From 0567e38a2342ca2a18fda19b7338b7f8c9afacc8 Mon Sep 17 00:00:00 2001
From: Yoav Weiss <yoav.weiss@shopify.com>
Date: Mon, 30 Sep 2024 10:55:11 +0200
Subject: [PATCH] Address comments from Dom

---
 source | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/source b/source
index c874621f78e..ebe20423c4c 100644
--- a/source
+++ b/source
@@ -86806,14 +86806,15 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
     <p>Other risks from same-origin applications include:</p>
     <ul>
      <li><p>Same-origin requests fetching the document's content — could be mitigated through
-     Fetch Metadata filtering.</p></li>
+     Fetch Metadata filtering.<ref>FETCHMETADATA</ref></p></li>
      <li><p>Same-origin framing - could be mitigated through <code>X-Frame-Options</code> or CSP
      <code data-x="frame-ancestors directive">frame-ancestors</code>.</p></li>
      <li><p>JavaScript accessible cookies - can be mitigated by ensuring all cookies are <code
      data-x="">httponly</code>.</p></li>
      <li><p>localStorage access to sensitive data.</p></li>
      <li><p>Service worker installation.</p></li>
-     <li><p>Cache API manipulation or access to sensitive data.</p></li>
+     <li><p><a href="https://w3c.github.io/ServiceWorker/#cache">Cache API</a> manipulation or
+     access to sensitive data.<ref>SW</ref></p></li>
      <li><p><code data-x="">postMessage</code> or <code>BroadcastChannel</code> messaging that
      exposes sensitive information.</p></li>
      <li><p>Autofill which may not require user interaction for same-origin documents.</p></li>
@@ -87019,11 +87020,20 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
    <var>activeDocumentCOOPValue</var>, <var>activeDocumentNavigationOrigin</var>,
    <var>responseCOOPValue</var>, and <var>responseOrigin</var> is true, then return false.</p></li>
 
-   <li><p>If <var>activeDocumentCOOPValue</var> is "<code
-   data-x="coop-noopener-allow-popups">noopener-allow-popups</code>" and
-   <var>responseCOOPValue</var> is "<code
-   data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code>" or "<code
-   data-x="coop-unsafe-none">unsafe-none</code>", then return false.</p></li>
+   <li>
+    <p>If <var>activeDocumentCOOPValue</var> is "<code
+    data-x="coop-noopener-allow-popups">noopener-allow-popups</code>", then:</p>
+
+    <ol>
+     <li><p>If <var>responseCOOPValue</var> is "<code
+     data-x="coop-unsafe-none">unsafe-none</code>", then return false.</p></li>
+
+     <li><p>If <var>responseCOOPValue</var> is "<code
+     data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code>" and
+     <var>activeDocumentNavigationOrigin</var> is <span>same origin</span> with
+     <var>responseOrigin</var>, then return false.</p></li>
+    </ol>
+   </li>
 
    <li>
     <p>If all of the following are true:</p>
@@ -143647,6 +143657,9 @@ INSERT INTERFACES HERE
    <dt id="refsFETCH">[FETCH]</dt>
    <dd><cite><a href="https://fetch.spec.whatwg.org/">Fetch</a></cite>, A. van Kesteren. WHATWG.</dd>
 
+   <dt id="refsFETCHMETADATA">[FETCH-METADATA]</dt>
+   <dd><cite><a href="https://w3c.github.io/webappsec-fetch-metadata/">Fetch Metadata Request Headers</a></cite>, M.West. W3C.</dd>
+
    <dt id="refsFILEAPI">[FILEAPI]</dt>
    <dd><cite><a href="https://w3c.github.io/FileAPI/">File API</a></cite>, A. Ranganathan. W3C.</dd>