandboxing flag set</span> and <var>response</var>'s <span>forced sandboxing flag
+       set</span>.</p></li>
+
+       <li><p>Set <var>responseOrigin</var> to the result of <span>determining the origin</span>
+       given <var>browsingContext</var>, <var>request's</var> <span
+       data-x="concept-request-url">url</span>, <var>finalSandboxFlags</var>,
+       <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>.</p></li>
+
+       <li>
+        <p>If <var>browsingContext</var> is a <span>top-level browsing context</span>, then: </p>
+
+        <ol>
+         <li><p>Set <var>responseCOOP</var> to the result of <span data-x="obtain-coop">obtaining a
+         cross-origin opener policy</span> given <var>response</var> and
+         <var>responseOrigin</var>.</p></li>
+
+         <li>
+          <p>If <var>sandboxFlags</var> is not empty and <var>responseCOOP</var> is not "<code
+	  data-x="coop-unsafe-none">unsafe-none</code>", then set <var>response</var> to an
+          appropriate <span>network error</span> and return.</p>
+
+	  <p class="note">This results in a network error as one cannot simultaneously provide a
+	  clean slate to a response using cross-origin opener policy and sandbox the result of
+          navigating to that response.</p>
+         </li>
+
+         <li><p>Let <var>responseRequiresBrowsingContexGroupSwitch</var> be the result of <span
+	 data-x="check-browsing-context-group-switch-response">checking if the response requires a
+	 browsing context group switch</span> given <var>browsingContext</var>,
+         <var>responseOrigin</var>, and <var>responseCOOP</var>.</p></li>
+
+         <li><p>If <var>responseRequiresBrowsingContextGroupSwitch</var> is true, set
+         <var>browsingContextSwitchNeeded</var> to true.</p></li>
+        </ol>
+       </li>
+
        <li>
         <p>If <var>response</var> does not have a <span
         data-x="concept-response-location-url">location URL</span> or the <span
@@ -81922,6 +82242,8 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
         the web platform that cares for redirects to <code data-x="mailto protocol">mailto:</code>
         URLs and such.</p>
        </li>
+
+       <li><p>If <var>response</var> is a <span>network error</span>, then <span>break</span>.
       </ol>
      </li>
     </ol>
@@ -82010,17 +82332,20 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
 
    <li><p>Run <span>process a navigate response</span> given <var>request</var>,
    <var>response</var>, <var>navigationType</var>, the <span>source browsing context</span>,
-   <var>browsingContext</var>, <var>incumbentNavigationOrigin</var>,
-   <var>activeDocumentNavigationOrigin</var>, and <var>reservedEnvironment</var>.</p></li>
+   <var>browsingContext</var>, <var>finalSandboxFlages</var>, <var>responseOrigin</var>, <var>incumbentNavigationOrigin</var>,
+   <var>activeDocumentNavigationOrigin</var>, <var>responseCOOP</var>,
+   <var>browsingContextSwitchNeeded</var> and <var>reservedEnvironment</var>.</p></li>
   </ol>
 
   <p>To <dfn data-export="">process a navigate response</dfn>, given null or a <span
   data-x="concept-request">request</span> <var>request</var>, a <span
   data-x="concept-response">response</span> <var>response</var>, a string <var>navigationType</var>,
   two <span data-x="browsing context">browsing contexts</span> <var>source</var> and
-  <var>browsingContext</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>, two
-  <span data-x="origin">origins</span> <var>incumbentNavigationOrigin</var> and
-  <var>activeDocumentNavigationOrigin</var>, and null or an <span>environment</span>
+  <var>browsingContext</var>, a <span>sandboxing flag set</span> <var>finalSandboxFlags</var>, three
+  <span data-x="origin">origins</span> <var>finalResponseOrigin</var>,
+  <var>incumbentNavigationOrigin</var> and <var>activeDocumentNavigationOrigin</var>, a
+  <span>cross-origin opener policy</span> <var>responseCOOP</var>, a boolean
+  <var>browsingContextSwitchNeeded</var>, and null or an <span>environment</span>
   <var>reservedEnvironment</var>, run these steps:</p>
 
   <ol>
@@ -82075,17 +82400,19 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
      <dt>an <span>HTML MIME type</span></dt>
      <dd>Follow the steps given in the <span data-x="navigate-html">HTML document</span> section
      providing <var>browsingContext</var>, <var>request</var>, <var>response</var>,
-     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>,
-     <var>activeDocumentNavigationOrigin</var>, and <var>reservedEnvironment</var>. Once the steps
-     have completed, return.</dd>
+     <var>finalSandboxFlags</var>, <var>finalResponseOrigin</var>,
+     <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>,
+     <var>reservedEnvironment</var>, <var>responseCOOP</var>, and
+     <var>browsingContextSwitchNeeded</var>. Once the steps have completed, return.</dd>
 
      <dt>an <span>XML MIME type</span> that is not an <span>explicitly supported XML MIME
      type</span></dt>
      <dd>Follow the steps given in the <span data-x="navigate-xml">XML document</span> section
      providing <var>browsingContext</var>, <var>type</var>, <var>request</var>, <var>response</var>,
-     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>,
-     <var>activeDocumentNavigationOrigin</var>, and <var>reservedEnvironment</var>. Once the steps
-     have completed, return.</dd>
+     <var>finalSandboxFlags</var>, <var>finalResponseOrigin</var>,
+     <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>,
+     <var>reservedEnvironment</var>, <var>responseCOOP</var>, and
+     <var>browsingContextSwitchNeeded</var>. Once the steps have completed, return.</dd>
 
      <dt>a <span>JavaScript MIME type</span></dt>
      <dt>a <span>JSON MIME type</span> that is not an <span>explicitly supported JSON MIME
@@ -82104,24 +82431,27 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
      <dd>Follow the steps given in the <span
      data-x="navigate-multipart-x-mixed-replace">multipart/x-mixed-replace</span> section providing
      <var>browsingContext</var>, <var>type</var>, <var>request</var>, <var>response</var>,
-     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>,
-     <var>activeDocumentNavigationOrigin</var>, and <var>reservedEnvironment</var>. Once the steps
-     have completed, return.</dd>
+     <var>finalSandboxFlags</var>, <var>finalResponseOrigin</var>,
+     <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>,
+     <var>reservedEnvironment</var>, <var>responseCOOP</var>, and
+     <var>browsingContextSwitchNeeded</var>. Once the steps have completed, return.</dd>
 
      <dt>A supported image, video, or audio type</dt>
      <dd>Follow the steps given in the <span data-x="navigate-media">media</span> section providing
      <var>browsingContext</var>, <var>type</var>, <var>request</var>, <var>response</var>,
-     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>,
-     <var>activeDocumentNavigationOrigin</var>, and <var>reservedEnvironment</var>. Once the steps
-     have completed, return.</dd>
+     <var>finalSandboxFlags</var>, <var>finalResponseOrigin</var>,
+     <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>,
+     <var>reservedEnvironment</var>, <var>responseCOOP</var>, and
+     <var>browsingContextSwitchNeeded</var>. Once the steps have completed, return.</dd>
 
      <dt>A type that will use an external application to render the content in
      <var>browsingContext</var></dt>
      <dd>Follow the steps given in the <span data-x="navigate-plugin">plugin</span> section
      providing <var>browsingContext</var>, <var>type</var>, <var>request</var>, <var>response</var>,
-     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>,
-     <var>activeDocumentNavigationOrigin</var>, and <var>reservedEnvironment</var>. Once the steps
-     have completed, return.</dd>
+     <var>finalSandboxFlags</var>, <var>finalResponseOrigin</var>,
+     <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>,
+     <var>reservedEnvironment</var>, <var>responseCOOP</var>, and
+     <var>browsingContextSwitchNeeded</var>. Once the steps have completed, return.</dd>
     </dl>
 
     <p>An <dfn>explicitly supported XML MIME type</dfn> is an <span>XML MIME type</span> for which
@@ -82293,18 +82623,16 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
   data-x="concept-request">request</span> <var>request</var>, a <span
   data-x="concept-response">response</span> <var>response</var>, a <span data-x="browsing
   context">browsing context</span> <var>browsingContext</var>, a <span>sandboxing flag set</span>
-  <var>sandboxFlags</var>, two <span data-x="origin">origins</span>
-  <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, and null or an
-  <span>environment</span> <var>reservedEnvironment</var>:</p>
+  <var>finalSandboxFlags</var>, three <span data-x="origin">origins</span> <var>origin</var>,
+  <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, null or an
+  <span>environment</span> <var>reservedEnvironment</var>, a <span>cross-origin opener policy</span>
+  <var>navigationCOOP</var>, and a boolean <var>browsingContextSwitchNeeded</var>:</p>
 
   <ol>
-   <li><p>Let <var>finalSandboxFlags</var> be the union of <var>sandboxFlags</var> and
-   <var>response</var>'s <span>forced sandboxing flag set</span>.</p></li>
-
-   <li><p>Let <var>origin</var> be the result of <span>determining the origin</span> given
-   <var>browsingContext</var>, <var>request's</var> <span data-x="concept-request-url">url</span>,
-   <var>finalSandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
-   <var>activeDocumentNavigationOrigin</var>.
+   <li><p>If <var>browsingContextSwitchNeeded</var> is true, set <var>browsingContext</var> to the
+   result of the <span data-x="obtain-browsing-context-navigation">obtain a browsing context to use
+   for a navigation response</span> algorithm, given <var>browsingContext</var>,
+   <var>finalSandboxFlagSet</var>, and <var>navigationCOOP</var>.</p></li>
 
    <li>
     <p>Let <var>featurePolicy</var> be the result of <span>creating a feature policy from a
@@ -82316,7 +82644,7 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
      <var>origin</var>. If <code data-x="dom-document-domain">document.domain</code> has been used
      for the <var>browsingContext</var> <span data-x="bc-container-document">container
      document</span>, then its <span>origin</span> cannot be <span>same origin-domain</span> with
-     <var>>origin</var>, because these steps run before the <var>document</var> is created, so it
+     <var>origin</var>, because these steps run before the <var>document</var> is created, so it
      cannot itself yet have used <code data-x="dom-document-domain">document.domain</code>. Note
      that this means that Feature Policy checks are less permissive compared to doing a <span>same
      origin</span> check instead.</p>
@@ -82388,8 +82716,9 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
    data-x="concept-document-type">type</span> is <var>type</var>, <span
    data-x="concept-document-content-type">content type</span> is <var>contentType</var>,
    <span>origin</span> is <var>origin</var>, <span data-x="concept-document-feature-policy">feature
-   policy</span> is <var>featurePolicy</var>, and <span>active sandboxing flag set</span> is
-   <var>finalSandboxFlags</var>.</p></li>
+   policy</span> is <var>featurePolicy</var>, <span>active sandboxing flag set</span> is
+   <var>finalSandboxFlags</var>, and <span data-x="concept-document-coop">cross-origin opener
+   policy</span> is <var>navigationCOOP</var>.</p></li>
 
    <li id="set-the-document's-address"><p>Set <var>document</var>'s <span
    data-x="concept-document-url">URL</span> to <var>creationURL</var>.</p></li>
@@ -115822,6 +116151,29 @@ interface <dfn>External</dfn> {
   <code>text/event-stream</code> resources.</p>
 
 
+  <h3>`<dfn><code data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code></dfn>`</h3>
+
+  <p>This section describes a header for registration in the Permanent Message Header Field
+  Registry. <ref spec=RFC3864></p>
+
+  <dl>
+   <dt>Header field name:</dt>
+   <dd>Cross-Origin-Opener-Policy</dd>
+   <dt>Applicable protocol:</dt>
+   <dd>http</dd>
+   <dt>Status:</dt>
+   <dd>standard</dd>
+   <dt>Author/Change controller:</dt>
+   <dd>WHATWG</dd>
+   <dt>Specification document(s):</dt>
+   <dd>
+    This document is the relevant specification.
+   </dd>
+   <dt>Related information:</dt>
+   <dd>None.</dd>
+  </dl>
+
+
   <h3 id="ping-from">`<dfn><code data-x="http-ping-from">Ping-From</code></dfn>`</h3>
 
   <p>This section describes a header for registration in the Permanent Message Header Field
@@ -120496,6 +120848,9 @@ INSERT INTERFACES HERE
    <dt id="refsCOMPUTABLE">[COMPUTABLE]</dt>
    <dd>(Non-normative) <cite><a href="http://www.turingarchive.org/browse.php/B/12">On computable numbers, with an application to the Entscheidungsproblem</a></cite>, A. Turing. In <cite>Proceedings of the London Mathematical Society</cite>, series 2, volume 42, pages 230-265. London Mathematical Society, 1937.</dd>
 
+   <dt id="refsCOEP">[COEP]</dt>
+   <dd><cite><a href="https://wicg.github.io/cross-origin-embedder-policy/">Cross-Origin Embedder Policy</a></cite>, M. West. WICG.</dd>
+
    <dt id="refsCOOKIES">[COOKIES]</dt>
    <dd><cite><a href="https://tools.ietf.org/html/rfc6265">HTTP State Management Mechanism</a></cite>, A. Barth. IETF.</dd>
 
@@ -120884,6 +121239,9 @@ INSERT INTERFACES HERE
    <dt id="refsSMS">[SMS]</dt>
    <dd>(Non-normative) <cite><a href="https://tools.ietf.org/html/rfc5724">URI Scheme for Global System for Mobile Communications (GSM) Short Message Service (SMS)</a></cite>, E. Wilde, A. Vaha-Sipila. IETF.</dd>
 
+   <dt id="refsSTRUCTURED-HEADERS">[STRUCTURED-HEADERS]</dt>
+   <dd><cite><a href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html">Structured Field Values for HTTP</a></cite>, M. Nottingham, P. Kamp. IETF.</dd>
+
    <dt id="refsSRGB">[SRGB]</dt>
    <dd><cite lang="en-GB"><a href="https://webstore.iec.ch/publication/6169">IEC 61966-2-1: Multimedia systems and equipment &mdash; Colour measurement and management &mdash; Part 2-1: Colour management &mdash; Default RGB colour space &mdash; sRGB</a></cite>. IEC.</dd>