1. 7 ウェブページの読み込み
    1. 7.1 ブラウジングコンテキスト
      1. 7.1.1 ブラウジングコンテキストを作成する
      2. 7.1.2 関連するブラウジングコンテキスト
        1. 7.1.2.1 DOMで関連するブラウジングコンテキストをナビゲートする
      3. 7.1.3 Security
      4. 7.1.4 Groupings of browsing contexts
      5. 7.1.5 ブラウジングコンテキスト名
    2. 7.2 Security infrastructure for Window, WindowProxy, and Location objects
      1. 7.2.1 Integration with IDL
      2. 7.2.2 Shared internal slot: [[CrossOriginPropertyDescriptorMap]]
      3. 7.2.3 Shared abstract operations
        1. 7.2.3.1 CrossOriginProperties ( O )
        2. 7.2.3.2 CrossOriginPropertyFallback ( P )
        3. 7.2.3.3 IsPlatformObjectSameOrigin ( O )
        4. 7.2.3.4 CrossOriginGetOwnPropertyHelper ( O, P )
        5. 7.2.3.5 CrossOriginGet ( O, P, Receiver )
        6. 7.2.3.6 CrossOriginSet ( O, P, V, Receiver )
        7. 7.2.3.7 CrossOriginOwnPropertyKeys ( O )

7 ウェブページの読み込み

このセクションは、ウェブブラウザーに最も直接的に適用される機能について説明する。それでもやはり、特に指定しない限り、このセクションで定義されている要件は、ウェブブラウザーであるかどうかに関わらず、すべてのユーザーエージェントに適用される

7.1 ブラウジングコンテキスト

ブラウジングコンテキストDocumentオブジェクトがユーザーに提示される環境である。

ウェブブラウザーのタブまたはウィンドウは通常、iframeまたはframeset内のframeを含む、ブラウジングコンテキストを含む。

ブラウジングコンテキストは、対応するWindowProxyオブジェクトを持つ。

A browsing context has an opener browsing context, which is null or a browsing context. It is initially null.

A browsing context has a disowned boolean. 最初はfalseである。

A browsing context has an is closing boolean. 最初はfalseである。

ブラウジングコンテキストは、ブラウジングコンテキストが提示されていた、している、またはするだろうDocumentオブジェクトを一覧表示するセッション履歴を持つ。ブラウジングコンテキストアクティブ文書は、そのWindowProxyオブジェクトの[[Window]]内部スロット値に関連付けられたDocumentである。A Document's browsing context is the browsing context whose session history contains the Document, if any such browsing context exists and has not been discarded, and null otherwise.

In general, there is a 1-to-1 mapping from the Window object to the Document object, as long as the Document object has a non-null browsing context. There is one exception. A Window can be reused for the presentation of a second Document in the same browsing context, such that the mapping is then 1-to-2. 交換が有効なブラウジングコンテキストが初期about:blank Documentから別のものにナビゲートしたとき、これは起こる。

A Document does not necessarily have a non-null browsing context. 具体的には、データマイニングツールはブラウジングコンテキストをインスタンス化できないだろう。A Document created using an API such as createDocument() never has a non-null browsing context. 文書から削除されて以来、iframe要素で当初は作成されたDocumentは、そのブラウジングコンテキストが破棄されたので、関連付けられたブラウジングコンテキストを持たない。

7.1.1 ブラウジングコンテキストを作成する

To set the active document of a browsing context browsingContext to a Document object document, run these steps:

  1. Let window be document's relevant global object.

    Per this standard document can be created before window, which does not make much sense. See issue #2688.

  2. Set browsingContext's WindowProxy object's [[Window]] internal slot value to window.

  3. Set window's associated Document to document.

  4. Set window's relevant settings object's execution ready flag.


A browsing context has an associated creator origin (null or returns an origin), creator URL (null or returns a URL), creator base URL (null or returns a URL), and creator referrer policy (null or returns a referrer policy). These are all initially null.

To create a new browsing context, given null or a Document object creator:

  1. Let browsingContext be a new browsing context.

  2. If creator is non-null, then set browsingContext's creator origin to return creator's origin, browsingContext's creator URL to return creator's URL, browsingContext's creator base URL to return creator's base URL, and browsingContext's creator referrer policy to return creator's referrer policy.

  3. Let realm execution context be the result of creating a new JavaScript realm with the following customizations:

  4. Set up a window environment settings object with realm execution context, and let settingsObject be the result.

  5. Let document be a new Document, marked as an HTML document in quirks mode, whose content type is "text/html", and which is both ready for post-load tasks and completely loaded immediately.

  6. Ensure that document has a single child html node, which itself has two empty child nodes: a head element, and a body element.

  7. Set the active document of browsingContext to document.

  8. If browsingContext's creator origin is non-null, then set document's origin to it.

  9. Otherwise, set document's origin to a unique opaque origin.

  10. If browsingContext's creator URL is non-null, then set document's referrer to the serialization of it.

  11. If browsingContext's creator referrer policy is non-null, then set document's referrer policy to it.

  12. Implement the sandboxing for document.

  13. Initialize a document's feature policy given document. [FEATUREPOLICY]

  14. Add document to browsingContext's session history.

  15. Return browsingContext.

To create a new top-level browsing context:

  1. Let group be the result of creating a new browsing context group.

  2. Return group's browsing context set[0].

This creates a top-level browsing context.

To create a new auxiliary browsing context, given a browsing context opener:

  1. Let browsingContext be the result of creating a new browsing context with opener's active document.

  2. Assert: opener's top-level browsing context's group is non-null, as navigating invokes this directly.

  3. Append browsingContext to opener's top-level browsing context's group.

  4. Set browsingContext's opener browsing context to opener.

  5. Assert: browsingContext's creator origin is non-null.

  6. If browsingContext's creator origin is same origin with browsingContext's active document's origin, then copy the sessionStorage storage area of opener into browsingContext's set of session storage areas. These areas must be considered separate, not affecting each other in any way.

  7. Return browsingContext.

This creates a top-level browsing context that is also an auxiliary browsing context.

To create a new nested browsing context, given an element element:

  1. Let browsingContext be the result of creating a new browsing context with element's node document.

  2. Set element's nested browsing context to browsingContext.

  3. If element has a name attribute, then set browsingContext's name to the value of this attribute.

7.1.2 関連するブラウジングコンテキスト

特定の要素(たとえば、iframe要素)は、ブラウジングコンテキストをさらにインスタンス化できる。この要素は、ブラウジングコンテキストコンテナと呼ばれる。

ブラウジングコンテキストコンテナは、ブラウジングコンテキストまたはnullのいずれとなる、ネストされたブラウジングコンテキストを持つ。

ブラウジングコンテキストブラウジングコンテキストコンテナネストされたブラウジングコンテキストである場合、ブラウジングコンテキストは、ブラウジングコンテキストコンテナノード文書経由してネストされると呼ばれる。

次の条件のすべてを保持する場合、ブラウジングコンテキストchildは、別のブラウジングコンテキストparent子ブラウジングコンテキストであると言われる:

ブラウジング コンテキストchildが、子ブラウジングコンテキストでありかつそのブラウジングコンテキストコンテナに単に接続されないだけでなく文書ツリー内である場合、parent文書ツリー子ブラウジングコンテキストである。

ブラウジングコンテキストchild親ブラウジングコンテキストを持ってもよい。もしそのようなブラウジングコンテキストが存在すれば、これは子ブラウジングコンテキストとしてchildを持つ一意なブラウジングコンテキストである。そうでなければ、ブラウジングコンテキストは、親ブラウジングコンテキストを持たない。

ブラウジングコンテキストAA子ブラウジングコンテキストであり、かつB祖先自身であるブラウジングコンテキストA'が存在する場合、またはブラウジングコンテキストAB親ブラウジングコンテキストである場合、ブラウジングコンテキストB祖先であると言われる。

A browsing context that has no parent browsing context is the top-level browsing context for itself and all of the browsing contexts for which it is an ancestor browsing context.

A top-level browsing context has an associated group (null or a browsing context group). It is initially null.

要素を通じてネストせずにトップレベルブラウジングコンテキストに関連する新しいブラウジングコンテキストを作成することが可能である。このようなブラウジングコンテキストは、補助ブラウジングコンテキストと呼ばれる。補助ブラウジングコンテキストは常にトップレベルブラウジングコンテキストである。

ネストされたブラウジングコンテキストであるブラウジングコンテキストに対する親ブラウジングコンテキストの推移的クロージャは、祖先ブラウジングコンテキストをのリストを与える。

Document d子孫ブラウジングコンテキストのリストは、以下のアルゴリズムによって返される(順序の)リストである:

  1. listを空にする。

  2. dの各子ブラウジングコンテキストd Document存在する要素を介してネストされるので、要素のこれらブラウジングコンテキストをネストするツリー順に、次のサブステップを実行する:

    1. リストlistにその子ブラウジングコンテキストを追加する。

    2. リストlistにその子ブラウジングコンテキストアクティブドキュメントに属する子孫ブラウジングコンテキストのリストを追加する。

  3. 構築されたlistを返す。

A Document is said to be fully active when its browsing context is non-null and it is the active document of that browsing context, and either its browsing context is a top-level browsing context, or it has a parent browsing context and the Document through which it is nested is itself fully active.

Because they are associated with an element, child browsing contexts are always tied to a specific Document in their parent browsing context. ユーザーエージェントは、ユーザーにがいない自身が完全にアクティブでないDocumentにある要素の子ブラウジングコンテキストと対話することを許可してはならない。

The following example illustrates the differences between active and fully active Document objects. Here a.html is loaded into a browser window, b-1.html starts out loaded into an iframe as shown, and b-2.html and c.html are omitted (they can simply be an empty document).

<!-- a.html -->
<!DOCTYPE html>
<html lang="en">
<title>Browsing context A</title>

<iframe src="b-1.html"></iframe>
<button onclick="frames[0].location.href = 'b-2.html'">Click me</button>

<!-- b-1.html -->
<!DOCTYPE html>
<html lang="en">
<title>Browsing context B</title>

<iframe src="c.html"></iframe>

At this point, the documents given by a.html, b-1.html, and c.html are all the active documents of their respective browsing contexts. They are also all fully active.

After clicking on the button, and thus loading a new Document from b-2.html into browsing context B, we have the following results:

For more explorations of the complexities involved here, especially as it impacts the session history, see A Model of Navigation History. [NAVMODEL]

A browsing context that is a nested browsing context can be put into a delaying load events mode. This is used when it is navigated, to delay the load event of its browsing context container before the new Document is created.

ブラウジングコンテキストドキュメントファミリーは、そのブラウジングコンテキストセッション履歴ですべてのDocumentオブジェクト およびすべてのそれらDocumentオブジェクトのドキュメントファミリーの結合で構成される。Documentオブジェクトのドキュメントファミリーは、Documentオブジェクトを介してネストされるブラウジングコンテキストの所有するすべてのドキュメントファミリーの結合で構成される。

The content document of a browsing context container container is the result of the following algorithm:

  1. If container's nested browsing context is null, then return null.

  2. Let context be container's nested browsing context.

  3. Let document be context's active document.

  4. If document's origin and the origin specified by the current settings object are not same origin-domain, then return null.

  5. Return document.

window . top

トップレベルブラウジングコンテキストWindowProxyを返す。

window . opener [ = value ]

Returns the WindowProxy for the opener browsing context.

Returns null if there isn't one or if it has been set to null.

Can be set to null.

window . parent

親ブラウジングコンテキストに対するWindowProxyを返す。

window . frameElement

ブラウジングコンテキストコンテナElementを返す。

存在しない場合、クロスオリジンの状況でnullを返す。

The top attribute's getter must run these steps:

  1. If this Window object's browsing context is null, then return null.

  2. Return this Window object's browsing context's top-level browsing context's WindowProxy object.

The opener attribute's getter must run these steps:

  1. Let current be this Window object's browsing context.

  2. If current is null, then return null.

  3. If current's disowned is true, then return null.

  4. If current's opener browsing context is null, then return null.

  5. Return current's opener browsing context's WindowProxy object.

The opener attribute's setter must run these steps:

  1. If the given value is null and this Window object's browsing context is non-null, then set this Window object's browsing context's disowned to true.

  2. If the given value is non-null, then return ? OrdinaryDefineOwnProperty(this Window object, "opener", { [[Value]]: the given value, [[Writable]]: true, [[Enumerable]]: true, [[Configurable]]: true }).

If a browsing context's disowned is true, its window.opener attribute is null. That prevents scripts in the browsing context from changing any properties of its opener browsing context's Window object (i.e., the Window object from which the browsing context was created).

Otherwise, if a browsing context's disowned is false, then scripts in that browsing context can use window.opener to change properties of its opener browsing context's Window object. For example, a script running in the browsing context can change the value of window.opener.location, causing the opener browsing context to navigate to a completely different document.

The parent attribute's getter must run these steps:

  1. Let current be this Window object's browsing context.

  2. If current is null, then return null.

  3. If current is a child browsing context of another browsing context parent, then return parent's WindowProxy object.

  4. Assert: current is a top-level browsing context.

  5. Return current's WindowProxy object.

The frameElement attribute's getter must run these steps:

  1. Let current be this Window object's browsing context.

  2. If current is null, then return null.

  3. If current is not a child browsing context, then return null.

  4. Let container be current's browsing context container.

  5. If container's node document's origin is not same origin-domain with the current settings object's origin, then return null.

  6. Return container.

An example of when these IDL attributes can return null is as follows:

<!DOCTYPE html>
<iframe></iframe>

<script>
"use strict";
const element = document.querySelector("iframe");
const iframeWindow = element.contentWindow;
element.remove();

console.assert(iframeWindow.top === null);
console.assert(iframeWindow.parent === null);
console.assert(iframeWindow.frameElement === null);
</script>

Here the browsing context corresponding to iframeWindow was discarded when element was removed from the document.

7.1.3 Security

A browsing context A is familiar with a second browsing context B if one of the following conditions is true:


A browsing context A is allowed to navigate a second browsing context B if the following algorithm returns true:

  1. If A is not the same browsing context as B, and A is not one of the ancestor browsing contexts of B, and B is not a top-level browsing context, and A's active document's active sandboxing flag set has its sandboxed navigation browsing context flag set, then return false.

  2. Otherwise, if B is a top-level browsing context, and is one of the ancestor browsing contexts of A, then:

    1. If this algorithm is triggered by user activation and A's active document's active sandboxing flag set has its sandboxed top-level navigation with user activation browsing context flag set, then return false.

    2. Otherwise, if this algorithm is not triggered by user activation and A's active document's active sandboxing flag set has its sandboxed top-level navigation without user activation browsing context flag set, then return false.

  3. Otherwise, if B is a top-level browsing context, and is neither A nor one of the ancestor browsing contexts of A, and A's Document's active sandboxing flag set has its sandboxed navigation browsing context flag set, and A is not the one permitted sandboxed navigator of B, then return false.

  4. Return true.


An element has a browsing context scope origin if its Document's browsing context is a top-level browsing context or if all of its Document's ancestor browsing contexts all have active documents whose origin are the same origin as the element's node document's origin. If an element has a browsing context scope origin, then its value is the origin of the element's node document.

7.1.4 Groupings of browsing contexts

A user agent holds a browsing context group set (a set of browsing context groups).

A browsing context group holds a browsing context set (a set of top-level browsing contexts).

To create a new browsing context group, run these steps:

  1. Let group be a new browsing context group.

  2. Append group to the user agent's browsing context group set.

  3. Append the result of creating a new browsing context with null to group.

  4. Return group.

To append a top-level browsing context browsingContext to a browsing context group group, run these steps:

  1. Append browsingContext to group's browsing context set.

  2. Set browsingContext's group to group.

To remove a top-level browsing context browsingContext, run these steps:

  1. Assert: browsingContext's group is non-null, because a browsing context only gets discarded once.

  2. Let group be browsingContext's group.

  3. Set browsingContext's group to null.

  4. Remove browsingContext from group's browsing context set.

  5. If group's browsing context set is empty, then remove group from the user agent's browsing context group set.

Append and remove are primitive operations that help define the lifetime of a browsing context group. They are called from creating a new browsing context group, creating a new auxiliary browsing context, and discarding a browsing context.


The HTML Standard used to define "unit of related browsing contexts" and "unit of related similar-origin browsing contexts". These have been removed as they were not adequate.

7.1.5 ブラウジングコンテキスト名

ブラウジングコンテキストは、ブラウジングコンテキスト名を持つことができる。特に明記しない限り、それは空文字列である。

妥当なブラウジングコンテキスト名は、U+005F LOW LINE文字で始まらない少なくとも1文字をもつ任意の文字列である。(アンダースコアで始まる名前は、特別なキーワードのために予約されている。)

妥当なブラウジングコンテキスト名またはキーワードは、妥当なブラウジングコンテキスト名またはASCII大文字・小文字不区別_blank_self_parent、または_topの1つにマッチするいずれかとなる任意の文字列である。

これらの値は、以下の(非規範的な)テーブルで要約されるように、ページがサンドボックス化されるかどうかに基づいて異なる意味を持つ。この表において、"current"はリンクまたはスクリプト内にあるブラウジングコンテキストを意味し、"parent"はリンクまたはスクリプト内にあるいずれかの親ブラウジングコンテキストを意味し、"top"はリンクまたはスクリプトがあるいずれかのトップレベルブラウジングコンテキストを意味し、"new"はさまざまなユーザー設定とユーザーエージェントのポリシーに次第で、新しいトップレベルブラウジングコンテキストまたは補助ブラウジングコンテキストが作成されることを意味し、"none"は何も起こらないことを意味し、"maybe new"は"allow-popups"キーワードはまたsandbox属性で指定される場合(またはユーザーがサンドボックスを覆う場合)、"new"と同じであり、そうでなければ"none"と同じである。

キーワード普通の効果iframeでの効果
sandbox=""sandbox="allow-top-navigation"
リンクおよびフォーム送信に対して、何も指定しないcurrentcurrentcurrent
空文字列currentcurrentcurrent
_blanknewmaybe newmaybe new
_selfcurrentcurrentcurrent
親が存在しない場合の_parentcurrentcurrentcurrent
親がまたトップである場合の_parentparent/topnoneparent/top
存在するがトップでない場合の_parentparentnonenone
トップが現在である場合の_topcurrentcurrentcurrent
トップが現在でない場合の_toptopnonetop
名前が存在しないnewmaybe newmaybe new
名前が存在しかつ子孫であるspecified descendantspecified descendantspecified descendant
名前が存在し現在であるcurrentcurrentcurrent
名前が存在しかつトップとなる祖先であるspecified ancestornonespecified ancestor/top
名前が存在しかつトップでない祖先であるspecified ancestornonenone
他の名前が共通のトップとともに存在するspecifiednonenone
familiarかつある許可されたサンドボックス化されたナビゲーターである場合、異なるトップをもつ名前が存在するspecifiedspecifiedspecified
familiarだがある許可されたサンドボックス化されたナビゲーターでない場合、異なるトップをもつ名前が存在するspecifiednonenone
familiarでない、異なるトップをもつ名前が存在するnewmaybe newmaybe new

サンドボックス化されたブラウジングコンテキストの制限のほとんどは、他のアルゴリズムにより適用される。たとえば、下記で与えられるブラウジングコンテキスト名で与えられたをブラウジングコンテキストを選択するための規則でなく、ナビゲーションアルゴリズムとして。


The rules for choosing a browsing context, given a browsing context name name, a browsing context current, and a boolean noopener are as follows:

  1. Let chosen be null.

  2. Let new be false.

  3. Let sandboxingFlagSet be current's active document's active sandboxing flag set.

  4. If name is the empty string or an ASCII case-insensitive match for "_self", then set chosen to current.

  5. Otherwise, if name is an ASCII case-insensitive match for "_parent", set chosen to current's parent browsing context, if any, and current otherwise.

  6. Otherwise, if name is an ASCII case-insensitive match for "_top", set chosen to current's top-level browsing context, if any, and current otherwise.

  7. Otherwise, if name is not an ASCII case-insensitive match for "_blank", there exists a browsing context whose name is the same as name, current is familiar with that browsing context, and the user agent determines that the two browsing contexts are related enough that it is ok if they reach each other, set chosen to that browsing context. If there are multiple matching browsing contexts, the user agent should set chosen to one in some arbitrary consistent manner, such as the most recently opened, most recently focused, or more closely related.

    This will be made more precise in issue #313.

  8. Otherwise, a new browsing context is being requested, and what happens depends on the user agent's configuration and abilities — it is determined by the rules given for the first applicable option from the following list:

    The user agent may inform the user that a popup has been blocked.

    If sandboxingFlagSet has the sandboxed auxiliary navigation browsing context flag set

    The user agent may offer the user one of:

    1. Set chosen to the result of creating a new top-level browsing context and set new to true.

    2. Set chosen to an existing top-level browsing context.

    If this case occurs, it means that an author has explicitly sandboxed the document that is trying to open a link.

    If the user declines or the user agent doesn't offer the above, the variables remain unchanged.

    If the user agent has been configured such that in this instance it will create a new browsing context
    1. Set new to true.

    2. If noopener is true, then set chosen to the result of creating a new top-level browsing context.

    3. Otherwise:

      1. Set chosen to the result of creating a new auxiliary browsing context with current.

      2. If sandboxingFlagSet's sandboxed navigation browsing context flag is set, then current must be set as chosen's one permitted sandboxed navigator.

    4. If sandboxingFlagSet's sandbox propagates to auxiliary browsing contexts flag is set, then all the flags that are set in sandboxingFlagSet must be set in chosen's popup sandboxing flag set.

    5. If name is not an ASCII case-insensitive match for "_blank", then set chosen's name to name.

    If the newly created browsing context is immediately navigated, then the navigation will be done with replacement enabled.

    If the user agent has been configured such that in this instance it will reuse current

    Set chosen to current.

    If the user agent has been configured such that in this instance it will not find a browsing context

    Do nothing.

    User agents are encouraged to provide a way for users to configure the user agent to always reuse current.

  9. Return chosen and new.

7.2 Security infrastructure for Window, WindowProxy, and Location objects

Although typically objects cannot be accessed across origins, the web platform would not be true to itself if it did not have some legacy exceptions to that rule that the web depends upon.

7.2.1 Integration with IDL

When perform a security check is invoked, with a platformObject, identifier, and type, run these steps:

  1. If platformObject is a Window or Location object, then:

    1. Repeat for each e that is an element of ! CrossOriginProperties(platformObject):

      1. If SameValue(e.[[Property]], identifier) is true, then:

        1. If type is "method" and e has neither [[NeedsGet]] nor [[NeedsSet]], then return.

        2. Otherwise, if type is "getter" and e.[[NeedsGet]] is true, then return.

        3. Otherwise, if type is "setter" and e.[[NeedsSet]] is true, then return.

  2. If ! IsPlatformObjectSameOrigin(platformObject) is false, then throw a "SecurityError" DOMException.

7.2.2 Shared internal slot: [[CrossOriginPropertyDescriptorMap]]

Window and Location objects both have a [[CrossOriginPropertyDescriptorMap]] internal slot, whose value is initially an empty map.

The [[CrossOriginPropertyDescriptorMap]] internal slot contains a map with entries whose keys are (currentGlobal, objectGlobal, propertyKey)-tuples and values are property descriptors, as a memoization of what is visible to scripts when currentGlobal inspects a Window or Location object from objectGlobal. It is filled lazily by CrossOriginGetOwnPropertyHelper, which consults it on future lookups.

User agents should allow a value held in the map to be garbage collected along with its corresponding key when nothing holds a reference to any part of the value. That is, as long as garbage collection is not observable.

For example, with const href = Object.getOwnPropertyDescriptor(crossOriginLocation, "href").set the value and its corresponding key in the map cannot be garbage collected as that would be observable.

User agents may have an optimization whereby they remove key-value pairs from the map when document.domain is set. This is not observable as document.domain cannot revisit an earlier value.

For example, setting document.domain to "example.com" on www.example.com means user agents can remove all key-value pairs from the map where part of the key is www.example.com, as that can never be part of the origin again and therefore the corresponding value could never be retrieved from the map.

7.2.3 Shared abstract operations

7.2.3.1 CrossOriginProperties ( O )
  1. Assert: O is a Location or Window object.

  2. If O is a Location object, then return « { [[Property]]: "href", [[NeedsGet]]: false, [[NeedsSet]]: true }, { [[Property]]: "replace" } ».

  3. Let crossOriginWindowProperties be « { [[Property]]: "window", [[NeedsGet]]: true, [[NeedsSet]]: false }, { [[Property]]: "self", [[NeedsGet]]: true, [[NeedsSet]]: false }, { [[Property]]: "location", [[NeedsGet]]: true, [[NeedsSet]]: true }, { [[Property]]: "close" }, { [[Property]]: "closed", [[NeedsGet]]: true, [[NeedsSet]]: false }, { [[Property]]: "focus" }, { [[Property]]: "blur" }, { [[Property]]: "frames", [[NeedsGet]]: true, [[NeedsSet]]: false }, { [[Property]]: "length", [[NeedsGet]]: true, [[NeedsSet]]: false }, { [[Property]]: "top", [[NeedsGet]]: true, [[NeedsSet]]: false }, { [[Property]]: "opener", [[NeedsGet]]: true, [[NeedsSet]]: false }, { [[Property]]: "parent", [[NeedsGet]]: true, [[NeedsSet]]: false }, { [[Property]]: "postMessage" } ».

  4. Repeat for each e that is an element of O's document-tree child browsing context name property set:

    1. Add { [[Property]]: e, [[HideFromKeys]]: true } as the last element of crossOriginWindowProperties.

  5. Return crossOriginWindowProperties.

Indexed properties do not need to be safelisted as they are handled directly by the WindowProxy object.

7.2.3.2 CrossOriginPropertyFallback ( P )
  1. If P is "then", @@toStringTag, @@hasInstance, or @@isConcatSpreadable, then return PropertyDescriptor{ [[Value]]: undefined, [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }.

  2. Throw a "SecurityError" DOMException.

7.2.3.3 IsPlatformObjectSameOrigin ( O )
  1. Return true if the current settings object's origin is same origin-domain with O's relevant settings object's origin, and false otherwise.

7.2.3.4 CrossOriginGetOwnPropertyHelper ( O, P )

If this abstract operation returns undefined and there is no custom behavior, the caller needs to throw a "SecurityError" DOMException. In practice this is handled by the caller calling CrossOriginPropertyFallback.

  1. Let crossOriginKey be a tuple consisting of the current settings object, O's relevant settings object, and P.

  2. Repeat for each e that is an element of ! CrossOriginProperties(O):

    1. If SameValue(e.[[Property]], P) is true, then:

      1. If the value of the [[CrossOriginPropertyDescriptorMap]] internal slot of O contains an entry whose key is crossOriginKey, then return that entry's value.

      2. Let originalDesc be OrdinaryGetOwnProperty(O, P).

      3. Let crossOriginDesc be undefined.

      4. If e.[[NeedsGet]] and e.[[NeedsSet]] are absent, then:

        1. Let value be originalDesc.[[Value]].

        2. If ! IsCallable(value) is true, then set value to an anonymous built-in function, created in the current Realm Record, that performs the same steps as the IDL operation P on object O.

        3. Set crossOriginDesc to PropertyDescriptor{ [[Value]]: value, [[Enumerable]]: false, [[Writable]]: false, [[Configurable]]: true }.

      5. Otherwise:

        1. Let crossOriginGet be undefined.

        2. If e.[[NeedsGet]] is true, then set crossOriginGet to an anonymous built-in function, created in the current Realm Record, that performs the same steps as the getter of the IDL attribute P on object O.

        3. Let crossOriginSet be undefined.

        4. If e.[[NeedsSet]] is true, then set crossOriginSet to an anonymous built-in function, created in the current Realm Record, that performs the same steps as the setter of the IDL attribute P on object O.

        5. Set crossOriginDesc to PropertyDescriptor{ [[Get]]: crossOriginGet, [[Set]]: crossOriginSet, [[Enumerable]]: false, [[Configurable]]: true }.

      6. Create an entry in the value of the [[CrossOriginPropertyDescriptorMap]] internal slot of O with key crossOriginKey and value crossOriginDesc.

      7. Return crossOriginDesc.

  3. Return undefined.

The reason that the property descriptors produced here are configurable is to preserve the invariants of the essential internal methods required by the JavaScript specification. In particular, since the value of the property can change as a consequence of navigation, it is required that the property be configurable. (However, see tc39/ecma262 issue #672 and references to it elsewhere in this specification for cases where we are not able to preserve these invariants, for compatibility with existing Web content.) [JAVASCRIPT]

The reason the property descriptors are non-enumerable, despite this mismatching the same-origin behavior, is for compatibility with existing Web content. See issue #3183 for details.

7.2.3.5 CrossOriginGet ( O, P, Receiver )
  1. Let desc be ? O.[[GetOwnProperty]](P).

  2. Assert: desc is not undefined.

  3. If ! IsDataDescriptor(desc) is true, then return desc.[[Value]].

  4. Assert: IsAccessorDescriptor(desc) is true.

  5. Let getter be desc.[[Get]].

  6. If getter is undefined, then throw a "SecurityError" DOMException.

  7. Return ? Call(getter, Receiver).

7.2.3.6 CrossOriginSet ( O, P, V, Receiver )
  1. Let desc be ? O.[[GetOwnProperty]](P).

  2. Assert: desc is not undefined.

  3. If desc.[[Set]] is present and its value is not undefined, then:

    1. Perform ? Call(setter, Receiver, «V»).

    2. Return true.

  4. Throw a "SecurityError" DOMException.

7.2.3.7 CrossOriginOwnPropertyKeys ( O )
  1. Let keys be a new empty List.

  2. Repeat for each e that is an element of ! CrossOriginProperties(O):

    1. If e.[[HideFromKeys]] is not true, append e.[[Property]] to keys.

  3. If keys does not contain "then", then append "then" to keys.

  4. Return the concatenation of keys and « @@toStringTag, @@hasInstance, @@isConcatSpreadable ».