Location/WindowClient ancestorOrigins: note iframe referrerpolicy effect#44291
Merged
chrisdavidmills merged 2 commits intoMay 30, 2026
Conversation
Setting referrerpolicy="no-referrer" (or "same-origin" across an origin boundary) on an embedding <iframe> redacts the embedder's origin from the ancestorOrigins list of the framed document, replacing it with an opaque origin. Document this on both pages that expose ancestorOrigins. Closes mdn#42231
vamshikrishnaramasamy
requested review from
chrisdavidmills
and removed request for
a team
github-actions
Bot
added
Content:WebAPI
Contributor
|
Preview URLs (2 pages) (comment last updated: 2026-05-30 02:16:53) |
chrisdavidmills
requested changes
May 29, 2026
Contributor
chrisdavidmills
left a comment
chrisdavidmills
left a comment
There was a problem hiding this comment.
Thanks, @vamshikrishnaramasamy. This looks mostly fine; my suggestions are mainly slight clarifying improvements, which aim to break up that long sentence in each case.
| based on what site or list of sites is framing it. | ||
|
|
||
| > [!NOTE] | ||
| > The [`referrerpolicy`](/en-US/docs/Web/HTML/Reference/Elements/iframe#referrerpolicy) attribute of an embedding `<iframe>` affects this list. Setting it to `no-referrer`, or to `same-origin` when the framed document is cross-origin, redacts the origin of the document that contains the `<iframe>` from the `ancestorOrigins` list of the framed document: the origin is replaced with an opaque origin, which serializes as `"null"`. |
Contributor
There was a problem hiding this comment.
Suggested change
| > The [`referrerpolicy`](/en-US/docs/Web/HTML/Reference/Elements/iframe#referrerpolicy) attribute of an embedding `<iframe>` affects this list. Setting it to `no-referrer`, or to `same-origin` when the framed document is cross-origin, redacts the origin of the document that contains the `<iframe>` from the `ancestorOrigins` list of the framed document: the origin is replaced with an opaque origin, which serializes as `"null"`. | |
| > The [`referrerpolicy`](/en-US/docs/Web/HTML/Reference/Elements/iframe#referrerpolicy) attribute of an embedding `<iframe>` affects this list. Setting `referrerpolicy` to `no-referrer`, or to `same-origin` when the framed document is cross-origin, redacts the origin of the document containing the `<iframe>` from the `ancestorOrigins` list of the framed document. The origin is replaced with an opaque origin, which serializes as `"null"`. |
| The first element in the array is the origin of this window's parent, and the last element is the origin of the top-level browsing context. If this window is itself a top-level browsing context, then `ancestorOrigins` is an empty array. | ||
|
|
||
| > [!NOTE] | ||
| > The [`referrerpolicy`](/en-US/docs/Web/HTML/Reference/Elements/iframe#referrerpolicy) attribute of an embedding `<iframe>` affects this list. Setting it to `no-referrer`, or to `same-origin` when the framed document is cross-origin, redacts the origin of the document that contains the `<iframe>` from the `ancestorOrigins` list of the framed document: the origin is replaced with an opaque origin, which serializes as `"null"`. |
Contributor
There was a problem hiding this comment.
Suggested change
| > The [`referrerpolicy`](/en-US/docs/Web/HTML/Reference/Elements/iframe#referrerpolicy) attribute of an embedding `<iframe>` affects this list. Setting it to `no-referrer`, or to `same-origin` when the framed document is cross-origin, redacts the origin of the document that contains the `<iframe>` from the `ancestorOrigins` list of the framed document: the origin is replaced with an opaque origin, which serializes as `"null"`. | |
| > The [`referrerpolicy`](/en-US/docs/Web/HTML/Reference/Elements/iframe#referrerpolicy) attribute of an embedding `<iframe>` affects this list. Setting `referrerpolicy` to `no-referrer`, or to `same-origin` when the framed document is cross-origin, redacts the origin of the document containing the `<iframe>` from the `ancestorOrigins` list of the framed document. The origin is replaced with an opaque origin, which serializes as `"null"`. |
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Contributor
Author
|
Thanks @chrisdavidmills — applied both suggestions, the sentence reads much better split up. Done in be460e3. |
chrisdavidmills
approved these changes
May 30, 2026
Contributor
chrisdavidmills
left a comment
chrisdavidmills
left a comment
There was a problem hiding this comment.
Perfect, thanks, @vamshikrishnaramasamy!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #42231.
location.ancestorOrigins(andWindowClient.ancestorOrigins) don't mention that an embedding<iframe>'sreferrerpolicycan keep the embedder's origin out of the list. Settingreferrerpolicy="no-referrer", orreferrerpolicy="same-origin"when the framed document is cross-origin, replaces the embedder's origin with an opaque origin (serialized as"null") in the framed document'sancestorOrigins.Added a matching note to both pages that expose the property. Wording follows the behavior described by the reporter (@zcorpan) and the spec change in whatwg/html#11560.