diff --git a/source b/source
index dc2ce71f574..37a70f76379 100644
--- a/source
+++ b/source
@@ -10014,6 +10014,8 @@ o.myself = o;</code></pre>
   <span data-x="concept-document-url">URL</span> in their user interface. This is the primary
   mechanism by which a user can tell if a site is attempting to impersonate another.</p>
 
+  <!-- TODO: Update text about document origin -->
+
   <p>The <code>Document</code> object's <dfn data-x="concept-document-origin"
   data-x-href="https://dom.spec.whatwg.org/#concept-document-origin"
   data-x-for="Document">origin</dfn> is defined in <cite>DOM</cite>. It is initially set when the
@@ -10199,7 +10201,8 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
   <!--INSERT TRACKING-->
   On getting, if the document is a <span>cookie-averse <code>Document</code> object</span>, then the
   user agent must return the empty string. Otherwise, if the <code>Document</code>'s <span
-  data-x="concept-document-origin">origin</span> is an <span data-x="concept-origin-opaque">opaque
+  data-x="concept-document-policy-container">policy container</span>'s <span
+  data-x="policy-container-origin">origin</span> is an <span data-x="concept-origin-opaque">opaque
   origin</span>, the user agent must throw a <span>"<code>SecurityError</code>"</span>
   <code>DOMException</code>. Otherwise, the user agent must return the <span>cookie-string</span>
   for the document's <span data-x="concept-document-url">URL</span> for a "non-HTTP" API, decoded
@@ -10207,7 +10210,8 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
 
   <p>On setting, if the document is a <span>cookie-averse <code>Document</code> object</span>, then
   the user agent must do nothing. Otherwise, if the <code>Document</code>'s <span
-  data-x="concept-document-origin">origin</span> is an <span data-x="concept-origin-opaque">opaque
+  data-x="concept-document-policy-container">policy container</span>'s <span
+  data-x="policy-container-origin">origin</span> is an <span data-x="concept-origin-opaque">opaque
   origin</span>, the user agent must throw a <span>"<code>SecurityError</code>"</span>
   <code>DOMException</code>. Otherwise, the user agent must act as it would when <span
   data-x="receives a set-cookie-string">receiving a set-cookie-string</span> for the document's
@@ -15054,7 +15058,8 @@ interface <dfn interface>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
      <dd><var>document</var>'s <span data-x="concept-document-URL">URL</span></dd>
 
      <dt><span data-x="link options origin">origin</span></dt>
-     <dd><var>document</var>'s <span data-x="concept-document-origin">origin</span></dd>
+     <dd><var>document</var>'s <span data-x="concept-document-policy-container">policy
+     container</span>'s <span data-x="policy-container-origin">origin</span></dd>
 
      <dt><span data-x="link options environment">environment</span></dt>
      <dd><var>document</var>'s <span>relevant settings object</span></dd>
@@ -15169,7 +15174,8 @@ interface <dfn interface>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
        <dd><var>doc</var>'s <span data-x="concept-document-URL">URL</span></dd>
 
        <dt><span data-x="link options origin">origin</span></dt>
-       <dd><var>doc</var>'s <span data-x="concept-document-origin">origin</span></dd>
+       <dd><var>doc</var>'s <span data-x="concept-document-policy-container">policy
+       container</span>'s <span data-x="policy-container-origin">origin</span></dd>
 
        <dt><span data-x="link options environment">environment</span></dt>
        <dd><var>doc</var>'s <span>relevant settings object</span></dd>
@@ -24549,7 +24555,8 @@ document.body.appendChild(wbr);</code></pre>
    the header, and jump to the step labeled <i>sanitize</i> below. <ref spec=RFC6266></p></li>
 
    <li><p>Let <var>interface origin</var> be the <span
-   data-x="concept-document-origin">origin</span> of the <code>Document</code> in which the <span
+   data-x="policy-container-origin">origin</span> of the <code>Document</code>'s <span
+   data-x="concept-document-policy-container">policy container</span> in which the <span
    data-x="downloading hyperlinks">download</span> or <span>navigate</span> action resulting in the
    download was initiated, if any.</p></li>
 
@@ -29470,7 +29477,8 @@ was an English &lt;a href="/wiki/Music_hall">music hall&lt;/a> singer, ...</code
      <li><p>Let <var>key</var> be a tuple consisting of <var>urlString</var>, the <code>img</code>
      element's <code data-x="attr-img-crossorigin">crossorigin</code> attribute's mode, and, if that
      mode is not <span data-x="attr-crossorigin-none">No CORS</span>, the <span>node
-     document</span>'s <span data-x="concept-document-origin">origin</span>.</p></li>
+     document</span>'s <span data-x="concept-document-policy-container">policy container</span>'s
+     <span data-x="policy-container-origin">origin</span>.</p></li>
 
      <li>
       <p>If the <span>list of available images</span> contains an entry for <var>key</var>,
@@ -30489,7 +30497,8 @@ was an English &lt;a href="/wiki/Music_hall">music hall&lt;/a> singer, ...</code
    data-x="attr-img-crossorigin">crossorigin</code> content attribute.</p></li>
 
    <li><p>&#x231B; Let <var>origin</var> be the <code>img</code> element's <span>node
-   document</span>'s <span data-x="concept-document-origin">origin</span>.</p></li>
+   document</span>'s <span data-x="concept-document-policy-container">policy container</span>'s
+   <span data-x="policy-container-origin">origin</span>.</p></li>
 
    <li><p>&#x231B; Let <var>client</var> be the <code>img</code> element's <span>node
    document</span>'s <span>relevant settings object</span>.</p></li>
@@ -32221,7 +32230,8 @@ interface <dfn interface>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
 
     <li><p>If the result of running <span data-x="is-feature-enabled">is feature enabled in document
     for origin</span> on <var>feature</var>, <var>document</var>, and <var>document</var>'s <span
-    data-x="concept-document-origin">origin</span> is "<code data-x="">Enabled</code>", then return
+    data-x="concept-document-policy-container">policy container</span> <span
+    data-x="policy-container-origin">origin</span> is "<code data-x="">Enabled</code>", then return
     true.</p></li>
 
     <li><p>Return false.</p></li>
@@ -50994,7 +51004,8 @@ You cannot submit this form when the field is incorrect.</samp></pre>
 
    <li>
     <p>If <span>this</span>'s <span>relevant settings object</span>'s <span
-    data-x="concept-settings-object-origin">origin</span> is not <span>same origin</span> with
+    data-x="concept-settings-object-policy-container">policy container</span>'s <span
+    data-x="policy-container-origin">origin</span> is not <span>same origin</span> with
     <span>this</span>'s <span>relevant settings object</span>'s <span>top-level origin</span>, and
     <span>this</span>'s <code data-x="attr-input-type">type</code> attribute is not in the <span
     data-x="attr-input-type-file">File Upload</span> state or <span
@@ -59267,8 +59278,10 @@ interface <dfn interface>HTMLDialogElement</dfn> : <span>HTMLElement</span> {
    document</span>.</p></li>
 
    <li><p>If <var>control</var>'s <span>node document</span>'s <span
-   data-x="concept-document-origin">origin</span> is not the <span data-x="same origin">same</span>
-   as the <span data-x="concept-document-origin">origin</span> of <var>topDocument</var>, then
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not the <span data-x="same origin">same</span>
+   as the <span data-x="policy-container-origin">origin</span> of <var>topDocument</var>'s
+   <span data-x="concept-document-policy-container">policy container</span>, then
    return.</p></li>
 
    <li><p><span data-x="list empty">Empty</span> <var>topDocument</var>'s
@@ -75880,8 +75893,10 @@ END:VCARD</pre>
    data-x="nav-window">active window</span> of each of <var>document</var>'s <span>descendant
    navigables</span>, filtered to include only those <span data-x="navigable">navigables</span>
    whose <span data-x="nav-document">active document</span>'s <span
-   data-x="concept-document-origin">origin</span> is <span>same origin</span> with
-   <var>document</var>'s <span data-x="concept-document-origin">origin</span>.</p></li>
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is <span>same origin</span> with
+   <var>document</var>'s <span data-x="concept-document-policy-container">policy container</span>'s
+   <span data-x="policy-container-origin">origin</span>.</p></li>
 
    <li><p><span data-x="list iterate">For each</span> <var>window</var> in <var>windows</var>, set
    <var>window</var>'s <span>last activation timestamp</span> to the <span>current high resolution
@@ -77556,8 +77571,10 @@ partial interface <span id="NavigatorUserActivation-partial">Navigator</span> {
    <li><p><span data-x="list iterate">For each</span> <var>ancestorNavigable</var> of
    <var>target</var>'s <span>ancestor navigables</span>: if <var>ancestorNavigable</var>'s <span
    data-x="nav-document">active document</span>'s <span
-   data-x="concept-document-origin">origin</span> is not <span>same origin</span> with
-   <var>target</var>'s <span data-x="concept-document-origin">origin</span>, then return.</p></li>
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin</span> with
+   <var>target</var>'s <span data-x="concept-document-policy-container">policy container</span>'s
+   <span data-x="policy-container-origin">origin</span>, then return.</p></li>
 
    <li><p>Let <var>topDocument</var> be <var>target</var>'s <span>node navigable</span>'s <span
    data-x="nav-top">top-level traversable</span>'s <span data-x="nav-document">active
@@ -81285,7 +81302,8 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
 
   <ol>
    <li><p>Let <var>effectiveDomain</var> be <span>this</span>'s <span
-   data-x="concept-document-origin">origin</span>'s <span
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>'s <span
    data-x="concept-origin-effective-domain">effective domain</span>.
 
    <li><p>If <var>effectiveDomain</var> is null, then return the empty string.</p></li>
@@ -81305,7 +81323,8 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
    throw a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>Let <var>effectiveDomain</var> be <span>this</span>'s <span
-   data-x="concept-document-origin">origin</span>'s <span
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>'s <span
    data-x="concept-origin-effective-domain">effective domain</span>.
 
    <li><p>If <var>effectiveDomain</var> is null, then throw a
@@ -81318,7 +81337,8 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
    <li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>is
    origin-keyed</span> is true, then return.</p></li>
 
-   <li><p>Set <var>this</var>'s <span data-x="concept-document-origin">origin</span>'s <span
+   <li><p>Set <var>this</var>'s <span data-x="concept-document-policy-container">policy
+   container</span>'s <span data-x="policy-container-origin">origin</span>'s <span
    data-x="concept-origin-domain">domain</span> to the result of <span data-x="host
    parser">parsing</span> the given value.</p></li>
   </ol>
@@ -81493,7 +81513,8 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
 
   <p>The consequences of using this header are that <span w-nodev>the resulting
   <code>Document</code>'s <span>agent cluster key</span> is its <span
-  data-x="concept-document-origin">origin</span>, instead of the <span data-x="obtain a
+  data-x="concept-document-policy-container">policy container</span>'s <span
+  data-x="policy-container-origin">origin</span>, instead of the <span data-x="obtain a
   site">corresponding site</span>. In terms of observable effects, this means that
   </span>attempting to <a href="#relaxing-the-same-origin-restriction">relax the same-origin
   restriction</a> using <code data-x="dom-document-domain">document.domain</code> will instead do
@@ -82080,23 +82101,27 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
    data-x="bc-tlbc">top-level browsing context</span>'s <span>active document</span>.</p></li>
 
    <li><p>Let <var>accessorInclusiveAncestorOrigins</var> be the list obtained by taking the <span
-   data-x="concept-document-origin">origin</span> of the <span data-x="nav-document">active
-   document</span> of each of <var>accessor</var>'s <span>active document</span>'s <span>inclusive
+   data-x="policy-container-origin">origin</span> of the <span data-x="nav-document">active
+   document</span>'s <span data-x="concept-document-policy-container">policy container</span>
+   of each of <var>accessor</var>'s <span>active document</span>'s <span>inclusive
    ancestor navigables</span>.</p></li>
 
    <li><p>Let <var>accessedTopDocument</var> be <var>accessed</var>'s <span
    data-x="bc-tlbc">top-level browsing context</span>'s <span>active document</span>.</p></li>
 
    <li><p>Let <var>accessedInclusiveAncestorOrigins</var> be the list obtained by taking the <span
-   data-x="concept-document-origin">origin</span> of the <span data-x="nav-document">active
-   document</span> of each of <var>accessed</var>'s <span>active document</span>'s <span>inclusive
+   data-x="policy-container-origin">origin</span> of the <span data-x="nav-document">active
+   document</span>'s <span data-x="concept-document-policy-container">policy container</span>
+   of each of <var>accessed</var>'s <span>active document</span>'s <span>inclusive
    ancestor navigables</span>.</p></li>
 
    <li>
     <p>If any of <var>accessorInclusiveAncestorOrigins</var> are not <span>same origin</span> with
-    <var>accessorTopDocument</var>'s <span data-x="concept-document-origin">origin</span>, or if
+    <var>accessorTopDocument</var>'s <span data-x="concept-document-policy-container">policy
+    container</span>'s <span data-x="policy-container-origin">origin</span>, or if
     any of <var>accessedInclusiveAncestorOrigins</var> are not <span>same origin</span> with
-    <var>accessedTopDocument</var>'s <span data-x="concept-document-origin">origin</span>, then
+    <var>accessedTopDocument</var>'s <span data-x="concept-document-policy-container">policy
+    container</span>'s <span data-x="policy-container-origin">origin</span>, then
     return.</p>
 
     <p class="note">This avoids leaking information about cross-origin iframes to a top level frame
@@ -82135,8 +82160,10 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
    data-x="browsing-context-initial-url">initial URL</span>, <var>accessed</var>'s <span
    data-x="bc-tlbc">top-level browsing context</span>'s <span
    data-x="browsing-context-initial-url">initial URL</span>, <var>accessor</var>'s <span>active
-   document</span>'s <span data-x="concept-document-origin">origin</span>, <var>accessed</var>'s
-   <span>active document</span>'s <span data-x="concept-document-origin">origin</span>,
+   document</span>'s <span data-x="concept-document-policy-container">policy container</span>'s
+   <span data-x="policy-container-origin">origin</span>, <var>accessed</var>'s
+   <span>active document</span>'s <span data-x="concept-document-policy-container">policy
+   container</span>'s <span data-x="policy-container-origin">origin</span>,
    <var>accessor</var>'s <span data-x="bc-tlbc">top-level browsing context</span>'s <span
    data-x="opener-origin-at-creation">opener origin at creation</span>, <var>accessed</var>'s <span
    data-x="bc-tlbc">top-level browsing context</span>'s <span
@@ -83441,6 +83468,9 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
   <!-- Note: each item has to define a default value for creating a new policy container. -->
 
   <ul>
+   <li><p>An <dfn export for="policy container" data-x="policy-container-origin">origin</dfn>,
+   which is an <span>origin</span>.  It is initially an opaque origin.</p></li>
+
    <li><p>A <dfn export for="policy container" data-x="policy-container-csp-list">CSP list</dfn>,
    which is a <span data-x="concept-csp-list">CSP list</span>. It is initially empty.</p></li>
 
@@ -83461,6 +83491,9 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
   <ol>
    <li><p>Let <var>clone</var> be a new <span>policy container</span>.</p></li>
 
+   <li><p>Set <var>clone</var>'s <span data-x="policy-container-origin">origin</span> to
+   <var>policyContainer</var>'s <span data-x="policy-container-origin">origin</span>.</p></li>
+
    <li><p><span data-x="list iterate">For each</span> <var>policy</var> in
    <var>policyContainer</var>'s <span data-x="policy-container-csp-list">CSP list</span>, <span
    data-x="list append">append</span> a copy of <var>policy</var> into <var>clone</var>'s <span
@@ -83512,6 +83545,10 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
 
    <li><p>Let <var>result</var> be a new <span>policy container</span>.</p></li>
 
+   <li><p>Set <var>result</var>'s <span data-x="policy-container-origin">origin</span> to
+   <var>response</var>'s <span data-x="concept-response-url">URL</span>'s
+   <span data-x="concept-url-origin">origin</span>.</p></li>
+
    <li><p>Set <var>result</var>'s <span data-x="policy-container-csp-list">CSP list</span> to the
    result of <span data-x="parse-response-csp">parsing a response's Content Security Policies</span>
    given <var>response</var>.</p></li>
@@ -83567,7 +83604,9 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
    <li><p>If <var>responsePolicyContainer</var> is not null, then return
    <var>responsePolicyContainer</var>.</p></li>
 
-   <li><p>Return a new <span>policy container</span>.</p></li>
+   <li><p>Return a new <span>policy container</span> with its
+   <span data-x="policy-container-origin">origin</span> set to <var>responseURL</var>'s
+   <span data-x="concept-url-origin">origin</span>.</p></li>
   </ol>
 
   <p>To <dfn data-x="initialize worker policy container">initialize a worker global scope's policy
@@ -83745,9 +83784,11 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
 
   <ol>
    <li><p>Return true if the <span>current settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span> is <span>same origin-domain</span> with
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is <span>same origin-domain</span> with
    <var>O</var>'s <span>relevant settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, and false otherwise.</p></li>
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, and false otherwise.</p></li>
   </ol>
 
   <p class="note">This abstract operation does not return a <span>Completion Record</span>.</p>
@@ -84620,9 +84661,11 @@ dictionary <dfn dictionary>WindowPostMessageOptions</dfn> : <span>StructuredSeri
      data-x="nav-target">target name</span>.</p></li>
 
      <li><p>If <var>navigable</var>'s <span data-x="nav-document">active document</span>'s <span
-     data-x="concept-document-origin">origin</span> is <span>same origin</span> with
+     data-x="concept-document-policy-container">policy container</span>'s <span
+     data-x="policy-container-origin">origin</span> is <span>same origin</span> with
      <var>window</var>'s <span>relevant settings object</span>'s <span
-     data-x="concept-settings-object-origin">origin</span>, then <span data-x="list
+     data-x="concept-settings-object-policy-container">policy container</span>'s <span
+     data-x="policy-container-origin">origin</span>, then <span data-x="list
      append">append</span> <var>name</var> to <var>names</var>.</p></li>
     </ol>
    </li>
@@ -84841,9 +84884,11 @@ dictionary <dfn dictionary>WindowPostMessageOptions</dfn> : <span>StructuredSeri
    <li><p>If <var>container</var> is null, then return null.</p></li>
 
    <li><p>If <var>container</var>'s <span>node document</span>'s <span
-   data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with the
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with the
    <span>current settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then return null.</p></li>
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then return null.</p></li>
 
    <li><p>Return <var>container</var>.</p></li>
   </ol>
@@ -85021,12 +85066,6 @@ interface <dfn interface>BarProp</dfn> {
       <span data-x="concept-document-window">associated <code>Document</code></span>.</p>
      </dd>
 
-     <dt>The <span data-x="concept-settings-object-origin">origin</span></dt>
-     <dd>
-      <p>Return the <span data-x="concept-document-origin">origin</span> of <var>window</var>'s
-      <span data-x="concept-document-window">associated <code>Document</code></span>.</p>
-     </dd>
-
      <dt>The <span data-x="concept-settings-object-policy-container">policy container</span></dt>
      <dd>
       <p>Return the <span data-x="concept-document-policy-container">policy container</span> of
@@ -85610,7 +85649,8 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
      <li><p><span data-x="list append">Append</span> the <span data-x="serialization of an
      origin">serialization</span> of <var>current</var>'s <span
-     data-x="concept-document-origin">origin</span> to <var>output</var>.</p></li>
+     data-x="concept-document-policy-container">policy container</span>'s <span
+     data-x="policy-container-origin">origin</span> to <var>output</var>.</p></li>
     </ol>
    </li>
 
@@ -85645,9 +85685,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
   <ol>
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span> is non-null and its
-   <span data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with
+   <span data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with
    the <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>Return <span>this</span>'s <span data-x="concept-location-url">url</span>, <span
@@ -85676,9 +85718,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
   <ol>
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span> is non-null and its
-   <span data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with
+   <span data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with
    the <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>Return the <span data-x="serialization of an origin">serialization</span> of
@@ -85691,9 +85735,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
   <ol>
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span> is non-null and its
-   <span data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with
+   <span data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with
    the <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>Return <span>this</span>'s <span data-x="concept-location-url">url</span>'s <span
@@ -85707,9 +85753,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    return.</p></li>
 
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span>'s <span
-   data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with the
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with the
    <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>Let <var>copyURL</var> be a copy of <span>this</span>'s <span
@@ -85741,9 +85789,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
   <ol>
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span> is non-null and its
-   <span data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with
+   <span data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with
    the <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>Let <var>url</var> be <span>this</span>'s <span
@@ -85769,9 +85819,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    return.</p></li>
 
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span>'s <span
-   data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with the
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with the
    <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>Let <var>copyURL</var> be a copy of <span>this</span>'s <span
@@ -85793,9 +85845,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
   <ol>
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span> is non-null and its
-   <span data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with
+   <span data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with
    the <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>If <span>this</span>'s <span data-x="concept-location-url">url</span>'s <span
@@ -85813,9 +85867,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    return.</p></li>
 
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span>'s <span
-   data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with the
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with the
    <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>Let <var>copyURL</var> be a copy of <span>this</span>'s <span
@@ -85837,9 +85893,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
   <ol>
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span> is non-null and its
-   <span data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with
+   <span data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with
    the <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>If <span>this</span>'s <span data-x="concept-location-url">url</span>'s <span
@@ -85857,9 +85915,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    return.</p></li>
 
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span>'s <span
-   data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with the
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with the
    <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>Let <var>copyURL</var> be a copy of <span>this</span>'s <span
@@ -85885,9 +85945,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
   <ol>
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span> is non-null and its
-   <span data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with
+   <span data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with
    the <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>Return the result of <span data-x="URL path serializer">URL path serializing</span> this
@@ -85901,9 +85963,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    return.</p></li>
 
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span>'s <span
-   data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with the
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with the
    <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>Let <var>copyURL</var> be a copy of <span>this</span>'s <span
@@ -85928,9 +85992,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
   <ol>
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span> is non-null and its
-   <span data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with
+   <span data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with
    the <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>If <span>this</span>'s <span data-x="concept-location-url">url</span>'s <span
@@ -85949,9 +86015,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    return.</p></li>
 
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span>'s <span
-   data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with the
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with the
    <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>Let <var>copyURL</var> be a copy of <span>this</span>'s <span
@@ -85987,9 +86055,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
   <ol>
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span> is non-null and its
-   <span data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with
+   <span data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with
    the <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>If <span>this</span>'s <span data-x="concept-location-url">url</span>'s <span
@@ -86008,9 +86078,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    return.</p></li>
 
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span>'s <span
-   data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with the
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with the
    <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>Let <var>copyURL</var> be a copy of <span>this</span>'s <span
@@ -86058,9 +86130,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    return.</p></li>
 
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span>'s <span
-   data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with the
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with the
    <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p><span data-x="parse a url">Parse</span> <var>url</var> relative to the <span>entry
@@ -86098,9 +86172,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
    <li><p>If <var>document</var> is null, then return.</p></li>
 
-   <li><p>If <var>document</var>'s <span data-x="concept-document-origin">origin</span> is not
+   <li><p>If <var>document</var>'s <span data-x="concept-document-policy-container">policy
+   container</span>'s <span data-x="policy-container-origin">origin</span> is not
    <span>same origin-domain</span> with the <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p><span>Reload</span> <var>document</var>'s <span>node navigable</span>.</p></li>
@@ -86116,9 +86192,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    an empty <span>list</span>.</p></li>
 
    <li><p>If <span>this</span>'s <span>relevant <code>Document</code></span>'s <span
-   data-x="concept-document-origin">origin</span> is not <span>same origin-domain</span> with the
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is not <span>same origin-domain</span> with the
    <span>entry settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span>, then throw a
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>Otherwise, return <span>this</span>'s <span
@@ -86660,7 +86738,8 @@ interface <dfn interface>History</dfn> {
    </table>
 
    <p>Note how only the <span data-x="concept-document-url">URL</span> of the <code>Document</code>
-   matters, and not its <span data-x="concept-document-origin">origin</span>. They can mismatch in
+   matters, and not its <span data-x="concept-document-policy-container">policy container</span>'s
+   <span data-x="policy-container-origin">origin</span>. They can mismatch in
    cases like <code>about:blank</code> <code>Document</code>s with inherited origins, in sandboxed
    <code>iframe</code>s, or when the <code data-x="dom-document-domain">document.domain</code>
    setter has been used.</p>
@@ -87287,9 +87366,11 @@ interface <dfn interface>BeforeUnloadEvent</dfn> : <span>Event</span> {
    <li><p>Let <var>document</var> be <var>container</var>'s <span>nested navigable</span>'s <span
    data-x="nav-document">active document</span>.</p></li>
 
-   <li><p>If <var>document</var>'s <span data-x="concept-document-origin">origin</span> and
+   <li><p>If <var>document</var>'s <span data-x="concept-document-policy-container">policy
+   container</span>'s <span data-x="policy-container-origin">origin</span> and
    <var>container</var>'s <span>node document</span>'s <span
-   data-x="concept-document-origin">origin</span> are not <span>same origin-domain</span>, then
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> are not <span>same origin-domain</span>, then
    return null.</p></li>
 
    <li><p>Return <var>document</var>.</p></li>
@@ -87892,7 +87973,8 @@ interface <dfn interface>BeforeUnloadEvent</dfn> : <span>Event</span> {
         policy</span>'s <span data-x="coop-struct-value">value</span> is "<code
         data-x="coop-same-origin">same-origin</code>" or "<code
         data-x="coop-same-origin-plus-coep">same-origin-plus-COEP</code>", and
-        <var>currentDocument</var>'s <span data-x="concept-document-origin">origin</span> is not
+        <var>currentDocument</var>'s <span data-x="concept-document-policy-container">policy
+        container</span>'s <span data-x="policy-container-origin">origin</span> is not
         <span>same origin</span> with <var>currentDocument</var>'s <span>relevant settings
         object</span>'s <span>top-level origin</span>, then:</p>
 
@@ -88073,7 +88155,8 @@ interface <dfn interface>BeforeUnloadEvent</dfn> : <span>Event</span> {
 
     <ol>
      <li><p>Set <var>creatorOrigin</var> to <var>creator</var>'s <span
-     data-x="concept-document-origin">origin</span>.</p></li>
+     data-x="concept-document-policy-container">policy container</span>'s <span
+     data-x="policy-container-origin">origin</span>.</p></li>
 
      <li><p>Set <var>browsingContext</var>'s <span>creator base URL</span> to an algorithm which
      returns <var>creator</var>'s <span data-x="document base URL">base URL</span>.</p></li>
@@ -88151,9 +88234,6 @@ interface <dfn interface>BeforeUnloadEvent</dfn> : <span>Event</span> {
      <dt><span data-x="concept-document-mode">mode</span></dt>
      <dd>"<code data-x="">quirks</code>"</dd>
 
-     <dt><span data-x="concept-document-origin">origin</span></dt>
-     <dd><var>origin</var></dd>
-
      <dt><span data-x="concept-document-bc">browsing context</span></dt>
      <dd><var>browsingContext</var>
 
@@ -88184,7 +88264,8 @@ interface <dfn interface>BeforeUnloadEvent</dfn> : <span>Event</span> {
      <var>creator</var>'s <span data-x="concept-document-policy-container">policy
      container</span>.</p></li>
 
-     <li><p>If <var>creator</var>'s <span data-x="concept-document-origin">origin</span> is
+     <li><p>If <var>creator</var>'s <span data-x="concept-document-policy-container">policy
+     container</span>'s <span data-x="policy-container-origin">origin</span> is
      <span>same origin</span> with <var>creator</var>'s <span>relevant settings object</span>'s
      <span>top-level origin</span>, then set <var>document</var>'s <span
      data-x="concept-document-coop">cross-origin opener policy</span> to <var>creator</var>'s <span
@@ -88194,6 +88275,10 @@ interface <dfn interface>BeforeUnloadEvent</dfn> : <span>Event</span> {
     </ol>
    </li>
 
+   <li><p>Set <var>document</var>'s <span data-x="concept-document-policy-container">policy
+   container</span>'s <span data-x="policy-container-origin">origin</span> to <var>origin</var>.
+   </p></li>
+
    <li><p><span>Assert</span>: <var>document</var>'s <span data-x="concept-document-url">URL</span>
    and <var>document</var>'s <span>relevant settings object</span>'s <span
    data-x="concept-environment-creation-url">creation URL</span> are
@@ -88255,7 +88340,8 @@ interface <dfn interface>BeforeUnloadEvent</dfn> : <span>Event</span> {
 
    <li><p>Set <var>browsingContext</var>'s <span data-x="opener-origin-at-creation">opener origin
    at creation</span> to <var>opener</var>'s <span data-x="nav-document">active document</span>'s
-   <span data-x="concept-document-origin">origin</span>.</p></li>
+   <span data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>.</p></li>
 
    <li><p>Return <var>browsingContext</var> and <var>document</var>.</p></li>
   </ol>
@@ -88291,7 +88377,8 @@ interface <dfn interface>BeforeUnloadEvent</dfn> : <span>Event</span> {
 
   <p class="note">The cases that return <var>sourceOrigin</var> or <var>containerOrigin</var>
   result in two <code>Document</code>s that end up with the same underlying <span
-  data-x="concept-document-origin">origin</span>, meaning that <code
+  data-x="concept-document-policy-container">policy container</span> <span
+  data-x="policy-container-origin">origin</span>, meaning that <code
   data-x="dom-document-domain">document.domain</code> affects both.</p>
 
 
@@ -88363,8 +88450,10 @@ interface <dfn interface>BeforeUnloadEvent</dfn> : <span>Event</span> {
 
   <ol>
    <li><p>If <var>A</var>'s <span>active document</span>'s <span
-   data-x="concept-document-origin">origin</span> is <span>same origin</span> with <var>B</var>'s
-   <span>active document</span>'s <span data-x="concept-document-origin">origin</span>, then return
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is <span>same origin</span> with <var>B</var>'s
+   <span>active document</span>'s <span data-x="concept-document-policy-container">policy
+   container</span>'s <span data-x="policy-container-origin">origin</span>, then return
    true.</p></li>
 
    <li><p>If <var>A</var>'s <span data-x="bc-tlbc">top-level browsing context</span> is
@@ -88377,7 +88466,8 @@ interface <dfn interface>BeforeUnloadEvent</dfn> : <span>Event</span> {
    <li>
     <p>If there exists an <span>ancestor browsing context</span> of <var>B</var> whose <span>active
     document</span> has the <span data-x="same origin">same</span> <span
-    data-x="concept-document-origin">origin</span> as the <span>active document</span> of
+    data-x="concept-document-policy-container">policy container</span> <span
+    data-x="policy-container-origin">origin</span> as the <span>active document</span> of
     <var>A</var>, then return true.</p>
 
     <p class="note">This includes the case where <var>A</var> is an <span>ancestor browsing
@@ -88829,7 +88919,8 @@ interface <dfn interface>BeforeUnloadEvent</dfn> : <span>Event</span> {
     null, initially null.</p>
 
     <p class="note">This is the origin that we set "<code data-x="">about:</code>"-schemed
-    <code>Document</code>s' <span data-x="concept-document-origin">origin</span> to. We store it
+    <code>Document</code>s' <span data-x="concept-document-policy-container">policy
+    container</span>'s <span data-x="policy-container-origin">origin</span> to. We store it
     here because it is also used when restoring these <code>Document</code>s during traversal,
     since they are reconstructed locally without visiting the network. It is also used to compare
     the origin before and after the <span>session history entry</span> is <span data-x="attempt to
@@ -89463,9 +89554,6 @@ location.href = '#foo';</code></pre>
    <dd>a <span data-x="concept-response">response</span> that ultimately was navigated to
    (potentially a <span>network error</span>)</dd>
 
-   <dt><dfn data-x="navigation-params-origin">origin</dfn></dt>
-   <dd>an <span>origin</span> to use for the new <code>Document</code></dd>
-
    <dt><dfn data-x="navigation-params-policy-container">policy container</dfn></dt>
    <dd>a <span>policy container</span> to use for the new <code>Document</code></dd>
 
@@ -89555,7 +89643,8 @@ location.href = '#foo';</code></pre>
    params</span> given <var>sourceDocument</var>.</p></li>
 
    <li><p>Let <var>initiatorOriginSnapshot</var> be <var>sourceDocument</var>'s <span
-   data-x="concept-document-origin">origin</span>.</p></li>
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>.</p></li>
 
    <li id="sandboxLinks">
     <p>If <var>sourceDocument</var>'s <span>node navigable</span> is not <span>allowed by
@@ -89773,7 +89862,8 @@ location.href = '#foo';</code></pre>
      data-x="document-state-origin">origin</span> to
      <var>navigable</var>'s <span data-x="nav-parent">parent</span>'s <span
      data-x="nav-document">active document</span>'s <span
-     data-x="concept-document-origin">origin</span>.</p></li>
+     data-x="concept-document-policy-container">policy container</span>'s <span
+     data-x="policy-container-origin">origin</span>.</p></li>
 
      <li><p>Let <var>historyEntry</var> be a new <span>session history entry</span>, with its <span
      data-x="she-url">URL</span> set to <var>url</var> and its <span
@@ -89811,6 +89901,9 @@ location.href = '#foo';</code></pre>
        <var>finalSandboxFlags</var>, <var>documentState</var>'s <span
        data-x="document-state-initiator-origin">initiator origin</span>, and null.</p></li>
 
+       <li><p>Set <var>policyContainer</var>'s <span data-x="policy-container-origin">origin</span>
+       to <var>responseOrigin</var>.</p></li>
+
        <li><p>Let <var>coop</var> be a new <span>cross-origin opener policy</span>.</p></li>
 
        <li>
@@ -89843,11 +89936,8 @@ location.href = '#foo';</code></pre>
          <dt><span data-x="navigation-params-response">response</span></dt>
          <dd><var>response</var></dd>
 
-         <dt><span data-x="navigation-params-origin">origin</span></dt>
-         <dd><var>responseOrigin</var></dd>
-
          <dt><span data-x="navigation-params-policy-container">policy container</span></dt>
-         <dd><var>policyContainer</var></dd>
+         <dd><var>policyContainer</var>
 
          <dt><span data-x="navigation-params-sandboxing">final sandboxing flag set</span></dt>
          <dd><var>finalSandboxFlags</var></dd>
@@ -89943,9 +90033,11 @@ location.href = '#foo';</code></pre>
      context</span> whose <span>disowned</span> is false; and</p></li>
 
      <li><p><var>historyEntry</var>'s <span data-x="she-document">document</span>'s <span
-     data-x="concept-document-origin">origin</span> is not <var>navigable</var>'s <span
+     data-x="concept-document-policy-container">policy container</span>'s <span
+     data-x="policy-container-origin">origin</span> is not <var>navigable</var>'s <span
      data-x="nav-document">active document</span>'s <span
-     data-x="concept-document-origin">origin</span></p></li>
+     data-x="concept-document-policy-container">policy container</span>'s <span
+     data-x="policy-container-origin">origin</span></p></li>
     </ul>
 
     <p>then set <var>historyEntry</var>'s <span data-x="she-document-state">document state</span>'s
@@ -90020,7 +90112,8 @@ location.href = '#foo';</code></pre>
 
    <li><p>If <var>initiatorOrigin</var> is not <span>same origin-domain</span> with
    <var>targetNavigable</var>'s <span data-x="nav-document">active document</span>'s <span
-   data-x="concept-document-origin">origin</span>, then return.</p></li>
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then return.</p></li>
 
    <li>
     <p>Let <var>request</var> be a new <span data-x="concept-request">request</span> whose <span
@@ -90215,11 +90308,10 @@ location.href = '#foo';</code></pre>
      <dt><span data-x="navigation-params-response">response</span></dt>
      <dd><var>response</var></dd>
 
-     <dt><span data-x="navigation-params-origin">origin</span></dt>
-     <dd><var>initiatorOrigin</var></dd>
-
      <dt><span data-x="navigation-params-policy-container">policy container</span></dt>
-     <dd><var>policyContainer</var></dd>
+     <dd>a <span data-x="clone a policy container">clone</span> of <var>policyContainer</var>
+     with its <span data-x="policy-container-origin">origin</span> set to
+     <var>initiatorOrigin</var></dd>
 
      <dt><span data-x="navigation-params-sandboxing">final sandboxing flag set</span></dt>
      <dd><var>finalSandboxFlags</var></dd>
@@ -91018,7 +91110,8 @@ location.href = '#foo';</code></pre>
      data-x="navigation-params-response">response</span>, <var>navigable</var>,
      <var>navigationParams</var>'s <span data-x="navigation-params-policy-container">policy
      container</span>'s <span data-x="policy-container-csp-list">CSP list</span>, and
-     <var>navigationParams</var>'s <span data-x="navigation-params-origin">origin</span> is false,
+     <var>navigationParams</var>'s <span data-x="navigation-params-policy-container">policy
+     container</span>'s <span data-x="policy-container-origin">origin</span> is false,
      then set <var>failure</var> to true.</p></li>
 
      <li>
@@ -91124,7 +91217,8 @@ location.href = '#foo';</code></pre>
 
        <li><p>Set <var>entry</var>'s <span data-x="she-document-state">document state</span>'s
        <span data-x="document-state-origin">origin</span> to <var>document</var>'s <span
-       data-x="concept-document-origin">origin</span>.</p></li>
+       data-x="concept-document-policy-container">policy container</span>'s <span
+       data-x="policy-container-origin">origin</span>.</p></li>
       </ol>
      </li>
 
@@ -91207,6 +91301,9 @@ location.href = '#foo';</code></pre>
    <var>navigable</var>'s <span data-x="nav-container-document">container document</span>'s <span
    data-x="concept-document-policy-container">policy container</span>, and null.</p></li>
 
+   <li><p>Set <var>policyContainer</var>'s <span data-x="policy-container-origin">origin</span>
+   to <var>responseOrigin</var>.</p></li>
+
    <li>
     <p>Return a new <span>navigation params</span>, with</p>
 
@@ -91220,9 +91317,6 @@ location.href = '#foo';</code></pre>
      <dt><span data-x="navigation-params-response">response</span></dt>
      <dd><var>response</var></dd>
 
-     <dt><span data-x="navigation-params-origin">origin</span></dt>
-     <dd><var>responseOrigin</var></dd>
-
      <dt><span data-x="navigation-params-policy-container">policy container</span></dt>
      <dd><var>policyContainer</var></dd>
 
@@ -91392,7 +91486,8 @@ location.href = '#foo';</code></pre>
 
      <dt><span data-x="coop-enforcement-origin">origin</span></dt>
      <dd><var>navigable</var>'s <span data-x="nav-document">active document</span>'s <span
-     data-x="concept-document-origin">origin</span></dd>
+     data-x="concept-document-policy-container">policy container</span>'s <span
+     data-x="policy-container-origin">origin</span></dd>
 
      <dt><span data-x="coop-enforcement-coop">cross-origin opener policy</span></dt>
      <dd><var>navigable</var>'s <span data-x="nav-document">active document</span>'s <span
@@ -91400,7 +91495,8 @@ location.href = '#foo';</code></pre>
 
      <dt><span data-x="coop-enforcement-source">current context is navigation source</span></dt>
      <dd>true if <var>navigable</var>'s <span data-x="nav-document">active document</span>'s <span
-     data-x="concept-document-origin">origin</span> is <span>same origin</span> with
+     data-x="concept-document-policy-container">policy container</span>'s <span
+     data-x="policy-container-origin">origin</span> is <span>same origin</span> with
      <var>entry</var>'s <span data-x="she-document-state">document state</span>'s <span
      data-x="document-state-initiator-origin">initiator origin</span> otherwise false</dd>
     </dl>
@@ -91605,7 +91701,8 @@ location.href = '#foo';</code></pre>
       <span>child navigable</span>, and the result of performing a <span>cross-origin resource
       policy check</span> with <var>navigable</var>'s <span
       data-x="nav-container-document">container document</span>'s <span
-      data-x="concept-document-origin">origin</span>, <var>navigable</var>'s <span
+      data-x="concept-document-policy-container">policy container</span>'s <span
+      data-x="policy-container-origin">origin</span>, <var>navigable</var>'s <span
       data-x="nav-container-document">container document</span>'s <span>relevant settings
       object</span>, <var>request</var>'s <span
       data-x="concept-request-destination">destination</span>, <var>response</var>, and true is
@@ -91795,6 +91892,9 @@ location.href = '#foo';</code></pre>
    <var>sourceSnapshotParams</var>'s <span data-x="source-snapshot-params-policy-container">source
    policy container</span>, null, and <var>responsePolicyContainer</var>.</p></li>
 
+   <li><p>Set <var>resultPolicyContainer</var>'s <span
+   data-x="policy-container-origin">origin</span> to <var>responseOrigin</var></p></li>.
+
    <li>
     <p>Return a new <span>navigation params</span>, with</p>
 
@@ -91808,9 +91908,6 @@ location.href = '#foo';</code></pre>
      <dt><span data-x="navigation-params-response">response</span></dt>
      <dd><var>response</var></dd>
 
-     <dt><span data-x="navigation-params-origin">origin</span></dt>
-     <dd><var>responseOrigin</var></dd>
-
      <dt><span data-x="navigation-params-policy-container">policy container</span></dt>
      <dd><var>resultPolicyContainer</var></dd>
 
@@ -91845,10 +91942,13 @@ location.href = '#foo';</code></pre>
   <span>node navigable</span> is a <span>top-level traversable</span> or if all of its
   <code>Document</code>'s <span>ancestor navigables</span> all have <span
   data-x="nav-document">active documents</span> whose <span
-  data-x="concept-document-origin">origins</span> are the <span>same origin</span> as the element's
-  <span>node document</span>'s <span data-x="concept-document-origin">origin</span>. If an element
+  data-x="concept-document-policy-container">policy containers</span>' <span
+  data-x="policy-container-origin">origins</span> are the <span>same origin</span> as the element's
+  <span>node document</span>'s <span data-x="concept-document-policy-container">policy
+  container</span>'s <span data-x="policy-container-origin">origin</span>. If an element
   has a <span>browsing context scope origin</span>, then its value is the <span
-  data-x="concept-document-origin">origin</span> of the element's <span>node document</span>.</p>
+  data-x="policy-container-origin">origin</span> of the element's <span>node document</span>'s
+  <span data-x="concept-document-policy-container">policy container</span>.</p>
 
   <p class="XXX">This definition is broken and needs investigation to see what it was intended to
   express: see <a href="https://github.com/whatwg/html/issues/4703">issue #4703</a>.</p>
@@ -92200,7 +92300,8 @@ location.href = '#foo';</code></pre>
 
        <li>
         <p>If <var>targetEntry</var>'s <span data-x="she-document">document</span>'s <span
-        data-x="concept-document-origin">origin</span> is not <var>oldOrigin</var>, then set
+        data-x="concept-document-policy-container">policy container</span>'s <span
+        data-x="policy-container-origin">origin</span> is not <var>oldOrigin</var>, then set
         <var>targetEntry</var>'s <span data-x="she-serialized-state">serialized state</span> to
         <span>StructuredSerializeForStorage</span>(null).</p>
 
@@ -92220,7 +92321,8 @@ location.href = '#foo';</code></pre>
          context</span> whose <span>disowned</span> is false; and</p></li>
 
          <li><p><var>targetEntry</var>'s <span data-x="she-document">document</span>'s <span
-         data-x="concept-document-origin">origin</span> is not <var>oldOrigin</var></p></li>
+         data-x="concept-document-policy-container">policy container</span>'s <span
+         data-x="policy-container-origin">origin</span> is not <var>oldOrigin</var></p></li>
         </ul>
 
         <p>then set <var>targetEntry</var>'s <span data-x="she-document-state">document
@@ -93149,7 +93251,8 @@ location.href = '#foo';</code></pre>
     data-x="navigation-params-navigable">navigable</span>'s <span data-x="nav-bc">active browsing
     context</span>. In such a case, the created <code>Window</code>, <code>Document</code>, and
     <span>agent</span> will not end up being used; because the created <code>Document</code>'s
-    <span data-x="concept-document-origin">origin</span> is <span
+    <span data-x="concept-document-policy-container">policy container</span>'s <span
+    data-x="policy-container-origin">origin </span> is <span
     data-x="concept-origin-opaque">opaque</span>, we will end up creating a new <span>agent</span>
     and <code>Window</code> <a href="#create-new-agent-and-window">later in this algorithm</a> to
     go along with the new <code>Document</code>.</p>
@@ -93158,7 +93261,8 @@ location.href = '#foo';</code></pre>
    <li>
     <p>Let <var>permissionsPolicy</var> be the result of <span>creating a permissions policy from a
     response</span> given <var>browsingContext</var>, <var>navigationParams</var>'s <span
-    data-x="navigation-params-origin">origin</span>, and <var>navigationParams</var>'s <span
+    data-x="navigation-params-policy-container">policy container</span>'s <span
+    data-x="policy-container-origin">origin</span>, and <var>navigationParams</var>'s <span
     data-x="navigation-params-response">response</span>. <ref spec="PERMISSIONSPOLICY"></p>
 
     <div class="note">
@@ -93167,7 +93271,8 @@ location.href = '#foo';</code></pre>
      been used for <var>navigationParams</var>'s <span
      data-x="navigation-params-navigable">navigable</span>'s <span
      data-x="nav-container-document">container document</span>, then its <span
-     data-x="concept-document-origin">origin</span> cannot be <span>same origin-domain</span> with
+     data-x="concept-document-policy-container">policy container</span>'s <span
+     data-x="policy-container-origin">origin</span> cannot be <span>same origin-domain</span> with
      the passed origin, because these steps run before the <var>document</var> is created, so it
      cannot itself yet have used <code data-x="dom-document-domain">document.domain</code>. Note
      that this means that Permissions Policy checks are less permissive compared to doing a
@@ -93191,9 +93296,11 @@ location.href = '#foo';</code></pre>
    <li>
     <p>If <var>browsingContext</var>'s <span>active document</span>'s <span>is initial
     <code>about:blank</code></span> is true, and <var>browsingContext</var>'s <span>active
-    document</span>'s <span data-x="concept-document-origin">origin</span> is <span>same
+    document</span>'s <span data-x="concept-document-policy-container">policy container</span>'s
+    <span data-x="policy-container-origin">origin</span> is <span>same
     origin-domain</span> with <var>navigationParams</var>'s <span
-    data-x="navigation-params-origin">origin</span>, then set <var>window</var> to
+    data-x="navigation-params-policy-container">policy container</span>'s <span
+    data-x="policy-container-origin">origin</span>, then set <var>window</var> to
     <var>browsingContext</var>'s <span>active window</span>.</p>
 
     <p class="note">This means that both the <span data-x="is initial about:blank">initial
@@ -93220,7 +93327,8 @@ location.href = '#foo';</code></pre>
 
      <li><p>Let <var>agent</var> be the result of <span
      data-x="obtain-similar-origin-window-agent">obtaining a similar-origin window agent</span>
-     given <var>navigationParams</var>'s <span data-x="navigation-params-origin">origin</span>,
+     given <var>navigationParams</var>'s <span data-x="navigation-params-policy-container">policy
+     container</span>'s <span data-x="policy-container-origin">origin</span>,
      <var>browsingContext</var>'s <span data-x="tlbc group">group</span>, and
      <var>requestsOAC</var>.</p></li>
 
@@ -93242,7 +93350,8 @@ location.href = '#foo';</code></pre>
      <li><p>Let <var>topLevelCreationURL</var> be <var>creationURL</var>.</p></li>
 
      <li><p>Let <var>topLevelOrigin</var> be <var>navigationParams</var>'s <span
-     data-x="navigation-params-origin">origin</span>.</p></li>
+     data-x="navigation-params-policy-container">policy container</span>'s <span
+     data-x="policy-container-origin">origin</span>.</p></li>
 
      <li>
       <p>If <var>navigable</var>'s <span data-x="nav-container">container</span> is not null,
@@ -93286,9 +93395,6 @@ location.href = '#foo';</code></pre>
      <dt><span data-x="concept-document-content-type">content type</span></dt>
      <dd><var>contentType</var></dd>
 
-     <dt><span data-x="concept-document-origin">origin</span></dt>
-     <dd><var>navigationParams</var>'s <span data-x="navigation-params-origin">origin</span></dd>
-
      <dt><span data-x="concept-document-bc">browsing context</span></dt>
      <dd><var>browsingContext</var>
 
@@ -93767,9 +93873,6 @@ new PaymentRequest(&hellip;); // Allowed to use
      <dt><span data-x="navigation-params-response">response</span></dt>
      <dd>a new <span data-x="concept-response">response</span></dd>
 
-     <dt><span data-x="navigation-params-origin">origin</span></dt>
-     <dd><var>origin</var></dd>
-
      <dt><span data-x="navigation-params-policy-container">policy container</span></dt>
      <dd>a new <span>policy container</span></dd>
 
@@ -93812,7 +93915,8 @@ new PaymentRequest(&hellip;); // Allowed to use
   </ol>
 
   <p class="note">Because we ensure the resulting <code>Document</code>'s <span
-  data-x="concept-document-origin">origin</span> is <span
+  data-x="concept-document-policy-container">policy container</span>'s <span
+  data-x="policy-container-origin">origin</span> is <span
   data-x="concept-origin-opaque">opaque</span>, and the resulting <code>Document</code> cannot run
   script with access to the DOM, the existence and properties of this <code>Document</code> are not
   observable to web developer code. This means that most of the above values, e.g., the
@@ -94002,8 +94106,10 @@ new PaymentRequest(&hellip;); // Allowed to use
 
    <li><p>If <var>newDocument</var> is given, <var>newDocument</var>'s <span>was created via
    cross-origin redirects</span> is false, and <var>newDocument</var>'s <span
-   data-x="concept-document-origin">origin</span> is the <span data-x="same origin">same</span> as
-   <var>oldDocument</var>'s <span data-x="concept-document-origin">origin</span>, then set
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is the <span data-x="same origin">same</span> as
+   <var>oldDocument</var>'s <span data-x="concept-document-policy-container">policy
+   container</span>'s <span data-x="policy-container-origin">origin</span>, then set
    <var>newDocument</var>'s <span>previous document unload timing</span> to
    <var>unloadTimingInfo</var>.</p></li>
   </ol>
@@ -94256,9 +94362,10 @@ new PaymentRequest(&hellip;); // Allowed to use
       <p><span>While</span> <var>containerDocument</var> is not null:</p>
 
       <ol>
-       <li><p>If <var>containerDocument</var>'s <span data-x="concept-document-origin">origin</span>
-       is not <span>same origin</span> with <var>destinationOrigin</var>, then return
-       false.</p></li>
+       <li><p>If <var>containerDocument</var>'s <span
+       data-x="concept-document-policy-container">policy container</span>'s <span
+       data-x="policy-container-origin">origin</span> is not <span>same origin</span> with
+       <var>destinationOrigin</var>, then return false.</p></li>
 
        <li><p>Set <var>containerDocument</var> to <var>containerDocument</var>'s <span
        data-x="doc-container-document">container document</span>.</p></li>
@@ -94863,7 +94970,8 @@ new PaymentRequest(&hellip;); // Allowed to use
     <p>A <span class="XXX" data-x="">for now</span> <span>implementation-defined</span> value, null,
     or an <span>origin</span>. For a "top-level" potential execution environment it is null (i.e.,
     when there is no response yet); otherwise it is the "top-level" <span>environment</span>'s <span
-    data-x="concept-settings-object-origin">origin</span>. For a dedicated worker or worklet it is
+    data-x="concept-settings-object-policy-container">policy container</span>'s <span
+    data-x="policy-container-origin">origin</span>. For a dedicated worker or worklet it is
     the <span>top-level origin</span> of its creator. For a shared or service worker it is an
     <span>implementation-defined</span> value.</p>
 
@@ -94936,13 +95044,6 @@ new PaymentRequest(&hellip;); // Allowed to use
     object</span> to <span data-x="parse a url">parse URLs</span>.</p>
    </dd>
 
-   <dt>An <dfn data-x="concept-settings-object-origin" export for="environment
-   settings object">origin</dfn></dt>
-
-   <dd>
-    <p>An <span>origin</span> used in security checks.</p>
-   </dd>
-
    <dt>A <dfn data-x="concept-settings-object-policy-container" export
    for="environment settings object">policy container</dfn></dt>
 
@@ -101297,7 +101398,8 @@ document.body.appendChild(frame)</code></pre>
   <p>The <dfn attribute for="WindowOrWorkerGlobalScope"
   data-x="dom-origin"><code>origin</code></dfn> getter steps are to return <span>this</span>'s
   <span>relevant settings object</span>'s <span
-  data-x="concept-settings-object-origin">origin</span>, <span data-x="serialization of an
+  data-x="concept-settings-object-policy-container">policy container</span>'s <span
+  data-x="policy-container-origin">origin</span>, <span data-x="serialization of an
   origin">serialized</span>.</p>
 
   <p>The <dfn attribute for="WindowOrWorkerGlobalScope"
@@ -101434,9 +101536,11 @@ document.body.appendChild(frame)</code></pre>
    <li><p>Let <var>entryDocument</var> be the <span>entry global object</span>'s <span
    data-x="concept-document-window">associated <code>Document</code></span>.</p></li>
 
-   <li><p>If <var>document</var>'s <span data-x="concept-document-origin">origin</span> is not
+   <li><p>If <var>document</var>'s <span data-x="concept-document-policy-container">policy
+   container</span>'s <span data-x="policy-container-origin">origin</span> is not
    <span>same origin</span> to <var>entryDocument</var>'s <span
-   data-x="concept-document-origin">origin</span>, then throw a
+   data-x="concept-document-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li>
@@ -102516,7 +102620,8 @@ function sendData(data) {
    modals flag</span> set, then return true.</p></li>
 
    <li><p>If <var>window</var>'s <span>relevant settings object</span>'s <span
-   data-x="concept-settings-object-origin">origin</span> and <var>window</var>'s <span>relevant
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> and <var>window</var>'s <span>relevant
    settings object</span>'s <span>top-level origin</span> are not <span>same origin-domain</span>,
    then return true.</p></li>
 
@@ -103216,7 +103321,8 @@ interface <dfn interface>Navigator</dfn> {
    <li><p>If the <span>resulting URL record</span>'s <span data-x="concept-url-scheme">scheme</span>
    is not an <span>HTTP(S) scheme</span> or the <span>resulting URL record</span>'s <span
    data-x="concept-url-origin">origin</span> is not <span>same origin</span> with
-   <var>environment</var>'s <span data-x="concept-settings-object-origin">origin</span>, then throw
+   <var>environment</var>'s <span data-x="concept-settings-object-policy-container">policy
+   container</span>'s <span data-x="policy-container-origin">origin</span>, then throw
    a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li>
@@ -104438,7 +104544,8 @@ typedef (<span>WindowProxy</span> or <span>MessagePort</span> or <span>ServiceWo
   <p>The <dfn attribute for="MessageEvent"><code
   data-x="dom-MessageEvent-origin">origin</code></dfn> attribute must return the value it was
   initialized to. It represents, in <span>server-sent events</span> and <span>cross-document
-  messaging</span>, the <span data-x="concept-document-origin">origin</span> of the document that
+  messaging</span>, the <span data-x="concept-document-policy-container">policy container</span>'s
+  <span data-x="policy-container-origin">origin</span> of the document that
   sent the message (typically the scheme, hostname, and port of the document, but not its path or
   <span data-x="concept-url-fragment">fragment</span>).</p>
 
@@ -105501,7 +105608,8 @@ function receiver(e) {
 
    <li><p>If <var>targetOrigin</var> is a single U+002F SOLIDUS character (/), then set
    <var>targetOrigin</var> to <var>incumbentSettings</var>'s <span
-   data-x="concept-settings-object-origin">origin</span>.</p>
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>.</p>
 
    <li>
     <p>Otherwise, if <var>targetOrigin</var> is not a single U+002A ASTERISK character (*),
@@ -105533,12 +105641,14 @@ function receiver(e) {
     <ol>
      <li><p>If the <var>targetOrigin</var> argument is not a single literal U+002A ASTERISK character
      (*) and <var>targetWindow</var>'s <span data-x="concept-document-window">associated
-     <code>Document</code></span>'s <span data-x="concept-document-origin">origin</span> is not
+     <code>Document</code></span>'s <span data-x="concept-document-policy-container">policy
+     container</span>'s <span data-x="policy-container-origin">origin</span> is not
      <span>same origin</span> with <var>targetOrigin</var>, then return.</p></li>
 
      <li><p>Let <var>origin</var> be the <span data-x="serialization of an
      origin">serialization</span> of <var>incumbentSettings</var>'s <span
-     data-x="concept-settings-object-origin">origin</span>.</p></li>
+     data-x="concept-settings-object-policy-container">policy container</span>'s <span
+     data-x="policy-container-origin">origin</span>.</p></li>
 
      <li><p>Let <var>source</var> be the <code>WindowProxy</code> object corresponding to
      <var>incumbentSettings</var>'s <span data-x="concept-settings-object-global">global
@@ -106286,7 +106396,8 @@ interface <dfn interface>BroadcastChannel</dfn> : <span>EventTarget</span> {
    any exceptions.</p></li>
 
    <li><p>Let <var>sourceOrigin</var> be <span>this</span>'s <span>relevant settings object</span>'s
-   <span data-x="concept-settings-object-origin">origin</span>.</p></li>
+   <span data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>.</p></li>
 
    <li><p>Let <var>sourceStorageKey</var> be the result of running <span>obtain a storage key for
    non-storage purposes</span> with <span>this</span>'s <span>relevant settings
@@ -107246,6 +107357,12 @@ interface <dfn interface>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope
     <code>SharedWorkerGlobalScope</code> object created in the previous step.</p>
    </li>
 
+   <li><p>Set <var>worker global scope</var>'s
+   <span data-x="concept-WorkerGlobalScope-policy-container">policy container</span>'s
+   <span data-x="policy-container-origin">origin</span> to <var>outside settings</var>'s
+   <span data-x="concept-settings-object-policy-container">policy container</span>'s
+   <span data-x="policy-container-origin">origin</span>.</p></li>
+
    <li><p><span>Set up a worker environment settings object</span> with <var>realm execution
    context</var>, <var>outside settings</var>, and <var>unsafeWorkerCreationTime</var>, and let
    <var>inside settings</var> be the result.</p></li>
@@ -107264,7 +107381,8 @@ interface <dfn interface>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope
      <li><p>Set <var>worker global scope</var>'s <span
      data-x="concept-SharedWorkerGlobalScope-constructor-origin">constructor origin</span> to
      <var>outside settings</var>'s <span
-     data-x="concept-settings-object-origin">origin</span>.</p></li>
+     data-x="concept-settings-object-policy-container">policy container</span>'s <span
+     data-x="policy-container-origin">origin</span>.</p></li>
 
      <li><p>Set <var>worker global scope</var>'s <span
      data-x="concept-SharedWorkerGlobalScope-constructor-url">constructor url</span> to
@@ -107614,7 +107732,8 @@ interface <dfn interface>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope
 
   <ol>
    <li><p>Let <var>inherited origin</var> be <var>outside settings</var>'s <span
-   data-x="concept-settings-object-origin">origin</span>.</p></li>
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span>.</p></li>
 
    <li><p>Let <var>realm</var> be the value of <var>execution context</var>'s Realm
    component.</p></li>
@@ -107649,14 +107768,6 @@ interface <dfn interface>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope
       data-x="concept-WorkerGlobalScope-url">url</span>.</p>
      </dd>
 
-     <dt>The <span data-x="concept-settings-object-origin">origin</span></dt>
-     <dd>
-      <p>Return a unique <span data-x="concept-origin-opaque">opaque origin</span> if <var>worker
-      global scope</var>'s <span data-x="concept-WorkerGlobalScope-url">url</span>'s <span
-      data-x="concept-url-scheme">scheme</span> is "<code data-x="">data</code>", and <var>inherited
-      origin</var> otherwise.</p>
-     </dd>
-
      <dt>The <span data-x="concept-settings-object-policy-container">policy container</span></dt>
      <dd>
       <p>Return <var>worker global scope</var>'s <span
@@ -107677,6 +107788,18 @@ interface <dfn interface>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope
     </dl>
    </li>
 
+   <li><p><span>Assert</span> that <var>settings object</var>'s <span
+   data-x="concept-settings-object-policy-container">policy container</span>'s <span
+   data-x="policy-container-origin">origin</span> is an <span data-x="concept-origin-opaque">opaque
+   origin</span>.</p></li>
+
+   <li><p>If <var>worker global scope</var>'s <span
+   data-x="concept-WorkerGlobalScope-url">url</span>'s <span
+   data-x="concept-url-scheme">scheme</span> is not "<code data-x="">data</code>", then set
+   <var>settings object</var>'s <span data-x="concept-settings-object-policy-container">policy
+   container</span>'s <span data-x="policy-container-origin">origin</span> to <var>inherited
+   origin</var>.</p></li>
+
    <li><p>Set <var>settings object</var>'s <span data-x="concept-environment-id">id</span> to a new
    unique opaque string, <span data-x="concept-environment-creation-url">creation URL</span> to
    <var>worker global scope</var>'s <span>url</span>, <span>top-level creation URL</span> to null,
@@ -108812,8 +108935,6 @@ interface <dfn interface>WorkletGlobalScope</dfn> {};</code></pre>
   object</span> <var>outsideSettings</var>:</p>
 
   <ol>
-   <li><p>Let <var>origin</var> be a unique <span data-x="concept-origin-opaque">opaque
-   origin</span>.</p></li>
 
    <li><p>Let <var>inheritedAPIBaseURL</var> be <var>outsideSettings</var>'s <span>API base
    URL</span>.</p></li>
@@ -108822,6 +108943,10 @@ interface <dfn interface>WorkletGlobalScope</dfn> {};</code></pre>
    container">clone</span> of <var>outsideSettings</var>'s <span
    data-x="concept-settings-object-policy-container">policy container</span>.</p></li>
 
+   <li><p>Set <var>inheritedPolicyContainer</var>'s <span
+   data-x="policy-container-origin">origin</span> to a unique <span
+   data-x="concept-origin-opaque">opaque origin</span>.</p></li>
+
    <li><p>Let <var>realm</var> be the value of <var>executionContext</var>'s Realm
    component.</p></li>
 
@@ -108861,11 +108986,6 @@ interface <dfn interface>WorkletGlobalScope</dfn> {};</code></pre>
       available to worklet code make use of the <span>API base URL</span>.</p>
      </dd>
 
-     <dt>The <span data-x="concept-settings-object-origin">origin</span></dt>
-     <dd>
-      <p>Return <var>origin</var>.</p>
-     </dd>
-
      <dt>The <span data-x="concept-settings-object-policy-container">policy container</span></dt>
      <dd>
       <p>Return <var>inheritedPolicyContainer</var>.</p>
@@ -109517,7 +109637,8 @@ interface <dfn interface>Storage</dfn> {
     session storage area.</p>
 
     <p>Throws a <span>"<code>SecurityError</code>"</span> <code>DOMException</code> if the
-    <code>Document</code>'s <span data-x="concept-document-origin">origin</span> is an <span
+    <code>Document</code>'s <span data-x="concept-document-policy-container">policy
+    container</span>'s <span data-x="policy-container-origin">origin</span> is an <span
     data-x="concept-origin-opaque">opaque origin</span> or if the request violates a policy decision
     (e.g., if the user agent is configured to not allow the page to persist data).</p>
    </dd>
@@ -109577,7 +109698,8 @@ interface <dfn interface>Storage</dfn> {
     storage area.</p>
 
     <p>Throws a <span>"<code>SecurityError</code>"</span> <code>DOMException</code> if the
-    <code>Document</code>'s <span data-x="concept-document-origin">origin</span> is an <span
+    <code>Document</code>'s <span data-x="concept-document-policy-container">policy
+    container</span>'s <span data-x="policy-container-origin">origin</span> is an <span
     data-x="concept-origin-opaque">opaque origin</span> or if the request violates a policy decision
     (e.g., if the user agent is configured to not allow the page to persist data).</p>
    </dd>
@@ -111584,9 +111706,11 @@ dictionary <dfn dictionary>StorageEventInit</dfn> : <span>EventInit</span> {
      <li><p>Let <var>parentDocument</var> be <var>d</var>'s <span
      data-x="doc-container-document">container document</span>.</p></li>
 
-     <li><p>If <var>parentDocument</var>'s <span data-x="concept-document-origin">origin</span> is
+     <li><p>If <var>parentDocument</var>'s <span data-x="concept-document-policy-container">policy
+     container</span>'s <span data-x="policy-container-origin">origin</span> is
      <span>same origin</span> with <var>d</var>'s <span
-     data-x="concept-document-origin">origin</span> and <var>parentDocument</var>'s <span
+     data-x="concept-document-policy-container">policy container</span>'s <span
+     data-x="policy-container-origin">origin</span> and <var>parentDocument</var>'s <span
      data-x="document's character encoding">character encoding</span> is not
      <span>UTF-16BE/LE</span>, then return <var>parentDocument</var>'s <span data-x="document's
      character encoding">character encoding</span>, with the <span