Introducing self.origin, a reliable way to get the origin of a global

Fixes https://www.w3.org/Bugs/Public/show_bug.cgi?id=28801.

source

@@ -87543,6 +87543,8 @@ interface <dfn>DocumentAndElementEventHandlers</dfn> {
 
 [NoInterfaceObject, Exposed=(Window,Worker)]
 interface <dfn>WindowOrWorkerGlobalScope</dfn> {
+  [Replaceable] readonly attribute USVString <span data-x="dom-origin">origin</span>;
+
   // base64 utility methods
   DOMString <span data-x="dom-btoa">btoa</span>(DOMString data);
   DOMString <span data-x="dom-atob">atob</span>(DOMString data);
@@ -87566,6 +87568,33 @@ interface <dfn>WindowOrWorkerGlobalScope</dfn> {
           http://software.hixie.ch/utilities/js/live-dom-viewer/saved/1229
   -->
 
+  <dl class="domintro">
+   <dt><var>origin</var> = self . <code subdfn data-x="dom-origin">origin</code></dt>
+
+   <dd><p>Returns the global object's <span>origin</span>, serialised as string.</p></dd>
+  </dl>
+
+  <div class="example">
+   <p>Developers are strongly encouraged to use <code data-x="">self.origin</code> over <code
+   data-x="">location.origin</code>. The former returns the <span>origin</span> of the environment,
+   the latter of the URL of the environment. Imagine the following script executing in a document on
+   <code data-x="">https://stargate.example/</code>:</p>
+
+   <pre>var frame = document.createElement("iframe")
+frame.onload = function() {
+  var frameWin = frame.contentWindow
+  console.log(frameWin.location.origin) // "null"
+  console.log(frameWin.origin) // "https://stargate.example"
+}
+document.body.appendChild(frame)</pre>
+
+   <p><code data-x="">self.origin</code> is a more reliable security indicator.</p>
+  </div>
+
+  <p>The <dfn data-x="dom-origin"><code>origin</code></dfn> attribute's getter must return this
+  object's <span>relevant setting object</span>'s <span>origin</span>, <span data-x="Unicode
+  serialisation of an origin">serialised</span>.</p>
+
 
   <h3 id="atob">Base64 utility methods</h3>