whatwg / html

Helps with whatwg/sg#124.

Missed in #5287. Fixes #5698.

Closes #5690.

Fixes #5685.

And other font-related canvas settings.

Closes #4073.

Co-authored-by: Anne van Kesteren <annevk@annevk.nl>

Helps with whatwg/sg#102.

The Scripting section (under "Web application APIs") has grown
organically, resulting in subpar ordering and too-deep nesting. This
divides up the "Processing model" subsection into the following
subsections:

* Agents and agent clusters
* Realms and their counterparts
* Script processing model
* JavaScript specification host hooks

Additionally, new text is added to the "Realms and their counterparts"
section, briefly explaining how concepts are associated with global
objects, environment settings objects, and environments.

Fixes #5669. This also fixes existing mismatched parameter passing to
the "obtain a cross-origin opener policy" algorithm.

This supersedes the definition in
https://w3c.github.io/webappsec-secure-contexts/, and fixes several bugs
while doing so.

Closes #5558. Closes w3c/webappsec-secure-contexts#56. Closes
w3c/webappsec-secure-contexts#57. Closes
w3c/webappsec-secure-contexts#74. Closes
w3c/webappsec-secure-contexts#75.

Merges https://github.com/WICG/cross-origin-embedder-policy into HTML.

Associated PRs:

* whatwg/fetch#1030
* w3c/ServiceWorker#1516
* w3c/css-houdini-drafts#992

Fixes #5368, fixes #5634, fixes
whatwg/fetch#985, and fixes
w3c/ServiceWorker#1490.

Follow-up: #4916, #4919, #4930 #5223, and #5391. (As well as defining
cross-origin isolated, per #4732.)

Part of #4980.

Also give it both its old and logical ID. Helps with #5672.

Closes w3c/editing#261.

This commit adds the notion of cross-origin opener policy (COOP). COOP
allows websites to restrict which origins they share their browsing
context group with. annevk wrote a first draft of the behavior of COOP
here: https://gist.github.com/annevk/6f2dd8c79c77123f39797f6bdac43f3e.
This takes that draft and merges it into the spec, with many updates
along the way.

Closes #3740. Closes #4580. Closes #4921. Closes #5172.

Co-authored-by: clamy <clamy@chromium.org>
Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
Co-authored-by: Domenic Denicola <d@domenic.me>

This abstracts away having to say "browsing context's WindowProxy
object's [[Window]] internal slot value", and replaces a few imprecise
instances of "browsing context's Window object".

You can't "fetch the descendants of and link" null.

Follows tc39/ecma262#1376, and prevents problems
in the future when the non-dotted forms are deleted.

This remove notes pointing to #2137, and thus closes #2137. We'll proceed with
preventing scripts from executing if they've moved between documents, as this is
now shipping in two engines.

These were generated by a postprocessing step, but that was removed:
whatwg/html-build#235. Since this is a one-time
cost it doesn't make sense to invoke a fragile script for it every
build.

An environment's top-level origin is null during the initial top-level navigation (before the response arrives) and otherwise represents the origin of the top-level document. It is currently implementation-defined for non-dedicated workers, but hopefully that can be sorted soon.

An environment's top-level creation URL is the URL of the top-level document. It is null for workers as they do not need the concept.

Needed for whatwg/fetch#943 and #5558.

Co-authored-by: Anne van Kesteren <annevk@annevk.nl>

Closes #5189.

Currently, top-level and nested navigations use a request destination of "document". This splits that into "document" (top-level) and "embed", "frame", "iframe", and "object" (nested).

It also makes embed/object use "navigate" as their request mode.

This complements whatwg/fetch#948 (which links relevant tests).

It was unclear how the "focus fixup rule" came into play, since that
rule is done using action at a distance. This inserts notes explicitly
calling out what happens.

See web-platform-tests/wpt#23485 for background.

Having a central point to acknowledge its non-existence will hopefully provide some clarity for #5560 and other changes.

Tests: web-platform-tests/wpt#23381.

Closes #5497.

* Removes the ready to be lazy loaded flag, in favor of the lazy load
  resumption steps
* Clears and invokes the lazy load resumption steps from the lazy load
  IntersectionObserver callback
* Clears and invokes the lazy load resumption steps when the img's lazy
  load attribute is set to the Eager state
* Removes the unnecessary in-parallel and task-posting machinery from
  updating the image data, in favor of setting the lazy load resumption
  steps and early-returning

Notably, this fixes a bug in the spec where it was impossible to lazy
load an image more than once.

Previously, the algorithm for "determine the sandbox flags" would try to
use whether or not the given browsing context was a child browsing
context, or whether it was an iframe element's nested browsing context.
However, when this algorithm was called during browsing context
creation, the appropriate relationships were not set up yet, so these
conditions would always be false.

This splits the algorithm into two, one for during creation which
accepts an embedder argument indicating the destination container, and
one for post-creation.