spec.bs

<pre class="metadata">
Title: Fenced Frame
Shortname: fenced-frame
Repository: WICG/fenced-frame
Inline Github Issues: true
Group: WICG
Status: CG-DRAFT
Level: 1
URL: https://wicg.github.io/fenced-frame/
Boilerplate: omit conformance, omit feedback-header
Editor: Dominic Farolino, Google https://www.google.com/, domfarolino@gmail.com, https://domfarolino.com
Abstract: The fenced frame enforces a boundary between the embedding page and the cross-site embedded document such that user data visible to the two sites is not able to be joined together.
!Participate: <a href="https://github.com/WICG/fenced-frame">GitHub WICG/fenced-frame</a> (<a href="https://github.com/WICG/fenced-frame/issues/new">new issue</a>, <a href="https://github.com/WICG/fenced-frame/issues?state=open">open issues</a>)
!Commits: <a href="https://github.com/WICG/fenced-frame/commits/master/spec.bs">GitHub spec.bs commits</a>
Complain About: accidental-2119 yes, missing-example-ids yes
Indent: 2
Default Biblio Status: current
Markup Shorthands: markdown yes
Assume Explicit For: yes
WPT Display: open
</pre>

<pre class="link-defaults">
spec: url; for:/; type: dfn; text: url
</pre>
<pre class="biblio">
{
  "protected-audience": {
    "authors": [
      "Paul Jensen"
    ],
    "href": "https://wicg.github.io/turtledove/",
    "title": "Protected Audience API",
    "status": "CG-DRAFT",
    "publisher": "WICG",
    "deliveredBy": [
      "https://wicg.io/"
    ]
  },
  "shared-storage": {
    "authors": [
      "Cammie Barnes"
    ],
    "href": "https://wicg.github.io/shared-storage/",
    "title": "Shared Storage API",
    "status": "CG-DRAFT",
    "publisher": "WICG",
    "deliveredBy": [
      "https://wicg.io/"
    ]
  },
  "prerendering-revamped": {
    "authors": [
      "Domenic Denicola",
      "Dominic Farolino"
    ],
    "href": "https://wicg.github.io/nav-speculation/prerendering.html",
    "title": "Prerendering Revamped",
    "status": "CG-DRAFT",
    "publisher": "WICG",
    "deliveredBy": [
      "https://wicg.io/"
    ]
  },
  "cspee": {
    "authors": [
      "Mike West"
    ],
    "href": "https://w3c.github.io/webappsec-cspee/",
    "title": "Prerendering Revamped",
    "status": "CG-DRAFT",
    "publisher": "WICG",
    "deliveredBy": [
      "https://wicg.io/"
    ]
  }
}
</pre>
<pre class="anchors">
urlPrefix: https://www.ietf.org/rfc/rfc4122.txt
  type: dfn; text: urn uuid

spec: prerendering-revamped; urlPrefix: https://wicg.github.io/nav-speculation/prerendering.html
  type: dfn
    for: navigable
      text: loading mode; url: #navigable-loading-mode

spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/
  type: dfn
    urlPrefix: browsers.html
      text: check a navigation response's adherence to its embedder policy; url: check-a-navigation-response's-adherence-to-its-embedder-policy
      text: queue a cross-origin embedder policy inheritance violation; url: queue-a-cross-origin-embedder-policy-inheritance-violation
      text: determine navigation params policy container; url: determining-navigation-params-policy-container
      text: cross-origin opener policy enforcement result; url: coop-enforcement-result
      for: cross-origin opener policy enforcement result
        text: needs a browsing context group switch; url: coop-enforcement-bcg-switch
    urlPrefix: dom.html
      text: categories; url: concept-element-categories
      text: contexts in which this element can be used; url: concept-element-contexts
      text: embedded content; url: embedded-content-category
      text: content model; url: concept-element-content-model
      text: nothing; url: concept-content-nothing
      text: content attributes; url: concept-element-attributes
      text: global attributes; url: global-attributes
      text: dom interface; url: concept-element-dom
      text: accessibility considerations; url: concept-element-accessibility-considerations
      text: represents; url: represents
    urlPrefix: common-dom-interfaces.html
      text: reflect; url: reflect
    urlPrefix: embedder-content-other.html
      text: width; url: attr-dim-width
      text: height; url: attr-dim-height
    urlPrefix: document-sequences.html
      text: browsing context group; url: browsing-context-group
      text: browsing context group set; url: browsing-context-group-set
      text: creator base url; url: creator-base-url
      text: create a new browsing context and document; url: creating-a-new-browsing-context
      text: create a new browsing context group and document; url: creating-a-new-browsing-context-group
      text: initialize the navigable; url: initialize-the-navigable
      text: node navigable; url: node-navigable
      text: system visibility state; url: system-visibility-state
      for: navigable
        text: active session history entry; url: nav-active-history-entry
        text: current session history entry; url: nav-current-history-entry
        text: parent; url: nav-parent
        text: ongoing navigation
      for: traversable navigable
        text: session history entries; url: tn-session-history-entries
      for: browsing context group
        text: cross-origin isolation mode; url: bcg-cross-origin-isolation
      for: cross-origin isolation mode
        text: none; url:cross-origin-isolation-none
    urlPrefix: browsing-the-web.html
      text: create and initialize a Document object; url: initialise-the-document-object
      text: create navigation params by fetching; url: create-navigation-params-by-fetching
      text: document state; url: she-document-state
      text: historyHandling; url: navigation-hh
      text: referrerPolicy; url: navigation-referrer-policy
      text: attempt to populate the history entry's document; url: attempt-to-populate-the-history-entry's-document
      text: navigation params; url: navigation-params
      text: snapshot source snapshot params; url: snapshotting-source-snapshot-params
      for: navigation params
        text: response; url: navigation-params-response
        text: navigable; url: navigation-params-navigable
        text: origin; url: navigation-params-origin
        text: COOP enforcement result; url: navigation-params-coop-enforcement-result
      for: history handling behavior
        text: replace; url: hh-replace
      for: document state
        text: document; url: document-state-document
        text: history policy container; url: document-state-history-policy-container
        text: initiator origin; url: document-state-initiator-origin
      text: checking if unloading is user-canceled
      text: source snapshot params
      for: source snapshot params
        text: fetch client; url: source-snapshot-params-client
        text: source policy container; url: source-snapshot-params-policy-container
      text: session-history-entry
      for: session history entry
        text: step; url: she-step
      for: source snapshot params
        text: has transient activation; url: source-snapshot-params-activation
    urlPrefix: interaction.html
      text: activation notification; url: activation-notification
      text: consume user activation; url: consume-user-activation
      text: activation; url: activation
      text: click focusable; url: click-focusable
      text: focusable area; url: focusable-area
      text: sequential focus navigation; url: sequential-focus-navigation
      text: focus; url: dom-window-focus
      text: focus chain; url: focus-chain
      text: focus update steps; url: focus-update-steps
      text: focused; url: focused
      text: gain focus; url: gains-focus
      text: DOM anchor; url: dom-anchor
      text: get the focusable area; url: get-the-focusable-area
      text: currently focused area of a top-level traversable; url: currently-focused-area-of-a-top-level-traversable
      text: focused area; url: focused-area-of-the-document
      text: sequential navigation search algorithm; url: sequential-navigation-search-algorithm
    urlPefix: infrastructure.html
      text: immediately; url: immediately
    urlPrefix: nav-history-apis.html
      for: Window
        text: navigable; url: window-navigable
        text: opener; url: dom-opener
    urlPrefix: webappapis.html
      for: environment
        text: target browsing context; url: concept-environment-target-browsing-context
      text: navigation and traversal task source
    urlPrefix: document-sequences.html
      for: browsing context
        text: active document; url: active-document
    urlPrefix: interactive-elements.html
      text: accesskey attribute command; url: using-the-accesskey-attribute-to-define-a-command-on-other-elements
      text: previously focused element; url: previously-focused-element
    urlPrefix: popover.html
      text: hide popover algorithm; url: hide-popover-algorithm
    urlPrefix: form-control-infrastructure.html
      text: interactively validate the constraints; url: interactively-validate-the-constraints
    urlPrefix: custom-elements.html
      text: face validation anchor; url: face-validation-anchor
    urlPrefix: webappapis.html
      text: fire a click event; url: fire-a-click-event
    urlPrefix: urls-and-fetching.html
      text: about:srcdoc; url: about:srcdoc
spec: fetch; urlPrefix: https://fetch.spec.whatwg.org/
  type: dfn
    text: queue a cross-origin embedder policy CORP violation report; url: queue-a-cross-origin-embedder-policy-corp-violation-report
    text: should request be blocked due to a bad port; url: block-bad-port
    for: response
      text: has-cross-origin-redirects; url: response-has-cross-origin-redirects
spec: mixed-content; urlPrefix: https://w3c.github.io/webappsec-mixed-content/
  type: dfn
    text: should fetching request be blocked as mixed content; url: should-block-fetch
spec: RFC8941; urlPrefix: https://www.rfc-editor.org/rfc/rfc8941.html
  type: dfn
    text: structured header; url: #section-1
    for: structured header
      text: token; url: name-tokens
spec: permissions-policy; urlPrefix: https://w3c.github.io/webappsec-permissions-policy
  type: dfn
    text: ASCII-serialized policy directive; url: serialized-policy-directive
    text: serialized permissions policy; url: serialized-permissions-policy
    text: supported features; url: supported-features
    text: declared policy; url: declared-policy
    text: the special value *; url: the-special-value
    text: permissions policy; url: permissions-policy
    for: permissions
      text: matches; url: matches
spec: CSP; urlPrefix: https://w3c.github.io/webappsec-csp/
  type: dfn
    text: directive value; url: directive-value
    text: frame-src pre-request check; url: frame-src-pre-request
    text: frame-src post-request check; url: frame-src-post-request
    text: Get the effective directive for request; url: effective-directive-for-a-request
spec: CSPEE; urlPrefix: https://w3c.github.io/webappsec-cspee/
  type: dfn
    text: Is response to request blocked by context's required CSP?; url: process-response
    text: required csp; url: browsing-context-required-csp
spec: permissions-policy; urlPrefix: https://w3c.github.io/webappsec-permissions-policy
  type: dfn
    for: permissions policy
      text: inherited policy; url: inherited-policy
spec: css2; urlPrefix: https://www.w3.org/TR/CSS21/visuren.html
  type: dfn
    for: css2
      text: viewport; url: viewport
</pre>

<style>
/* Put nice boxes around each algorithm. */
[data-algorithm]:not(.heading) {
  padding: .5em;
  border: thin solid #ddd; border-radius: .5em;
  margin: .5em calc(-0.5em - 1px);
}
[data-algorithm]:not(.heading) > :first-child {
  margin-top: 0;
}
[data-algorithm]:not(.heading) > :last-child {
  margin-bottom: 0;
}
[data-algorithm] [data-algorithm] {
  margin: 1em 0;
}

.selected-text-file-an-issue {
  position: fixed;
  bottom: 0;
  right: 0;
  background: rgba(255, 255, 255, 0.8);
  font-size: smaller;
  padding: 4px 10px;
  z-index: 4;
}

dfn var {
  font-style: italic;
}

table {
  margin: 1em 0;
}

/* WHATWG-style <hr>s, instead of WICG-style. Specific selector is necessary to override WICG styles. */
:not(.head) > :not(.head) + hr {
  display: block;
  background: none;
  border: none;
  padding: 0;
  margin: 3em 0;
  height: auto;
}
:not(.head) > :not(.head) + hr::before {
  content: none;
}

/* WHATWG-style element definition class */
.element {
  background: #EEFFEE;
}
dt {
  margin-top: 12px;
  color: black;
}
dl, dd {
  padding-left: .5em;
}

/* domintro from https://resources.whatwg.org/standard.css */
.domintro {
  position: relative;
  color: green;
  background: #DDFFDD;
  margin: 2.5em 0 2em 0;
  padding: 1.5em 1em 0.5em 2em;
}

.domintro dt, .domintro dt * {
  color: black;
  font-size: inherit;
}
.domintro dd {
  margin: 0.5em 0 1em 2em; padding: 0;
}
.domintro dd p {
  margin: 0.5em 0;
}
.domintro::before {
  content: 'For web developers (non-normative)';
  background: green;
  color: white;
  padding: 0.15em 0.25em;
  font-style: normal;
  position: absolute;
  top: -0.8em;
  left: -0.8em;
}

/* .XXX from https://resources.whatwg.org/standard.css */
.XXX {
  color: #D50606;
  background: white;
  border: solid #D50606;
}
</style>

<script src="https://resources.whatwg.org/file-issue.js" async></script>

<h2 id=introduction>Introduction</h2>

*This section is non-normative.*

In a web that has its cookies and storage partitioned by top-frame site, there are occasions — such
as interest group based advertising as provided by the [[Protected-Audience]] API, or [Conversion
Lift
Measurements](https://github.com/w3c/web-advertising/blob/main/support_for_advertising_use_cases.md#conversion-lift-measurement))
— when it would be useful to display content from different partitions in the same page. This can
only be done in a privacy-preserving way if the {{Document}}s that contain data from different
partitions are isolated from each other, unable to communicate despite being re visually composed on
the same page. <{iframe}> elements are not suitable for this, since they offer many intentional
communication channels with their embedder. This specification introduces the <{fencedframe}>
element, a new element to embed {{Document}}s on a page that explicitly prevents communication
between the {{Document}} and its embedder.

This specification defines the new element, its integration with the rest of the web platform,
including [[#html-integration]] and [[#interaction-with-other-specs]], and its supporting primitives
like {{FencedFrameConfig}}, which is the major input to the <{fencedframe}> in place of normal
[=URLs=] and "`src`" attributes. Given that this specification defines a new element and its
integration with the rest of the platform, it should be read as largely a monkeypatch to the
[[HTML]], with its end goal to be merged into that standard, provided there is adequate
cross-browser support.

<h2 id=the-fencedframe-element>The <dfn element export>fencedframe</dfn> element</h2>

<dl class="element">
 <dt>[=Categories=]:</dt>
 <dd>[=Flow content=].</dd>
 <dd>[=Phrasing content=].</dd>
 <dd>[=Embedded content=].</dd>
 <dd>[=Interactive content=].</dd>
 <dd>[=Palpable content=].</dd>
 <dt>[=Contexts in which this element can be used=]:</dt>
 <dd>Where [=embedded content=] is expected.</dd>
 <dt>[=Content model=]:</dt>
 <dd>[=Nothing=].</dd>
 <dt>[=Content attributes=]:</dt>
 <dd>[=Global attributes=]</dd>
 <dd><code>[=width=]</code> — Horizontal dimension</dd>
 <dd><code>[=height=]</code> — Vertical dimension</dd>
 <dd><code><{fencedframe/allow}></code> — [=Permissions policy=] to be applied to the <{fencedframe}>'s contents</dd>
 <dt>[=Accessibility considerations=]:</dt>
 <dd><p class=XXX>TODO</p></dd>
 <dt>[=DOM interface=]:</dt>
 <dd>
<xmp class=idl>
[Exposed=Window]
interface HTMLFencedFrameElement : HTMLElement {
  [HTMLConstructor] constructor();

  [CEReactions] attribute FencedFrameConfig? config;
  [CEReactions] attribute DOMString width;
  [CEReactions] attribute DOMString height;
  [CEReactions] attribute DOMString allow;
};
</xmp>
</dd>
</dl>

The <{fencedframe}> element [=represents=] its [=fenced navigable container/fenced navigable=].

Descendants of <{fencedframe}> elements represent nothing.

Each <{fencedframe}> has a <dfn for=fencedframe>config</dfn>, which is either a
{{FencedFrameConfig}} or null. It is initially null.

<div algorithm=insertion>
  When a <{fencedframe}> element |element| is [=node is inserted into a document|inserted into a
  document=] whose [=Document/browsing context=] is non-null, run these steps:

  1. Let |nested traversable| be the result of [=create a new nested traversable|creating a new
     nested traversable=] for |element|.

  1. Set |nested traversable|'s [=navigable/loading mode=] to "`fencedframe`".

  1. <span class=XXX>Parse the sandbox attributes, once it exists</span>

  Issue: It's not necessary to call the <a
  href=https://html.spec.whatwg.org/multipage/browsing-the-web.html#url-and-history-update-steps>URL
  and history update steps</a> as we do during usual <a
  href=https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element:url-and-history-update-steps>child
  navigable creation</a> or <a
  href=https://html.spec.whatwg.org/multipage/nav-history-apis.html#apis-for-creating-and-navigating-browsing-contexts-by-name:url-and-history-update-steps>top-level
  traversable creation</a>, but we still need a mechanism to initialize
  {{History}}.{{History/length}} in the new navigable. This is an existing issue in the HTML
  Standard: <a
  href=https://github.com/whatwg/html/issues/9030>https://github.com/whatwg/html/issues/9030</a>.
</div>

<div algorithm=destroy>
  When a <{fencedframe}> element is [=removed from a document=], the user agent <p class=XXX>TODO:
  destroy the nested traversable</p>.
</div>

The <dfn attribute for=HTMLFencedFrameElement>config</dfn> IDL attribute getter steps are to return
[=this=]'s [=fencedframe/config=].

<div algorithm=config-setter>
  The {{HTMLFencedFrameElement/config}} IDL attribute setter steps are:

  1. If [=this=] is not [=connected=]:

    1. [=Assert=]: [=this=]'s [=fenced navigable container/fenced navigable=] is null.

       Note: This holds because when the element has been removed from the DOM, its removal steps
       immediately destroy the [=fenced navigable container/fenced navigable=].

  1. Let |urn uuid| be the given {{FencedFrameConfig}}'s [=fencedframeconfig/urn=].

  1. Let |shared storage context| be the given {{FencedFrameConfig}}'s [=fencedframeconfig/
     sharedStorageContext=].

  1. [=Navigate=] |element|'s [=fenced navigable container/fenced navigable=] to |urn uuid| using
     |element|'s [=Node/node document=], with [=historyHandling=] set to "<a for="history handling
     behavior">`replace`</a>", [=referrerPolicy=] set to <a>"`no-referrer`"</a>, and
     |shared storage context|.

     Note: See [[#navigation-changes]] for the <{fencedframe}>-specific changes to the ordinary
     navigation flow.

  <wpt>
    /fenced-frame/header-referrer.https.html
  </wpt>
</div>

The <dfn element-attr for=fencedframe>allow</dfn> attribute, when specified, determines the
[=container policy=] that will be used when the [=Document/permissions policy=] for a {{Document}}
in the <{fencedframe}>'s [=fenced navigable container/fenced navigable=] is initialized. Its value
must be a [=serialized permissions policy=]. [[!PERMISSIONS-POLICY]]

The IDL attribute <dfn attribute for=HTMLFencedFrameElement>allow</dfn> must [=reflect=] the
respective content attribute of the same name.

<h3 id=dimension-attributes>Dimension attributes</h3>

This section details monkeypatches to [[!HTML]]'s <a
href="https://html.spec.whatwg.org/multipage/embedded-content-other.html#dimension-attributes">Dimension
attributes</a> section. That section will be updated to include <{fencedframe}> in the list of
elements whose own <dfn element-attr for=fencedframe>width</dfn> and <dfn element-attr
for=fencedframe>height</dfn> dimension attributes have the same author requirements that apply to
the general <code>[=width=]</code> and <code>[=height=]</code> dimension attributes defined in
[[HTML]].

Furthermore, the IDL attributes <dfn attribute for=HTMLFencedFrameElement>width</dfn> and <dfn
attribute for=HTMLFencedFrameElement>height</dfn> must [=reflect=] the respective content attributes
of the same name.

<h3 id=fenced-frame-config-map>Fenced frame config mapping</h3>

Each [=traversable navigable=] has a <dfn for="traversable navigable" export>fenced frame config
mapping</dfn>, which is a [=fenced frame config mapping=].

Note: This mapping is consulted during [=navigate|navigation=], and written to by what we
colloquially refer to as *URN-generating APIs* or *config-generating APIs*, that generate both [=urn
uuids=] and [=fenced frame configs=] for use in navigating <{fencedframe}> and <{iframe}> elements.
See for example, the [[Protected-Audience]] API and [[Shared-Storage]] specifications.

A <dfn>fenced frame config mapping</dfn> has three submappings:

<dl dfn-for="fenced frame config mapping">
  : <dfn>pending config mapping</dfn>
  :: a [=map=] whose [=map/keys=] are [=urn uuids=] and whose [=map/values=] are [=fenced frame
     configs=]

  : <dfn>finalized config mapping</dfn>
  :: a [=map=] whose [=map/keys=] are [=urn uuids=] and whose [=map/values=] are [=fenced frame
     configs=]

  : <dfn>nested config mapping</dfn>
  :: a [=map=] whose [=map/keys=] are [=urn uuids=] and whose [=map/values=] are [=fenced frame
     configs=]
</dl>

Note: The purpose of pending configs is to enable config-generating APIs to resolve configs
asynchronously in a way that doesn't create timing side channels, i.e., the pending config is
returned to the web platform in a constant amount of time, before any computation whose duration
depends on cross-site data. Because the privacy of this depends on the web platform not being able
to discern when a pending config is finalized, it is important that all visibilities and values of
transparent fields do not change from the pending config to the finalized config, given that they
can be inspected through {{FencedFrameConfig}}'s getters. Therefore, a {{FencedFrameConfig}} that is
created and exposed to the web platform is effectively immutable even if the [=fenced frame config=]
represented by the [=fencedframe/config=]'s [=fencedframeconfig/urn=] is technically "pending", and
will finish resolving completely later.

Each [=fenced frame config mapping=] has a <dfn for="fenced frame config mapping">maximum number of
configs</dfn>, which is implementation-defined. The [=fenced frame config mapping/maximum number of
configs=] may be a non-negative number or infinity.

Note: It is important to specify the behavior of
[=fenced frame config mapping/maximum number of configs=] because its semantics can interact with
config-generating APIs in a privacy sensitive way.

At a high level, in order to store a [=fenced frame config=] in the
[=traversable navigable/fenced frame config mapping=], the creator of the config must first store a
pending config, and then turn the pending config into a finalized config. Those procedures are as
follows:

<div algorithm>
  To <dfn for="fenced frame config mapping" export>store a pending config</dfn> in a [=fenced frame
  config mapping=] |mapping| given a [=fenced frame config=] |config|, run these steps:

  1. Let |pendingMapping| be |mapping|'s [=fenced frame config mapping/pending config mapping=].

  1. If the [=map/size=] of |pendingMapping| + the [=map/size=] of |mapping|'s [=fenced frame config
     mapping/finalized config mapping=] ≥ |mapping|'s [=fenced frame config mapping/maximum number
     of configs=], return failure.

  1. Let |urn| be a randomly generated [=urn uuid=].

  1. [=Assert=]: |urn| does not [=map/exist=] in |pendingMapping|.

  1. [=map/Set=] |pendingMapping|[|urn|] to |config|.
  
  1. Return |urn|.
</div>

<div algorithm>
  To <dfn for="fenced frame config mapping" export>finalize a pending config</dfn> in a [=fenced
  frame config mapping=] |mapping| given a [=urn uuid=] |urn| and [=fenced frame config=]
  |config|, run these steps:

  1. Let |pendingMapping| be |mapping|'s [=fenced frame config mapping/pending config mapping=].

  1. Let |finalizedMapping| be |mapping|'s [=fenced frame config mapping/finalized config mapping=].

  1. If |pendingMapping|[|urn|] does not [=map/exist=], return failure.

  1. [=map/Remove=] |pendingMapping|[|urn|].

  1. [=map/Set=] |finalizedMapping|[|urn|] to |config|.
</div>

<div algorithm>
  To <dfn for="fenced frame config mapping" export>store nested configs</dfn> in a [=fenced frame
  config mapping=] |mapping| given a [=fenced frame config instance/nested configs=]
  |nestedConfigs|, run these steps:

  1. Let |nestedMapping| be |mapping|'s [=fenced frame config mapping/nested config mapping=].

  1. If |nestedConfigs| is null, return.

  1. [=map/iterate|For each=] |urn| → |config| of |nestedConfigs|:

    1. [=map/Set=] |nestedMapping|[|urn|] to |config|.
</div>

<div algorithm>
  To <dfn for="fenced frame config mapping" export>find a config</dfn> in a [=fenced frame config
  mapping=] |mapping| given a [=urn uuid=] |urn|, run these steps:

  1. Let |nestedMapping| be |mapping|'s [=fenced frame config mapping/nested config mapping=].

  1. Let |pendingMapping| be |mapping|'s [=fenced frame config mapping/pending config mapping=].

  1. Let |finalizedMapping| be |mapping|'s [=fenced frame config mapping/finalized config mapping=].

  1. If |nestedMapping|[|urn|] [=map/exists=], return its value.

  1. If |pendingMapping|[|urn|] [=map/exists=], wait until it does not [=map/exist=].

  1. If |finalizedMapping|[|urn|] [=map/exists=], return its value.

  1. Return failure.
</div>

<h3 id=fenced-frame-config-section>Fenced frame configs</h3>

<h4 id=fenced-frame-config-intro>Introduction</h4>

*This section is non-normative.*

A key feature of the <{fencedframe}> element is that web platform APIs can configure the behavior
of the frame in a way that limits the ability of other execution contexts to modify or inspect this
configuration, for security and privacy reasons. For example, the [[Protected-Audience]] API
performs on-device ad auctions over cross-site data, and it is important that the ad that wins the
auction can be loaded into a frame, without the API caller knowing *which ad* won the auction or
being able to manipulate the environment in which the ad loads.

We achieve this using the concept of a "[=fenced frame config=]". A [=fenced frame config=] is a
collection of fields that can be loaded into <{fencedframe}> elements and that specifies the
resulting environments. [=Fenced frame configs=] can only be created by specific web platform APIs,
and not constructed or modified by script. Their fields also contain "[=visibilities=]", which
dictate whether the field should be "redacted" when inspected through the {{FencedFrameConfig}}
interface. Config-generating APIs like the [[Protected-Audience]] and [[Shared-Storage]] APIs must
specify values for all fields of their [=fenced frame configs=] in order to ensure that they have
considered the privacy implications of each field, though they may choose to set the values to null.

Each time a <{fencedframe}> navigates to a [=fenced frame config=], it is instantiated as a new
[=fenced frame config instance=], which governs the particular [=browsing context group=] inside the
[=fenced navigable container/fenced navigable=].

<h4 id=fenced-frame-config-struct>The [=fenced frame config=] [=struct=]</h4>

We now establish some preliminary types:

A <dfn export for=fencedframeconfig>visibility</dfn> is either "<dfn export
for=visibility>`opaque`</dfn>" or "<dfn export for=visibility>`transparent`</dfn>".

A <dfn export for=fencedframetype>size</dfn> is a [=struct=] with the following [=struct/items=]:

<dl export dfn-for="size">
  : <dfn>width</dfn>
  :: a non-negative integer

  : <dfn>height</dfn>
  :: a non-negative integer
</dl>

<span class=XXX>TODO: Consider different numeric types for these members.</span>

An <dfn export for=fencedframetype>interest group descriptor</dfn> is a [=struct=] with the
following [=struct/items=]:

<dl export dfn-for="interest group descriptor">
  : <dfn>owner</dfn>
  :: an [=origin=]

  : <dfn>name</dfn>
  :: a [=string=]
</dl>

An <dfn export for=fencedframetype>exhaustive set of sandbox flags</dfn> is a [=sandboxing flag
set=].

A <dfn export for=fencedframetype>pending event</dfn> is a [=struct=] with the following
[=struct/items=]:

<dl export dfn-for="pending event">
  : <dfn>destination</dfn>
  :: a {{FenceReportingDestination}}

  : <dfn>event</dfn>
  :: a [=fencedframetype/destination event=]
</dl>

A <dfn export for=fencedframetype>reporting destination info</dfn> is a [=struct=] with the
following [=struct/items=]:

<dl export dfn-for="reporting destination info">
  : <dfn>reporting url map</dfn>
  :: a [=map=] whose [=map/keys=] are [=strings=] and whose [=map/values=] are [=URLs=]

  : <dfn>reporting macro map</dfn>
  :: null, or a [=map=] whose [=map/keys=] are [=strings=] and whose [=map/values=] are [=strings=]
</dl>

A <dfn export for=fencedframetype>fenced frame reporting map</dfn> is a [=map=] whose [=map/keys=]
are {{FenceReportingDestination}}s and whose [=map/values=] are either:
 * [=lists=] of [=fencedframetype/pending events=] (which are used to represent events that need to
   be reported asynchronously, because the metadata has not been finalized yet); or
 * [=fencedframetype/reporting destination infos=] (which are used
   to represent the actual metadata once it is finalized).

Note: This representation is meant to allow config-generating APIs to reduce latency by resolving
the values of reporting destinations asynchronously, after they've already constructed and returned
the fenced frame config (and even after the config has been loaded, and event reports have been
generated inside the fenced frame). When the config-generating API declares the [=fencedframetype/
fenced frame reporting map=], they can mark certain destinations as pending using an empty
[=list=], and then maintain a reference to the map for later. If the fenced frame attempts to
[=report an event=] to a destination while it is still pending, it stores the event in this
[=list=] for later handling. When the config-generating API or its callback eventually [=finalizes
a reporting destination=] through the reference it kept, it will handle all of the pending events
stored in the [=list=]. If the destination is never finalized, then the pending events will never
be sent.

<div algorithm>
  In order to <dfn export>finalize a reporting destination</dfn>, given a [=fencedframetype/fenced
  frame reporting map=] |reporting map|, a {{FenceReportingDestination}} |destination|, a [=map=]
  |destination map| whose [=map/keys=] are [=strings=] and whose [=map/values=] are [=urls=], and
  |macro map|, which is either null or a [=map=] whose [=map/keys=] are [=strings=] and whose
  [=map/values=] are [=strings=], run these steps:

  1. [=Assert=] that |reporting map|[|destination|] is a [=list=] (i.e., that |destination|'s
     metadata has not yet been finalized).

  1. Let |pending event list| be |reporting map|[|destination|].

  1. [=map/Set=] |reporting map|[|destination|] to a [=struct=] with the following [=struct/items=]:
       : [=reporting destination info/reporting url map=]
       :: |destination map|

       : [=reporting destination info/reporting macro map=]
       :: |macro map|

  1. [=list/For each=] |pending event| of |pending event list|:

     1. [=Send a beacon=] with |destination map| and |pending event|'s [=pending event/event=].
</div>

A <dfn export for=fencedframetype>fenced frame reporting metadata</dfn> is a [=struct=] with the
following [=struct/items=]:

<dl export dfn-for="fenced frame reporting metadata">
  : <dfn>fenced frame reporting map</dfn>
  :: a [=fencedframetype/fenced frame reporting map=]

  : <dfn>direct seller is seller</dfn>
  :: a [=boolean=], initially true

  : <dfn>allowed reporting origins</dfn>
  :: null or a [=list=] of [=origins=]. An origin must be present in this list to be the
     destination of a [=fencedframetype/destination URL event=] report.

  : <dfn>attempted custom url report to disallowed origin</dfn>
  :: a [=boolean=], initially false
</dl>

A <dfn export for=fencedframetype>fenced frame reporter</dfn> is a [=struct=] with the following
[=struct/items=]:
<dl export dfn-for="fenced frame reporter">
  : <dfn>fenced frame reporting metadata reference</dfn>
  :: a mutable reference to a [=fencedframetype/fenced frame reporting metadata=]
     <span class=XXX>TODO: Handle pointers/references in a more spec-y way</span>

  : <dfn>automatic beacon data</dfn>
  :: null, or a [=struct=] with the following [=struct/items=]:
     <dl dfn-for="automatic beacon data">
       : <dfn>eventData</dfn>
       :: a [=string=]

       : <dfn>destination</dfn>
       :: a [=list=] of {{FenceReportingDestination}}s

       : <dfn>once</dfn>
       :: a [=boolean=]
     </dl>
</dl>

A <dfn export for=fencedframetype>destination enum event</dfn> is a [=struct=] with the following
[=struct/items=]:
<dl export dfn-for="destination enum event">
  : <dfn>type</dfn>
  :: a [=string=]

  : <dfn>data</dfn>
  :: a [=string=]
</dl>

A <dfn export for=fencedframetype>destination URL event</dfn> is a [=URL=].

A <dfn export for=fencedframetype>destination event</dfn> is either a
[=fencedframetype/destination enum event=] or a [=fencedframetype/destination URL event=].

<div algorithm>
  In order to <dfn>send a beacon</dfn> with a [=fencedframetype/reporting destination info=]
  |destination info| and a [=fencedframetype/destination event=] |event|, run these steps:

  1. Let |destination url| be an empty [=string=].

  1. If |event| is a [=fencedframetype/destination enum event=], then:

     1. Let |destination map| be |destination info|'s
        [=reporting destination info/reporting url map=].

     1. Let |eventType| be |event|'s [=destination enum event/type=].

     1. If |destination map|[|eventType|] does not [=map/exist=], return.

     1. Set |destination url| to |destination map|[|eventType|].

  1. Otherwise:

     1. [=Assert=]: |event| is a [=fencedframetype/destination URL event=].

     1. Let |macro map| be |destination info|'s [=reporting destination info/reporting macro map=].

     1. If |macro map| is null, return.

     1. Set |destination url| to |event|.

     1. Let |destination url| be the result of [=fencedframeutil/substituting macros=] with
        |macro map| into |destination url|.
  
  1. Optionally, return.

    Note: This [=implementation-defined=] condition is intended to allow user agents to drop the
    beacon for a number of reasons, for example user opt-out or |destination url|'s [=site=] not
    being <a href="https://github.com/privacysandbox/attestation">enrolled</a>.

  1. Let |request| be a new [=request=] with the following properties:

    : [=request/method=]
    :: <code>`POST`</code> if |event| is a [=fencedframetype/destination enum event=], otherwise
       <code>`GET`</code>.

    : [=request/URL=]
    :: |destination url|

    : [=request/header list=]
    :: A new [=header list=] containing a [=header=] whose [=header/name=] is `"Content-Type"` and
       [=header/value=] is `"text/plain"`.

    : [=request/body=]
    :: If |event| is a [=fencedframetype/destination enum event=], a [=body=] whose [=body/source=]
       is |event|'s [=destination enum event/data=], otherwise null.

    : [=request/client=]
    :: null

    : [=request/service-workers mode=]
    :: `"all"`

       Issue: The default is `"all"`, so we technically don't have to set anything here. We do in order
       to remind ourselves that it might be more appropriate to skip service workers here, like some
       [other
       beacons](https://wicg.github.io/attribution-reporting-api/#ref-for-request-service-workers-mode).

    : [=request/origin=]
    :: <span class=XXX>Get the origin from somewhere, like the [implementation
       does](https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:content/browser/fenced_frame/fenced_frame_reporter.cc;l=384;drc=183dd920ea5d6aed92e007c40e226f1f840c0567)</span>.

    : [=request/referrer=]
    :: `"no-referrer"`

    : [=request/mode=]
    :: `"cors"`

    : [=request/credentials mode=]
    :: `"omit"`

  1. [=Fetch=] |request|.

    Note: This algorithm can be invoked from while [=in parallel=] or while on a {{Document}}'s main
    thread. To handle the [=in parallel=] invocation correctly, ordinarily we would invoke [=fetch=]
    with [=fetch/useParallelQueue=] set to true, but since we don't pass in any of the <span
    class=allow-2119>optional</span> [=response=]-handling algorithms, there is no need to do this.
</div>

<div algorithm>
  In order to <dfn>report an event</dfn> using a [=fencedframetype/fenced frame reporter=]
  |reporter| with a {{FenceReportingDestination}} |destination|, and a
  [=fencedframetype/destination event=] |event|, run these steps:

  1. Let |metadata| be |reporter|'s
     [=fenced frame reporter/fenced frame reporting metadata reference=].

  1. If |destination| is `"direct-seller"`:

     1. If |metadata|'s [=fenced frame reporting metadata/direct seller is seller=] is true, set
        |destination| to `"seller"`.

     1. Otherwise, set |destination| to `"component-seller"`.

  1. If |event| is a [=fencedframetype/destination URL event=]:
     1. If |event|'s [=url/origin=] is not [=same origin=] with any of the entries in
        |metadata|'s [=fenced frame reporting metadata/allowed reporting origins=]:
        1. Set |metadata|'s
           [=fenced frame reporting metadata/attempted custom url report to disallowed origin=] to
           true.

     1. If |metadata|'s
        [=fenced frame reporting metadata/attempted custom url report to disallowed origin=] is
        true, return.

  1. Let |reporting map| be a reference to |metadata|'s
     [=fenced frame reporting metadata/fenced frame reporting map=].

  1. If |reporting map|[|destination|] does not [=map/exist=], return.

  1. If |reporting map|[|destination|] is a [=list=]:

     1. Let |newEvent| be a new [=fencedframetype/pending event=] with the following:
        : [=pending event/destination=]
        :: |destination|

        : [=pending event/event=]
        :: |event|

     1. [=list/Append=] |newEvent| to |reporting map|[|destination|].

     1. Return.

       Note: The pending event will be sent asynchronously.

  1. [=Assert=] that |reporting map|[|destination|] is a [=map=] (i.e. that |destination|'s
     metadata has been finalized).

  1. [=Send a beacon=] with |reporting map|[|destination|] and |event|.
</div>

<div algorithm>
  In order to <dfn>report a private aggregation event</dfn> using a [=fencedframetype/fenced frame
  reporter=] |reporter| with a [=string=] |event|, run these steps:

  1. |reporter| |event| <span class=XXX>TODO: Fill this in</span>
</div>

An <dfn export for=fencedframetype>exfiltration budget metadata</dfn> is a [=struct=] with the
following [=struct/items=]:

<dl export dfn-for="exfiltration budget metadata">
  : <dfn>origin</dfn>
  :: an [=origin=]

  : <dfn>amount to debit</dfn>
  :: a non-negative valid floating point number
</dl>

An <dfn export for=fencedframetype>exfiltration budget metadata reference</dfn> is a [=struct=] with
the following [=struct/items=]:

<dl export dfn-for="exfiltration budget metadata reference">
  : <dfn>origin</dfn>
  :: an [=origin=]

  : <dfn>amount to debit reference</dfn>
  :: a mutable reference to a non-negative valid floating point number
     <span class=XXX>TODO: Handle pointers/references in a more specy-y way</span>
</dl>

A <dfn export>partition nonce</dfn> is an [=implementation-defined=] value.

Note: This is similar to the <a href=https://fetch.spec.whatwg.org/#network-partition-key>network
partition key</a> used by <a href=https://fetch.spec.whatwg.org/>Fetch</a>.

A <dfn export>fenced frame config</dfn> is a [=struct=] with the following [=struct/items=]:

<dl export dfn-for="fenced frame config">
  : <dfn>mapped url</dfn>
  :: a [=struct=] with the following [=struct/items=]:
    : <dfn for="mapped url">value</dfn>
    :: a [=URL=]

    : <dfn for="mapped url">visibility</dfn>
    :: a [=fencedframeconfig/visibility=]

  : <dfn>container size</dfn>
  :: null, or a [=fencedframetype/size=]

  : <dfn>content size</dfn>
  :: null, or a [=struct=] with the following [=struct/items=]:
    : <dfn for="content size">value</dfn>
    :: a [=fencedframetype/size=]

    : <dfn for="content size">visibility</dfn>
    :: a [=fencedframeconfig/visibility=]

  : <dfn>interest group descriptor</dfn>
  :: null, or a [=struct=] with the following [=struct/items=]:
    : <dfn for="interest group descriptor">value</dfn>
    :: an [=fencedframetype/interest group descriptor=]

    : <dfn for="interest group descriptor">visibility</dfn>
    :: a [=fencedframeconfig/visibility=]

  : <dfn>on navigate callback</dfn>
  :: null, or a series of steps

  : <dfn>effective sandbox flags</dfn>
  :: null, or a [=struct=] with the following [=struct/items=]:
    : <dfn for="effective sandbox flags">value</dfn>
    :: an [=fencedframetype/exhaustive set of sandbox flags=]

    : <dfn for="effective sandbox flags">visibility</dfn>
    :: a [=fencedframeconfig/visibility=]

  : <dfn>effective enabled permissions</dfn>
  :: null, or a [=struct=] with the following [=struct/items=]:
    : <dfn for="effective enabled permissions">value</dfn>
    :: a [=list=] of [=policy-controlled features=]

    : <dfn for="effective enabled permissions">visibility</dfn>
    :: a [=fencedframeconfig/visibility=]

    Note: When non-null, this is a [=list=] of [=policy-controlled features=] that the generator of
    this config relies on exclusively being enabled inside the <{fencedframe}> that navigates to
    this config. Specifically, each feature in this list <span class=allow-2119>must</span> be
    enabled by the <{fencedframe}>'s [=fenced navigable container/fenced navigable=]'s
    [=Document/permissions policy=]'s [=permissions policy/inherited policy=] when navigating to
    this config for the navigation to succeed. The features in this list are not force-enabled, but
    rather are used to check that the embedder environment that influences the aforementioned
    [=permissions policy/inherited policy=] is relaxed enough to support these essential features.
    If the [=inherited policy for a feature|inherited policy value=] for any of these features is
    "`Disabled`", the navigation to this config will fail. Any [=policy-controlled feature=] *not*
    in this list will not be "`Disabled`" in the <{fencedframe}> that navigates to this config.

  : <dfn>fenced frame reporting metadata</dfn>
  :: null, or a [=struct=] with the following [=struct/items=]:
    : <dfn for="fenced frame reporting metadata">value</dfn>
    :: a [=fencedframetype/fenced frame reporting metadata=]

    : <dfn for="fenced frame reporting metadata">visibility</dfn>
    :: a [=fencedframeconfig/visibility=]

  : <dfn>exfiltration budget metadata</dfn>
  :: null, or a [=struct=] with the following [=struct/items=]:
    : <dfn for="exfiltration budget metadata">value</dfn>
    :: an [=fencedframetype/exfiltration budget metadata=]

    : <dfn for="exfiltration budget metadata">visibility</dfn>
    :: a [=fencedframeconfig/visibility=]

  : <dfn>nested configs</dfn>
  :: null, or a [=struct=] with the following [=struct/items=]:
    : <dfn for="nested configs">value</dfn>
    :: a [=list=] of [=fenced frame configs=]

    : <dfn for="nested configs">visibility</dfn>
    :: a [=fencedframeconfig/visibility=]

  : <dfn>embedder shared storage context</dfn>
  :: null, or a [=string=]
</dl>

<h4 id=fenced-frame-config-instance-struct>The [=fenced frame config instance=] [=struct=]</h4>

A <dfn export>fenced frame config instance</dfn> is a [=struct=] with the following [=struct/items=]:

<dl export dfn-for="fenced frame config instance">
  : <dfn>mapped url</dfn>
  :: a [=URL=]

  : <dfn>container size</dfn>
  :: null, or a [=fencedframetype/size=]

  : <dfn>content size</dfn>
  :: null, or a [=fencedframetype/size=]

  : <dfn>interest group descriptor</dfn>
  :: null, or an [=fencedframetype/interest group descriptor=]

  : <dfn>on navigate callback</dfn>
  :: null, or a series of steps

  : <dfn>effective sandbox flags</dfn>
  :: null, or an [=fencedframetype/exhaustive set of sandbox flags=]

  : <dfn>effective enabled permissions</dfn>
  :: null, or a [=list=] of [=policy-controlled features=]

  : <dfn>fenced frame reporter</dfn>
  :: null, or a [=fencedframetype/fenced frame reporter=]

  : <dfn>exfiltration budget metadata reference</dfn>
  :: null, or an [=fencedframetype/exfiltration budget metadata reference=]

  : <dfn>nested configs</dfn>
  :: null, or an [=map=] whose [=map/keys=] are [=urn uuids=] and whose [=map/values=] are [=fenced
     frame configs=]

  : <dfn>partition nonce</dfn>
  :: a [=partition nonce=]

  : <dfn>embedder shared storage context</dfn>
  :: null, or a [=string=]
</dl>

<div algorithm>
  To <dfn export>instantiate a config</dfn> given a [=fenced frame config=] |config|, return a
  [=fenced frame config instance=] with the following members:

    : [=fenced frame config instance/mapped url=]
    :: |config|'s [=fenced frame config/mapped url=]'s [=mapped url/value=]

    : [=fenced frame config instance/container size=]
    :: |config|'s [=fenced frame config/container size=]

    : [=fenced frame config instance/content size=]
    :: |config|'s [=fenced frame config/content size=] if null, otherwise |config|'s [=fenced frame
       config/content size=]'s [=content size/value=]

    : [=fenced frame config instance/interest group descriptor=]
    :: |config|'s [=fenced frame config/interest group descriptor=] if null, otherwise |config|'s
       [=fenced frame config/interest group descriptor=]'s [=interest group descriptor/value=]

    : [=fenced frame config instance/on navigate callback=]
    :: |config|'s [=fenced frame config/on navigate callback=]

    : [=fenced frame config instance/effective sandbox flags=]
    :: |config|'s [=fenced frame config/effective sandbox flags=] if null, otherwise |config|'s
       [=fenced frame config/effective sandbox flags=]'s [=effective sandbox flags/value=]

    : [=fenced frame config instance/effective enabled permissions=]
    :: |config|'s [=fenced frame config/effective enabled permissions=] if null, otherwise
       |config|'s [=fenced frame config/effective enabled permissions=]'s [=effective enabled
       permissions/value=]

    : [=fenced frame config instance/fenced frame reporter=]
    ::
        1. If |config|'s [=fenced frame config/fenced frame reporting metadata=]'s [=fenced frame
           reporting metadata/value=] is null, set to null.

        1. Otherwise, set to a [=fencedframetype/fenced frame reporter=] with the following
           members:

            : [=fenced frame reporter/fenced frame reporting metadata reference=]
            :: a reference to |config|'s [=fenced frame config/fenced frame reporting metadata=]'s
               [=fenced frame reporting metadata/value=]

            : [=fenced frame reporter/automatic beacon data=]
            :: null

    : [=fenced frame config instance/exfiltration budget metadata reference=]
    ::
        1. If |config|'s [=fenced frame config/exfiltration budget metadata=] is null, set to null.

        1. Otherwise, set to a [=fencedframetype/exfiltration budget metadata reference=]:

            : [=exfiltration budget metadata reference/origin=]
            :: |config|'s [=fenced frame config/exfiltration budget metadata=]'s [=exfiltration
               budget metadata/value=]'s [=exfiltration budget metadata/origin=]

            : [=exfiltration budget metadata reference/amount to debit reference=]
            :: a reference to |config|'s [=fenced frame config/exfiltration budget metadata=]'s
               [=exfiltration budget metadata/value=]'s [=exfiltration budget metadata/amount to
               debit=]

    : [=fenced frame config instance/nested configs=]
    ::
        1. If |config|'s [=fenced frame config/nested configs=] is null, set to null.

        1. Otherwise:

           1. Let |results| be a new [=map=].

           1. [=list/For each=] |nested config| of |config|'s [=fenced frame config/nested
             configs=]'s [=nested configs/value=]:

               1. Let |urn| be a randomly generated [=urn uuid=].

               1. [=map/Set=] |results|[|urn|] to |nested config|.

           1. Set [=fenced frame config instance/nested configs=] to |results|.

    : [=fenced frame config instance/partition nonce=]
    :: a random, unique [=partition nonce=]

    : [=fenced frame config instance/embedder shared storage context=]
    :: |config|'s [=fenced frame config/embedder shared storage context=]
</div>

Each [=browsing context=] has a <dfn for="browsing context">fenced frame config instance</dfn>,
which is a [=fenced frame config instance=] or null, initially null.

Advisement: This [=browsing context/fenced frame config instance=] should really exist on
[=browsing context group=], however until third-party cookies are <a
href=https://w3ctag.github.io/web-without-3p-cookies/#introduction>deprecated</a>, this
specification supports many of the <{fencedframe}> concepts on the <{iframe}> element. This requires
that for the short term, a normal [=navigable container/content navigable=] be able to load a
[=fenced frame config=], and therefore have access to the navigation's corresponding [=fenced frame
config instance=].

<h4 id=fenced-frame-config-interface>The {{FencedFrameConfig}} interface</h4>

One major input to the <{fencedframe}> element is the {{FencedFrameConfig}} interface, which
maps to an internal [=fenced frame config=] [=struct=].

<pre class=idl>
  enum OpaqueProperty {"opaque"};

  typedef (unsigned long or OpaqueProperty) FencedFrameConfigSize;
  typedef USVString FencedFrameConfigURL;

  [Exposed=Window, Serializable]
  interface FencedFrameConfig {
    readonly attribute FencedFrameConfigSize? containerWidth;
    readonly attribute FencedFrameConfigSize? containerHeight;
    readonly attribute FencedFrameConfigSize? contentWidth;
    readonly attribute FencedFrameConfigSize? contentHeight;

    undefined setSharedStorageContext(DOMString contextString);
  };
</pre>

Note: Note that {{FencedFrameConfig}}s cannot be constructed manually from JavaScript. They can only
be created by config-generating APIs. However, some browsers [support a developer-only
flag](https://github.com/WICG/fenced-frame/issues/94) which help developers test the <{fencedframe}>
element with arbitrary URLs *not* produced by config-generating APIs for development.

Each {{FencedFrameConfig}} has:

 * A <dfn for=fencedframeconfig>urn</dfn>, a [=urn uuid=]
 * A <dfn for=fencedframeconfig>sharedStorageContext</dfn>, a [=string=]
 * A <dfn for=fencedframeconfig>containerWidth</dfn>, a {{FencedFrameConfigSize}} or null
 * A <dfn for=fencedframeconfig>containerHeight</dfn>, a {{FencedFrameConfigSize}} or null
 * A <dfn for=fencedframeconfig>contentWidth</dfn>, a {{FencedFrameConfigSize}} or null
 * A <dfn for=fencedframeconfig>contentHeight</dfn>, a {{FencedFrameConfigSize}} or null

<div algorithm="containerWidth getter">
  The {{FencedFrameConfig/containerWidth}} IDL attribute getter steps are to return [=this=]'s
  [=fencedframeconfig/containerWidth=].
</div>

<div algorithm="containerHeight getter">
  The {{FencedFrameConfig/containerHeight}} IDL attribute getter steps are to return [=this=]'s
  [=fencedframeconfig/containerHeight=].
</div>

<div algorithm="contentWidth getter">
  The {{FencedFrameConfig/contentWidth}} IDL attribute getter steps are to return [=this=]'s
  [=fencedframeconfig/contentWidth=].
</div>

<div algorithm="contentHeight getter">
  The {{FencedFrameConfig/contentHeight}} IDL attribute getter steps are to return [=this=]'s
  [=fencedframeconfig/contentHeight=].
</div>

<div algorithm>
  The <dfn method for=FencedFrameConfig>setSharedStorageContext(|contextString|)</dfn> method steps
  are to set [=this=]'s [=fencedframeconfig/sharedStorageContext=] to |contextString|.
</div>

<div algorithm="FencedFrameConfig serializer">
  {{FencedFrameConfig}} objects are [=serializable objects=]. Their [=serialization steps=], given
  |value|, |serialized|, and |forStorage| are:

  1. If |forStorage| is true, then throw a {{DataCloneError}} {{DOMException}}.
  
  1. Set |serialized|.\[[Urn]] to |value|'s [=fencedframeconfig/urn=].

  1. Set |serialized|.\[[SharedStorageContext]] to |value|'s [=fencedframeconfig/
     sharedStorageContext=].

  1. Set |serialized|.\[[ContainerWidth]] to |value|'s [=fencedframeconfig/
     containerWidth=].

  1. Set |serialized|.\[[ContainerHeight]] to |value|'s [=fencedframeconfig/
     containerHeight=].

  1. Set |serialized|.\[[ContentWidth]] to |value|'s [=fencedframeconfig/
     contentWidth=].

  1. Set |serialized|.\[[ContentHeight]] to |value|'s [=fencedframeconfig/
     contentHeight=].


</div>

<div algorithm="FencedFrameConfig deserializer">
  Their [=deserialization steps=], given |serialized|, |value|, and <var ignore> targetRealm</var>
  are:

  1. Initialize |value|'s [=fencedframeconfig/urn=] to |serialized|.\[[Urn]].

  1. Initialize |value|'s [=fencedframeconfig/sharedStorageContext=] to
     |serialized|.\[[SharedStorageContext]].

  1. Initialize |value|'s [=fencedframeconfig/containerWidth=] to |serialized|.\[[ContainerWidth]].

  1. Initialize |value|'s [=fencedframeconfig/containerHeight=] to
     |serialized|.\[[ContainerHeight]].

  1. Initialize |value|'s [=fencedframeconfig/contentWidth=] to |serialized|.\[[ContentWidth]].

  1. Initialize |value|'s [=fencedframeconfig/contentHeight=] to |serialized|.\[[ContentHeight]].
</div>

Note: To help with ease of adoption,
[until 2026](https://github.com/WICG/turtledove/issues/286#issuecomment-1682842636) we will support
the API {{Window/navigator}}.{{Navigator/deprecatedReplaceInURN()}}, which allows you to substitute
macros into the [=fenced frame config/mapped url=] corresponding to a given [=urn uuid=] or
{{FencedFrameConfig}}.

<pre class=idl>
typedef (USVString or FencedFrameConfig) UrnOrConfig;

partial interface Navigator {
  Promise&lt;undefined&gt; deprecatedReplaceInURN(
    UrnOrConfig urnOrConfig, record&lt;USVString, USVString&gt; replacements);
};
</pre>

<div algorithm>
  To <dfn export for=fencedframeutil>substitute macros</dfn> with an [=ordered map=] with
  [=string=] [=map/keys=] and [=string=] [=map/values=] |macros| into a [=string=] |string|, run
  these steps:

  1. <span class=XXX>TODO:</span> [Spec this](https://github.com/WICG/fenced-frame/issues/116).
     Substitute the keys from |macros| with the corresponding values into |string|, and return the
     new string. There is no recursive substitution.
</div>

<div algorithm>
  The <dfn method for=Navigator>deprecatedReplaceInURN(|urnOrConfig|, |replacements|)</dfn>
  method steps are:

  1. Let |urn| be null.

  1. If |urnOrConfig| is a {{USVString}}, set |urn| to |urnOrConfig|.

  1. Otherwise, set |urn| to |urnOrConfig|'s [=fencedframeconfig/urn=].

  1. If |urn| is <span class=XXX>TODO invalid</span>, [=exception/throw=] a {{TypeError}}.

  1. [=map/For each=] |key| → _ of |replacements|:
     1. If |key| does not [=string/start with=] <code>${</code> or <code>%%</code>,
        [=exception/throw=] a {{TypeError}}.
     1. If |key| does not [=string/end with=] <code>}</code> or <code>%%</code>,
        [=exception/throw=] a {{TypeError}}.

  1. Let |p| be [=a new promise=].

  1. Let |global| be [=this=]'s [=relevant global object=].

  1. Run the following steps [=in parallel=]:

     1. Let |mapping| be |global|'s [=associated Document=]'s [=node navigable=]'s
        [=navigable/traversable navigable=]'s [=traversable navigable/fenced frame config mapping=].

     1. Let |config| be the result of [=fenced frame config mapping/finding a config=] in |mapping|
        with |urn|.

     1. If |config| is failure, [=queue a global task=] on the [=DOM manipulation task source=]
        given |global|, to [=resolve=] |p| with {{undefined}}, and abort these steps.

     1. Let |substitutedUrl| be the result of [=fencedframeutil/substituting macros=] with
        |replacements| into |config|'s [=fenced frame config/mapped url=]'s [=mapped url/value=].

     1. Set |config|'s [=fenced frame config/mapped url=]'s [=mapped url/value=] to
        |substitutedUrl|.

     1. [=Queue a global task=] on the [=DOM manipulation task source=] given |global|, to
        [=resolve=] |p| with {{undefined}}.

  1. Return |p|.

  <wpt>
    /fenced-frame/deprecated-config-apis.https.html
  </wpt>
</div>

<h3 id=fence-interface>The {{Fence}} interface</h3>

Several APIs specific to fenced frames are defined on the {{Fence}} interface.

<pre class=idl>
  enum FenceReportingDestination {
    "buyer",
    "seller",
    "component-seller",
    "direct-seller",
    "shared-storage-select-url",
  };

  dictionary FenceEvent {
    // This dictionary has two mutually exclusive modes that aren't represented as
    // distinct IDL types due to distinguishability issues:
    //
    // When reporting to a preregistered destination (specified by enum), the following
    // properties are used:
    DOMString eventType;
    DOMString eventData;
    sequence&lt;FenceReportingDestination&gt; destination;
    boolean once = false;

    // When reporting to a custom destination URL (with substitution of macros defined by
    // the Protected Audience buyer), the following property is used:
    USVString destinationURL;
  };

  typedef (FenceEvent or DOMString) ReportEventType;

  [Exposed=Window]
  interface Fence {
      undefined reportEvent(optional ReportEventType event = {});
      undefined setReportEventDataForAutomaticBeacons(optional FenceEvent event = {});
      sequence&lt;FencedFrameConfig&gt; getNestedConfigs();
  };
</pre>

<div algorithm>
  The <dfn method for=Fence>reportEvent(|event|)</dfn> method steps are:

  1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s
     [=browsing context/fenced frame config instance=].

  1. If |instance| is null, then return.

  1. If the [=relevant settings object=]'s [=environment settings object/origin=] and |instance|'s
     [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same origin=], then
     return.

  1. If |instance|'s [=fenced frame config instance/fenced frame reporter=] is null, then return.

  1. If |event| is a {{DOMString}}, run [=report a private aggregation event=] using |instance|'s
     [=fenced frame config instance/fenced frame reporter=] with |event|.

  1. If |event| is a {{FenceEvent}}:

     1. If |event| has a {{FenceEvent/destinationURL}}:
        1. If |event| has a {{FenceEvent/destination}} or a {{FenceEvent/eventType}} or a
           {{FenceEvent/eventData}}:

           1. [=exception/Throw=] a {{TypeError}}.

        1. Let |destinationURL| be the result of running the [=URL parser=] on
           {{FenceEvent/destinationURL}}.

        1. [=exception/Throw=] a {{TypeError}} if any of the following conditions hold:

           * |destinationURL| is failure;
           * |destinationURL| [=url/scheme=] is not "`https`";

        1. Run [=report an event=] using |instance|'s [=fenced frame config instance/fenced frame
           reporter=] with {{FenceReportingDestination/buyer}} and a
           [=fencedframetype/destination URL event=] that is |event|'s
           {{FenceEvent/destinationURL}}.

     1. Otherwise:
        1. If |event| does not have a {{FenceEvent/destination}} or |event| does not have a
           {{FenceEvent/eventType}}:

           1. [=exception/Throw=] a {{TypeError}}.

        1. [=list/For each=] |destination| of |event|'s {{FenceEvent/destination}}:

        1. Run [=report an event=] using |instance|'s [=fenced frame config instance/fenced frame
           reporter=] with |destination| and a [=fencedframetype/destination enum event=] with the
           following [=struct/items=]:

           : [=destination enum event/type=]
           :: |event|'s {{FenceEvent/eventType}}

           : [=destination enum event/data=]
           :: |event|'s {{FenceEvent/eventData}} (or the empty string if it is not defined).

  <wpt>
    /fenced-frame/fence-report-event.https.html
    /fenced-frame/fence-report-event-destination-url.https.html
  </wpt>
</div>

<div algorithm>
  The <dfn method for=Fence>setReportEventDataForAutomaticBeacons(|event|)</dfn>
  method steps are:
  1. If |event| does not have a {{FenceEvent/destination}} or |event| does not have a
     {{FenceEvent/eventType}}:
     1. [=exception/Throw=] a {{TypeError}}.

  1. If |event|'s {{FenceEvent/eventType}} is not `"reserved.top_navigation"`, return.

  1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s
     [=browsing context/fenced frame config instance=].

  1. If |instance| is null, then return.

  1. If the [=relevant settings object=]'s [=environment settings object/origin=] and |instance|'s
     [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same origin=], then
     return.

  1. If |instance|'s [=fenced frame config instance/fenced frame reporter=] is null, then return.

  1. Set |instance|'s [=fenced frame config instance/fenced frame reporter=]'s [=fenced frame
     reporter/automatic beacon data=] to a [=struct=] with the following [=struct/items=]:

     : [=automatic beacon data/eventData=]
     :: |event|'s {{FenceEvent/eventData}} if defined, otherwise empty string

     : [=automatic beacon data/destination=]
     :: |event|'s {{FenceEvent/destination}}

     : [=automatic beacon data/once=]
     :: |event|'s {{FenceEvent/once}}

  <wpt>
    /fenced-frame/set-automatic-beacon.https.html
  </wpt>
</div>

<div algorithm>
  The <dfn method for=Fence>getNestedConfigs()</dfn> method steps are:

  1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s
     [=browsing context/fenced frame config instance=].

  1. If |instance| is null, then return.

  1. If the [=relevant settings object=]'s [=environment settings object/origin=] and |instance|'s
     [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same origin=], then
     return.

  1. If |instance|'s [=fenced frame config instance/nested configs=] is null, then return.

  1. Let |results| be an empty [=list=] of {{FencedFrameConfig}}s.

  1. [=map/For each=] |urn| → |config| of |instance|'s [=fenced frame config instance/nested
     configs=]:

     1. Let |newConfig| be a [=new=] {{FencedFrameConfig}} object created in [=this=]'s [=relevant
        realm=], with the following:

        : [=fencedframeconfig/urn=]
        :: |urn|

        : [=fencedframeconfig/sharedStorageContext=]
        :: |config|'s [=fenced frame config/embedder shared storage context=]

        : [=fencedframeconfig/containerWidth=]
        :: null if |config|'s [=fenced frame config/container size=] is null, otherwise |config|'s
           [=fenced frame config/container size=]'s [=size/width=]

        : [=fencedframeconfig/containerHeight=]
        :: null if |config|'s [=fenced frame config/container size=] is null, otherwise |config|'s
           [=fenced frame config/container size=]'s [=size/height=]

        : [=fencedframeconfig/contentWidth=]
        :: null if |config|'s [=fenced frame config/content size=] is null, the `"opaque"`
           {{OpaqueProperty}} if |config|'s [=fenced frame config/content size=]'s [=content
           size/visibility=] is [=visibility/opaque=], otherwise |config|'s [=fenced frame
           config/content size=]'s [=size/width=]

        : [=fencedframeconfig/contentHeight=]
        :: null if |config|'s [=fenced frame config/content size=] is null, the `"opaque"`
           {{OpaqueProperty}} if |config|'s [=fenced frame config/content size=]'s [=content
           size/visibility=] is [=visibility/opaque=], otherwise |config|'s [=fenced frame
           config/content size=]'s [=size/height=]

     1. [=list/Append=] |newConfig| to |results|.

  1. Return |results|.

  <wpt>
    /fenced-frame/get-nested-configs.https.html
    /fenced-frame/config-cross-origin-apis.https.html
  </wpt>
</div>

<h3 id=new-request-destination>New [=request=] [=request/destination=]</h3>

The processing model of a <{fencedframe}>'s navigation request deviates from that of the normal
[=navigation request=] in enough ways to justify a new [=request=] [=request/destination=] value.
This specification updates the [=request=] [=request/destination=] enumeration to include a new
entry, "<code>fencedframe</code>". Perform the following monkeypatches to the [[FETCH]] Standard.

Add "<code>fencedframe</code>" to the [=non-subresource request=] list and to the [=navigation
request=] list.

Add "<code>fencedframe</code>" to the {{RequestDestination}} enum.

<div algorithm=fetch-destination-patch>
  In the [=fetch=] algorithm, step 13.2, where it says:

    > A user agent should set value to the first matching statement, if any, switching on request's
    [=request/destination=]:

  Add "<code>fencedframe</code>" to the switch cases alongside "<code>document</code>",
  "<code>frame</code>", and "<code>iframe</code>".

  <wpt>
    /fenced-frame/header-secFetchDest.https.html
  </wpt>
</div>

Non-normatively, update the DOM intro [destination
table](https://fetch.spec.whatwg.org/#destination-table) to illustrate that <{fencedframe}> [=navigation requests=] have the following properties:
 * [=request/destination=] of "`fencedframe`"
 * [=request/initiator=] ""
 * CSP directive of <code>fenced-frame-src</code>
 * Features as HTML's <code>&lt;fencedframe&gt;</code>

<h3 id=automatic-reporting>Automatic Reporting</h3>

*This first introductory paragraph is non-normative.*

A side effect of the fenced boundary model is that ads will lose the ability to know if a click
resulted in a successful navigation. This is because the page loaded from a top-level [=navigate|
navigation=] originating from a fenced frame will not be allowed to report to the fenced frame that
it loaded (through something like <code>window.[=Window/opener=]</code>). Instead, we introduce a
special event-level [=pending event/eventType|reporting type=], `reserved.top_navigation`, which
automatically sends an [=report an event|event-level beacon=] when a fenced frame initiates a
successful [=navigate|navigation=] to a [=top-level traversable=].

<div algorithm>
  To <dfn>attempt to send an automatic beacon</dfn> given a [=source snapshot params=]
  |sourceSnapshotParams|, an [=origin=] |sourceOrigin|, a {{Document}} |targetDocument|, and a
  [=string=] |eventType|, run these steps:

  1. [=Assert=]: |eventType| is "`reserved.top_navigation`".

  1. If |targetDocument|'s [=node navigable=]'s [=traversable navigable=] is not a [=top-level
     traversable=], abort these steps.

  1. If |sourceSnapshotParams|'s [=source snapshot params/has transient activation=] is set to false,
     abort these steps.

  1. Let |config| be |sourceSnapshotParams|'s [=source snapshot params/initiator fenced frame config
     instance=].

  1. If |config| is null, abort these steps.

     Note: Since this algorithm is called unconditionally for all navigations, this is used to catch
     cases where a [=navigate|navigation=] to a [=top-level traversable=] does not originate from a
     <{fencedframe}>.

  1. Let |beacon data| be |config|'s [=fenced frame config instance/fenced frame reporter=]'s
     [=fenced frame reporter/automatic beacon data=].

  1. Let |event data| be |beacon data|'s [=automatic beacon data/eventData=] if |beacon data| is not
     null, the empty string otherwise.

  1. If |sourceOrigin| is not [=same origin=] with |config|'s [=fenced frame config instance/mapped
     url=]'s [=url/origin=], abort these steps.

  1. [=list/For each=] |destination| of |config|'s [=fenced frame config instance/fenced frame
     reporter=]'s [=fenced frame reporter/fenced frame reporting metadata reference=]'s
     [=fencedframetype/fenced frame reporting map=]'s [=map/keys=]:

    1. If |beacon data|'s [=automatic beacon data/destinations=] [=list/contains=] |destination|,
       run [=report an event=] using |config|'s [=fenced frame config instance/fenced frame
       reporter=] with |destination|, |eventType|, and |event data|.

       Otherwise, run [=report an event=] using |config|'s [=fenced frame config instance/fenced
       frame reporter=] with |destination|, |eventType|, and the empty string.

  1. If |beacon data|'s [=automatic beacon data/once=] is true, set |config|'s [=fenced frame
      config instance/fenced frame reporter=]'s [=fenced frame reporter/automatic beacon data=] to
      null.

  <wpt>
    /fenced-frame/automatic-beacon-click-handler.https.html
    /fenced-frame/automatic-beacon-two-events-clear.https.html
    /fenced-frame/automatic-beacon-two-events-persist.https.html
    /fenced-frame/automatic-beacon-unfenced-top.https.html
    /fenced-frame/automatic-beacon-no-destination.https.html
  </wpt>
</div>

<div algorithm="automatic beacon patch">
  Modify [[HTML]]'s [=attempt to populate the history entry's document=] algorithm. In step 6,
  substep 11, add a new step after step 5 that reads:

  6. if <var ignore>failure</var> is false, then [=attempt to send an automatic beacon=] given <var
     ignore>sourceSnapshotParams</var>, <var ignore>entry</var>'s [=document state=]'s [=document
     state/initiator origin=], <var ignore>document</var>, and "`reserved.top_navigation`".
</div>

<h2 id=html-integration>HTML Integration</h2>

<h3 id=window-extension>Extensions to the {{Window}} interface</h3>

<pre class="idl">
  partial interface Window {
    // Collection of fenced frame APIs
    readonly attribute Fence? fence;
  };
</pre>

Each {{Window}} object has an associated <dfn for=Window>fence</dfn>, which is a {{Fence}} instance created alongside the {{Window}}.

<div algorithm>
  The <dfn attribute for=Window>fence</dfn> getter steps are:
    1. If [=this=]'s [=Window/browsing context=]'s [=browsing context/fenced frame config instance=]
       is not null, then return [=this=]'s [=Window/fence=].

    1. Return null.

  <wpt>
    /fenced-frame/fence-api.https.html
  </wpt>
</div>

<h3 id=creating-browsing-contexts-patch>Modifications to creating browsing contexts</h3>

<div algorithm="creating a new browsing context and document patch">
  In [[HTML]]'s [=creating a new browsing context and document=] algorithm, rewrite the two steps
  (currently steps 4 &amp; 15) starting with;

    * If |creator| is non-null, then:

  to instead use the tighter condition:

    * If |creator| is non-null and <var ignore>embedder</var> is not a <{fencedframe}> element,
      then:

  Note: This is because we need to ensure that we do not leak <var ignore>creator</var>'s [=the
  document's referrer|referrer=], [=Document/origin=], [=creator base url=], [=Document/policy
  container=], across the fenced frame boundary.


  Add a substep to step 4 of this algorithm (that was modified above) that reads:

    4. Set <var ignore>browsingContext</var>'s [=browsing context/fenced frame config instance=] to
       |creator|'s [=Document/browsing context=]'s [=browsing context/fenced frame config
       instance=].
</div>

<h3 id=local-scheme-policy-container-inheritance>Policy container inheritance</h3>

When making a [=navigation request=] to a [=is local|local=] [=URL=], <{iframe}>s clone their
[=Document/policy container=] from the [=navigation request=]'s *initiator* {{Document}}. If
<{fencedframe}>s were to do the same thing, that would allow information about the initiator's
[=Document/policy container=] to leak across a fenced frame boundary. This section patches
[=Document/policy container=] inheritance to close that leak.

<div algorithm=local-policy-inheritance-determine-params>
  Modify the [=determine navigation params policy container=] algorithm to have a new optional
  [=boolean=] parameter |fenced| that defaults to false.

  Rewrite step 3 to read:

    3. If |responseURL| [=is local=], |initiatorPolicyContainer| is not null, and |fenced| false,
       then return a [=clone a policy container|clone=] of |initiatorPolicyContainer|.

  Note: We do not need to modify the case where |responseURL| is <code>[=about:srcdoc=]</code>,
  because navigations to <code>[=about:srcdoc=]</code> are not supported in fenced frames.
</div>

<div algorithm=local-policy-inheritance-populate-session-history-entry>
  Add a step before step 23 of [=create navigation params by fetching=] that says:

  23. Let |fenced| be true if |navigable| is a [=fenced navigable container/fenced navigable=],
      false otherwise.

      Note: This ensures |fenced| is true regardless of whether the initiator {{Document}} is
      |navigable|'s [=navigable/active document=] or its [=navigable/unfenced parent=].

  Rewrite step 23 (now step 24) to read:

  24. Let <var ignore>resultPolicyContainer</var> be the result of [=determining navigation params
      policy container=] given <var ignore>response</var>'s [=response/URL=], <var ignore>
      entry</var>'s [=document state=]'s [=document state/history policy container=], <var ignore>
      sourceSnapshotParams</var>'s [=source snapshot params/source policy container=], null, <var
      ignore>responsePolicyContainer</var>, and |fenced|.
</div>

Note: <{fencedframe}> [=policy container=] inheritance upon initial {{Document}} creation is handled
in the [[#creating-browsing-contexts-patch]] section.

<h3 id=nested-traversables>Nested traversables</h3>

<h4 id=nested-traversables-intro>Introduction</h4>

*This section is non-normative.*

The [[HTML]] Standard organizes [=navigables=] into two categories: [=child navigables=] and
[=traversable navigables=] (also known as [=top-level traversables=]). The introduction of features
like fenced frames, and to a lesser extent <a href=https://github.com/wicg/portals>portals</a>,
complicates this model by adding a new type of [=traversable navigable=] that is *sometimes* like a
[=child navigable=]. Because these new frame types are housed in a separate [=browsing context
group=] from their embedder, some concrete level of isolation is expected and required; on the other
hand since they are composed visually inside of *other* [=browsing context groups=], sometimes they
need to behave like the normal [=child navigables=] that we see in e.g., <{iframe}>s.

The complexity here is in deciding when terms like [=navigable container=],
[=navigable/parent|navigable parent=], and [=Document/descendant navigables=] need to cross the
[=traversable navigable=]/[=browsing context group=] boundary, versus when doing so would be unsafe
or incorrect. The examples below illustrate this point.

<p class=example id=fenced-user-activation>When a user [=user activation|activates=] content inside
of a {{Document}}, ordinarily the [=activation notification=] steps give user activation to all
[=Document/ancestor navigables=] and all [=same origin=] [=Document/descendant navigables=]. But
because a <{fencedframe}> can host sensitive content that needs to be isolated from its embedder,
and because [=user activation=] and [=consume user activation|consumption=] offer a communication
vector between these two parties, for the purpose of user activation a <{fencedframe}>'s
[=fenced navigable container/fenced navigable=] cannot not be considered a descendant of its
embedder, nor can its embedder be considered an ancestor of the <{fencedframe}>'s [=fenced navigable
container/fenced navigable=], in the way that the [=user activation=] algorithms currently use those
terms. In other words, we consider user activation to be *fenced*, to denote that it never crosses
the [=fenced navigable container/fenced navigable=] boundary; if it were unfenced, it would behave
as it would with <{iframe}>s, allowing [=user activation=] to flow freely across the frame
boundary.</p>

<wpt>
  /fenced-frame/consume-user-activation.https.html
</wpt>

<p class=example id=unfenced-sandbox-inheritance>Unlike [=user activation=], when a
<{fencedframe}>'s [=fenced navigable container/fenced navigable=] gets [=created a new nested
traversable|created=] or [=navigated=], it <span class=allow-2119>must</span> <a
href=https://html.spec.whatwg.org/#sandboxing:active-sandboxing-flag-set-3>inherit</a> its embedder
{{Document}}'s [=Document/active sandboxing flag set=] as is standard for {{Document}}s in normal
[=child navigables=]. If we did not do this, then the <{fencedframe}> element would be a trivial
sandbox bypass. Because <{fencedframe}> sandbox flag inheritance behaves similarly to how it does in
<{iframe}> elements, we consider sandbox inheritance to be *unfenced*.</p>

To provide the isolation mentioned above, and its conditional relaxation, this specification defines
a new kind of parent for [=traversable navigables=] called an [=traversable navigable/unfenced
parent=], which provides a link to its embedder that algorithms can intentionally use when they need
to be *unfenced*, as described above.

Note: Introducing a new kind of parent ([=traversable navigable/unfenced parent=]) is an intentional
design decision. It means that by default, the <{fencedframe}> boundary is private and isolated,
since by default nothing in the web platform traverses from a <{fencedframe}>'s [=fenced navigable
container/fenced navigable=] to its embedder. Care <span class=allow-2119>must</span> be taken when
modifying algorithms to make them capable of traversing across the <{fencedframe}> [=fenced navigable
container/fenced navigable=] boundary, and each modification of this sort will be evaluated
independently and appear in this specification.

The rest of this section provides patches to various [[HTML]] definitions (and their uses) that deal
with collections of related navigables, with the intention of fencing and unfencing various parts of
the web platform appropriately.

<h4 id=traversable-navigables>Traversable navigables</h4>

In [[HTML]]'s <a
href=https://html.spec.whatwg.org/multipage/document-sequences.html#traversable-navigable>Traversable
navigables</a> section, add the following:

In addition to the properties of a [=navigable=], a [=traversable navigable=] has:

 * An <dfn for="traversable navigable">unfenced parent</dfn>, a [=navigable=] or null, initially null.

Note: The [=traversable navigable/unfenced parent=] link is what gives a <{fencedframe}>'s
[=fenced navigable container/fenced navigable=] a link to its embedder, which is used carefully for
things that need to be "*unfenced*", like some algorithms in the focus processing model.

<div algorithm>
  To get the <dfn for=navigable>unfenced parent</dfn> of a [=navigable=] |navigable|:

    1. If |navigable| is a [=child navigable=], return |navigable|'s [=navigable/parent=].

    1. [=Assert=]: |navigable| is a [=fenced navigable container/fenced navigable=].

    1. Return |navigable|'s [=traversable navigable/unfenced parent=].

    Note: This algorithm is different from the [=traversable navigable=]'s [=traversable
    navigable/unfenced parent=] getter in that this algorithm first tries to get the [=navigable=]'s
    normal [=navigable/parent=] if |navigable| is a normal [=child navigable=].
</div>

<div algorithm>
  To get the <dfn for=navigable>unfenced container document</dfn> of a [=navigable=] |navigable|:

    1. Let |parentNavigable| be |navigable|'s [=navigable/unfenced parent=].

    1. Return |parentNavigable|'s [=navigable/active document=].
</div>

<h4 id=nested-traversables-inner>Nested traversables</h4>

In [[HTML]]'s <a
href=https://html.spec.whatwg.org/multipage/document-sequences.html#navigables>Navigables</a>
section, add a new subsection titled "Nested traversables" with the following text, definitions, and
algorithms.

Similar to [=navigable containers=] and their respective [=navigable container/content navigables=],
other elements (so far, only the <{fencedframe}> element) present a more isolated [=navigable=] to
the user. These elements are called <dfn>fenced navigable containers</dfn>.

A [=fenced navigable container=] has a <dfn for="fenced navigable container">fenced navigable</dfn>,
which is either a [=traversable navigable=] with a non-null [=traversable navigable/unfenced
parent=], or null. It is initially null.

<wpt>
  /fenced-frame/window-frameElement.https.html
</wpt>

<div algorithm>
  To <dfn>initialize the nested traversable</dfn> |traversable| given a [=document state=]
  |documentState| and a [=navigable=] |parent|:

  1. [=Initialize the navigable=] |traversable| given |documentState|.

  1. Set |traversable|'s [=traversable navigable/unfenced parent=] to |parent|.
</div>

<div algorithm>
  To <dfn>create a new nested traversable</dfn> given an element |element|:

  1. Let |group| be a new [=browsing context group=].

  Note: There doesn't seem to be a reason to [=set/append=] |group| to the user agent's [=browsing
  context group set=] like [=create a new browsing context group and document=] does.

  1. Let |document| be the second return value of [=creating a new browsing context and document=]
     given |element| [=Node/node document=], |element|, and |group|.

  1. Let |documentState| be a new [=document state=], whose [=document state/document=] is |document|.

  1. Let |traversable| be a new [=traversable navigable=].

  1. Let |parentNavigable| be |element|'s [=node navigable=].

  1. [=Initialize the nested traversable=] |traversable| given |documentState| and
     |parentNavigable|.

  1. Set |element|'s [=fenced navigable container/fenced navigable=] to |traversable|.

  1. Let |initialHistoryEntry| be |traversable|'s [=navigable/active session history entry=].

  1. Set |initialHistoryEntry|'s [=session history entry/step=] to 0.

  1. [=Append=] |initialHistoryEntry| to |traversable|'s [=traversable navigable/session history
     entries=].

  1. Return |traversable|.
</div>

Note: The [=create a new nested traversable=] algorithm creates the first kind of [=traversable
navigable=] that is not a [=top-level traversable=]. This will require removing the note about
nested traversables in [[HTML]]'s <a
href=https://html.spec.whatwg.org/multipage/document-sequences.html#top-level-traversables>Top-level
traversables</a> section.

<h4 id=top-level-traversables>Top-level traversables</h4>

The [[HTML]] Standard currently defines a [=top-level traversable=] as a [=traversable navigable=]
whose [=navigable/parent=] is null, however this is an insufficient definition that this
specification changes. [[HTML]] mentions that outside of this specification, all [=traversable
navigables=] are [=top-level traversables=], but "envisions" future specifications that may want to
create a kind of [=traversable navigable|traversable=] that is nested, and achieves the nesting
through a non-null [=navigable/parent=]; hence the distinction between [=top-level traversables=]
and [=traversable navigables=] relies on the [=navigable/parent=] null-ness.

The [=fenced navigable container/fenced navigable=] this specification proposes is precisely what
[[HTML]] envisioned when carving out space for the distinction between [=top-level traversables=]
and [=traversable navigables=], however this specification does not make use of the
[=navigable/parent=] pointer for [=fenced navigable container/fenced navigables=], for reasons
described <a href=#nested-traversables-intro>above</a> (instead they use the [=traversable
navigable/unfenced parent=] pointer). That means by default, both [=top-level traversables=] and
[=fenced navigable container/fenced navigables=] both have null [=navigable/parents=], which renders
the distinction meaningless.

To mend the intended distinction between [=top-level traversables=] and [=fenced navigable container
/fenced navigables=], patch the following definitions like so:

<div algorithm>
  A <dfn>top-level traversable</dfn> is a [=traversable navigable=] whose [=navigable/parent=] and
  [=traversable navigable/unfenced parent=] are both null.
</div>

<br>

<div algorithm>
  To get the <dfn noexport for="navigable">top-level traversable</dfn> of a [=navigable=] |inputNavigable|:

    1. Let |navigable| be |inputNavigable|.

    1. [=iteration/While=]:

      1. If |navigable|'s [=navigable/parent=] and [=traversable navigable/unfenced parent=] are
         both null, then [=iteration/break=].

      1. Set |navigable| to |navigable|'s [=navigable/parent=] or [=traversable navigable/unfenced
         parent=], whichever is non-null.

         Note: Exactly one of |navigable|'s [=navigable/parent=] or [=traversable navigable/unfenced
         parent=] will be non-null here.

    1. Return |navigable|.
</div>

Note: With these new definitions, a [=top-level traversable=] is essentially "unfenced" as described
in the [[#nested-traversables-intro]].

<h3 id=navigable-traversing-algorithms>Modifications to navigable-traversing algorithms</h3>

<div algorithm="inclusive-descendant-navigables-patch">
  Modify the [=Document/inclusive descendant navigables=] algorithm to take a new optional
  [=boolean=] argument <var><dfn lt="inclusive-dn-unfenced">unfenced</dfn></var> that defaults to
  false.

  Further rewrite step 2 of this algorithm to:

  2. [=list/Extend=] <var ignore>navigables</var> with <var ignore>document</var>'s
     [=Document/descendant navigables=] with [=dn-unfenced|unfenced=] set to
     <var>[=inclusive-dn-unfenced|unfenced=]</var>.
</div>

<div algorithm="descendant-navigables-patch">
  Modify the [=Document/descendant navigables=] algorithm to take a new optional [=boolean=]
  argument <dfn lt="dn-unfenced">unfenced</dfn> that defaults to false, and rewrite the algorithm
  like so:

  1. Let |navigables| be a new [=list=].

  1. Let |navigableContainers| be a [=list=] of all [=shadow-including descendants=] of <var
     ignore>document</var> that are [=navigable containers=] (or [=fenced navigable containers=], if
     <var>[=dn-unfenced|unfenced=]</var> is true), in [=shadow-including tree order=].

  1. [=list/For each=] |navigableContainer| of |navigableContainers|:

    1. If |navigableContainer|'s [=navigable container/content navigable=] and [=fenced navigable
       container/fenced navigable=] are both null, then [=iteration/continue=].

    1. Let |descendantNavigable| be either |navigableContainer|'s [=navigable container/content
       navigable=] or [=fenced navigable container/fenced navigable=], whichever is non-null.

    1. [=list/Extend=] |navigables| with |descendantNavigable|'s [=navigable/active document=]'s
       [=Document/inclusive descendant navigables=] with [=inclusive-dn-unfenced|unfenced=] set to
       <var>[=dn-unfenced|unfenced=]</var>.

  1. Return |navigables|.
</div>

<h3 id=focusing-changes>Modifications to the focusing algorithms</h3>

The [[HTML]] standard defines how to handle focusing elements and {{Window}}s, both by user gesture
and through script-initiated APIs. Since fenced frames are designed to prevent communication across
a fenced frame boundary, we need to handle focusing carefully. This is because when focus crosses a
<{fencedframe}> boundary, contexts on both sides of the boundary can detect that change, which can
be used to open a communication channel between a <{fencedframe}> and its embedder.

We do this by not allowing the [=focusing steps=] to move script-initiated focus across a fenced
frame boundary.

<p class=example id=user-initiated-focus>When a user clicks on an element like a <{button}> inside a
<{fencedframe}> while another element *outside* of the <{fencedframe}> is [=focused=], the
[=focusing steps=] will allow the <{button}> to [=gain focus=], because this is specifically a
user-initiated action. Without allowing that, no element inside of a <{fencedframe}> would never be
able [=gain focus=].</p>

<p class=example id=script-initiated-focus>If we were to continue allowing all elements to be
[=focused=] via the {{HTMLOrSVGElement/focus()}} method as is the status quo before this
specification, a [=fenced navigable container=] and its [=fenced navigable container/fenced
navigable=] could use a sequence of {{HTMLOrSVGElement/focus()}} calls to send arbitrary data across
the fenced frame boundary, which is a privacy leak. To avoid this, we effectively "fence" the
{{HTMLOrSVGElement/focus()}} method, which sacrifices some functionality for privacy.</p>

<div algorithm=focusing-steps-patch>
  Modify the [=focusing steps=] to take a new optional [=boolean=] argument <var><dfn
  lt="focus-unfenced">unfenced</dfn></var> that defaults to false.

  Add a new step after step 3 of the algorithm (that changes new focus target) that reads:

  3. If |new focus target| is a [=fenced navigable container=] with non-null
    [=fenced navigable container/fenced navigable=], then set |new focus target| to the
    [=fenced navigable container/fenced navigable=]'s [=navigable/active document=].

  Add a new step after the step that defines the |new chain| variable, that reads:

  9. If <var>[=focus-unfenced|unfenced=]</var> is false, |new chain| [=list/contains=] a
     {{Document}} |document| whose [=node navigable=]'s [=navigable/traversable navigable=] is a
     [=fenced navigable container/fenced navigable=], and <var ignore>old chain</var> does not also
     [=list/contain=] |document|, then return.

    Note: This is how we bail-out early just before calling the [=focus update steps=], in the case
    where focus is trying to cross the fence.

  Modify the user agent sentence after the algorithm steps in [=focusing steps=] to read:

  User agents must [=immediately=] run the [=focusing steps=] for a [=focusable area=] or
  [=navigable=] |candidate| with <var>[=focus-unfenced|unfenced=]</var> set to true whenever the
  user attempts to move the focus to |candidate|.
</div>

<div algorithm=access-key-patch>
  Modify the action of the [=accesskey attribute command=] algorithm to be:

  1. Run the [=focusing steps=] for the element with <var ignore>[=focus-unfenced|unfenced=]</var>
     set to true.

  1. <a>Fire a `click` event</a> at the element.
</div>

<div algorithm=activation-patch>
  Modify the behavior when a user [=activation|activates=] a [=click focusable=] [=focusable area=]
  to be:

  When a user [=activation|activates=] a [=click focusable=] [=focusable area=], the user agent must
  run the [=focusing steps=] on the [=focusable area=] with <var ignore>focus trigger</var> set
  to "`click`" and <var ignore>[=focus-unfenced|unfenced=]</var> set to true.
</div>

<div algorithm=hide-popover-patch>
  Modify step 10 of the [=hide popover algorithm=] to read:

  10. If |previouslyFocusedElement| is not null, then:
      1. Set <var ignore>element</var>'s [=previously focused element=] to null.
      2. If <var ignore>focusPreviousElement</var> is true, then run the [=focusing steps=] for
        |previouslyFocusedElement| with <var ignore>[=focus-unfenced|unfenced=]</var> set to true; the
        viewport should not be scrolled by doing this step.

  Note: Although dismissing a popover manually is a user-initiated gesture, the
  [=focusing steps=] will be called with [=focus-unfenced|unfenced=] set to false regardless
  of whether this was called from user gesture or via a script call.
</div>

<div algorithm=interactively-validate-patch>
  Modify the first bullet point of step 3 of the [=interactively validate the constraints=]
  algorithm to read:

  * User agents may focus one of those elements in the process, by running the
    [=focusing steps=] for that element, and may change the scrolling position of the
    document, or perform some other action that brings the element to the user's attention.
    If these steps were invoked by user gesture, [=focusing steps=] can be called with
    [=focus-unfenced|unfenced=] set to true. For elements that are
    [=form-associated custom elements=], user agents should use their [=face validation anchor=]
    instead, for the purposes of these actions.
</div>

<div algorithm=has-focus-steps>
  Add a step after step 2 of the while loop in the [=has focus steps=] algorithm that reads:

  3. If the [=focused area=] of |candidate| is a [=fenced navigable container=] with a non-null
    [=fenced navigable container/fenced navigable=], then set |candidate| to the [=navigable/active
    document=] of that [=fenced navigable container=]'s [=fenced navigable container/fenced
    navigable=].
</div>

<div algorithm=focus-chain>
  Modify step 3 of the while loop in the [=focus chain=] algorithm to read:
  3. If |currentObject| is a [=focusable area=], then set |currentObject| to |currentObject|'s [=DOM
     anchor=]'s [=Node/node document=].

     Otherwise, if |currentObject| is a {{Document}} whose [=node navigable=]'s [=navigable/parent=]
     is non-null, then set |currentObject| to |currentObject|'s [=node navigable=]'s
     [=navigable/parent=].

     Otherwise, if |currentObject| is a {{Document}} whose [=node navigable=] is a [=traversable
     navigable=] whose [=traversable navigable/unfenced parent=] is non-null, then set
     |currentObject| to |currentObject|'s [=node navigable=]'s [=traversable navigable/unfenced
     parent=].

     Otherwise, [=iteration/break=].
</div>
  
<div algorithm=get-the-focusable-area>
  Modify the [=get the focusable area=] algorithm. Add a new case to the switch statement:

  <dl class="switch">
    <dt>If <var ignore>focus target</var> is a [=fenced navigable container=] with a non-null
    [=fenced navigable container/fenced navigable=]</dt>

    <dd><p>Return the [=fenced navigable container=]'s [=fenced navigable container/fenced
    navigable=]'s [=navigable/active document=].</p></dd>
  </dl>

  Note: This algorithm can unconditionally "jump the fence" boundary because its return value always
  feeds into an algorithm that *does* carefully consider the fence boundary.
</div>

<div algorithm=currently-focused-area-of-a-top-level-traversable>
  Modify step 3 of the [=currently focused area of a top-level traversable=] algorithm to read:

  3. While |candidate|'s [=focused area=] is either a [=navigable container=] with a non-null
     [=navigable container/content navigable=] or a [=fenced navigable container=] with a non-null
     [=fenced navigable container/fenced navigable=]: set |candidate| to the [=navigable/active
     document=] of either that [=navigable container=]'s [=navigable container/content navigable=]
     or that [=fenced navigable container=]'s [=fenced navigable container/fenced navigable=],
     whichever is non-null.
</div>

<div algorithm=sequential-focus-navigation-patch>
  Modify step 6 of the [=sequential focus navigation=] algorithm to read:

  6. If |candidate| is not null, then run the [=focusing steps=] for |candidate| with
     [=focus-unfenced|unfenced=] set to true and return.

  Modify step 9 of the [=sequential focus navigation=] algorithm to read:

  9. Otherwise, |starting point| is a [=focusable area=] whose [=Node/node document=]'s [=node
     navigable=] is a [=child navigable=] or [=fenced navigable container/fenced navigable=]. Set
     |starting point| to that [=node navigable=]'s [=navigable/unfenced parent=] and return to the
     step labeled <i>loop</i>.
</div>

<div algorithm=sequential-navigation-search-patch>
  Modify step 2 of the [=sequential navigation search algorithm=] to read:

  2. If |candidate| is a [=navigable container=] with a non-null
    [=navigable container/content navigable=], then let |new candidate| be the result of running the
    [=sequential navigation search algorithm=] with |candidate|'s
    [=navigable container/content navigable=] as the first argument, <var ignore>direction</var> as
    the second, and <i>sequential</i> as the third.

    If |candidate| is a [=fenced navigable container=] with a non-null
    [=fenced navigable container/fenced navigable=], then let |new candidate| be the result of
    running the [=sequential navigation search algorithm=] with |candidate|'s
    [=fenced navigable container/fenced navigable=] as the first argument,
    <var ignore>direction</var> as the second, and <i>sequential</i> as the third.

    If |new candidate| is null, then let <var ignore>starting point</var>
    be |candidate|, and return to the top of this algorithm. Otherwise, let
    |candidate| be |new candidate|.
</div>

<wpt>
  /fenced-frame/anchor-focus.https.html
  /fenced-frame/autofocus-denied.https.html
  /fenced-frame/script-focus.https.html
</wpt>

<h3 id=navigation-patch>Navigation</h3>

This section describes how the <{fencedframe}> element interacts with the ever-complicated process
of navigation, which includes integration with various headers, isolation mechanisms, and policies.

<h4 id=supports-loading-mode>The \`<a http-header><code>Supports-Loading-Mode</code></a>\` HTTP response header</h4>

<i>This section is intended to monkeypatch the [[HTML]] Standard, however since the \`<a
http-header><code>Supports-Loading-Mode</code></a>\` header has not been merged into [[HTML]] yet,
and instead lives in the [[Prerendering-Revamped]] specification, this section effectively
monkeypatches that monkeypatch specification.</i>

Add the new [=structured header/token=] below to the list of valid [=structured header/tokens=] for the \`<a
http-header><code>Supports-Loading-Mode</code></a>\` response header:

The \`<code><dfn export for="Supports-Loading-Mode">fenced-frame</dfn></code>\` token indicates that
the response can be used to create a {{Document}} inside of a [=fenced navigable container/fenced
navigable=]. Without this explicit opt-in, all navigations inside of a [=fenced navigable
container/fenced navigable=] will fail, as outlined in [[#navigation-patch]].

<div algorithm=navigation-patch>
  [[HTML]]'s [=attempt to populate the history entry's document=] algorithm is modified such that
  just before the step inside the [=queue a task|queued task=] starting with "If <var
  ignore>failure</var> is true, then:", insert a new step:

8. Otherwise, if all of the following conditions are true:

    * |navigationParams|'s [=navigation params/navigable=]'s [=navigable/traversable navigable=] is
      a [=fenced navigable container/fenced navigable=];
    * |navigationParams|'s [=navigation params/response=]'s [=response/URL=]'s [=url/scheme=] is
      "<code>https</code>"; and
    * the result of [=getting the supported loading modes=] for |navigationParams|'s [=navigation
      params/response=] does not [=list/contain=] \`<code><a
      for="Supports-Loading-Mode">fenced-frame</a></code>\`

   then set <var ignore>failure</var> to true.

</div>

<h4 id=coop-coep>COOP, COEP, and cross-origin isolation</h4>

Outside of this specification, the \`<a http-header><code>Cross-Origin-Opener-Policy</code></a>\`
header only <a
href=https://html.spec.whatwg.org/C#populating-a-session-history-entry:top-level-traversable-2>applies</a>
to [=top-level traversables=] instead of all [=navigables=], and this specification continues this
intention insofar as this header does not have an impact on [=fenced navigable container/fenced
navigables=], nor is it inherited from its embedder. Consequently, the [=browsing context group=]
hosted inside of a [=fenced navigable container/fenced navigable|fenced traversable navigable=] will
always have its [=browsing context group/cross-origin isolation mode=] set to "<a for="cross-origin
isolation mode">`none`</a>".

Nevertheless, a [=fenced navigable container/fenced navigable=] respects its [=traversable
navigable/unfenced parent=]'s [=policy container/embedder policy=], which is accomplished below:

<div algorithm=coep-adherence-patch>
  In the [=check a navigation response's adherence to its embedder policy=] algorithm, rewrite all
  occurrences of:

    * |navigable|'s [=navigable/container document=]

  with:

    * |navigable|'s [=navigable/unfenced container document=]
</div>

Note: This causes navigations inside of a <{fencedframe}> to fail if they are not served with a
suitable \`<a http-header><code>Cross-Origin-Embedder-Policy</code></a>\` header, just as
<{iframe}>s behave.

Issue: Determine if we need to fence or unfence the [=queue a cross-origin embedder policy
inheritance violation=] algorithm, as leaving it unfenced may cause a privacy leak.

<div algorithm=corp-patch>
  Next, we modify how the [=cross-origin resource policy check=] <a
  href=https://html.spec.whatwg.org/C#populating-a-session-history-entry:cross-origin-resource-policy-check>applies
  to navigation requests</a>. Rewrite step 19, substep 13 of the [=create navigation params by
  fetching=] algorithm like so:

    1. If |response| is not a [=network error=], |navigable| is a [=child navigable=] or [=fenced
       navigable container/fenced navigable=], and the result of performing a [=cross-origin
       resource policy check=] with |navigable|'s [=navigable/unfenced container document=]'s
       [=Document/origin=], |navigable|'s [=navigable/unfenced container document=]'s [=relevant
       settings object=], <var ignore>request</var>'s [=request/destination=], |response|, and
       true is **blocked**, then set |response| to a [=network error=] and [=iteration/break=].

       Note: Here we're running the [=cross-origin resource policy check=] against the
       [=navigable/unfenced parent|unfenced parent navigable=] rather than |navigable| itself. This
       is because we care about the same-originness of the embedded content against the embedder's
       context (ignoring the "fence"), not the navigation source.
</div>

Issue: Determine if we need to fence or unfence the [=queue a cross-origin embedder policy
CORP violation report=] algorithm, as leaving it unfenced may cause a privacy leak.

<wpt>
  /fenced-frame/embedder-coop-coep-blocked.https.html
  /fenced-frame/embedder-no-coep.https.html
  /fenced-frame/embedder-require-corp.https.html
</wpt>

<h4 id=navigation-changes>Actual navigation changes</h4>

<div algorithm=source-snapshot-param-config>
  Add two new [=struct/item=]s to the [=source snapshot params=] [=struct=]:

  : <dfn for="source snapshot params">initiator fenced frame config instance</dfn>
  :: a [=fenced frame config instance=] or null, initially null.

  : <dfn for="source snapshot params">target fenced frame config</dfn>
  :: a [=fenced frame config=] or null, initially null.

  Note: The [=source snapshot params/initiator fenced frame config instance=] is the [=fenced frame
  config instance=] that's loaded into a navigation initiator's [=browsing context=], if any exists.
  It is used by the [=attempt to send an automatic beacon=] algorithm to retrieve the [=fenced frame
  reporter/automatic beacon data=] to be sent out if the <{fencedframe}>-initiated navigation
  succeeds. The [=source snapshot params/target fenced frame config=] on the other hand, is the
  non-[=instantiate a config|instantiated=] [=fenced frame config=] that will be loaded into a a
  <{fencedframe}> element for navigations targeting fenced frames. These fields do not interact
  *together* in any meaningful way.
</div>

<div algorithm=snapshot-source-snapshot-params>
  Modify the [=snapshot source snapshot params=] algorithm to return a [=source snapshot params=]
  with an additional field:

  : [=source snapshot params/initiator fenced frame config instance=]
  :: <var ignore>sourceDocument</var>'s [=browsing context=]'s [=browsing context/fenced frame
     config instance=]
</div>

<div algorithm=navigate>
  Modify the definition of [[HTML]]'s [=navigate=] algorithm to include an extra parameter: an
  optional [=string=] |sharedStorageContext| (default null).

  Modify step 7 of [[HTML]]'s [=navigate=] algorithm to include the following condition:

    * |navigable| is a [=fenced navigable container/fenced navigable=];

      Note: This ensures that *all* navigations inside of a <{fencedframe}> are made with the "<a
      for="history handling behavior">`replace`</a>" mode, regardless of the initiator.

  <wpt>
    /fenced-frame/history-back-and-forward-should-not-work-in-fenced-tree.https.html
    /fenced-frame/history-length-fenced-navigations-replace-do-not-contribute-to-joint.https.html
    /fenced-frame/history-length-outer-page-navigation-not-reflected-in-fenced.https.html
  </wpt>

  Modify step 8 of the same algorithm to include the following condition:

    * <var ignore>sourceDocument</var>'s [=node navigable=] is not a [=fenced navigable container=]
      while at the same time |navigable| is a [=fenced navigable container/fenced navigable=].

      Note: This ensures that embedder-initiated navigations can *never* trigger a fragment
      navigation inside of a <{fencedframe}>.

  <wpt>
    /fenced-frame/fragment-navigation.https.html
  </wpt>

  Insert these steps immediately after step 20, the step that goes [=in parallel=], so that what
  follows are the first steps that run [=in parallel=] in the patched algorithm:

    1. If |url| is a [=urn uuid=] and |navigable| is a [=fenced navigable container/fenced
       navigable=]:

      1. Let |config| be the result of [=fenced frame config mapping/finding a
         config=] in <var ignore>sourceDocument</var>'s [=node navigable=]'s [=navigable/traversable
         navigable=]'s [=traversable navigable/fenced frame config mapping=].

         Note: This might "wait" for an arbitrary period of time for the |config| associated with
         the [=urn uuid=] |url| to be "finalized" in the [=traversable navigable/fenced frame config
         mapping=]. This is why this step runs [=in parallel=]. This navigation will be canceled by
         any subsequent embedder-initiated navigations, <span class=allow-2119>should</span> they
         occur, by the usual mechanism that tracks the [=navigable/ongoing navigation=].

      1. Set |config|'s [=fenced frame config/embedder shared storage context=] to
         |sharedStorageContext|.

      1. Set <var ignore>sourceSnapshotParams</var>'s [=source snapshot params/target fenced frame
         config=] to |config|.

      1. [=Assert=] |config|'s [=fenced frame config/mapped url=]'s [=mapped url/value=] is a
         [=URL=] whose [=url/scheme=] is "`https`".

      1. Set |url| to |config|'s [=fenced frame config/mapped url=]'s [=mapped url/value=].

  <wpt>
    /fenced-frame/frame-navigation.https.html
  </wpt>

  Rewrite the step starting with "Let |unloadPromptCanceled| be the result of" to:

    1. Let |unloadPromptCanceled| be false if |navigable| is a [=fenced navigable container/fenced
       navigable=], or the result of [=checking if unloading is user-canceled=] for |navigable|'s
       [=navigable/active document=]'s [=Document/inclusive descendant navigables=] otherwise.

  <wpt>
    /fenced-frame/before-unload.https.html
  </wpt>
</div>

<br>

The below patches make use of the previously-assigned [=source snapshot params/target fenced frame
config=], [=instantiate a config|instantiating=] it in preparation for use when the navigation is
finalized.

<div algorithm=navigation-params-config-instance>
  Add a new [=struct/item=] to the [=navigation params=] [=struct=]:

  : <dfn for="navigation params">fenced frame config instance</dfn>
  :: A [=fenced frame config instance=] or null, initially null.

     Note: This is only set for embedder-initiated <{fencedframe}> navigations, and if a new
     {{Document}} is created as a result of such a navigation, this member is transferred to the new
     [=fenced navigable container/fenced navigable=]'s [=navigable/active browsing context=]'s
     [=browsing context/fenced frame config instance=] member.
</div>

<div algorithm=create-navigation-params-config-instance>
  Modify [[HTML]]'s [=create navigation params by fetching=] algorithm such that the last step that
  returns a [=navigation params=] has the following additional assignment:

  : [=navigation params/fenced frame config instance=]
  :: If |sourceSnapshotParams|'s [=source snapshot params/target fenced frame config=] is null, then
     null; otherwise, the result of [=instantiate a config|instantiating=] |sourceSnapshotParams|'s
     [=source snapshot params/target fenced frame config=].
</div>

<br>

Finally, the below patches make use of the [=navigation params=]'s [=navigation params/fenced frame
config instance=], and handle the assignment of a [=browsing context=]'s [=browsing context/fenced
frame config instance=] that is initiated by a navigation.

Note: A [=browsing context=]'s [=browsing context/fenced frame config instance=] is assigned in two
different ways: (1) during embedder-initiated <{fencedframe}> navigation, as described by the rest
of this section, and (2) inherited during initial {{Document}} creation for {{Document}}s in [=child
navigables=] whose [=navigable/traversable navigable=] is a [=fenced navigable container/fenced
navigable=], as handled in the [[#creating-browsing-contexts-patch]] section.

For any successful navigation inside of a <{fencedframe}>, regardless of whether it was initiated by
content in the <{fencedframe}> or its embedder, exactly one of two things will happen:

 * <i>Embedder-initiated navigations</i>: The [=navigation params=]'s [=navigation params/fenced
   frame config instance=] will be unconditionally assigned to the <{fencedframe}>'s [=fenced
   navigable container=]'s [=fenced navigable container/fenced navigable=]'s [=navigable/active
   browsing context=]'s [=browsing context/fenced frame config instance=].

 * <i>Inner-content-initiated navigations</i>: The [=fenced frame config instance=] referenced in
   the immediately-preceding point persists through this kind of cross-{{Document}} navigation.

<div algorithm=create-and-initialize-document-patch>
  Modify [[!HTML]]'s [=create and initialize a Document object=] algorithm to insert one step after
  step 2 that reads:

  3. If |navigationParams|'s [=navigation params/fenced frame config instance=] is not null:

    1. [=Assert=]: |browsingContext| does not equal |navigationParams|'s [=navigation
       params/navigable=]'s [=navigable/active browsing context=].

       Note: This is because embedder-initiated navigations (indicated by |navigationParams|'s
       [=navigation params/fenced frame config instance=] being non-null) always cause a
       [[#bcg-swap]].

    1. Set |browsingContext|'s [=browsing context/fenced frame config instance=] to
       |navigationParams|'s [=navigation params/fenced frame config instance=].
</div>

<span class=XXX>TODO: Call the [=fenced frame config instance/on navigate callback=] at the
appropriate time.</span>

<h4 id=bcg-swap>Browsing context group swap</h4>

When the embedder of a <{fencedframe}> initiates navigations inside the frame, we must perform a
[=browsing context group=] swap to entirely reset the context inside the frame, to ensure nothing is
left over to be leaked to the next {{Document}}.

<div algorithm=attempt-populate-history-bcg-swap>
  Modify [[HTML]]'s [=attempt to populate the history entry's document=] algorithm. Add a step
  before the step that reads "6. [=Queue a global task=] on the [=navigation and traversal task
  source=]", that reads:

  6. If all of the following conditions are true:

       * |navigable| is a [=fenced navigable container/fenced navigable=];

       * <var ignore>sourceSnapshotParams</var>'s [=source snapshot params/fetch client=] is **not**
         |navigable|'s [=navigable/active document=]'s [=relevant settings object=];

       * |navigationParams| is non-null

     then set |navigationParams|'s [=navigation params/COOP enforcement result=]'s [=cross-origin
     opener policy enforcement result/needs a browsing context group switch=] [=boolean=] to true.

     Issue: This indeed works, but we should consider using a separate mechanism to carry this out,
     instead of piggybacking off of the COOP mechanism which was designed without fenced frames in
     mind, and could evolve in ways that give this specification unwanted side-effects.
</div>

<h3 id=page-visibility>Page visibility</h3>

The <a href=https://html.spec.whatwg.org/#page-visibility>Page visibility</a> section of [[HTML]] is
modified such that the first step of the algorithm that runs when a user-agent changes a
[=traversable navigable=]'s [=system visibility state=] calls the [=Document/inclusive descendant
navigables=] algorithm with [=inclusive-dn-unfenced|unfenced=] set to true.

<h2 id="interaction-with-other-specs">Interactions with other specifications</h2>

Due to the necessarily cross-cutting nature of the <{fencedframe}> element and its interactions with
core concepts like [=navigable=] and [=browsing context group=], there are a number of
specifications that rely on terms whose usages must be re-evaluated in light of this specification;
this section houses the various changes that we propose to other specifications.

<h3 id=prerendering-monkeypatch>Prerendering</h3>

The <a href=https://wicg.github.io/nav-speculation/prerendering.html>Prerendering Revamped</a>
specification defines [=navigable=]'s [=navigable/loading mode=] and the values it can take on. Our
specification adds another value for fenced frames:

: "`fencedframe`"
:: This [=navigable=] is displaying a <{fencedframe}>'s content

Issue: Specify the behavior that leads to the following:

<wpt>
  /fenced-frame/prerender.https.html
</wpt>

<h3 id=csp-integration>Content Security Policy</h3>

*This introductory section is non-normative*.

Content Security Policy [[!CSP]] can ordinarily be used by web content associated with a
{{Document}} that hosts a [=navigable container=] to limit the source of navigations in a [=child
navigable=].

In order to prevent [[!CSP]] from being used a communication side-channel exposing the [=URL=] of
navigations inside a <{fencedframe}> to the site operating its embedder, the only [=source
expressions=] that can influence a <{fencedframe}> navigation are:

 * The <a grammar>scheme-source</a> "`https:`"
 * The <a grammar>host-source</a> "`https://*:*`"
 * The [=string=] "`*`"

See our <a
href=https://github.com/WICG/fenced-frame/blob/master/explainer/interaction_with_content_security_policy.md#proposal---scheme-source-matching>CSP
explainer</a> that describes this.

<h4 id=csp-algorithms>Algorithms</h4>

<div algorithm=pre-request-check-csp>
  Add a step after step 2 of the [=frame-src pre-request check=] that says:

  3. If <var ignore>request</var>'s [=request/destination=] is "`fencedframe`", and this directive's
     [=directive value|value=] does not [=set/contain=] either "`https:`", "`https://*:*`", or
     "`*`", return "`Blocked`".
</div>

<div algorithm=post-request-check-csp>
  Add a step after step 2 of the [=frame-src post-request check=] that says:

  3. If <var ignore>request</var> [=request/destination=] is "`fencedframe`", and this directive's
    [=directive value|value=] does not [=set/contain=] either "`https:`", "`https://*:*`", or "`*`",
    return "`Blocked`".
</div>

Next, we modify the behavior of the [[CSPEE]] specification. If the embedding frame specifies a
[=required CSP=], fenced frames will not load. This is done to prevent arbitrary data flow from the
embedder to the fenced frame.

<div algorithm=cspee-changes>
  Add a step after step 1 in the [=Is response to request blocked by context's required CSP?=]
  algorithm that reads:

  2. If <var ignore>context</var>'s [=required csp=] is not `null`, and <var ignore>request</var>
    [=request/destination=] is "`fencedframe`", return "`Blocked`".
</div>

<h4 id=new-csp-directive>New fenced-frame-src [[!CSP]] [=directive=]</h4>

Since <{fencedframe}> is a different element than <{iframe}>, using the <b><i>[=frame-src=]</i></b>
directive wouldn't give web sites enough control over their CSP rules. Introduce a new [[!CSP]]
[=directive=]: <b><i>fenced-frame-src</i></b>. The monkey-patched specification is printed below:

<div algorithm=fenced-frame-src>
  The <dfn>fenced-frame-src</dfn> directive restricts the URLs which may be loaded into a
  <{fencedframe}>'s [=fenced navigable container/fenced navigable=]. The syntax for the directive's
  name and value is described by the following ABNF:

  <pre>
    directive-name  = "fenced-frame-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  <div id="fenced-frame-src-example" class="example">
    Given a page with the following Content Security Policy:
    <pre>
      <a http-header>Content-Security-Policy</a>: <a>fenced-frame-src</a> https://example.com/
    </pre>

    Fetches for the following code will return a [=network error=], as the URL provided does not
    match `fenced-frame-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;fencedframe src="https://example.org/"&gt;
      &lt;/fencedframe&gt;
    </pre>
  </div>

  The <a href="https://w3c.github.io/webappsec-csp/#frame-src-pre-request">Pre-request check</a> and
  <a href="https://w3c.github.io/webappsec-csp/#frame-src-post-request">Post-request check</a> will
  be the same as the
  <a href="https://w3c.github.io/webappsec-csp/#directive-frame-src">frame-src</a>'s check.
</div>

<div algorithm=default-src-amendment>
  The [=default-src=] directive's Example 7 and Example 8 will be amended. Where it says:

  <pre>
    <a http-header>Content-Security-Policy</a>: <a>connect-src</a> <a grammar>'self'</a>;
                            ...
                            <a>worker-src</a> <a grammar>'self'</a>
  </pre>

  It will now say:

  <pre>
    <a http-header>Content-Security-Policy</a>: <a>connect-src</a> <a grammar>'self'</a>;
                            ...
                            <a>fenced-frame-src</a> <a grammar>'self'</a>;
                            ...
                            <a>worker-src</a> <a grammar>'self'</a>
  </pre>
</div>

<div algorithm=directive-fallback-list>
  In the <a href="https://w3c.github.io/webappsec-csp/#directive-fallback-list">directive fallback
  list</a>, in step 1, add a new entry to the list:

  : "`fenced-frame-src`"
  ::
    1.  Return `<< "fenced-frame-src", "frame-src", "child-src", "default-src" >>`.
</div>

<div algorithm=effective-directive-switch-patch>
  Modify the switch on step 3 of the [=Get the effective directive for request=] algorithm to
  include the following case:

  : "`fencedframe`"
  ::
    1.  Return `fenced-frame-src`.
</div>

<wpt>
  /fenced-frame/ancestor-throttle.https.html
  /fenced-frame/csp-allowed.https.html
  /fenced-frame/csp-blocked.https.html
  /fenced-frame/csp-fenced-frame-src-allowed.https.html
  /fenced-frame/csp-fenced-frame-src-blocked.https.html
  /fenced-frame/csp-frame-src-allowed.https.html
  /fenced-frame/csp-frame-src-blocked.https.html
  /fenced-frame/csp-transparent-url.https.html
  /fenced-frame/csp.https.html
  /fenced-frame/cspee.https.html
  /fenced-frame/embedder-csp-not-propagate.https.html
</wpt>

<h3 id=permissions-policy-changes>Permissions Policies</h3>

*This introductory sub-section is non-normative.*

The [=policy-controlled features=] available to {{Document}}s inside of a <{fencedframe}> are
determined exclusively by the [=fenced frame config=] that the <{fencedframe}> navigates to.
Specifically, the [=fenced frame config=]'s [=fenced frame config/effective enabled permissions=]
defines the exclusive list of [=policy-controlled features=] that will be enabled in the
{{Document}} (all others will be disabled).

During navigation, the [=fenced frame config=] [=instantiate a config|instantiates=] a [=browsing
context/fenced frame config instance=] that is stored on the [=browsing context=] in the [=fenced
navigable container/fenced navigable=]. This browsing context's [=browsing context/fenced frame
config instance=]'s [=fenced frame config instance/effective enabled permissions=] is consulted
[=Should navigation response to navigation request be blocked by Permissions Policy?|during
navigation=]. A <{fencedframe}> navigation can only succeed if the [=Document/permissions policy=]
for the navigation's resulting {{Document}} has an [=permissions policy/inherited policy=] such that
the [=inherited policy for a feature|inherited policy value=] is "`Enabled`" for each feature in the
[=fenced frame config/effective enabled permissions=]. Otherwise the environment the <{fencedframe}>
is embedded in is deemed unsuitable for the [=fenced frame config=], and the navigation is blocked.

At the same time, to make sure that a <{fencedframe}>'s embedder does not directly influence content
in the frame based on that navigation's [=navigation params/origin=] (since the origin is derived
from cross-site data), this specification modifies various [[PERMISSIONS-POLICY]] algorithms such
that a <{fencedframe}> {{Document}}'s [=permissions policy/inherited policy=] is computed without
consideration of whether its [=navigation params/origin=] is [=same origin=] with its embedder's.
Therefore a feature can only be enabled inside of a <{fencedframe}> if its embedder *explicitly*
delegates it via [=the special value *=] [=allowlist=].

Considering all of the above, we get the following interesting implications:

 * If a [=policy-controlled feature|feature=] that [=list/exists=] in the [=fenced frame
   config/effective enabled permissions=] has a [=policy-controlled feature/default allowlist=] of
   [=the special value *=], and no \`<a http-header>`Permissions-Policy`</a>\` header is served on
   the <{fencedframe}> embedder, and the <{fencedframe/allow}> attribute is empty, the navigation
   inside the <{fencedframe}> will succeed, and the resulting {{Document}} will be [=allowed to
   use=] the [=policy-controlled feature|feature=] (i.e., it will be enabled).

 * If a [=policy-controlled feature|feature=] that [=list/exists=] in the [=fenced frame
   config/effective enabled permissions=] has a [=policy-controlled feature/default allowlist=] of
   <a for="default allowlist">`'self'`</a>, and no \`<a http-header>`Permissions-Policy`</a>\`
   header is served on the <{fencedframe}> embedder, and the <{fencedframe/allow}> attribute is
   empty, the navigation inside the <{fencedframe}> will be blocked.

   Note: This is because ordinarily this [=policy-controlled feature|feature=] would only be enabled
   if the subframe's {{Document}} was [=same origin=] with its embedder, a check this specification
   avoids for fenced frames, since the <{fencedframe}>s {{Document}}'s [=Document/origin=] is
   derived from cross-site data. Therefore, we simply "fail close".

 * If a [=policy-controlled feature|feature=] that [=list/exists=] in the [=fenced frame
   config/effective enabled permissions=] has a [=policy-controlled feature/default allowlist=] of
   <a for="default allowlist">`'self'`</a>, and the <{fencedframe}>'s <{fencedframe/allow}>
   attribute contains the [=policy-controlled feature|feature=] but no [=allowlist=], the rules
   described in <a href=allow-attribute-fenced-frame>The `allow` attribute section</a>, the default
   [=allowlist=] for the feature will be `'src'` which is meant to represent the embedder-supplied
   navigation [=URL=], for which there is none when navigating a <{fencedframe}>, as the navigation
   [=URL=] is determined by the [=fenced frame config=]. The navigation will be blocked.

 * If a [=policy-controlled feature|feature=] that [=list/exists=] in the [=fenced frame
   config/effective enabled permissions=] has a [=policy-controlled feature/default allowlist=] of
   <a for="default allowlist">`'self'`</a> but either the \`<a
   http-header>`Permissions-Policy`</a>\` header served on the <{fencedframe}>'s embedder *OR* the
   <{fencedframe/allow}> attribute sets that [=policy-controlled feature|feature=]'s [=allowlist=]
   to [=the special value *=], then the navigation inside the <{fencedframe}> will succeed, and the
   resulting {{Document}} is [=allowed to use=] the [=policy-controlled feature|feature=].

 * If a navigation inside a <{fencedframe}> would otherwise succeed, but the [=response=] on the
   navigation inside the <{fencedframe}> is served with a \`<a
   http-header>`Permissions-Policy`</a>\` header that sets the [=allowlist=] to "`none`" or an
   otherwise incompatible [=origin=] for a feature in the [=fenced frame config/effective enabled
   permissions=], the navigation still succeeds, but the {{Document}} in the <{fencedframe}> is
   **not** [=allowed to use=] the feature.

   Note: This is OK because it is the <{fencedframe}>'s content *itself* that is making the decision
   to disable a particular feature, not its embedder environment.

The patches in the below section "fence" the appropriate [[PERMISSIONS-POLICY]] and [[HTML]]
algorithms to achieve the outcomes described in the above explanatory content.

<h4 id=permissions-policy-patches>Algorithm patches</h4>

<div id=allow-attribute-fenced-frame algorithm=allow-attribute-fenced-frame>
  Rename the <a href=https://w3c.github.io/webappsec-permissions-policy/#iframe-allow-attribute>The
  `allow` attribute of the `iframe` element</a> section to "The `allow` attribute of the `iframe`
  and `fencedframe` element", and rewrite the section to read:

  <{iframe}> and <{fencedframe}> elements have an respective `allow` attributes (<{iframe}>:
  <{iframe/allow}>; <{fencedframe}>: <{fencedframe/allow}>), which contain an [=ASCII-serialized
  policy directive=].

  The allowlist for the features named in the attribute may be empty; in that case, the default
  value for the [=allowlist=] is "`src`", which represents the origin of the URL in the iframe's
  <{iframe/src}> attribute, or the fencedframe's [=fenced frame config=].

  When not empty, the <{iframe}>'s <{iframe/allow}> or <{fencedframe}>'s <{fencedframe/allow}>
  attribute will result in adding an [=allowlist=] for each [=supported feature=] to the <{iframe}>
  or <{fencedframe}>'s [=container policy=], when it is constructed.
</div>

<div algorithm=create-permissions-policy>
  Modify the [$Create a Permissions Policy for a navigable$] algorithm:

  Given null or an element (|container|), an [=origin=] (|origin|), and an optional [=boolean=]
  |fenced| that defaults to false, this algorithm returns a new Permissions Policy.

  Rewrite step 1 to read:

  1. [=Assert=]: if not null, <var ignore>container</var> is either a [=navigable container=] or a
     [=fenced navigable container=].

  Rewrite step 3 to read:

  4. For each |feature| [=supported features|supported=]:

     1. Let |isInherited| be the result of running [$Define an inherited policy for feature in
        container at origin$] on |feature|, |container|, |origin|, and |fenced|.

     2. Set <var ignore>inherited policy</var>[|feature|] to |isInherited|.
</div>

<div algorithm=create-permissions-policy-response>
  Modify the [$Create a Permissions Policy for a navigable from response$] algorithm to read:

  Given null, a [=navigable container=]-or-[=fenced navigable container=] (|container|), an
  [=origin=] (|origin|), and a [=response=] (<var ignore>response</var>), this algorithm returns a
  new [=Document/permissions policy=].

  Add a step before step 1 that reads:

  1. Let |fenced| be true if |container| is a [=fenced navigable container=], and false otherwise.

  Modify what is *now* step 2 of the algorithm to read:

  2. Let <var ignore>policy</var> be the result of running [$Create a Permissions Policy
     for a navigable$] given |container|, |origin|, and |fenced|.
</div>

<div algorithm=attempt-populate-history-patches>
  Modify [[HTML]]'s [=attempt to populate the history entry's document=] algorithm. Add a step
  before the step inside the [=queue a task|queued task=] starting with "If
  |failure| is true, then:" that reads:

  8. Otherwise, if the result of [=should navigation response to navigation request be blocked by
    Permissions Policy?=] given <var ignore>navigationParams</var> is "`Blocked`", then set 
    |failure| to true.

  Note: If this algorithm returns "`Blocked`", the pre-existing {{Document}} in the <{fencedframe}>
  does not stick around; an error page will be loaded.
</div>

<div algorithm=permissions-policy-block-request>
  Create a new algorithm called <dfn>should navigation response to navigation request be blocked by
  Permissions Policy?</dfn> in [[!HTML]].

  Given a [=navigation params=] (|navigationParams|), this algorithm returns "`Blocked`" or
  "`Allowed`":

  1. Let |navigable| be |navigationParams|'s [=navigation params/navigable=].

  1. If |navigable| is not a [=fenced navigable container/fenced navigable=], then return
     "`Allowed`".

  1. Let |origin| be |navigationParams|'s [=navigation params/origin=].

  1. Let |effective permissions| be the |navigable|'s [=navigable/active browsing context=]'s
     [=browsing context/fenced frame config instance=]'s [=fenced frame config instance/effective
     enabled permissions=].

     Issue: Per work omitted in [pull request
     #84](https://github.com/WICG/fenced-frame/pull/84#discussion_r1186531028), the config instance
     has not yet been assigned to the browsing context. We should consider storing the instance
     inside |navigationParams| and reference it from here instead.

  1. Let |permissions policy| be the result of [$Create a Permissions Policy for a navigable|
     creating a permissions policy$] given |navigable|'s [=fenced navigable container=], |origin|,
     and <var ignore>fenced</var> set to true.

     Note: This is identical to the [=Document/permissions policy=] that will be created when the
     navigation constructs the ultimate {{Document}} for this pending navigation. We create it now
     and run tests on it since this is the appropriate time to determine if a navigation will fail,
     and then throw it away. If the navigation succeeds, it will be recreated identically and
     unconditionally installed on the {{Document}}.

  1. Let |inherited policy| be |permissions policy|'s [=permissions policy/inherited policy=].

  1. [=list/For each=] |effective permission| of |effective permissions|:

    1. If |inherited policy|[|effective permission|] is "Disabled", return "`Blocked`".

  1. Return "`Allowed`."
</div>

<div algorithm=define-inherited-policy-in-container-patches>
  Modify the [$Define an inherited policy for feature in container at origin$] algorithm to
  read:

  Given a feature (|feature|), null or a [=navigable container=] (|container|), an [=origin=] for a
  document in that container (|origin|), and an optional [=boolean=] |fenced| that defaults to
  false, this algorithm returns the [=permissions policy/inherited policy=] for that feature.
  
  Rewrite step 3 to read:

  3. If the result of executing [$Is feature enabled in document for origin?$] on |feature|,
     |container|'s [=Node/node document=], |origin|, and |fenced| is "Disabled", return
     "Disabled".

  Note: We don't have to rewrite step 2, which also delegates to the same algorithm, to pass in the
  |fenced| [=boolean=] because step 2 has to do with checking to see if |feature| is enabled
  |container|'s [=Node/node document=], not the {{Document}} hosted *inside* |container|.

  Rewrite step 7 to read:

  7. If |fenced| is false, |feature|'s [=policy-controlled feature/default allowlist=] is
     `'self'`, and |origin| is [=same origin=] with |container|'s [=Node/node document=]'s
     origin, return `"Enabled"`.
</div>

<div algorithm=is-feature-enabled-patches>
  Modify the [$Is feature enabled in document for origin?$] algorithm to read:

  Given a feature (|feature|), a {{Document}} object (|document|), an [=url/origin=] (|origin|), and
  an optional [=boolean=] |fenced| that defaults to false, this algorithm returns "`Disabled`" if
  |feature| should be considered disabled, and "`Enabled`" otherwise.

  Rewrite step 3 to read:

  3. If |feature| is present in |policy|'s [=declared policy=],

    1. If |fenced| is false, and the [=allowlist=] for |feature| in |policy|'s [=declared policy=]
       [=permissions/matches=] |origin|, then return "`Enabled`".

    2. Otherwise, if |fenced| is true, and the [=allowlist=] for |feature| in |policy|'s [=declared
       policy=] is [=the special value *=], then return "`Enabled`".

    3. Otherwise, return "`Disabled`".

  Rewrite step 5 to read:

  5. If |fenced| is false, |feature|'s [=policy-controlled feature/default allowlist=] is `'self'`,
     and |origin| is [=same origin=] with |document|'s origin, return "Enabled".
</div>

<wpt>
  /fenced-frame/default-enabled-features-allow-all.https.html
  /fenced-frame/default-enabled-features-allow-none.https.html
  /fenced-frame/default-enabled-features-allow-self.https.html
  /fenced-frame/default-enabled-features-attribute-allow.https.html
  /fenced-frame/default-enabled-features-attribute-change.https.html
  /fenced-frame/default-enabled-features-attribute-disallow.https.html
  /fenced-frame/default-enabled-features-attribution-disabled.https.html
  /fenced-frame/default-enabled-features-subframe.https.html
  /fenced-frame/default-enabled-features-unset.https.html
  /fenced-frame/permission-api-denied-non-standard.https.html
  /fenced-frame/permission-api-denied.https.html
  /fenced-frame/permission-geolocation.https.html
  /fenced-frame/permission-notification.https.html
</wpt>

<h3 id=cssom-monkeypatch>CSSOM View</h3>

The [[!CSSOM-VIEW]] specification defines the {{Element/scrollIntoView()}} method that calls the
[=scroll a target into view=] algorithm. This will not only scroll the {{Element}} or
[=css2/viewport=] to make the target visible, but will also scroll [=tree/ancestor=]s if necessary
to make the target visible, essentially causing the scroll to "bubble up". This means that
{{Element/scrollIntoView()}} performed in a [=child navigable=] or [=fenced navigable container/
fenced navigable=] can be observed by its embedder, allowing for collusion across a fenced frame
boundary. This section patches the [=scroll a target into view=] algorithm to prevent that collusion
at the expense of some utility.

<div algorithm=scroll-target-into-view>
  Modify the [=scroll a target into view=] algorithm to add a step at the end of the algorithm that
  reads:

  14. If <var ignore>scrolling box</var>'s associated {{Element}}'s associated {{Document}}'s [=node
     navigable=]'s [=navigable/traversable navigable=] is a [=fenced navigable container/fenced
     navigable=], or if <var ignore>scrolling box</var>'s associated [=css2/viewport=]'s associated
     {{Document}}'s [=node navigable=]'s [=navigable/traversable navigable=] is a [=fenced navigable
     container/fenced navigable=], then let this be the last instance of this algorithm that stops
     any further recursive instances that would otherwise follow.

  Note: This allows scrolling to "bubble up" to a fenced frame boundary, but not cross it.

  <wpt>
    /fenced-frame/scroll-into-view.https.html
  </wpt>
</div>

<h2 id=security-and-privacy>Security & Privacy Considerations</h2>

This material is being upstreamed from our explainer into this specification, and in the meantime
you can consult the following resources:

 * [Security considerations](https://github.com/WICG/fenced-frame/tree/master/explainer#security-considerations)
 * [Privacy considerations](https://github.com/WICG/fenced-frame/tree/master/explainer#privacy-considerations)
 * [TAG Security/Privacy Questionnaire](https://github.com/WICG/fenced-frame/blob/master/explainer/TAG_Security_Privacy_Questionnaire.md)