diff --git a/source b/source
index 260d0228fa1..65164728782 100644
--- a/source
+++ b/source
@@ -2460,7 +2460,8 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
 
     <ul class="brief">
      <li><dfn data-x="http-structured-header" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html">structured header</dfn></li>
-     <li><dfn data-x="http-structured-header-token" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html#token">structured header tokens</dfn></li>
+     <li><dfn data-x="http-structured-header-token" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html#token">token</dfn></li>
+     <li><dfn data-x="http-structured-header-parameters" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html#param">parameters</dfn></li>
     </ul>
 
     <p>The following terms are defined in <cite>MIME Sniffing</cite>: <ref spec=MIMESNIFF></p>
@@ -2486,6 +2487,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
     <ul class="brief">
      <li><dfn><code>about:blank</code></dfn></li>
      <li>An <dfn data-x-href="https://fetch.spec.whatwg.org/#http-scheme">HTTP(S) scheme</dfn></li>
+     <li>A <dfn data-x-href="https://fetch.spec.whatwg.org/#local-scheme">local scheme</dfn></li>
      <li>A <dfn data-x-href="https://fetch.spec.whatwg.org/#network-scheme">network scheme</dfn></li>
      <li>A <dfn data-x-href="https://fetch.spec.whatwg.org/#fetch-scheme">fetch scheme</dfn></li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#concept-https-state-value">HTTPS state value</dfn></li>
@@ -2498,12 +2500,15 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x="navigation-request" data-x-href="https://fetch.spec.whatwg.org/#navigation-request">navigation request</dfn></li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#concept-network-error">network error</dfn></li>
      <li>`<dfn data-dfn-type="http-header" data-x="http-origin" data-x-href="https://fetch.spec.whatwg.org/#http-origin"><code>Origin</code></dfn>` header</li>
+     <li>`<dfn data-x-href="https://fetch.spec.whatwg.org/#http-cross-origin-resource-policy"><code>Cross-Origin-Resource-Policy</code></dfn>` header</li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#process-response">process response</dfn></li>
      <li><dfn data-x="concept-header-list-set" data-x-href="https://fetch.spec.whatwg.org/#concept-header-list-set">set</dfn></li>
      <li><dfn data-x="concept-fetch-terminate" data-x-href="https://fetch.spec.whatwg.org/#concept-fetch-terminate">terminate</dfn></li>
+     <li><dfn data-x-href="https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check">cross-origin resource policy check</dfn></li>
      <li>the <dfn data-x-href="https://fetch.spec.whatwg.org/#requestcredentials"><code>RequestCredentials</code></dfn> enumeration</li>
      <li>the <dfn data-x-href="https://fetch.spec.whatwg.org/#requestdestination"><code>RequestDestination</code></dfn> enumeration</li>
      <li>the <dfn data-x-href="https://fetch.spec.whatwg.org/#dom-global-fetch"><code>fetch()</code></dfn> method</li>
+     <li><dfn data-x="serialize-a-response-url-for-reporting" data-x-href="https://fetch.spec.whatwg.org/#serialize-a-response-url-for-reporting">serialize a response URL for reporting</dfn></li>
      <li>
       <dfn data-x="concept-response"
       data-x-href="https://fetch.spec.whatwg.org/#concept-response">response</dfn> and its
@@ -3157,6 +3162,20 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
    </dd>
 
 
+   <dt>Reporting</dt>
+
+   <dd>
+    <p>The following terms are defined in <cite>Reporting</cite>: <ref
+    spec=REPORTING></p>
+
+    <ul class="brief">
+     <li><dfn data-x-href="https://w3c.github.io/reporting/#queue-report">Queue a report</dfn></li>
+     <li><dfn data-x-href="https://w3c.github.io/reporting/#report-type">report type</dfn></li>
+     <li><dfn data-x-href="https://w3c.github.io/reporting/#visible-to-reportingobservers">visible to <code>ReportingObserver</code>s</dfn></li>
+    </ul>
+   </dd>
+
+
    <dt>XMLHttpRequest</dt>
 
    <dd>
@@ -3934,18 +3953,6 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
     </ul>
    </dd>
 
-   <dt>Cross-Origin Embedder Policy</dt>
-
-   <dd>
-    <p>The following features are defined in <cite>Cross-Origin Embedder Policy</cite>: <ref
-    spec=COEP></p>
-
-    <ul class="brief">
-     <li>`<dfn data-x-href="https://wicg.github.io/cross-origin-embedder-policy/#http-headerdef-cross-origin-embedder-policy"><code>Cross-Origin-Embedder-Policy</code></dfn>` header</li>
-     <li><dfn data-x="obtain-cross-origin-embedder-policy" data-x-href="https://wicg.github.io/cross-origin-embedder-policy/#abstract-opdef-obtain-a-responses-embedder-policy">obtain a response's embedder policy</dfn></li>
-    </ul>
-   </dd>
-
   </dl>
 
   <hr>
@@ -9027,6 +9034,9 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
   empty string, which represents the default <span>referrer policy</span> used by <span
   data-x="concept-fetch">fetches</span> initiated by the <code>Document</code>.</p>
 
+  <p>The <code>Document</code> has an <dfn data-x="concept-document-embedder-policy">embedder
+  policy</dfn> (an <span>embedder policy</span>).</p>
+
   <p>The <code>Document</code> has a <dfn data-x="concept-document-csp-list" data-export=""
   data-dfn-for="Document">CSP list</dfn>, which is a <span data-x="concept-csp-list">CSP list</span>
   containing all of the <span>Content Security Policy</span> objects active for the document. The
@@ -76674,6 +76684,10 @@ popup4.close();</code></pre></div>
    <span data-x="concept-document-referrer-policy">referrer policy</span> to <var>creator</var>'s
    <span data-x="concept-document-referrer-policy">referrer policy</span>.</p></li>
 
+   <li><p>If <var>creator</var> is non-null, then set <var>document</var>'s
+   <span data-x="concept-document-embedder-policy">embedder policy</span> to <var>creator</var>'s
+   <span data-x="concept-document-embedder-policy">embedder policy</span>.</p></li>
+
    <li><p>Add <var>document</var> to <var>browsingContext</var>'s <span>session
    history</span>.</p></li>
 
@@ -78832,6 +78846,11 @@ interface <dfn>BarProp</dfn> {
        <li><p>Return <var>document</var>'s <span data-x="concept-document-referrer-policy">referrer
        policy</span>.</p></li>
       </ol>
+
+     <dt>The <span data-x="concept-settings-object-embedder-policy">embedder policy</span></dt>
+     <dd><p>Return <var>window</var>'s <span data-x="concept-document-window">associated
+     <code>Document</code></span>'s <span data-x="concept-document-embedder-policy">embedder
+     policy</span>.</p>
     </dl>
    </li>
 
@@ -80073,9 +80092,8 @@ interface <dfn>BarProp</dfn> {
     <p>If <var>value</var>[0] is "<code data-x="coop-same-origin">same-origin</code>", then:</p>
 
     <ol>
-     <li><p>Let <var>coep</var> be the result of <span
-     data-x="obtain-cross-origin-embedder-policy">obtaining a cross-origin embedder
-     policy</span> from <var>response</var>.</p></li>
+     <li><p>Let <var>coep</var> be the result of <span data-x="obtain an embedder policy">obtaining
+     an embedder policy</span> from <var>response</var>.</p></li>
 
      <li><p>If <var>coep</var> is "<code data-x="">require-corp</code>", then return "<code
      data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>".</p></li>
@@ -80176,6 +80194,277 @@ interface <dfn>BarProp</dfn> {
 
 
 
+  <h3 id="coep">Cross-origin embedder policies</h3>
+
+  <p>An <dfn data-export="">embedder policy value</dfn> controls the fetching of cross-origin
+  resources without explicit permission from resource owners. There are two such values:</p>
+
+  <dl>
+   <dt>"<dfn data-x="coep-unsafe-none" data-export="" data-dfn-for="embedder policy value"><code
+   data-x="">unsafe-none</code></dfn>"</dt>
+   <dd><p>This is the default value. When this value is used, cross-origin resources can be fetched
+   without giving explicit permission through the <span>CORS protocol</span> or the
+   `<code>Cross-Origin-Resource-Policy</code>` header.</p></dd>
+
+   <dt>"<dfn data-x="coep-require-corp" data-export="" data-dfn-for="embedder policy value"><code
+   data-x="">require-corp</code></dfn>"</dt>
+   <dd><p>When this value is used, fetching cross-origin resources requires the server's
+   explicit permission through the <span>CORS protocol</span> or the
+   `<code>Cross-Origin-Resource-Policy</code>` header.</p></dd>
+  </dl>
+
+  <p>An <dfn data-export="">embedder policy</dfn> consists of:</p>
+
+  <ul>
+   <li><p>A <dfn data-x="embedder-policy-value" data-dfn-for="embedder policy"
+   data-export="">value</dfn>, which is an <span>embedder policy value</span>, initially "<code
+   data-x="coep-unsafe-none">unsafe-none</code>".</p></li>
+
+   <li><p>A <dfn data-x="embedder-policy-reporting-endpoint" data-dfn-for="embedder policy"
+   data-export="">reporting endpoint</dfn> string, initially the empty string.</p></li>
+
+   <li><p>A <dfn data-x="embedder-policy-report-only-value" data-dfn-for="embedder policy"
+   data-export="">report only value</dfn>, which is an <span>embedder policy value</span>, initially
+   "<code data-x="coep-unsafe-none">unsafe-none</code>".</p></li>
+
+   <li><p>A <dfn data-x="embedder-policy-report-only-reporting-endpoint" data-dfn-for="embedder
+   policy" data-export="">report only reporting endpoint</dfn> string, initially the empty
+   string.</p></li>
+  </ul>
+
+  <p>The <dfn data-export="">"<code>coep</code>" report type</dfn> is a <span>report type</span>
+  whose value is "<code data-x="">coep</code>". It is <span>visible to
+  <code>ReportingObserver</code>s</span>.</p>
+
+  <h4>The headers</h4>
+
+  <p>The `<code>Cross-Origin-Embedder-Policy</code>` and
+  `<code>Cross-Origin-Embedder-Policy-Report-Only</code>` HTTP response header fields allow a server
+  to declare an <span>embedder policy</span> for an <span>environment settings object</span>. These
+  headers are <span data-x="http-structured-header">structured headers</span> whose values must be
+  <span data-x="http-structured-header-token">token</span>. <ref spec=STRUCTURED-HEADERS>
+
+  <p>The valid <span
+  data-x="http-structured-header-token">token</span> values are the <span data-x="embedder policy
+  value">embedder policy values</span>. The token may also have attached <span
+  data-x="http-structured-header-parameters">parameters</span>; of these, the "<dfn
+  data-x="coep-report-to"><code>report-to</code></dfn>" parameter can have a <span>valid URL
+  string</span> identifying an appropriate reporting endpoint. <ref
+  spec=REPORTING></p>
+
+  <div class="note">
+   <p>The <span data-x="obtain an embedder policy">processing model</span> fails open (by defaulting
+   to "<code data-x="coep-unsafe-none">unsafe-none</code>") in the presence of a header that cannot
+   be parsed as a token. This includes inadvertent lists created by combining multiple instances of
+   the `<code>Cross-Origin-Embedder-Policy</code>` header present in a given response:</p>
+
+   <table class="data">
+    <thead>
+     <tr>
+      <th>`<code>Cross-Origin-Embedder-Policy</code>`</th>
+      <th>Final <span>embedder policy value</span></th>
+     </tr>
+    </thead>
+    <tbody>
+     <tr>
+      <td><em>No header delivered</em></td>
+      <td>"<code data-x="coep-unsafe-none">unsafe-none</code>"</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">require-corp</code>`</td>
+      <td>"<code data-x="coep-require-corp">require-corp</code>"</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">unknown-value</code>`</td>
+      <td>"<code data-x="coep-unsafe-none">unsafe-none</code>"</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">require-corp, unknown-value</code>`</td>
+      <td>"<code data-x="coep-unsafe-none">unsafe-none</code>"</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">unknown-value, unknown-value</code>`</td>
+      <td>"<code data-x="coep-unsafe-none">unsafe-none</code>"</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">unknown-value, require-corp</code>`</td>
+      <td>"<code data-x="coep-unsafe-none">unsafe-none</code>"</td>
+     </tr>
+     <tr>
+      <td>`<code data-x="">require-corp, require-corp</code>`</td>
+      <td>"<code data-x="coep-unsafe-none">unsafe-none</code>"</td>
+     </tr>
+    </tbody>
+   </table>
+
+   <p>(The same applies to `<code>Cross-Origin-Embedder-Policy-Report-Only</code>`.)</p>
+  </div>
+
+  <hr>
+
+  <p>To <dfn data-export="">obtain an embedder policy</dfn> from a <span
+  data-x="concept-response">response</span> <var>response</var>:</p>
+
+  <ol>
+   <li><p>Let <var>policy</var> be a new <span>embedder policy</span>.</p></li>
+
+   <li><p>Let <var>parsedItem</var> be the result of <span
+   data-x="concept-response-header-list-get-structured-header">getting a structured header</span>
+   with `<code>Cross-Origin-Embedder-Policy</code>` and "<code data-x="">item</code>".</p></li>
+
+   <li>
+    <p>If <var>parsedItem</var> is neither failure nor null and <var>parsedItem</var>[0] is "<code
+    data-x="">require-corp</code>":</p>
+
+    <ol>
+     <li><p>Set <var>policy</var>'s <span data-x="embedder-policy-value">value</span> to "<code
+     data-x="coep-require-corp">require-corp</code>".</p></li>.
+
+     <li><p>If <var>parsedItem</var>[1]["<code data-x="coep-report-to">report-to</code>"] <span
+     data-x="map exists">exists</span>, then set <var>policy</var>'s <span
+     data-x="embedder-policy-reporting-endpoint">endpoint</span> to <var>parsedItem</var>[1]["<code
+     data-x="coep-report-to">report-to</code>"].</p></li>
+    </ol>
+   </li>
+
+   <li><p>Set <var>parsedItem</var> to the result of <span
+   data-x="concept-response-header-list-get-structured-header">getting a structured header</span>
+   with `<code>Cross-Origin-Embedder-Policy-Report-Only</code>` and "<code
+   data-x="">item</code>".</p></li>
+
+   <li>
+    <p>If <var>parsedItem</var> is neither failure nor null and <var>parsedItem</var>[0] is "<code
+    data-x="">require-corp</code>":</p>
+
+    <ol>
+     <li><p>Set <var>policy</var>'s <span data-x="embedder-policy-report-only-value">report only
+     value</span> to "<code data-x="coep-require-corp">require-corp</code>".</p></li>.
+
+     <li><p>If <var>parsedItem</var>[1]["<code data-x="coep-report-to">report-to</code>"] <span
+     data-x="map exists">exists</span>,  then set <var>policy</var>'s <span
+     data-x="embedder-policy-report-only-reporting-endpoint">report only reporting endpoint</span>
+     to <var>parsedItem</var>[1]["<code data-x="coep-report-to">report-to</code>"].</p></li>
+    </ol>
+   </li>
+
+   <li><p>Return <var>policy</var>.</p></li>
+  </ol>
+
+  <h4>Embedder policy checks</h4>
+
+  <p>To <dfn>check a navigation response's adherence to its embedder policy</dfn> given a <span
+  data-x="concept-response">response</span> <var>response</var> and a <span>browsing context</span>
+  <var>target</var>:</p>
+
+  <ol>
+   <li><p>If <var>target</var> is not a <span>child browsing context</span>, then return
+   true.</p></li>
+
+   <li><p>Let <var>responsePolicy</var> be the result of <span data-x="obtain an embedder
+   policy">obtaining an embedder policy</span> from <var>response</var>.</p></li>
+
+   <li><p>Let <var>parentPolicy</var> be <var>target</var>'s <span
+   data-x="bc-container-document">container document</span>'s <span
+   data-x="concept-document-embedder-policy">embedder policy</span>.</p></li>
+
+   <li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-report-only-value">report only
+   value</span> is "<code data-x="coep-require-corp">require-corp</code>" and
+   <var>responsePolicy</var>'s <span data-x="embedder-policy-value">value</span> is "<code
+   data-x="coep-unsafe-none">unsafe-none</code>", then <span>queue a cross-origin embedder policy
+   inheritance violation</span> with <var>response</var>, "<code data-x="">navigation</code>",
+   <var>parentPolicy</var>'s <span data-x="embedder-policy-report-only-reporting-endpoint">report
+   only reporting endpoint</span>, and <var>target</var>'s <span
+   data-x="bc-container-document">container document</span>'s <span>relevant settings
+   object</span>.</p></li>
+
+   <li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-value">value</span> is "<code
+   data-x="coep-unsafe-none">unsafe-none</code>" or <var>responsePolicy</var>'s <span
+   data-x="embedder-policy-value">value</span> is "<code
+   data-x="coep-require-corp">require-corp</code>", then return true.</p></li>
+
+   <li><p><span>Queue a cross-origin embedder policy inheritance violation</span> with
+   <var>response</var>, "<code data-x="">navigation</code>", <var>parentPolicy</var>'s <span
+   data-x="embedder-policy-reporting-endpoint">reporting endpoint</span>, and <var>target</var>'s
+   <span data-x="bc-container-document">container document</span>'s <span>relevant settings
+   object</span>.</p></li>
+
+   <li><p>Return false.</p></li>
+  </ol>
+
+  <p>To <dfn>check a global object's embedder policy</dfn> given a <code>WorkerGlobalScope</code>
+  <var>workerGlobalScope</var>, an <span>environment settings object</span> <var>owner</var>, and
+  a <span data-x="concept-response">response</span> <var>response</var>:</p>
+
+  <ol>
+   <li><p>If <var>workerGlobalScope</var> is not a <code>DedicatedWorkerGlobalScope</code> object,
+   then return true.</p></li>
+
+   <li><p>Let <var>policy</var> be <var>workerGlobalScope</var>'s <span
+   data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span>.
+
+   <li><p>Let <var>ownerPolicy</var> be <var>owner</var>'s <span
+   data-x="concept-settings-object-embedder-policy">embedder policy</span>.
+
+   <li><p>If <var>ownerPolicy</var>'s <span data-x="embedder-policy-report-only-value">report only
+   value</span> is "<code data-x="coep-require-corp">require-corp</code>" and <var>policy</var>'s
+   <span data-x="embedder-policy-value">value</span> is "<code
+   data-x="coep-unsafe-none">unsafe-none</code>", then <span>queue a cross-origin embedder policy
+   inheritance violation</span> with <var>response</var>, "<code data-x="">worker
+   initialization</code>", <var>owner's policy</var>'s <span
+   data-x="embedder-policy-report-only-reporting-endpoint">report only reporting endpoint</span>,
+   and <var>owner</var>.</p></li>
+
+   <li><p>If <var>ownerPolicy</var>'s <span data-x="embedder-policy-value">value</span> is "<code
+   data-x="coep-unsafe-none">unsafe-none</code>" or <var>policy</var>'s <span
+   data-x="embedder-policy-value">value</span> is "<code
+   data-x="coep-require-corp">require-corp</code>", then return true.</p></li>
+
+   <li><p><span>Queue a cross-origin embedder policy inheritance violation</span> with
+   <var>response</var>, "<code data-x="">worker initialization</code>", <var>owner's policy</var>'s
+   <span data-x="embedder-policy-reporting-endpoint">reporting endpoint</span>, and
+   <var>owner</var>.</p></li>
+
+   <li><p>Return false.</p></li>
+  </ol>
+
+  <p>To <dfn>queue a cross-origin embedder policy inheritance violation</dfn> given a <span
+  data-x="concept-response">response</span> <var>response</var>, a string <var>type</var>, a string
+  <var>endpoint</var>, and an <span>environment settings object</span> <var>settings</var>:</p>
+
+  <ol>
+   <li><p>Let <var>serialized</var> be the result of <span
+   data-x="serialize-a-response-url-for-reporting">serializing a response URL for
+   reporting</span> with <var>response</var>.</p></li>
+
+   <li>
+    <p>Let <var>body</var> be a new object containing the following properties:</p>
+
+    <table class="data">
+     <thead>
+      <tr>
+       <th>key</th>
+       <th>value</th>
+      </tr>
+     </thead>
+     <tbody>
+      <tr>
+      <td>type</td>
+       <td><var>type</var></td>
+      </tr>
+      <tr>
+       <td>blocked-url</td>
+       <td><var>serialized</var></td>
+      </tr>
+     </tbody>
+    </table>
+   </li>
+
+   <li><p><span data-x="queue a report">Queue</span> <var>body</var> as the
+   <span>"<code>coep</code>" report type</span> for <var>endpoint</var> on <var>settings</var>.
+  </ol>
+
+
+
   <h3 split-filename="history" id="history">Session history and navigation</h3>
 
   <h4>Browsing sessions</h4>
@@ -82265,6 +82554,22 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
         </ol>
        </li>
 
+       <li>
+        <p>If <var>response</var> is not a <span>network error</span>, <var>browsingContext</var>
+        is a <span>child browsing context</span>, and the result of performing a
+        <span>cross-origin resource policy check</span> with <var>browsingContext</var>'s
+        <span data-x="bc-container-document">container document</span>'s <span>origin</span>,
+        <var>browsingContext</var>'s <span data-x="bc-container-document">container
+        document</span>'s <span>relevant settings object</span>, <var>response</var>, and true is
+        <b>blocked</b>, then set <var>response</var> to a <span>network error</span> and
+        <span>break</span>.</p>
+
+        <p class="note">Here we're running the <span>cross-origin resource policy check</span>
+        against the <span>parent browsing context</span> rather than
+        <var>sourceBrowsingContext</var>. This is because we care about the same-originness of the
+        embedded content against the parent context, not the navigation source.</p>
+       </li>
+
        <li>
         <p>If <var>response</var> does not have a <span
         data-x="concept-response-location-url">location URL</span> or the <span
@@ -82402,6 +82707,11 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
      data-x="">Blocked</code>" when executed upon <var>request</var>, <var>response</var>,
      <var>navigationType</var>, <var>source</var>, and <var>browsingContext</var>. <ref
      spec="CSP"></p></li>
+
+     <li><p>The result of <span
+     data-x="check a navigation response's adherence to its embedder policy">checking a
+     navigation response's adherence to its embedder policy</span> with <var>response</var>
+     and <var>browsingContext</var> is false.</p></li>
     </ul>
 
     <p class="note">This is where the network errors defined and propagated by <cite>Fetch</cite>,
@@ -82767,6 +83077,10 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
    `<code>Referrer-Policy</code>` header</span> of <var>response</var>. <ref
    spec="REFERRERPOLICY"></p></li>
 
+   <li><p>Set <var>document</var>'s <span data-x="concept-document-embedder-policy">embedder
+   policy</span> to the result of <span data-x="obtain an embedder policy">obtaining an
+   embedder policy</span> from <var>response</var>.</p></li>
+
    <li><p><span>Initialize a <code data-x="">Document</code>'s CSP list</span> given
    <var>document</var>, <var>response</var>, and <var>request</var>. <ref spec="CSP"></p>
 
@@ -86756,6 +87070,14 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
    <dd><p>The default <span>referrer policy</span> for <span data-x="concept-fetch">fetches</span>
    performed using this <span>environment settings object</span> as a <span
    data-x="concept-request-client">request client</span>. <ref spec=REFERRERPOLICY>
+
+   <dt>An <dfn data-x="concept-settings-object-embedder-policy" data-export=""
+   data-dfn-for="environment settings object">embedder policy</dfn></dt>
+
+   <dd><p>An <span>embedder policy</span> used by <span data-x="cross-origin resource policy
+   check">cross-origin resource policy checks</span> for <span data-x="concept-fetch">fetches</span>
+   performed using this <span>environment settings object</span> as a <span
+   data-x="concept-request-client">request client</span>.</p></dd>
   </dl>
 
   <p>An <span>environment settings object</span> also has an <dfn>outstanding rejected promises
@@ -98159,6 +98481,10 @@ interface <dfn>WorkerGlobalScope</dfn> : <span>EventTarget</span> {
   data-dfn-for="WorkerGlobalScope" data-x="concept-WorkerGlobalScope-referrer-policy">referrer
   policy</dfn> (a <span>referrer policy</span>). It is initially the empty string.</p>
 
+  <p>A <code>WorkerGlobalScope</code> object has an associated <dfn data-export=""
+  data-dfn-for="WorkerGlobalScope" data-x="concept-WorkerGlobalScope-embedder-policy">embedder
+  policy</dfn> (an <span>embedder policy</span>).</p>
+
   <p>A <code>WorkerGlobalScope</code> object has an associated <dfn data-export=""
   data-dfn-for="WorkerGlobalScope" data-x="concept-WorkerGlobalScope-csp-list">CSP list</dfn>, which
   is a <span data-x="concept-csp-list">CSP list</span> containing all of the <span>Content Security
@@ -98603,6 +98929,22 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
      <span data-x="parse-referrer-policy-header">parsing the `<code>Referrer-Policy</code>`
      header</span> of <var>response</var>.</p></li>
 
+     <li><p>If <var>response</var>'s <span data-x="concept-response-url">url</span>'s <span
+     data-x="concept-url-scheme">scheme</span> is a <span>local scheme</span>, then set
+     <var>worker global scope</var>'s <span
+     data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span> to <var>owner</var>'s
+     <span data-x="concept-settings-object-embedder-policy">embedder policy</span>.</p></li>
+
+     <li><p>Otherwise, set <var>worker global scope</var>'s <span
+     data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span> to the result of
+     <span data-x="obtain an embedder policy">obtaining an embedder policy</span> from
+     <var>response</var>.</p></li>
+
+     <li><p>If the result of <span data-x="check a global object's embedder policy">checking a
+     global object's embedder policy</span> with <var>worker global scope</var>, <var>owner</var>,
+     and <var>response</var> is false, then set <var>response</var> to a <span>network
+     error</span>.</p></li>
+
      <li><p>Execute the <span>Initialize a <code data-x="">global object</code>'s CSP list</span>
      algorithm on <var>worker global scope</var> and <var>response</var>. <ref spec="CSP"></p></li>
 
@@ -98896,6 +99238,12 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
       <p>Return <var>worker global scope</var>'s <span
       data-x="concept-WorkerGlobalScope-referrer-policy">referrer policy</span>.</p>
      </dd>
+
+     <dt>The <span data-x="concept-settings-object-embedder-policy">embedder policy</span></dt>
+     <dd>
+      <p>Return <var>worker global scope</var>'s <span
+      data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span>.</p>
+     </dd>
     </dl>
    </li>
 
@@ -116196,6 +116544,54 @@ interface <dfn>External</dfn> {
   <code>text/event-stream</code> resources.</p>
 
 
+  <h3>`<dfn data-dfn-type="http-header"
+  data-export=""><code>Cross-Origin-Embedder-Policy</code></dfn>`</h3>
+
+  <p>This section describes a header for registration in the Permanent Message Header Field
+  Registry. <ref spec=RFC3864></p>
+
+  <dl>
+   <dt>Header field name:</dt>
+   <dd>Cross-Origin-Embedder-Policy</dd>
+   <dt>Applicable protocol:</dt>
+   <dd>http</dd>
+   <dt>Status:</dt>
+   <dd>standard</dd>
+   <dt>Author/Change controller:</dt>
+   <dd>WHATWG</dd>
+   <dt>Specification document(s):</dt>
+   <dd>
+    This document is the relevant specification.
+   </dd>
+   <dt>Related information:</dt>
+   <dd>None.</dd>
+  </dl>
+
+
+  <h3>`<dfn data-dfn-type="http-header"
+  data-export=""><code>Cross-Origin-Embedder-Policy-Report-Only</code></dfn>`</h3>
+
+  <p>This section describes a header for registration in the Permanent Message Header Field
+  Registry. <ref spec=RFC3864></p>
+
+  <dl>
+   <dt>Header field name:</dt>
+   <dd>Cross-Origin-Embedder-Policy-Report-Only</dd>
+   <dt>Applicable protocol:</dt>
+   <dd>http</dd>
+   <dt>Status:</dt>
+   <dd>standard</dd>
+   <dt>Author/Change controller:</dt>
+   <dd>WHATWG</dd>
+   <dt>Specification document(s):</dt>
+   <dd>
+    This document is the relevant specification.
+   </dd>
+   <dt>Related information:</dt>
+   <dd>None.</dd>
+  </dl>
+
+
   <h3>`<dfn><code data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code></dfn>`</h3>
 
   <p>This section describes a header for registration in the Permanent Message Header Field
@@ -120893,9 +121289,6 @@ INSERT INTERFACES HERE
    <dt id="refsCOMPUTABLE">[COMPUTABLE]</dt>
    <dd>(Non-normative) <cite><a href="http://www.turingarchive.org/browse.php/B/12">On computable numbers, with an application to the Entscheidungsproblem</a></cite>, A. Turing. In <cite>Proceedings of the London Mathematical Society</cite>, series 2, volume 42, pages 230-265. London Mathematical Society, 1937.</dd>
 
-   <dt id="refsCOEP">[COEP]</dt>
-   <dd><cite><a href="https://wicg.github.io/cross-origin-embedder-policy/">Cross-Origin Embedder Policy</a></cite>, M. West. WICG.</dd>
-
    <dt id="refsCOOKIES">[COOKIES]</dt>
    <dd><cite><a href="https://tools.ietf.org/html/rfc6265">HTTP State Management Mechanism</a></cite>, A. Barth. IETF.</dd>
 
@@ -121129,6 +121522,9 @@ INSERT INTERFACES HERE
    <dt id="refsMEDIASTREAM">[MEDIASTREAM]</dt>
    <dd><cite><a href="https://w3c.github.io/mediacapture-main/getusermedia.html">Media Capture and Streams</a></cite>, D. Burnett, A. Bergkvist, C. Jennings, A. Narayanan. W3C.</dd>
 
+   <dt id="refsREPORTING">[REPORTING]</dt>
+   <dd><cite><a href="https://w3c.github.io/reporting/">Reporting</a></cite>, D. Creager, I. Clelland, M. West. W3C.</dd>
+
    <dt id="refsMFREL">[MFREL]</dt>
    <dd><cite><a href="http://microformats.org/wiki/existing-rel-values#HTML5_link_type_extensions">Microformats Wiki: existing rel values</a></cite>. Microformats.</dd>
 

``Cross-Origin-Embedder-Policy``	Final embedder policy value
No header delivered	"`unsafe-none`"
``require-corp``	"`require-corp`"
``unknown-value``	"`unsafe-none`"
``require-corp, unknown-value``	"`unsafe-none`"
``unknown-value, unknown-value``	"`unsafe-none`"
``unknown-value, require-corp``	"`unsafe-none`"
``require-corp, require-corp``	"`unsafe-none`"