From c9cbe3fd7fd82056acda59fa500b37b11d219b65 Mon Sep 17 00:00:00 2001 From: Garrett Tanzer Date: Wed, 3 Apr 2024 19:18:35 +0000 Subject: [PATCH 01/30] disableUntrustedNetwork skeleton --- spec.bs | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/spec.bs b/spec.bs index f061739..cfdc138 100644 --- a/spec.bs +++ b/spec.bs @@ -1516,6 +1516,7 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. undefined reportEvent(optional ReportEventType event = {}); undefined setReportEventDataForAutomaticBeacons(optional FenceEvent event = {}); sequence<FencedFrameConfig> getNestedConfigs(); + Promise<undefined> disableUntrustedNetwork(); }; @@ -1699,6 +1700,19 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. +
+ The disableUntrustedNetwork() method steps are: + + 1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s + [=browsing context/fenced frame config instance=]. + + 1. If |instance| is null, then return. + + 1. If the [=relevant settings object=]'s [=environment settings object/origin=] and |instance|'s + [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same origin=], then + return. +
+

New [=request=] [=request/destination=]

The processing model of a <{fencedframe}>'s navigation request deviates from that of the normal From 39d31fb7171adf377173899b8b581d8e88ff0823 Mon Sep 17 00:00:00 2001 From: Garrett Tanzer Date: Tue, 9 Apr 2024 16:45:31 +0000 Subject: [PATCH 02/30] fill out more --- spec.bs | 48 +++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 43 insertions(+), 5 deletions(-) diff --git a/spec.bs b/spec.bs index cfdc138..d44443f 100644 --- a/spec.bs +++ b/spec.bs @@ -1143,11 +1143,14 @@ A fenced frame config is a [=struct=] with the following [=str : embedder shared storage context :: null, or a [=string=] - + : is ad component - :: A [=boolean=]. Defaulting to false. + :: A [=boolean=], defaults to false. + + : can disable untrusted network + :: A [=boolean=], defaults to true. - + Note: When true, this [=fenced frame config=] reprsents an ad component. An ad component can be used to construct ads composed of multiple pieces. See the Protected @@ -1196,8 +1199,14 @@ A fenced frame config instance is a [=struct=] with the follow : embedder shared storage context :: null, or a [=string=] - + : is ad component + :: A [=boolean=] + + : can disable untrusted network + :: A [=boolean=] + + : has disabled untrusted network :: A [=boolean=], initially false. @@ -1280,9 +1289,15 @@ A fenced frame config instance is a [=struct=] with the follow : [=fenced frame config instance/embedder shared storage context=] :: |config|'s [=fenced frame config/embedder shared storage context=] - + : [=fenced frame config instance/is ad component=] :: |config|'s [=fenced frame config/is ad component=] + + : [=fenced frame config instance/can disable untrusted network=] + :: |config|'s [=fenced frame config/can disable untrusted network=] + + : [=fenced frame config instance/has disabled untrusted network=] + :: false Each [=browsing context=] has a fenced frame config instance, 
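Review bot: In the fenced frame config hunk of PATCH 02, the note beginning "When true, this fenced frame config reprsents an ad component" now sits directly under the newly inserted "can disable untrusted network" item, so it reads as describing that boolean rather than "is ad component"; keep the note adjacent to "is ad component" (and fix "reprsents" while touching it). The PATCH 01 skeleton this builds on declares `Promise<undefined> disableUntrustedNetwork()` in the IDL, yet its early exits plainly "return", so a caller would get undefined instead of a promise; every exit path needs to hand back a promise.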
@@ -1708,9 +1723,32 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. If |instance| is null, then return. + 1. If |instance|'s [=fenced frame config instance/can disable untrusted network=] is false, then + return. + 1. If the [=relevant settings object=]'s [=environment settings object/origin=] and |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same origin=], then return. + + 1. Let |p| be [=a new promise=]. + + 1. Let |global| be [=this=]'s [=relevant global object=]. + + 1. Run the following steps [=in parallel=]: + + 1. Let |fencedFrameNonce| be |instance|'s [=fenced frame config instance/partition nonce=]. + + 1. TODO: Let |credentiallessNonce| be the page credentialless nonce. + + 1. TODO: Actually revoke the partition nonces |fencedFrameNonce| and + |credentiallessNonce|. + + 1. TODO: Wait on all nested fenced frames to disable network too. + + 1. [=Queue a global task=] on the [=DOM manipulation task source=] given |global|, to + [=resolve=] |p| with {{undefined}}. + + 1. Return |p|.

New [=request=] [=request/destination=]
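Review bot: In the disableUntrustedNetwork() steps, the two early exits ("If |instance| is null, then return." and the new can-disable check) still return nothing although the IDL declares `Promise<undefined>`; create |p| first and resolve or reject it on those paths. The bigger problem is ordering in the in-parallel steps: the task that resolves |p| is queued right after the "TODO: Wait on all nested fenced frames to disable network too." placeholder, so as written the promise can resolve while nested frames still have network, and the resolved promise is the only signal the caller gets that the whole tree is cut off. The "TODO: Let |credentiallessNonce| be the page credentialless nonce." step also leaves the next step revoking an unassigned value until it is filled in.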

From 7eaf2b102c71801e340cae3042df3eb425de6ad6 Mon Sep 17 00:00:00 2001 From: Garrett Tanzer Date: Tue, 9 Apr 2024 16:47:24 +0000 Subject: [PATCH 03/30] more --- spec.bs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/spec.bs b/spec.bs index d44443f..b217e58 100644 --- a/spec.bs +++ b/spec.bs @@ -1743,6 +1743,8 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. TODO: Actually revoke the partition nonces |fencedFrameNonce| and |credentiallessNonce|. + 1. Set |instance|'s [=fenced frame config instance/has disabled untrusted network=] to true. + 1. TODO: Wait on all nested fenced frames to disable network too. 1. [=Queue a global task=] on the [=DOM manipulation task source=] given |global|, to From c4705a66f64e7c872f4486b14772468975e2f469 Mon Sep 17 00:00:00 2001 From: Garrett Tanzer Date: Thu, 11 Apr 2024 18:13:59 +0000 Subject: [PATCH 04/30] address comments --- spec.bs | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/spec.bs b/spec.bs index b217e58..7888410 100644 --- a/spec.bs +++ b/spec.bs @@ -1718,19 +1718,19 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
The disableUntrustedNetwork() method steps are: + 1. Let |p| be [=a new promise=]. + 1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s [=browsing context/fenced frame config instance=]. - 1. If |instance| is null, then return. + 1. If |instance| is null, then [=resolve=] |p| with {{undefined}} and return |p|. 1. If |instance|'s [=fenced frame config instance/can disable untrusted network=] is false, then - return. + [=resolve=] |p| with {{undefined}} and return |p|. 1. If the [=relevant settings object=]'s [=environment settings object/origin=] and |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same origin=], then - return. - - 1. Let |p| be [=a new promise=]. + [=resolve=] |p| with {{undefined}} and return |p|. 1. Let |global| be [=this=]'s [=relevant global object=]. @@ -1738,14 +1738,22 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. Let |fencedFrameNonce| be |instance|'s [=fenced frame config instance/partition nonce=]. - 1. TODO: Let |credentiallessNonce| be the page credentialless nonce. + 1. Let |credentiallessNonce| be + + Issue: the page credentialless nonce + (WICG/fenced-frame#151) - 1. TODO: Actually revoke the partition nonces |fencedFrameNonce| and - |credentiallessNonce|. + 1. Revoke the partition nonces |fencedFrameNonce| and |credentiallessNonce|. + + Issue: Spec the revocation process. + (WICG/fenced-frame#151) 1. Set |instance|'s [=fenced frame config instance/has disabled untrusted network=] to true. - 1. TODO: Wait on all nested fenced frames to disable network too. + 1. Wait on all nested fenced frames to disable network too. + + Issue: Spec this waiting more formally. + (WICG/fenced-frame#151) 1. [=Queue a global task=] on the [=DOM manipulation task source=] given |global|, to [=resolve=] |p| with {{undefined}}. From ab9785d37820bb1554cf340e8c924e5af1e6487d Mon Sep 17 00:00:00 2001 
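Review bot: In PATCH 04, all three early exits (null |instance|, can-disable false, origin mismatch with the mapped URL) now resolve |p| with undefined, which is the same outcome as a completed cutoff, so a caller cannot tell a no-op from an actual revocation; consider rejecting on those paths (a "SecurityError" DOMException for the origin mismatch, for instance) or say in a note that silent success is intended. The "Let |credentiallessNonce| be" step is left with no value and only an Issue marker, yet "Revoke the partition nonces |fencedFrameNonce| and |credentiallessNonce|" follows it, so the algorithm operates on a variable that is never assigned. From PATCH 03, "Set |instance|'s has disabled untrusted network to true" runs before the "Wait on all nested fenced frames to disable network too." step, so the flag claims a full cutoff while descendants may still have network.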
From: Garrett Tanzer Date: Wed, 10 Jul 2024 14:12:48 +0000 Subject: [PATCH 05/30] skeleton --- spec.bs | 37 ++++++++++++++++++++++++++++++++++--- 1 file changed, 34 insertions(+), 3 deletions(-) diff --git a/spec.bs b/spec.bs index 7888410..fd4194d 100644 --- a/spec.bs +++ b/spec.bs @@ -1743,10 +1743,9 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. Issue: the page credentialless nonce (WICG/fenced-frame#151) - 1. Revoke the partition nonces |fencedFrameNonce| and |credentiallessNonce|. + 1. Invoke [=revoke network for a partition nonce=] on |fencedFrameNonce|. - Issue: Spec the revocation process. - (WICG/fenced-frame#151) + 1. Invoke [=revoke network for a partition nonce=] on |credentiallessNonce|. 1. Set |instance|'s [=fenced frame config instance/has disabled untrusted network=] to true. @@ -1761,6 +1760,38 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. Return |p|.
+
+ In order to revoke network for a partition nonce using a + [=fenced frame config instance/partition nonce=] |nonce|, run these steps: + + 1. If |event|'s {{FenceEvent/eventType}} [=string/starts with=] "`reserved.`", then return. + + 1. TODO: Fill this in +
+ +
+ To determine whether fetching a [=request=] |request| should be blocked due to a revoked + partition nonce using a [=fenced frame config instance/partition nonce=] |nonce|, run these + steps: + + 1. TODO: Fill this in +
+ +

Fetch monkeypatches for network revocation

+ +The network revocation mechanism requires the following monkeypatches to the [[FETCH]] Standard. + +
+ In the [=main fetch=] algorithm, step 7, where it says: + + > If should request be blocked due to a bad port, should fetching request be blocked as mixed + > content, or should request be blocked by Content Security Policy returns blocked, then set + > response to a network error. + + Add "[=should request be blocked due to a revoked partition nonce=]" to the conditions after + "should request be blocked by Content Security Policy". +
+

New [=request=] [=request/destination=]
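Review bot: In the new "revoke network for a partition nonce" algorithm, the step "If |event|'s {{FenceEvent/eventType}} starts with "reserved.", then return." references an |event| that this algorithm never receives (it only takes |nonce|); it looks copied from reportEvent() and should be removed. In the first hunk of PATCH 05, "Invoke revoke network for a partition nonce on |credentiallessNonce|" still operates on a variable the preceding "Let |credentiallessNonce| be" step never assigns. The "should request be blocked due to a revoked partition nonce" algorithm is a TODO, yet the main fetch monkeypatch in the same patch already adds it to the step 7 conditions, so every fetch now depends on an undefined predicate; at minimum the monkeypatch should say which nonce is passed and how it is obtained from the request.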

The processing model of a <{fencedframe}>'s navigation request deviates from that of the normal From d75f324d0f63b62ab3842f7838bc8014d99e3335 Mon Sep 17 00:00:00 2001 From: Garrett Tanzer Date: Wed, 17 Jul 2024 21:07:53 +0000 Subject: [PATCH 06/30] content done % links --- spec.bs | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/spec.bs b/spec.bs index fd4194d..40c5b1b 100644 --- a/spec.bs +++ b/spec.bs @@ -1760,21 +1760,34 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. Return |p|. +A user agent has an associated network revocation nonce set, which is a [=set=] of +[=partition nonces=], and a network revocation exemption map, which is a [=map=] whose +[=map/keys=] are [=partition nonces=] and [=map/values=] are [=sets=] of [=URLs=]. + +Note: The network revocation exemption map is used only for web platform tests; in normal usage +it is always empty. +
In order to revoke network for a partition nonce using a [=fenced frame config instance/partition nonce=] |nonce|, run these steps: - 1. If |event|'s {{FenceEvent/eventType}} [=string/starts with=] "`reserved.`", then return. + 1. [=set/Append=] |nonce| to the user agent's [=network revocation nonce set=]. - 1. TODO: Fill this in + 1. TODO: Cancel requests in progress.
To determine whether fetching a [=request=] |request| should be blocked due to a revoked - partition nonce using a [=fenced frame config instance/partition nonce=] |nonce|, run these - steps: + partition nonce using a [=fenced frame config instance/partition nonce=] |nonce| and a + [=URL=] |requestURL|, run these steps: + + 1. If the user agent's [=network revocation exemption map=][|nonce|] [=map/exists=], and if + |requestURL| [=set/exists=] in it, return allowed. + + 1. If the user agent's [=network revocation nonce set=] [=set/contains=] |nonce|, return + blocked. - 1. TODO: Fill this in + 1. Return allowed.

Fetch monkeypatches for network revocation
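Review bot: The "network revocation exemption map" is consulted first in "should request be blocked due to a revoked partition nonce", so any entry in it bypasses revocation; since the note says it exists only for web platform tests, the normative text should require it to be empty outside a testing mode and say how it is populated, otherwise an implementation may treat it as a general allowlist. "TODO: Cancel requests in progress." is the part with security weight: appending |nonce| to the set only stops future fetches, so a request started just before disableUntrustedNetwork() still completes after the promise resolves. The predicate now takes |nonce| and |requestURL|, but the fetch monkeypatch invokes it from a condition where only the request is in scope; state that |requestURL| is the request's current URL, state where |nonce| is read from (the request's client's config instance, presumably), and either use the |request| parameter or drop it.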

@@ -1784,9 +1797,12 @@ The network revocation mechanism requires the following monkeypatches to the [[F
In the [=main fetch=] algorithm, step 7, where it says: - > If should request be blocked due to a bad port, should fetching request be blocked as mixed - > content, or should request be blocked by Content Security Policy returns blocked, then set - > response to a network error. + > If should request be blocked due to a bad port, + > + > should fetching request be blocked as mixed content, or + > should request + > be blocked by Content Security Policy returns blocked, then set + > response to a network error. Add "[=should request be blocked due to a revoked partition nonce=]" to the conditions after "should request be blocked by Content Security Policy". From 7c89c4edea5d948e98efb3652f6a0b5b7c1c673d Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Thu, 8 Aug 2024 15:10:36 -0400 Subject: [PATCH 07/30] Update spec.bs --- spec.bs | 145 ++++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 121 insertions(+), 24 deletions(-) diff --git a/spec.bs b/spec.bs index 8298b35..0dfbd6e 100644 --- a/spec.bs +++ b/spec.bs @@ -111,6 +111,8 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/ urlPrefix: embedder-content-other.html text: width; url: attr-dim-width text: height; url: attr-dim-height + urlPrefix: document-lifecycle.html + text: abort a document; url: abort-a-document urlPrefix: document-sequences.html text: browsing context group; url: browsing-context-group text: browsing context group set; url: browsing-context-group-set @@ -138,6 +140,7 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/ text: historyHandling; url: navigation-hh text: referrerPolicy; url: navigation-referrer-policy text: attempt to populate the history entry's document; url: attempt-to-populate-the-history-entry's-document + text: completionSteps; url: attempt-to-populate-completion-steps text: navigation params; url: navigation-params text: snapshot source snapshot params; url: snapshotting-source-snapshot-params for: navigation params 
@@ -448,8 +451,13 @@ Each <{fencedframe}> has a config, which is either a
- When a <{fencedframe}> element is [=removed from a document=], the user agent

TODO: - destroy the nested traversable

. + When a <{fencedframe}> element is [=removed from a document=], the user agent must run the + following steps: + + 1.

TODO: destroy the nested traversable.

+ + 1. [=Recalculate the untrusted network status of all frames=] given the {{Document}}'s [=node + navigable=]'s [=navigable/top-level traversable=].
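Review bot: In the "removed from a document" steps, the new "Recalculate the untrusted network status of all frames" call only gives the right answer once step 1 actually destroys the nested traversable; while step 1 is a TODO, the removed fenced navigable is still reachable through inclusive descendant navigables and keeps its ancestor's cutoff from completing. This call site also runs on the main thread during DOM mutation, while disableUntrustedNetwork() invokes the same algorithm from its in-parallel steps; the algorithm reads active documents and windows, so it should say which thread it runs on and the parallel caller should queue a task.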
The config IDL attribute getter steps are to return @@ -759,6 +767,11 @@ a reporting destination=] through the reference it kept, it will handle all of t stored in the [=list=]. If the destination is never finalized, then the pending events will never be sent. +An untrusted network status is either "`enabled`", "`disabled for this +tree`", or "`disabled for this and descendant +trees`". +
In order to finalize a reporting destination, given a [=fencedframetype/fenced frame reporting map=] |reporting map|, a {{FenceReportingDestination}} |destination|, a [=map=] @@ -1152,6 +1165,13 @@ A fenced frame config is a [=struct=] with the following [=str : is ad component :: A [=boolean=], defaults to false. + Note: When true, this [=fenced frame config=] represents an ad component. An ad component can be + used to construct ads composed of multiple pieces. See the Protected + Audience explainer. For an ad component, event reporting is handled differently. See the Fenced + Frame Ads Reporting explainer that describes this. + : cross-origin reporting allowed :: A [=boolean=], defaults to false. @@ -1159,13 +1179,6 @@ A fenced frame config is a [=struct=] with the following [=str :: A [=boolean=], defaults to true. - Note: When true, this [=fenced frame config=] reprsents an ad component. An ad component can be - used to construct ads composed of multiple pieces. See the Protected - Audience explainer. For an ad component, event reporting is handled differently. See the Fenced - Frame Ads Reporting explainer that describes this. -

The [=fenced frame config instance=] [=struct=]

A fenced frame config instance is a [=struct=] with the following [=struct/items=]: @@ -1214,8 +1227,12 @@ A fenced frame config instance is a [=struct=] with the follow : can disable untrusted network :: A [=boolean=] - : has disabled untrusted network - :: A [=boolean=], initially false. + : untrusted network status + :: An [=fencedframetype/untrusted network status=], initially [=untrusted network + status/enabled=]. + + : on network disabled promises + :: A [=list=] of {{Promise|Promises}}. : cross-origin reporting allowed :: A [=boolean=], initially false. @@ -1310,8 +1327,11 @@ A fenced frame config instance is a [=struct=] with the follow : [=fenced frame config instance/can disable untrusted network=] :: |config|'s [=fenced frame config/can disable untrusted network=] - : [=fenced frame config instance/has disabled untrusted network=] - :: false + : [=fenced frame config instance/untrusted network status=] + :: [=untrusted network status/enabled=] + + : [=fenced frame config instance/on network disabled promises=] + :: an empty [=list=]
Each [=browsing context=] has a fenced frame config instance, @@ -1887,19 +1907,79 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. Invoke [=revoke network for a partition nonce=] on |credentiallessNonce|. - 1. Set |instance|'s [=fenced frame config instance/has disabled untrusted network=] to true. + 1. Set |instance|'s [=fenced frame config instance/untrusted network status=] to [=untrusted + network status/disabled for this tree=]. - 1. Wait on all nested fenced frames to disable network too. + 1. [=list/Append=] |p| to |instance|'s [=fenced frame config instance/on network disabled + promises=]. - Issue: Spec this waiting more formally. - (WICG/fenced-frame#151) - - 1. [=Queue a global task=] on the [=DOM manipulation task source=] given |global|, to - [=resolve=] |p| with {{undefined}}. + 1. [=Recalculate the untrusted network status of all frames=] given |global|'s + [=Window/browsing context=]'s [=browsing context/top-level traversable=]. 1. Return |p|. +
+ To Recalculate the untrusted network status of all frames given a [=top-level + traversable=] |topLevelTraversable|, run these steps: + + 1. Let |navigables| be |topLevelTraversable|'s [=navigable/active document=]'s + [=Document/inclusive descendant navigables=] with [=inclusive-dn-unfenced|unfenced=] set to + true. + + 1. Let |i| be |navigables|' [=list/size=] - 1. + + 1. Let |navigablesWithNetworkChildren| be an empty [=set=]. + + 1. While |i| > 0: + + 1. Let |currentNavigable| be |navigables|[|i|]. + + 1. Set |i| to |i| - 1. + + 1. If |currentNavigable| is not a [=fenced navigable container/fenced navigable=], then + [=iteration/continue=]. + + 1. Let |config| be |currentNavigable|'s [=navigable/active browsing context=]'s [=browsing + context/fenced frame config instance=]. + + 1. If |config| is null, then [=iteration/continue=]. + + 1. If |config|'s [=fenced frame config instance/untrusted network status=] is [=untrusted + network status/disabled for this and descendant trees=], then [=iteration/continue=]. + + 1. Let |networkCutoffReady| be true if |navigablesWithNetworkChildren| does not [=set/contain=] + |currentNavigable| and |config|'s [=fenced frame config instance/untrusted network status=] + is [=untrusted network status/disabled for this tree=], false otherwise. + + 1. If |networkCutoffReady| is true: + + 1. Set |config|'s [=fenced frame config instance/untrusted network status=] to [=untrusted + network status/disabled for this and descendant trees=]. + + 1. Let |global| be |currentNavigable|'s [=navigable/active window=]. + + 1. For each |promise| in |config|'s [=fenced frame config instance/on network disabled + promises=]: + + 1. [=Queue a global task=] on the [=DOM manipulation task source=] given |global|, to + [=resolve=] |promise| with {{undefined}}. + + 1. [=list/Empty=] |config|'s [=fenced frame config instance/on network disabled promises=]. + + 1. Otherwise: + + 1. 
Let |ancestorFencedRoot| be |currentNavigable|'s [=navigable/unfenced parent=]. + + 1. While |ancestorFencedRoot| is not null and |ancestorFencedRoot| is not a [=fenced + navigable container/fenced navigable=]: + + 1. Set |ancestorFencedRoot| to |ancestorFencedRoot|'s [=navigable/parent=]. + + 1. If |ancestorFencedRoot| is not null, [=set/append=] |ancestorFencedRoot| to + |navigablesWithNetworkChildren|. +
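Review bot: In the disableUntrustedNetwork() changes, a second call on a frame whose status is already "disabled for this and descendant trees" sets it back to "disabled for this tree", revokes both nonces again and re-runs the recalculation before the status is restored; add an early step that resolves |p| immediately when the status is already fully disabled and only appends |p| when it is "disabled for this tree". In "Recalculate the untrusted network status of all frames", the loop "Let |i| be |navigables|' size - 1 ... While |i| > 0" never visits |navigables|[0]; that entry is the top-level traversable itself, so nothing is lost today, but the bound should be greater than or equal to 0 or the loop written as an explicit reverse iteration. That reverse order is load-bearing: inclusive descendant navigables lists an ancestor before its descendants, and |navigablesWithNetworkChildren| is only correct when every descendant has been visited before the ancestor it marks, so a note next to the loop should say so.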
+ A user agent has an associated network revocation nonce set, which is a [=set=] of [=partition nonces=], and a network revocation exemption map, which is a [=map=] whose [=map/keys=] are [=partition nonces=] and [=map/values=] are [=sets=] of [=URLs=]. @@ -1917,7 +1997,7 @@ it is always empty.
- To determine whether fetching a [=request=] |request| should be blocked due to a revoked + To determine whether fetching a [=request=] request should request be blocked due to a revoked partition nonce using a [=fenced frame config instance/partition nonce=] |nonce| and a [=URL=] |requestURL|, run these steps: @@ -1930,24 +2010,41 @@ it is always empty. 1. Return allowed.
-

Fetch monkeypatches for network revocation

+

Monkeypatches for network revocation

The network revocation mechanism requires the following monkeypatches to the [[FETCH]] Standard.
- In the [=main fetch=] algorithm, step 7, where it says: + In the [=fetch=] algorithm, step 7, where it says: > If should request be blocked due to a bad port, > > should fetching request be blocked as mixed content, or > should request > be blocked by Content Security Policy returns blocked, then set - > response to a network error. + > response to a network error. Add "[=should request be blocked due to a revoked partition nonce=]" to the conditions after "should request be blocked by Content Security Policy".
+The network revocation mechanism requires the following monkeypatches to the [[HTML]] Standard. + +
+ Add a new step to the [=abort a document=] algorithm after step 4 that says: + + 5. [=Recalculate the untrusted network status of all frames=] given document's + [=node navigable=]'s [=navigable/top-level traversable=]. +
+ +
+ Modify the call to [=attempt to populate the history entry's document=] in the [=navigate=] + algorithm. Update the [=completionSteps=] to include the following new step: + + 2. [=Recalculate the untrusted network status of all frames=] given navigable's + [=navigable/top-level traversable=]. +
+

New [=request=] [=request/destination=]
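Review bot: "In the [=main fetch=] algorithm, step 7" was changed to "In the [=fetch=] algorithm, step 7", but the quoted condition (bad port, mixed content, Content Security Policy, then network error) is the step in main fetch, not in fetch; if the edit was made to satisfy the link checker, fix the link target rather than the prose. The HTML monkeypatches hard-code "5." for abort a document and "2." for the navigate completionSteps; anchor them to the neighbouring step text instead, since HTML renumbers often. In the preceding hunk the predicate's opening line now reads "a [=request=] request should request be blocked due to a revoked partition nonce", which looks like a mangled definition, and |request| is still never used in its steps.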

The processing model of a <{fencedframe}>'s navigation request deviates from that of the normal From 0ce475f132c232f4d4226617009401a2955436bb Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Wed, 11 Sep 2024 11:42:06 -0400 Subject: [PATCH 08/30] remove 'defaults to' --- spec.bs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/spec.bs b/spec.bs index 0dfbd6e..bf402fe 100644 --- a/spec.bs +++ b/spec.bs @@ -1163,7 +1163,7 @@ A fenced frame config is a [=struct=] with the following [=str :: null, or a [=string=] : is ad component - :: A [=boolean=], defaults to false. + :: A [=boolean=], initially false. Note: When true, this [=fenced frame config=] represents an ad component. An ad component can be used to construct ads composed of multiple pieces. See the fenced frame config is a [=struct=] with the following [=str Frame Ads Reporting explainer that describes this. : cross-origin reporting allowed - :: A [=boolean=], defaults to false. + :: A [=boolean=], initially false. : can disable untrusted network - :: A [=boolean=], defaults to true. + :: A [=boolean=], initially true.

The [=fenced frame config instance=] [=struct=]

From c92fa386a70242578459cbe5d91963a8aa67013c Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Wed, 11 Sep 2024 18:37:20 -0400 Subject: [PATCH 09/30] address comments for code that's new in this PR --- spec.bs | 92 +++++++++++++++++++++++++++++++-------------------------- 1 file changed, 50 insertions(+), 42 deletions(-) diff --git a/spec.bs b/spec.bs index eb580b6..62242c9 100644 --- a/spec.bs +++ b/spec.bs @@ -477,8 +477,8 @@ attribute. 1.

TODO: destroy the nested traversable.

- 1. [=Recalculate the untrusted network status of all frames=] given the {{Document}}'s [=node - navigable=]'s [=navigable/top-level traversable=]. + 1. [=Recalculate the untrusted network status of all fenced frame descendants=] given the + {{Document}}'s [=node navigable=]'s [=navigable/top-level traversable=]. The config IDL attribute getter steps are to return @@ -1593,8 +1593,11 @@ partial interface Navigator {
The adAuctionComponents(|numAdComponents|) - 1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s - [=browsing context/fenced frame config instance=]. + 1. Let |context| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]. + + 1. If |context| is null, then throw a {{SecurityError}} {{DOMException}}. + + 1. Let |instance| be |context|'s [=browsing context/fenced frame config instance=]. 1. If |instance| is null, then throw a {{DOMException}}. @@ -1674,8 +1677,11 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
The reportEvent(|event|) method steps are: - 1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s - [=browsing context/fenced frame config instance=]. + 1. Let |context| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]. + + 1. If |context| is null, then throw a {{SecurityError}} {{DOMException}}. + + 1. Let |instance| be |context|'s [=browsing context/fenced frame config instance=]. 1. If |instance| is null, then return. @@ -1783,8 +1789,11 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. If |event|'s {{FenceEvent/eventType}} does not match one of the [=fencedframetype/automatic beacon event type=] values, return. - 1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s - [=browsing context/fenced frame config instance=]. + 1. Let |context| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]. + + 1. If |context| is null, then throw a {{SecurityError}} {{DOMException}}. + + 1. Let |instance| be |context|'s [=browsing context/fenced frame config instance=]. 1. If |instance| is null, then return. @@ -1819,8 +1828,11 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
The getNestedConfigs() method steps are: - 1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s - [=browsing context/fenced frame config instance=]. + 1. Let |context| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]. + + 1. If |context| is null, then throw a {{SecurityError}} {{DOMException}}. + + 1. Let |instance| be |context|'s [=browsing context/fenced frame config instance=]. 1. If |instance| is null, then return. @@ -1859,8 +1871,11 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. Let |p| be [=a new promise=]. - 1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s - [=browsing context/fenced frame config instance=]. + 1. Let |context| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]. + + 1. If |context| is null, then throw a {{SecurityError}} {{DOMException}}. + + 1. Let |instance| be |context|'s [=browsing context/fenced frame config instance=]. 1. If |instance| is null, then [=resolve=] |p| with {{undefined}} and return |p|. @@ -1892,29 +1907,27 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. [=list/Append=] |p| to |instance|'s [=fenced frame config instance/on network disabled promises=]. - 1. [=Recalculate the untrusted network status of all frames=] given |global|'s - [=Window/browsing context=]'s [=browsing context/top-level traversable=]. + 1. [=Recalculate the untrusted network status of all fenced frame descendants=] given + |global|'s [=Window/browsing context=]'s [=browsing context/top-level traversable=]. 1. Return |p|.
- To Recalculate the untrusted network status of all frames given a [=top-level - traversable=] |topLevelTraversable|, run these steps: + To Recalculate the untrusted network status of all fenced frame descendants given a + [=top-level traversable=] |topLevelTraversable|, run these steps: + + 1. [=Assert=]: this is running [=in parallel=]. 1. Let |navigables| be |topLevelTraversable|'s [=navigable/active document=]'s [=Document/inclusive descendant navigables=] with [=inclusive-dn-unfenced|unfenced=] set to true. - 1. Let |i| be |navigables|' [=list/size=] - 1. - 1. Let |navigablesWithNetworkChildren| be an empty [=set=]. - 1. While |i| > 0: + 1. [=iteration/While=] |navigables| is not [=queue/empty=]: - 1. Let |currentNavigable| be |navigables|[|i|]. - - 1. Set |i| to |i| - 1. + 1. Let |currentNavigable| be the result of [=queue/dequeue|dequeuing=] from |navigables|. 1. If |currentNavigable| is not a [=fenced navigable container/fenced navigable=], then [=iteration/continue=]. @@ -1947,16 +1960,11 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. [=list/Empty=] |config|'s [=fenced frame config instance/on network disabled promises=]. 1. Otherwise: + 1. Let |ancestorFencedRoot| be |currentNavigable|'s [=navigable/unfenced parent=]'s + [=navigable/active document=]'s [=Document/ancestor navigables=][0]. - 1. Let |ancestorFencedRoot| be |currentNavigable|'s [=navigable/unfenced parent=]. - - 1. While |ancestorFencedRoot| is not null and |ancestorFencedRoot| is not a [=fenced - navigable container/fenced navigable=]: - - 1. Set |ancestorFencedRoot| to |ancestorFencedRoot|'s [=navigable/parent=]. - - 1. If |ancestorFencedRoot| is not null, [=set/append=] |ancestorFencedRoot| to - |navigablesWithNetworkChildren|. + 1. If |ancestorFencedRoot| is a [=fenced navigable container/fenced navigable=], + [=set/append=] |ancestorFencedRoot| to |navigablesWithNetworkChildren|.
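Review bot: Replacing the reverse index loop with "dequeuing from |navigables|" walks the list front to back, and inclusive descendant navigables is parent-first, so an ancestor is now processed before its descendants; |navigablesWithNetworkChildren| is still empty when the ancestor is checked, so a fenced frame in "disabled for this tree" is promoted to "disabled for this and descendant trees" and its promises resolved while a nested fenced frame that never called disableUntrustedNetwork() still has network. Iterate from the end (or reverse the list before dequeuing) to keep descendants first. In the "Otherwise" branch, "|currentNavigable|'s unfenced parent's active document's ancestor navigables[0]" is undefined when the unfenced parent is the root of its tree, which is the ordinary case of a fencedframe placed directly in the top-level document, because ancestor navigables excludes the document's own navigable; use inclusive ancestor navigables[0], whose first entry is the tree root. The new "Assert: this is running in parallel" contradicts the other call sites in this PR: abort a document, the navigate completionSteps (run from a queued task in HTML) and the fencedframe "removed from a document" steps are all main-thread; either drop the assert or have disableUntrustedNetwork() queue a task and assert the opposite.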
A user agent has an associated network revocation nonce set, which is a [=set=] of @@ -2012,16 +2020,16 @@ The network revocation mechanism requires the following monkeypatches to the [[H
Add a new step to the [=abort a document=] algorithm after step 4 that says: - 5. [=Recalculate the untrusted network status of all frames=] given document's - [=node navigable=]'s [=navigable/top-level traversable=]. + 5. [=Recalculate the untrusted network status of all fenced frame descendants=] given document's [=node navigable=]'s [=navigable/top-level traversable=].
Modify the call to [=attempt to populate the history entry's document=] in the [=navigate=] algorithm. Update the [=completionSteps=] to include the following new step: - 2. [=Recalculate the untrusted network status of all frames=] given navigable's - [=navigable/top-level traversable=]. + 2. [=Recalculate the untrusted network status of all fenced frame descendants=] given navigable's [=navigable/top-level traversable=].

New [=request=] [=request/destination=]

@@ -2694,12 +2702,12 @@ the fenced frame boundary, which is a privacy leak. To avoid this, we effectivel
Modify step 3 of the [=currently focused area of a top-level traversable=] algorithm to read: - 3. While |candidate|'s [=focused area=] is either a [=navigable container=] with a non-null - [=navigable container/content navigable=] or a [=fenced navigable container=] with a non-null - [=fenced navigable container/fenced navigable=]: set |candidate| to the [=navigable/active - document=] of either that [=navigable container=]'s [=navigable container/content navigable=] - or that [=fenced navigable container=]'s [=fenced navigable container/fenced navigable=], - whichever is non-null. + 3. [=iteration/While=] |candidate|'s [=focused area=] is either a [=navigable container=] with a + non-null [=navigable container/content navigable=] or a [=fenced navigable container=] with a + non-null [=fenced navigable container/fenced navigable=]: set |candidate| to the + [=navigable/active document=] of either that [=navigable container=]'s [=navigable + container/content navigable=] or that [=fenced navigable container=]'s [=fenced navigable + container/fenced navigable=], whichever is non-null.
@@ -2904,7 +2912,7 @@ CORP violation report=] algorithm, as leaving it unfenced may cause a privacy le 1. Let |current navigable| be |sourceDocument|'s [=node navigable=]. - 1. While |current navigable| is not null: + 1. [=iteration/While=] |current navigable| is not null: 1. [=map/iterate|For each=] |type| → |data| of |current navigable|'s [=navigable/active document=]'s [=Document/automatic beacon data map=]: From d94859fda396421f51ec5fcf21032c7aa45b1b3b Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Thu, 12 Sep 2024 11:25:24 -0400 Subject: [PATCH 10/30] Update spec.bs --- spec.bs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/spec.bs b/spec.bs index 62242c9..7efb5b7 100644 --- a/spec.bs +++ b/spec.bs @@ -1289,6 +1289,13 @@ A fenced frame config instance is a [=struct=] with the follow : on network disabled promises :: A [=list=] of {{Promise|Promises}}. + Note: This stores the callback {{Promise|Promises}} that were created during + {{Fence/disableUntrustedNetwork()}}. This is populated when {{Fence/disableUntrustedNetwork()}} is + first invoked, and all {{Promise|Promises}} in this [=list=] are resolved at once when the + <{fencedframe}> and its descendants have their network access fully revoked (i.e. the [=fenced + frame config instance/untrusted network status=] is [=untrusted network status/disabled for this + and descendant trees=]). + : cross-origin reporting allowed :: A [=boolean=], initially false. From 9b6e1580b3275b09f8b159ae4ca4df82bcde369f Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Thu, 12 Sep 2024 11:30:55 -0400 Subject: [PATCH 11/30] attempt to fix validation errors --- spec.bs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/spec.bs b/spec.bs index 7efb5b7..28b5cca 100644 --- a/spec.bs +++ b/spec.bs 
@@ -1289,12 +1289,12 @@ A fenced frame config instance is a [=struct=] with the follow : on network disabled promises :: A [=list=] of {{Promise|Promises}}. - Note: This stores the callback {{Promise|Promises}} that were created during - {{Fence/disableUntrustedNetwork()}}. This is populated when {{Fence/disableUntrustedNetwork()}} is - first invoked, and all {{Promise|Promises}} in this [=list=] are resolved at once when the - <{fencedframe}> and its descendants have their network access fully revoked (i.e. the [=fenced - frame config instance/untrusted network status=] is [=untrusted network status/disabled for this - and descendant trees=]). + Note: This stores the callback {{Promise|Promises}} that were created during + {{Fence/disableUntrustedNetwork()}}. This is populated when {{Fence/disableUntrustedNetwork()}} is + first invoked, and all {{Promise|Promises}} in this [=list=] are resolved at once when the + <{fencedframe}> and its descendants have their network access fully revoked (i.e. the [=fenced + frame config instance/untrusted network status=] is [=untrusted network status/disabled for this + and descendant trees=]). : cross-origin reporting allowed :: A [=boolean=], initially false. From 5d982b3d4af1669ae5d41b33ade712727c0169f2 Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Thu, 12 Sep 2024 11:35:09 -0400 Subject: [PATCH 12/30] attempt to fix validation errors --- spec.bs | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/spec.bs b/spec.bs index 28b5cca..d82733a 100644 --- a/spec.bs +++ b/spec.bs 
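Review bot: Whitespace-only re-indent of the note introduced in patch 10; squash it into that patch rather than carrying a separate "attempt to fix validation errors" commit in the series.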
@@ -1289,13 +1289,6 @@ A fenced frame config instance is a [=struct=] with the follow : on network disabled promises :: A [=list=] of {{Promise|Promises}}. - Note: This stores the callback {{Promise|Promises}} that were created during - {{Fence/disableUntrustedNetwork()}}. This is populated when {{Fence/disableUntrustedNetwork()}} is - first invoked, and all {{Promise|Promises}} in this [=list=] are resolved at once when the - <{fencedframe}> and its descendants have their network access fully revoked (i.e. the [=fenced - frame config instance/untrusted network status=] is [=untrusted network status/disabled for this - and descendant trees=]). - : cross-origin reporting allowed :: A [=boolean=], initially false. @@ -1394,6 +1387,13 @@ A fenced frame config instance is a [=struct=] with the follow : [=fenced frame config instance/on network disabled promises=] :: an empty [=list=] + + Note: This stores the callback {{Promise|Promises}} that were created during + {{Fence/disableUntrustedNetwork()}}. This is populated when {{Fence/disableUntrustedNetwork()}} + is first invoked, and all {{Promise|Promises}} in this [=list=] are resolved at once when the + <{fencedframe}> and its descendants have their network access fully revoked (i.e. the [=fenced + frame config instance/untrusted network status=] is [=untrusted network status/disabled for this + and descendant trees=]).
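Review bot: Moving the note from the struct item at 1289 to the initialization list at 1394 puts the explanation of what the list is for next to "an empty list" instead of next to the field it documents, so a reader looking up the struct item will not find it. The validation failure is an indentation problem (the note must sit at the `dd` indentation inside the `<dl>`), so fix the indentation in place and leave the note with the field definition.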
Each [=browsing context=] has a fenced frame config instance, From 44435e0a1e3890e6b937f02b25a733c732534dd4 Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Thu, 12 Sep 2024 11:40:05 -0400 Subject: [PATCH 13/30] test if removing the note fixes the build --- spec.bs | 7 ------- 1 file changed, 7 deletions(-) diff --git a/spec.bs b/spec.bs index e243100..ced35b7 100644 --- a/spec.bs +++ b/spec.bs @@ -1388,13 +1388,6 @@ A fenced frame config instance is a [=struct=] with the follow : [=fenced frame config instance/on network disabled promises=] :: an empty [=list=] - - Note: This stores the callback {{Promise|Promises}} that were created during - {{Fence/disableUntrustedNetwork()}}. This is populated when {{Fence/disableUntrustedNetwork()}} - is first invoked, and all {{Promise|Promises}} in this [=list=] are resolved at once when the - <{fencedframe}> and its descendants have their network access fully revoked (i.e. the [=fenced - frame config instance/untrusted network status=] is [=untrusted network status/disabled for this - and descendant trees=]).
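Review bot: Deleting the note outright to see whether the build goes green is a diagnostic step, not a change to keep: if it is the fix, the only explanation of `on network disabled promises` is gone, and if it is not, this commit and the one that restores the note should be squashed so the series does not alternate between adding and removing the same text.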
Each [=browsing context=] has a fenced frame config instance, From 78d16734b70ab9452c66bd0c392a660b9dda95af Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Thu, 12 Sep 2024 11:48:34 -0400 Subject: [PATCH 14/30] attempt to fix validation errors --- spec.bs | 42 +++++++++++++++++++++++++----------------- 1 file changed, 25 insertions(+), 17 deletions(-) diff --git a/spec.bs b/spec.bs index ced35b7..3b20bc3 100644 --- a/spec.bs +++ b/spec.bs 
@@ -1179,17 +1179,18 @@ A fenced frame config is a [=struct=] with the following [=str : visibility :: a [=fencedframeconfig/visibility=] - Note: When non-null, this is a [=list=] of [=policy-controlled features=] that the generator of - this config relies on exclusively being enabled inside the <{fencedframe}> that navigates to - this config. Specifically, each feature in this list must be - enabled by the <{fencedframe}>'s [=fenced navigable container/fenced navigable=]'s - [=Document/permissions policy=]'s [=permissions policy/inherited policy=] when navigating to - this config for the navigation to succeed. The features in this list are not force-enabled, but - rather are used to check that the embedder environment that influences the aforementioned - [=permissions policy/inherited policy=] is relaxed enough to support these essential features. - If the [=inherited policy for a feature|inherited policy value=] for any of these features is - "`Disabled`", the navigation to this config will fail. Any [=policy-controlled feature=] *not* - in this list will not be "`Disabled`" in the <{fencedframe}> that navigates to this config. + Note: When non-null, this is a [=list=] of [=policy-controlled features=] that the generator + of this config relies on exclusively being enabled inside the <{fencedframe}> that navigates + to this config. Specifically, each feature in this list must be + enabled by the <{fencedframe}>'s [=fenced navigable container/fenced navigable=]'s + [=Document/permissions policy=]'s [=permissions policy/inherited policy=] when navigating to + this config for the navigation to succeed. The features in this list are not force-enabled, + but rather are used to check that the embedder environment that influences the aforementioned + [=permissions policy/inherited policy=] is relaxed enough to support these essential + features. 
If the [=inherited policy for a feature|inherited policy value=] for any of these + features is "`Disabled`", the navigation to this config will fail. Any [=policy-controlled + feature=] *not* in this list will not be "`Disabled`" in the <{fencedframe}> that navigates + to this config. : fenced frame reporting metadata :: null, or a [=struct=] with the following [=struct/items=]: @@ -1221,12 +1222,12 @@ A fenced frame config is a [=struct=] with the following [=str : is ad component :: A [=boolean=], initially false. - Note: When true, this [=fenced frame config=] represents an ad component. An ad component can be - used to construct ads composed of multiple pieces. See the Protected - Audience explainer. For an ad component, event reporting is handled differently. See the Fenced - Frame Ads Reporting explainer that describes this. + Note: When true, this [=fenced frame config=] represents an ad component. An ad component can + be used to construct ads composed of multiple pieces. See the Protected + Audience explainer. For an ad component, event reporting is handled differently. See the Fenced + Frame Ads Reporting explainer that describes this. : cross-origin reporting allowed :: A [=boolean=], initially false. @@ -1388,6 +1389,13 @@ A fenced frame config instance is a [=struct=] with the follow : [=fenced frame config instance/on network disabled promises=] :: an empty [=list=] + + Note: This stores the callback {{Promise|Promises}} that were created during + {{Fence/disableUntrustedNetwork()}}. This is populated when + {{Fence/disableUntrustedNetwork()}} is first invoked, and all {{Promise|Promises}} in this + [=list=] are resolved at once when the <{fencedframe}> and its descendants have their network + access fully revoked (i.e. the [=fenced frame config instance/untrusted network status=] is + [=untrusted network status/disabled for this and descendant trees=]).
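Review bot: The 1179 and 1221 hunks only rewrap the `visibility` and `is ad component` notes to a different line width and have nothing to do with network revocation; keep them out of this patch or say in the message that they are formatting. The re-added note at 1389 now sits at the `dd` indentation, which is the right fix for the validation error, but it still says "callback Promises" (they are the promises returned to callers) and still belongs with the struct item definition rather than with its initialization value.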
Each [=browsing context=] has a fenced frame config instance, From 77e3bd428ca2a515ff6933c5345e27f30564914e Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Thu, 12 Sep 2024 12:00:28 -0400 Subject: [PATCH 15/30] Update spec.bs --- spec.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec.bs b/spec.bs index 3b20bc3..b8e6137 100644 --- a/spec.bs +++ b/spec.bs @@ -1969,8 +1969,8 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. [=list/Empty=] |config|'s [=fenced frame config instance/on network disabled promises=]. 1. Otherwise: - 1. Let |ancestorFencedRoot| be |currentNavigable|'s [=navigable/unfenced parent=]'s - [=navigable/active document=]'s [=Document/ancestor navigables=][0]. + 1. Let |ancestorFencedRoot| be |currentNavigable|'s [=traversable navigable/unfenced + parent=]'s [=navigable/traversable navigable=]. 1. If |ancestorFencedRoot| is a [=fenced navigable container/fenced navigable=], [=set/append=] |ancestorFencedRoot| to |navigablesWithNetworkChildren|. From f5b12551046905519a333ce376bedc9095d21ea5 Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Thu, 12 Sep 2024 13:41:52 -0400 Subject: [PATCH 16/30] remove "can disable untrusted network" --- spec.bs | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/spec.bs b/spec.bs index b8e6137..bf1eca1 100644 --- a/spec.bs +++ b/spec.bs @@ -1231,9 +1231,6 @@ A fenced frame config is a [=struct=] with the following [=str : cross-origin reporting allowed :: A [=boolean=], initially false. - - : can disable untrusted network - :: A [=boolean=], initially true.
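Review bot: In the 1969 hunk, `unfenced parent` is linked as a property of `traversable navigable`, but |currentNavigable| is just an item taken from the work list; the step is only well-defined because an earlier step skips anything that is not a fenced navigable (and fenced navigables are traversables). Make that dependency explicit in the step, e.g. "Let |ancestorFencedRoot| be |currentNavigable|'s unfenced parent's traversable navigable (|currentNavigable| is a fenced navigable and so a traversable navigable)". The old expression was wrong in a different way: `ancestor navigables` does not include the document's own navigable and is empty when the unfenced parent is itself a traversable, so `[0]` was undefined in exactly the nested case this loop exists for; the new form is the correct one.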

The [=fenced frame config instance=] [=struct=]

@@ -1281,9 +1278,6 @@ A fenced frame config instance is a [=struct=] with the follow : is ad component :: A [=boolean=] - : can disable untrusted network - :: A [=boolean=] - : untrusted network status :: An [=fencedframetype/untrusted network status=], initially [=untrusted network status/enabled=]. @@ -1381,9 +1375,6 @@ A fenced frame config instance is a [=struct=] with the follow : [=fenced frame config instance/cross-origin reporting allowed=] :: |config|'s [=fenced frame config/cross-origin reporting allowed=] - : [=fenced frame config instance/can disable untrusted network=] - :: |config|'s [=fenced frame config/can disable untrusted network=] - : [=fenced frame config instance/untrusted network status=] :: [=untrusted network status/enabled=] @@ -1888,8 +1879,9 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. If |instance| is null, then [=resolve=] |p| with {{undefined}} and return |p|. - 1. If |instance|'s [=fenced frame config instance/can disable untrusted network=] is false, then - [=resolve=] |p| with {{undefined}} and return |p|. + 1. If [=this=]'s [=relevant global object=]'s [=Window/navigable=]'s [=navigable/traversable + navigable=] is not a [=fenced navigable container/fenced navigable=], then [=resolve=] |p| with + {{undefined}} and return |p|. 1. If the [=relevant settings object=]'s [=environment settings object/origin=] and |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same origin=], then From a51ffdd9d5ddb97bf482edeef5438c5585c6165f Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Thu, 12 Sep 2024 15:17:39 -0400 Subject: [PATCH 17/30] convert same-origin check to assert --- spec.bs | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/spec.bs b/spec.bs index bf1eca1..6c3bcf7 100644 --- a/spec.bs +++ b/spec.bs 
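Review bot: Replacing the `can disable untrusted network` flag with the check at 1879 that the navigable's traversable navigable is a fenced navigable changes the behaviour for non-fenced callers from "not permitted" to "resolve with undefined": a top-level page or plain iframe calling `disableUntrustedNetwork()` gets a promise that resolves as if network had been revoked when nothing happened. Either reject in that branch or add a note that resolving is intentional and why. The removal hunks are consistent (config struct, instance struct and the instance-construction steps all drop the field), so no dangling references remain in this patch. Note also that a same-origin iframe nested inside the fenced frame passes the new check, since its traversable navigable is the fenced navigable; if that is intended, state it.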
@@ -1879,14 +1879,16 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. If |instance| is null, then [=resolve=] |p| with {{undefined}} and return |p|. + 1. [=Assert=]: the [=relevant settings object=]'s [=environment settings object/origin=] and + |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are [=same origin=]. + + Note: Only contexts that are [=same origin=] to the [=fenced frame config instance/mapped url=] + described in the [=fenced frame config instance=] are allowed to call this API. + 1. If [=this=]'s [=relevant global object=]'s [=Window/navigable=]'s [=navigable/traversable navigable=] is not a [=fenced navigable container/fenced navigable=], then [=resolve=] |p| with {{undefined}} and return |p|. - 1. If the [=relevant settings object=]'s [=environment settings object/origin=] and |instance|'s - [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same origin=], then - [=resolve=] |p| with {{undefined}} and return |p|. - 1. Let |global| be [=this=]'s [=relevant global object=]. 1. Run the following steps [=in parallel=]: From 53162401407b628721825dea9ef61e356580931f Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Thu, 12 Sep 2024 15:21:20 -0400 Subject: [PATCH 18/30] update credentialless issue link --- spec.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec.bs b/spec.bs index 6c3bcf7..179cc77 100644 --- a/spec.bs +++ b/spec.bs @@ -1898,7 +1898,7 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. Let |credentiallessNonce| be Issue: the page credentialless nonce - (WICG/fenced-frame#151) + (WICG/fenced-frame#191) 1. Invoke [=revoke network for a partition nonce=] on |fencedFrameNonce|. From 62f3b437a632b870316c26dcecabde3c26c542a7 Mon Sep 17 00:00:00 2001 
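Review bot: Turning the same-origin check at 1879 into an assert is unsound: a cross-origin iframe nested inside the fenced frame passes the fenced-navigable check immediately below (its traversable navigable is the fenced navigable), so if its browsing context carries a non-null instance the "not same origin" condition is reachable from web content and must stay a runtime check that rejects or returns. Asserts are for conditions the spec itself guarantees, not for caller input. The #151 to #191 link update in patch 18 is fine.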
From: Liam Brady Date: Thu, 12 Sep 2024 15:41:12 -0400 Subject: [PATCH 19/30] add changes from other review --- spec.bs | 24 +++++++++--------------- 1 file changed, 9 insertions(+), 15 deletions(-) diff --git a/spec.bs b/spec.bs index 92bc7d3..6f3b56e 100644 --- a/spec.bs +++ b/spec.bs @@ -1210,9 +1210,6 @@ A fenced frame config is a [=struct=] with the following [=str : cross-origin reporting allowed :: A [=boolean=], initially false. - - : can disable untrusted network - :: A [=boolean=], defaults to true. Note: When true, this [=fenced frame config=] represents an ad component. An ad component can be @@ -1267,9 +1264,6 @@ A fenced frame config instance is a [=struct=] with the follow : is ad component :: A [=boolean=] - : can disable untrusted network - :: A [=boolean=] - : has disabled untrusted network :: A [=boolean=], initially false. @@ -1363,9 +1357,6 @@ A fenced frame config instance is a [=struct=] with the follow : [=fenced frame config instance/cross-origin reporting allowed=] :: |config|'s [=fenced frame config/cross-origin reporting allowed=] - : [=fenced frame config instance/can disable untrusted network=] - :: |config|'s [=fenced frame config/can disable untrusted network=] - : [=fenced frame config instance/has disabled untrusted network=] :: false 
@@ -1845,12 +1836,15 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. If |instance| is null, then [=resolve=] |p| with {{undefined}} and return |p|. - 1. If |instance|'s [=fenced frame config instance/can disable untrusted network=] is false, then - [=resolve=] |p| with {{undefined}} and return |p|. + 1. [=Assert=]: the [=relevant settings object=]'s [=environment settings object/origin=] and + |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are [=same origin=]. + + Note: Only contexts that are [=same origin=] to the [=fenced frame config instance/mapped url=] + described in the [=fenced frame config instance=] are allowed to call this API. - 1. If the [=relevant settings object=]'s [=environment settings object/origin=] and |instance|'s - [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same origin=], then - [=resolve=] |p| with {{undefined}} and return |p|. + 1. If [=this=]'s [=relevant global object=]'s [=Window/navigable=]'s [=navigable/traversable + navigable=] is not a [=fenced navigable container/fenced navigable=], then [=resolve=] |p| with + {{undefined}} and return |p|. 1. Let |global| be [=this=]'s [=relevant global object=]. @@ -1861,7 +1855,7 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. Let |credentiallessNonce| be Issue: the page credentialless nonce - (WICG/fenced-frame#151) + (WICG/fenced-frame#191) 1. Invoke [=revoke network for a partition nonce=] on |fencedFrameNonce|. From 49fe6a25dce1e55c392c30f4af5d69cbb5292cdc Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Thu, 12 Sep 2024 17:10:04 -0400 Subject: [PATCH 20/30] address comments --- spec.bs | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/spec.bs b/spec.bs index 6f3b56e..f596eff 100644 --- a/spec.bs +++ b/spec.bs 
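Review bot: This patch re-applies the changes from patches 16 through 18 (dropping `can disable untrusted network`, the same-origin assert, the #191 link) against a different base (index 92bc7d3 rather than bf1eca1), so the series carries the same change twice; rebase and squash so each change appears once. Separately, the 1210 hunk leaves "Note: When true, this fenced frame config represents an ad component" sitting directly under `cross-origin reporting allowed` once the two removed lines are gone; that note documents `is ad component` and should be moved back under that entry.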
@@ -1878,22 +1878,27 @@ A user agent has an associated network revocation nonce set, which is [=partition nonces=], and a network revocation exemption map, which is a [=map=] whose [=map/keys=] are [=partition nonces=] and [=map/values=] are [=sets=] of [=URLs=]. -Note: The network revocation exemption map is used only for web platform tests; in normal usage -it is always empty. +Note: The [=network revocation exemption map=] is used only for web platform tests; in normal usage +it is always empty. This list is modified directly in web platform tests by a function call to +exempt specific URLs from network revocation. + +Issue: This will require a RFC to add a test-only function to the WPT web driver. +(WICG/fenced-frame#192)
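Review bot: In the 1878 hunk the note calls the network revocation exemption map "this list"; it is a map from partition nonces to sets of URLs, so say "this map". "require a RFC" should read "require an RFC". It is also worth stating in the note that the test-only function must not be reachable outside automation, since an exemption entry is by construction a bypass of network revocation.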
- In order to revoke network for a partition nonce using a - [=fenced frame config instance/partition nonce=] |nonce|, run these steps: + To revoke network for a partition nonce using a [=fenced frame config + instance/partition nonce=] |nonce|, run these steps: 1. [=set/Append=] |nonce| to the user agent's [=network revocation nonce set=]. - 1. TODO: Cancel requests in progress. + 1. [=fetch group/terminated|Terminate=] [=this=]'s [=relevant settings object=]'s + [=fetch/fetch group=].
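Review bot: The replacement for "TODO: Cancel requests in progress" terminates "[=this=]'s relevant settings object's fetch group", but `revoke network for a partition nonce` is a standalone algorithm that receives only |nonce|; there is no `this` here, and even read as the caller's settings object it cancels only the calling document's in-flight fetches. Requests from other documents and workers that share the nonce (nested iframes, dedicated workers) keep running until they complete. Phrase it as: for each fetch group whose associated environment settings object's partition nonce is |nonce|, terminate that fetch group.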
- To determine whether fetching a [=request=] |request| should be blocked due to a revoked - partition nonce using a [=fenced frame config instance/partition nonce=] |nonce| and a - [=URL=] |requestURL|, run these steps: + To determine whether fetching a [=request=] request must be blocked due to + a revoked partition nonce using a [=fenced frame config instance/partition nonce=] |nonce| + and a [=URL=] |requestURL|, run these steps: 1. If the user agent's [=network revocation exemption map=][|nonce|] [=map/exists=], and if |requestURL| [=set/exists=] in it, return allowed. @@ -1909,16 +1914,16 @@ it is always empty. The network revocation mechanism requires the following monkeypatches to the [[FETCH]] Standard.
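Review bot: In the renamed definition the request is written as "a [=request=] request" instead of "a [=request=] |request|", so Bikeshed will not mark it as a variable and the body cannot refer to it; keep the |request| form. The exemption check correctly runs before the revocation-set lookup, but the step should restate that the exemption map is only ever populated by automation, so a reader does not mistake it for a web-exposed allowlist.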
- In the [=main fetch=] algorithm, step 7, where it says: + In the [=fetch=] algorithm, step 7, where it says: > If should request be blocked due to a bad port, > > should fetching request be blocked as mixed content, or > should request > be blocked by Content Security Policy returns blocked, then set - > response to a network error. + > response to a network error. - Add "[=should request be blocked due to a revoked partition nonce=]" to the conditions after + Add "[=must be blocked due to a revoked partition nonce=]" to the conditions after "should request be blocked by Content Security Policy".
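Review bot: The link change from "main fetch" to "fetch" in this hunk looks like a regression: the quoted step ("If should request be blocked due to a bad port, should fetching request be blocked as mixed content, or should request be blocked by Content Security Policy returns blocked, then set response to a network error") is a step of main fetch, not of the top-level fetch algorithm, so the monkeypatch now points readers at the wrong algorithm. Keep `[=main fetch=]` and adjust only the step number if it has drifted. The rename to "must be blocked due to a revoked partition nonce" matches the new definition.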
From 9de235e87df620896bb1edcdc61547f71a21aa0b Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Fri, 4 Oct 2024 16:16:20 -0400 Subject: [PATCH 21/30] Update spec.bs --- spec.bs | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/spec.bs b/spec.bs index fe3547a..d4a779c 100644 --- a/spec.bs +++ b/spec.bs @@ -1879,11 +1879,9 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. If |instance| is null, then [=resolve=] |p| with {{undefined}} and return |p|. - 1. [=Assert=]: the [=relevant settings object=]'s [=environment settings object/origin=] and - |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are [=same origin=]. - - Note: Only contexts that are [=same origin=] to the [=fenced frame config instance/mapped url=] - described in the [=fenced frame config instance=] are allowed to call this API. + 1. If the [=relevant settings object=]'s [=environment settings object/origin=] and + |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same + origin=], then [=reject=] |p| with a {{TypeError}}. 1. If [=this=]'s [=relevant global object=]'s [=Window/navigable=]'s [=navigable/traversable navigable=] is not a [=fenced navigable container/fenced navigable=], then [=resolve=] |p| with From 2c067b0c989e407699e6bde209800c308335ac76 Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Fri, 1 Nov 2024 18:03:46 -0400 Subject: [PATCH 22/30] address review comments --- spec.bs | 64 ++++++++++++++++++++++++--------------------------------- 1 file changed, 27 insertions(+), 37 deletions(-) diff --git a/spec.bs b/spec.bs index cde853d..f1176e7 100644 --- a/spec.bs +++ b/spec.bs 
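Review bot: The new step at 1879 rejects |p| with a TypeError but does not return, so the algorithm continues: the next step may resolve the already-rejected promise, and the parallel steps still revoke network for the nonce on behalf of a caller the check just refused. Make it "then reject |p| with a TypeError and return |p|"; the sibling steps that resolve |p| already return.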
@@ -1434,14 +1434,13 @@ A fenced frame config instance is a [=struct=] with the follow :: [=untrusted network status/enabled=] : [=fenced frame config instance/on network disabled promises=] - :: an empty [=list=] + :: A [=list=] of {{Promise|Promises}}, initially empty. - Note: This stores the callback {{Promise|Promises}} that were created during - {{Fence/disableUntrustedNetwork()}}. This is populated when - {{Fence/disableUntrustedNetwork()}} is first invoked, and all {{Promise|Promises}} in this - [=list=] are resolved at once when the <{fencedframe}> and its descendants have their network - access fully revoked (i.e. the [=fenced frame config instance/untrusted network status=] is - [=untrusted network status/disabled for this and descendant trees=]). + Note: This stores various {{Promise|Promises}} from various globals that were created during + {{Fence/disableUntrustedNetwork()}}. We store them here so that we can resolve all of them at + once when the <{fencedframe}> and its descendants have their network access fully revoked + (i.e., the [=fenced frame config instance/untrusted network status=] is [=untrusted network + status/disabled for this and descendant trees=]).
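Review bot: In the 1434 hunk, "A list of Promises, initially empty." replaces "an empty list" in the instance-construction list, where every other entry is a value rather than a type; "an empty list" was the right form here and the type description belongs with the struct item. In the note, "various Promises from various globals" reads awkwardly; "the Promises returned to callers in each global" says what is meant, and the note should add that resolution happens by queuing a task on each promise's relevant global, since promises from different globals cannot be resolved from one task.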
Each [=browsing context=] has a fenced frame config instance, @@ -1648,11 +1647,8 @@ partial interface Navigator {
The adAuctionComponents(|numAdComponents|) - 1. Let |context| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]. - - 1. If |context| is null, then throw a {{SecurityError}} {{DOMException}}. - - 1. Let |instance| be |context|'s [=browsing context/fenced frame config instance=]. + 1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s + [=browsing context/fenced frame config instance=]. 1. If |instance| is null, then throw a {{DOMException}}. @@ -1733,11 +1729,8 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
The reportEvent(|event|) method steps are: - 1. Let |context| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]. - - 1. If |context| is null, then throw a {{SecurityError}} {{DOMException}}. - - 1. Let |instance| be |context|'s [=browsing context/fenced frame config instance=]. + 1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s + [=browsing context/fenced frame config instance=]. 1. If |instance| is null, then return. @@ -1851,11 +1844,8 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. If |event|'s {{FenceEvent/eventType}} does not match one of the [=fencedframetype/automatic beacon event type=] values, return. - 1. Let |context| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]. - - 1. If |context| is null, then throw a {{SecurityError}} {{DOMException}}. - - 1. Let |instance| be |context|'s [=browsing context/fenced frame config instance=]. + 1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s + [=browsing context/fenced frame config instance=]. 1. If |instance| is null, then return. @@ -1890,11 +1880,8 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
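Review bot: Removing "If |context| is null, then throw a SecurityError" from adAuctionComponents (1647), reportEvent (1729), setReportEventDataForAutomaticBeacons (1844) and getNestedConfigs (1880) leaves the first step reading a browsing context's fenced frame config instance when a Window's browsing context can be null (a detached window). Either keep the null check, or add a note that a null browsing context is treated as a null instance so the following "If |instance| is null" step covers it; as written the first step is undefined for that case.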
The getNestedConfigs() method steps are: - 1. Let |context| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]. - - 1. If |context| is null, then throw a {{SecurityError}} {{DOMException}}. - - 1. Let |instance| be |context|'s [=browsing context/fenced frame config instance=]. + 1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s + [=browsing context/fenced frame config instance=]. 1. If |instance| is null, then return. @@ -1939,7 +1926,7 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. Let |instance| be |context|'s [=browsing context/fenced frame config instance=]. - 1. If |instance| is null, then [=resolve=] |p| with {{undefined}} and return |p|. + 1. [=Assert=]: |instance| is not null. 1. If the [=relevant settings object=]'s [=environment settings object/origin=] and |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same @@ -1955,14 +1942,12 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. Let |fencedFrameNonce| be |instance|'s [=fenced frame config instance/partition nonce=]. - 1. Let |credentiallessNonce| be - - Issue: the page credentialless nonce - (WICG/fenced-frame#191) + 1. Let |credentiallessNonce| be |global|'s [=page credentialless nonce=]. 1. Invoke [=revoke network for a partition nonce=] on |fencedFrameNonce|. - 1. Invoke [=revoke network for a partition nonce=] on |credentiallessNonce|. + 1. If |credentiallessNonce| is non-null, invoke [=revoke network for a partition nonce=] on + |credentiallessNonce|. 1. Set |instance|'s [=fenced frame config instance/untrusted network status=] to [=untrusted network status/disabled for this tree=]. 
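Review bot: "Assert: |instance| is not null" at 1926 is placed before the step that resolves |p| for callers whose traversable navigable is not a fenced navigable, so a non-fenced context with a null instance hits the assertion before reaching the step meant to handle it; move the fenced-navigable check above it or keep the null early-return. The credentialless hunk is an improvement: taking |credentiallessNonce| from |global|'s page credentialless nonce and guarding on non-null closes the open issue in this algorithm, though the same nonce also has to reach the blocking check on the fetch side.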
@@ -1988,9 +1973,9 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. Let |navigablesWithNetworkChildren| be an empty [=set=]. - 1. [=iteration/While=] |navigables| is not [=queue/empty=]: + 1. [=iteration/While=] |navigables| is not [=stack/empty=]: - 1. Let |currentNavigable| be the result of [=queue/dequeue|dequeuing=] from |navigables|. + 1. Let |currentNavigable| be the result of [=stack/pop|popping=] from |navigables|. 1. If |currentNavigable| is not a [=fenced navigable container/fenced navigable=], then [=iteration/continue=]. @@ -1998,8 +1983,6 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. Let |config| be |currentNavigable|'s [=navigable/active browsing context=]'s [=browsing context/fenced frame config instance=]. - 1. If |config| is null, then [=iteration/continue=]. - 1. If |config|'s [=fenced frame config instance/untrusted network status=] is [=untrusted network status/disabled for this and descendant trees=], then [=iteration/continue=]. @@ -2007,6 +1990,9 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. |currentNavigable| and |config|'s [=fenced frame config instance/untrusted network status=] is [=untrusted network status/disabled for this tree=], false otherwise. + Note: A frame is added to |navigablesWithNetworkChildren| when a child fenced frame is + determined to not be ready for network cutoff. + 1. If |networkCutoffReady| is true: 1. Set |config|'s [=fenced frame config instance/untrusted network status=] to [=untrusted @@ -2081,6 +2067,10 @@ The network revocation mechanism requires the following monkeypatches to the [[F Add "[=must be blocked due to a revoked partition nonce=]" to the conditions after "should request be blocked by Content Security Policy". + + Issue: This needs to be passed in both the fenced frame nonce as well as the iframe credentialless + nonce, if it exists. + (WICG/fenced-frame#191)
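Review bot: Switching |navigables| from a queue to a stack in the 1973 hunk reverses the processing order relative to insertion, and `networkCutoffReady` depends on that order: a fenced navigable is appended to |navigablesWithNetworkChildren| by a not-yet-ready descendant, so descendants must be visited before their ancestor fenced root or the ancestor is judged ready too early. State how |navigables| is populated (descendants in tree order, so popping visits the deepest first) so the invariant is visible at the loop. Dropping "If |config| is null, then continue" is fine only if a fenced navigable always has a non-null instance; say so. The Issue added under the fetch monkeypatch correctly records that both the fenced frame nonce and the credentialless nonce have to be passed to the blocking check.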
The network revocation mechanism requires the following monkeypatches to the [[HTML]] Standard. From 95cc59789d2f5ac2ed458e84391b06429fc5479d Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Mon, 4 Nov 2024 13:53:15 -0500 Subject: [PATCH 23/30] clean up merge issues --- spec.bs | 183 +++++++++++++------------------------------------------- 1 file changed, 42 insertions(+), 141 deletions(-) diff --git a/spec.bs b/spec.bs index af500aa..f6e4345 100644 --- a/spec.bs +++ b/spec.bs @@ -1915,6 +1915,47 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
+
+ The notifyEvent(|event|) method steps are: + + 1. If [=this=]'s {{Document}} is not [=Document/fully active=], then return. + + 1. Let |navigable| be [=this=]'s [=relevant global object=]'s [=Window/navigable=]. + + 1. If any of the following conditions are met, then throw a {{SecurityError}} {{DOMException}}: + + * |navigable| is not a [=fenced navigable container/fenced navigable=]; + + * |event|'s {{Event/isTrusted}} is false; + + * |event|'s [=Event/dispatch flag=] is unset; + + * |event|'s {{Event/type}} is not "click" + + 1. If [=this=]'s [=relevant global object=] does not have [=transient activation=], then return. + + 1. [=Consume user activation=] for [=this=]'s [=relevant global object=]. + + 1. Let |parentNavigable| be |navigable|'s [=navigable/unfenced parent=]. + + 1. [=Queue a global task=] on the [=DOM manipulation task source=] given |parentNavigable|'s + [=navigable/active window=] to run these steps: + + 1. Perform the [=activation notification=] steps. + + 1. [=Fire an event=] named "[=fencedtreeclick=]" at |navigable|'s + [=fenced navigable container=]. Initialize the event's {{Event/bubbles}} and {{Event/cancelable}} attributes to `true`. When running the + inner event creation steps, set the time to an [=implementation-defined=] value that is consistent across all invocations of this method. + + + /fenced-frame/notify-event-iframe.https.html + /fenced-frame/notify-event-invalid.https.html + /fenced-frame/notify-event-nested-fenced-frames.https.html + /fenced-frame/notify-event-success.https.html + /fenced-frame/notify-event-transient-user-activation.https.html + +
+
The disableUntrustedNetwork() method steps are: @@ -1926,8 +1967,6 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. Let |instance| be |context|'s [=browsing context/fenced frame config instance=]. - 1. [=Assert=]: |instance| is not null. - 1. If the [=relevant settings object=]'s [=environment settings object/origin=] and |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same origin=], then [=reject=] |p| with a {{TypeError}}. @@ -2051,7 +2090,7 @@ Issue: This will require a RFC to add a test-only function to the WPT web driver 1. Return allowed.
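Review bot: In the relocated notifyEvent steps, "If [=this=]'s {{Document}} is not fully active" is not well-defined, since a Fence object has no Document; use "this's relevant global object's associated Document". The two "Fire an event" lines exceed the line width used elsewhere in the file and should be rewrapped. Removing "Assert: |instance| is not null" from disableUntrustedNetwork resolves the ordering problem with the fenced-navigable check, but the next step still dereferences |instance|'s mapped url with no null guard; restore "If |instance| is null, then resolve |p| with undefined and return |p|" ahead of the origin comparison.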
-

Monkeypatches for network revocation

+

Monkeypatches for network revocation

The network revocation mechanism requires the following monkeypatches to the [[FETCH]] Standard. @@ -2090,144 +2129,6 @@ The network revocation mechanism requires the following monkeypatches to the [[H ignore>navigable's [=navigable/top-level traversable=].
-
- The notifyEvent(|event|) method steps are: - - 1. If [=this=]'s {{Document}} is not [=Document/fully active=], then return. - - 1. Let |navigable| be [=this=]'s [=relevant global object=]'s [=Window/navigable=]. - - 1. If any of the following conditions are met, then throw a {{SecurityError}} {{DOMException}}: - - * |navigable| is not a [=fenced navigable container/fenced navigable=]; - - * |event|'s {{Event/isTrusted}} is false; - - * |event|'s [=Event/dispatch flag=] is unset; - - * |event|'s {{Event/type}} is not "click" - - 1. If [=this=]'s [=relevant global object=] does not have [=transient activation=], then return. - - 1. [=Consume user activation=] for [=this=]'s [=relevant global object=]. - - 1. Let |parentNavigable| be |navigable|'s [=navigable/unfenced parent=]. - - 1. [=Queue a global task=] on the [=DOM manipulation task source=] given |parentNavigable|'s - [=navigable/active window=] to run these steps: - - 1. Perform the [=activation notification=] steps. - - 1. [=Fire an event=] named "[=fencedtreeclick=]" at |navigable|'s - [=fenced navigable container=]. Initialize the event's {{Event/bubbles}} and {{Event/cancelable}} attributes to `true`. When running the - inner event creation steps, set the time to an [=implementation-defined=] value that is consistent across all invocations of this method. - - - /fenced-frame/notify-event-iframe.https.html - /fenced-frame/notify-event-invalid.https.html - /fenced-frame/notify-event-nested-fenced-frames.https.html - /fenced-frame/notify-event-success.https.html - /fenced-frame/notify-event-transient-user-activation.https.html - -
- -
- The disableUntrustedNetwork() method steps are: - - 1. Let |p| be [=a new promise=]. - - 1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s - [=browsing context/fenced frame config instance=]. - - 1. If the [=relevant settings object=]'s [=environment settings object/origin=] and - |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same - origin=], then [=reject=] |p| with a {{TypeError}}. - - 1. If [=this=]'s [=relevant global object=]'s [=Window/navigable=]'s [=navigable/traversable - navigable=] is not a [=fenced navigable container/fenced navigable=], then [=resolve=] |p| with - {{undefined}} and return |p|. - - 1. Let |global| be [=this=]'s [=relevant global object=]. - - 1. Run the following steps [=in parallel=]: - - 1. Let |fencedFrameNonce| be |instance|'s [=fenced frame config instance/partition nonce=]. - - 1. Let |credentiallessNonce| be - - Issue: the page credentialless nonce - (WICG/fenced-frame#191) - - 1. Invoke [=revoke network for a partition nonce=] on |fencedFrameNonce|. - - 1. Invoke [=revoke network for a partition nonce=] on |credentiallessNonce|. - - 1. Set |instance|'s [=fenced frame config instance/has disabled untrusted network=] to true. - - 1. Wait on all nested fenced frames to disable network too. - - Issue: Spec this waiting more formally. - (WICG/fenced-frame#151) - - 1. [=Queue a global task=] on the [=DOM manipulation task source=] given |global|, to - [=resolve=] |p| with {{undefined}}. - - 1. Return |p|. -
- -A user agent has an associated network revocation nonce set, which is a [=set=] of -[=partition nonces=], and a network revocation exemption map, which is a [=map=] whose -[=map/keys=] are [=partition nonces=] and [=map/values=] are [=sets=] of [=URLs=]. - -Note: The [=network revocation exemption map=] is used only for web platform tests; in normal usage -it is always empty. This list is modified directly in web platform tests by a function call to -exempt specific URLs from network revocation. - -Issue: This will require a RFC to add a test-only function to the WPT web driver. -(WICG/fenced-frame#192) - -
- To revoke network for a partition nonce using a [=fenced frame config - instance/partition nonce=] |nonce|, run these steps: - - 1. [=set/Append=] |nonce| to the user agent's [=network revocation nonce set=]. - - 1. [=fetch group/terminated|Terminate=] [=this=]'s [=relevant settings object=]'s - [=fetch/fetch group=]. -
- -
- To determine whether fetching a [=request=] request must be blocked due to - a revoked partition nonce using a [=fenced frame config instance/partition nonce=] |nonce| - and a [=URL=] |requestURL|, run these steps: - - 1. If the user agent's [=network revocation exemption map=][|nonce|] [=map/exists=], and if - |requestURL| [=set/exists=] in it, return allowed. - - 1. If the user agent's [=network revocation nonce set=] [=set/contains=] |nonce|, return - blocked. - - 1. Return allowed. -
- -

Fetch monkeypatches for network revocation

- -The network revocation mechanism requires the following monkeypatches to the [[FETCH]] Standard. - -
- In the [=fetch=] algorithm, step 7, where it says: - - > If should request be blocked due to a bad port, - > - > should fetching request be blocked as mixed content, or - > should request - > be blocked by Content Security Policy returns blocked, then set - > response to a network error. - - Add "[=must be blocked due to a revoked partition nonce=]" to the conditions after - "should request be blocked by Content Security Policy". -
-

New [=request=] [=request/destination=]

The processing model of a <{fencedframe}>'s navigation request deviates from that of the normal From 38d1e666bd5a318832d81c2fd2b7526fd898585e Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Mon, 4 Nov 2024 13:55:23 -0500 Subject: [PATCH 24/30] clean up and move note to definition --- spec.bs | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/spec.bs b/spec.bs index f6e4345..452350a 100644 --- a/spec.bs +++ b/spec.bs @@ -1338,7 +1338,13 @@ A fenced frame config instance is a [=struct=] with the follow status/enabled=]. : on network disabled promises - :: A [=list=] of {{Promise|Promises}}. + :: A [=list=] of {{Promise|Promises}}, initially empty. + + Note: This stores various {{Promise|Promises}} from various globals that were created during + {{Fence/disableUntrustedNetwork()}}. We store them here so that we can resolve all of them at + once when the <{fencedframe}> and its descendants have their network access fully revoked + (i.e., the [=fenced frame config instance/untrusted network status=] is [=untrusted network + status/disabled for this and descendant trees=]). : cross-origin reporting allowed :: A [=boolean=], initially false. @@ -1434,13 +1440,7 @@ A fenced frame config instance is a [=struct=] with the follow :: [=untrusted network status/enabled=] : [=fenced frame config instance/on network disabled promises=] - :: A [=list=] of {{Promise|Promises}}, initially empty. - - Note: This stores various {{Promise|Promises}} from various globals that were created during - {{Fence/disableUntrustedNetwork()}}. We store them here so that we can resolve all of them at - once when the <{fencedframe}> and its descendants have their network access fully revoked - (i.e., the [=fenced frame config instance/untrusted network status=] is [=untrusted network - status/disabled for this and descendant trees=]). + :: A empty [=list=] of {{Promise|Promises}}. Each [=browsing context=] has a fenced frame config instance, 
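Review bot: Dropping `1. [=Assert=]: |instance| is not null.` in hunk @@ -1926,8 +1967,6 @@ leaves the very next step reading |instance|'s [=fenced frame config instance/mapped url=] with no null handling in view. If the steps that compute |context| guarantee a fenced browsing context here, the assert documents that invariant and should stay; if they do not, replace it with an explicit `1. If |instance| is null, then [=reject=] |p| with a {{TypeError}} and return |p|.` rather than removing the check silently.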
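Review bot: The block deleted in hunk @@ -2090,144 +2129,6 @@ is a second copy of notifyEvent(), disableUntrustedNetwork(), the network revocation nonce set and exemption map, the two revocation algorithms and the Fetch monkeypatch, so this reads as cleanup of a rebase duplicate, but the commit message does not say so. Please state that the retained copies are the newer ones (the deleted disableUntrustedNetwork() still carries the informal "Wait on all nested fenced frames to disable network too" step and the WICG/fenced-frame#151 and #191 issue markers, which the retained version must also resolve), and confirm that the five `/fenced-frame/notify-event-*.https.html` test paths removed here remain listed under the retained notifyEvent() definition.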
@@ -2090,7 +2090,7 @@ Issue: This will require a RFC to add a test-only function to the WPT web driver 1. Return allowed. -

Monkeypatches for network revocation

+

Fetch monkeypatches for network revocation

The network revocation mechanism requires the following monkeypatches to the [[FETCH]] Standard. From f30fc25a6b32f7c75feaa32a94a1cd94289a8d04 Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Fri, 6 Dec 2024 18:01:47 -0500 Subject: [PATCH 25/30] address comments --- spec.bs | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/spec.bs b/spec.bs index db0f262..f34b421 100644 --- a/spec.bs +++ b/spec.bs @@ -1341,7 +1341,8 @@ A fenced frame config instance is a [=struct=] with the follow status/enabled=]. : on network disabled promises - :: A [=list=] of {{Promise|Promises}}, initially empty. + :: A [=map=] whose [=map/keys=] are [=global objects=] and [=values=] are [=lists=] of + {{Promise|Promises}}, initially empty. Note: This stores various {{Promise|Promises}} from various globals that were created during {{Fence/disableUntrustedNetwork()}}. We store them here so that we can resolve all of them at @@ -1443,7 +1444,7 @@ A fenced frame config instance is a [=struct=] with the follow :: [=untrusted network status/enabled=] : [=fenced frame config instance/on network disabled promises=] - :: A empty [=list=] of {{Promise|Promises}}. + :: A empty [=map=]. Each [=browsing context=] has a fenced frame config instance, 
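Review bot: `:: A empty [=list=] of {{Promise|Promises}}.` in hunk @@ -1434,13 +1440,7 @@ should read `An empty [=list=]`; and since the neighbouring instance-construction entries state a concrete initial value (`:: [=untrusted network status/enabled=]`) rather than restating the type, `:: « »` or `:: an empty [=list=]` would match that style better than repeating the description already given at the struct definition.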
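Review bot: The heading rename in hunk @@ -2090,7 +2090,7 @@ ("Monkeypatches for network revocation" to "Fetch monkeypatches for network revocation") is the same change as hunk @@ -2051,7 +2090,7 @@ in the preceding patch; after a rebase one of the two has nothing to apply to, so squash the rename into a single commit.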
@@ -1994,9 +1995,13 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. Set |instance|'s [=fenced frame config instance/untrusted network status=] to [=untrusted network status/disabled for this tree=]. - 1. [=list/Append=] |p| to |instance|'s [=fenced frame config instance/on network disabled + 1. Let |promises| be |instance|'s [=fenced frame config instance/on network disabled promises=]. + 1. If |promises|[|global|] [=map/exists=], [=list/append=] |p| to |promises|[|global|]. + + Otherwise, [=map/set=] |promises|[|global|] to the [=list=] « |p| ». + 1. [=Recalculate the untrusted network status of all fenced frame descendants=] given |global|'s [=Window/browsing context=]'s [=browsing context/top-level traversable=]. @@ -2040,15 +2045,15 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. Set |config|'s [=fenced frame config instance/untrusted network status=] to [=untrusted network status/disabled for this and descendant trees=]. - 1. Let |global| be |currentNavigable|'s [=navigable/active window=]. + 1. For each |global| → |promises| in |config|'s [=fenced frame config instance/on network + disabled promises=]: - 1. For each |promise| in |config|'s [=fenced frame config instance/on network disabled - promises=]: + 1. For each |promise| in |promises|: - 1. [=Queue a global task=] on the [=DOM manipulation task source=] given |global|, to - [=resolve=] |promise| with {{undefined}}. + 1. [=Queue a global task=] on the [=DOM manipulation task source=] given |global|, to + [=resolve=] |promise| with {{undefined}}. - 1. [=list/Empty=] |config|'s [=fenced frame config instance/on network disabled promises=]. + 1. [=map/Clear=] |config|'s [=fenced frame config instance/on network disabled promises=]. 1. Otherwise: 1. Let |ancestorFencedRoot| be |currentNavigable|'s [=traversable navigable/unfenced From eaf68b0d3e50ffcb353b52b5d7d2a65ce62c24de Mon Sep 17 00:00:00 2001 
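Review bot: In hunk @@ -1341,7 +1341,8 @@ the new definition links `[=map/keys=]` but plain `[=values=]`; use `[=map/values=]` so the autolink resolves to the Infra map term, matching the `[=map/keys=]`/`[=map/values=]` pair already used for the network revocation exemption map later in this file.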
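Review bot: The map mutation added in hunk @@ -1994,9 +1995,13 @@ (`If |promises|[|global|] [=map/exists=], [=list/append=] |p| ...`, otherwise `[=map/set=] |promises|[|global|] to « |p| »`) sits after the "Set |instance|'s untrusted network status to disabled for this tree" step, which is inside disableUntrustedNetwork()'s "Run the following steps [=in parallel=]" block, and the recalculation algorithm that iterates and clears the same map asserts that it, too, runs in parallel. Two fenced frames calling disableUntrustedNetwork() concurrently, or one call racing a recalculation triggered from another frame, can therefore read and write [=fenced frame config instance/on network disabled promises=] at the same time, and the Promise objects it holds are JavaScript objects that should only be touched from their own global's event loop. Either append |p| to the map before entering the parallel steps (only the nonce revocation and the status update need to happen off the event loop), or state explicitly how accesses to this map are serialized.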
From: Liam Brady Date: Tue, 10 Dec 2024 16:56:10 -0500 Subject: [PATCH 26/30] call out what is being stored in navigablesWithNetworkChildren --- spec.bs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/spec.bs b/spec.bs index f34b421..28eac06 100644 --- a/spec.bs +++ b/spec.bs @@ -2018,7 +2018,8 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. [=Document/inclusive descendant navigables=] with [=inclusive-dn-unfenced|unfenced=] set to true. - 1. Let |navigablesWithNetworkChildren| be an empty [=set=]. + 1. Let |navigablesWithNetworkChildren| be a [=set=] of [=fenced navigable container/fenced + navigables=], initially empty. 1. [=iteration/While=] |navigables| is not [=stack/empty=]: From f4763411f08e5a4a381d0420f23295fdf858bc03 Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Thu, 12 Dec 2024 13:43:16 -0500 Subject: [PATCH 27/30] address review comments --- spec.bs | 56 +++++++++++++++++++++++++------------------------------- 1 file changed, 25 insertions(+), 31 deletions(-) diff --git a/spec.bs b/spec.bs index 28eac06..ccc5a89 100644 --- a/spec.bs +++ b/spec.bs @@ -859,8 +859,14 @@ be sent. An untrusted network status is either "`enabled`", "`disabled for this -tree`", or "`disabled for this and descendant -trees`". +tree`", or "`disabled for all subtrees`". + +Note: [=untrusted network status/Disabled for this tree=] is not the final network cutoff state. It +is an intermediate state where the frame has had its network access revoked, but at least one +subframe still has network access. It does not get special API access at this stage as any +information it gets access to can still be exfiltrated via the subframe with network access. Once +all sub-fenced frames have also had their untrusted network disabled, the fenced frame's status +will switch to the final [=untrusted network status/disabled for all subtrees=] state.
In order to finalize a reporting destination, given a [=fencedframetype/fenced @@ -1348,7 +1354,7 @@ A fenced frame config instance is a [=struct=] with the follow {{Fence/disableUntrustedNetwork()}}. We store them here so that we can resolve all of them at once when the <{fencedframe}> and its descendants have their network access fully revoked (i.e., the [=fenced frame config instance/untrusted network status=] is [=untrusted network - status/disabled for this and descendant trees=]). + status/disabled for all subtrees=]). : cross-origin reporting allowed :: A [=boolean=], initially false. @@ -1981,16 +1987,18 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. Let |global| be [=this=]'s [=relevant global object=]. + 1. Let |settings| be [=this=]'s [=relevant settings object=]. + 1. Run the following steps [=in parallel=]: 1. Let |fencedFrameNonce| be |instance|'s [=fenced frame config instance/partition nonce=]. 1. Let |credentiallessNonce| be |global|'s [=page credentialless nonce=]. - 1. Invoke [=revoke network for a partition nonce=] on |fencedFrameNonce|. + 1. Invoke [=revoke network for a partition nonce=] on |fencedFrameNonce| with |settings|. 1. If |credentiallessNonce| is non-null, invoke [=revoke network for a partition nonce=] on - |credentiallessNonce|. + |credentiallessNonce| with |settings|. 1. Set |instance|'s [=fenced frame config instance/untrusted network status=] to [=untrusted network status/disabled for this tree=]. @@ -2009,7 +2017,7 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
- To Recalculate the untrusted network status of all fenced frame descendants given a + To recalculate the untrusted network status of all fenced frame descendants given a [=top-level traversable=] |topLevelTraversable|, run these steps: 1. [=Assert=]: this is running [=in parallel=]. @@ -2032,24 +2040,25 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. context/fenced frame config instance=]. 1. If |config|'s [=fenced frame config instance/untrusted network status=] is [=untrusted - network status/disabled for this and descendant trees=], then [=iteration/continue=]. + network status/disabled for all subtrees=], then [=iteration/continue=]. 1. Let |networkCutoffReady| be true if |navigablesWithNetworkChildren| does not [=set/contain=] |currentNavigable| and |config|'s [=fenced frame config instance/untrusted network status=] is [=untrusted network status/disabled for this tree=], false otherwise. - Note: A frame is added to |navigablesWithNetworkChildren| when a child fenced frame is - determined to not be ready for network cutoff. + Note: A [=fenced navigable container/fenced navigable=] is added to + |navigablesWithNetworkChildren| when it is the unfenced ancestor of another fenced frame + that is determined to not be ready for network cutoff. 1. If |networkCutoffReady| is true: 1. Set |config|'s [=fenced frame config instance/untrusted network status=] to [=untrusted - network status/disabled for this and descendant trees=]. + network status/disabled for all subtrees=]. - 1. For each |global| → |promises| in |config|'s [=fenced frame config instance/on network - disabled promises=]: + 1. [=map/For each=] |global| → |promises| in |config|'s [=fenced frame config instance/on + network disabled promises=]: - 1. For each |promise| in |promises|: + 1. [=list/For each=] |promise| in |promises|: 1. [=Queue a global task=] on the [=DOM manipulation task source=] given |global|, to [=resolve=] |promise| with {{undefined}}. 
@@ -2077,12 +2086,12 @@ Issue: This will require a RFC to add a test-only function to the WPT web driver
To revoke network for a partition nonce using a [=fenced frame config - instance/partition nonce=] |nonce|, run these steps: + instance/partition nonce=] |nonce| given a [=relevant settings object=] |settings|, run these + steps: 1. [=set/Append=] |nonce| to the user agent's [=network revocation nonce set=]. - 1. [=fetch group/terminated|Terminate=] [=this=]'s [=relevant settings object=]'s - [=fetch/fetch group=]. + 1. [=fetch group/terminated|Terminate=] |settings|'s [=fetch/fetch group=].
@@ -2123,21 +2132,6 @@ The network revocation mechanism requires the following monkeypatches to the [[F The network revocation mechanism requires the following monkeypatches to the [[HTML]] Standard. -
- Add a new step to the [=abort a document=] algorithm after step 4 that says: - - 5. [=Recalculate the untrusted network status of all fenced frame descendants=] given document's [=node navigable=]'s [=navigable/top-level traversable=]. -
- -
- Modify the call to [=attempt to populate the history entry's document=] in the [=navigate=] - algorithm. Update the [=completionSteps=] to include the following new step: - - 2. [=Recalculate the untrusted network status of all fenced frame descendants=] given navigable's [=navigable/top-level traversable=]. -
-

New [=request=] [=request/destination=]

The processing model of a <{fencedframe}>'s navigation request deviates from that of the normal From adfb311ac27b94b04ca773ae414582508bcacf7f Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Mon, 23 Dec 2024 11:51:40 -0500 Subject: [PATCH 28/30] address review comments --- spec.bs | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/spec.bs b/spec.bs index ccc5a89..20ae9d1 100644 --- a/spec.bs +++ b/spec.bs @@ -859,14 +859,16 @@ be sent. An untrusted network status is either "`enabled`", "`disabled for this -tree`", or "`disabled for all subtrees`". +tree`", or "`disabled for this tree and fenced +subtrees`". Note: [=untrusted network status/Disabled for this tree=] is not the final network cutoff state. It -is an intermediate state where the frame has had its network access revoked, but at least one -subframe still has network access. It does not get special API access at this stage as any -information it gets access to can still be exfiltrated via the subframe with network access. Once -all sub-fenced frames have also had their untrusted network disabled, the fenced frame's status -will switch to the final [=untrusted network status/disabled for all subtrees=] state. +is an intermediate state where every frame within the frame tree that is not across a fenced frame +boundary has had its network access revoked, but at least one sub-fenced frame tree still has +network access. It does not get special API access at this stage as any information it gets access +to can still be exfiltrated via the subframe with network access. Once all sub-fenced frames have +also had their untrusted network disabled, the fenced frame's status will switch to the final +[=untrusted network status/disabled for this tree and fenced subtrees=] state.
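Review bot: |networkCutoffReady| in hunk @@ -2032,24 +2040,25 @@ is only correct if every descendant of |currentNavigable| has already been examined, because a not-ready descendant is what appends |ancestorFencedRoot| to |navigablesWithNetworkChildren|; yet the loop pops |navigables| as a [=stack=] built from [=Document/inclusive descendant navigables=] without stating the traversal order. Spell out the post-order (ancestors pushed first so they are popped last, or the list iterated in reverse), otherwise a parent fenced frame visited before its still-enabled child is promoted to the final state prematurely.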
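Review bot: Passing |settings| into revoke network for a partition nonce (hunk @@ -2077,12 +2086,12 @@) fixes the dangling [=this=] in a non-method algorithm, but the algorithm still terminates only the caller's [=fetch/fetch group=]. Other documents sharing |nonce| keep their in-flight fetches, since appending |nonce| to the [=network revocation nonce set=] only gates new requests through the must-be-blocked check monkeypatched into Fetch step 7. If letting in-flight responses complete in those frames is intended, say so in a note; otherwise terminate the fetch group of every document whose [=fenced frame config instance/partition nonce=] is |nonce|.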
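Review bot: Hunk @@ -2123,21 +2132,6 @@ deletes both HTML hooks that triggered recalculation (the [=abort a document=] step and the [=navigate=] completionSteps step) and nothing in this patch replaces them, so after this commit the only triggers are disableUntrustedNetwork() itself and <{fencedframe}> element removal; a nested navigable whose network-enabled document is replaced by navigation rather than removal no longer re-evaluates its ancestors. If the replacement is the element-removal hook added later in the series, move it into this commit, or note here why document abort and navigation no longer need to recalculate.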
In order to finalize a reporting destination, given a [=fencedframetype/fenced @@ -1354,7 +1356,7 @@ A fenced frame config instance is a [=struct=] with the follow {{Fence/disableUntrustedNetwork()}}. We store them here so that we can resolve all of them at once when the <{fencedframe}> and its descendants have their network access fully revoked (i.e., the [=fenced frame config instance/untrusted network status=] is [=untrusted network - status/disabled for all subtrees=]). + status/disabled for this tree and fenced subtrees=]). : cross-origin reporting allowed :: A [=boolean=], initially false. @@ -2040,7 +2042,7 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. context/fenced frame config instance=]. 1. If |config|'s [=fenced frame config instance/untrusted network status=] is [=untrusted - network status/disabled for all subtrees=], then [=iteration/continue=]. + network status/disabled for this tree and fenced subtrees=], then [=iteration/continue=]. 1. Let |networkCutoffReady| be true if |navigablesWithNetworkChildren| does not [=set/contain=] |currentNavigable| and |config|'s [=fenced frame config instance/untrusted network status=] @@ -2053,7 +2055,7 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. 1. If |networkCutoffReady| is true: 1. Set |config|'s [=fenced frame config instance/untrusted network status=] to [=untrusted - network status/disabled for all subtrees=]. + network status/disabled for this tree and fenced subtrees=]. 1. [=map/For each=] |global| → |promises| in |config|'s [=fenced frame config instance/on network disabled promises=]: From 589ca575697a149ce9f336243b99d8e159bd4e5b Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Fri, 27 Dec 2024 13:17:33 -0500 Subject: [PATCH 29/30] add iframe call and run in parallel --- spec.bs | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/spec.bs b/spec.bs index 20ae9d1..4d6f6e1 100644 --- a/spec.bs +++ b/spec.bs 
@@ -491,8 +491,8 @@ attribute. 1.

TODO: destroy the nested traversable.

- 1. [=Recalculate the untrusted network status of all fenced frame descendants=] given the - {{Document}}'s [=node navigable=]'s [=navigable/top-level traversable=]. + 1. [=In parallel=], [=recalculate the untrusted network status of all fenced frame descendants=] + given the {{Document}}'s [=node navigable=]'s [=navigable/top-level traversable=].
The config IDL attribute getter steps are to return @@ -2075,6 +2075,14 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. [=set/append=] |ancestorFencedRoot| to |navigablesWithNetworkChildren|.
+
+ When an <{iframe}> element is [=removed from a document=], the user agent must run the following + step: + + 1. [=In parallel=], [=recalculate the untrusted network status of all fenced frame descendants=] + given the {{Document}}'s [=node navigable=]'s [=navigable/top-level traversable=]. +
+ A user agent has an associated network revocation nonce set, which is a [=set=] of [=partition nonces=], and a network revocation exemption map, which is a [=map=] whose [=map/keys=] are [=partition nonces=] and [=map/values=] are [=sets=] of [=URLs=]. From dfbe2c2b16793df29e697ad99487940183de2033 Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Thu, 2 Jan 2025 15:03:37 -0500 Subject: [PATCH 30/30] use html element removing steps --- spec.bs | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/spec.bs b/spec.bs index 4d6f6e1..100ef22 100644 --- a/spec.bs +++ b/spec.bs @@ -100,6 +100,7 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/ urlPrefix: document-sequences.html text: valid navigable target name or keyword; url: valid-navigable-target-name-or-keyword text: the rules for choosing a navigable; url: the-rules-for-choosing-a-navigable + text: destroy a child navigable; url: destroy-a-child-navigable urlPrefix: dom.html text: categories; url: concept-element-categories text: contexts in which this element can be used; url: concept-element-contexts @@ -191,6 +192,7 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/ text: sequential navigation search algorithm; url: sequential-navigation-search-algorithm urlPefix: infrastructure.html text: immediately; url: immediately + text: HTML element removing steps; url: html-element-removing-steps urlPrefix: nav-history-apis.html for: Window text: navigable; url: window-navigable 
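Review bot: The new <{iframe}> hook in hunk @@ -2075,6 +2075,14 @@ refers to "the {{Document}}" without binding it (the removed element's node document, or the iframe's content document?), and "removed from a document" is prose rather than HTML's element removing steps hook, so the step has no defined position relative to [=destroy a child navigable=]. The order matters: if recalculation runs before the removed iframe's navigable is destroyed, that navigable is still among the top-level traversable's inclusive descendant navigables and its enabled status keeps the ancestor fenced frame out of the final state, with no later trigger to retry. Hook the iframe's HTML element removing steps, name the navigable explicitly, and run the recalculation after the destroy step.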
@@ -215,6 +217,9 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/ text: fire a click event; url: fire-a-click-event urlPrefix: urls-and-fetching.html text: about:srcdoc; url: about:srcdoc + urlPrefix: iframe-embed-object.html + for: iframe + text: HTML iframe element removing steps; url: the-iframe-element:html-element-removing-steps spec: fetch; urlPrefix: https://fetch.spec.whatwg.org/ type: dfn text: queue a cross-origin embedder policy CORP violation report; url: queue-a-cross-origin-embedder-policy-corp-violation-report @@ -2076,11 +2081,17 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
- When an <{iframe}> element is [=removed from a document=], the user agent must run the following - step: - + Rewrite the <{iframe}> element's [=iframe/HTML iframe element removing steps=] to read: + + The <{iframe}> [=HTML Element removing steps=], given |removedNode|, are: + + 1. Let |topLevelTraversable| be |removedNode| [=navigable container/content navigable=]'s + [=navigable/top-level traversable=]. + + 1. [=Destroy a child navigable=] given |removedNode|. + 1. [=In parallel=], [=recalculate the untrusted network status of all fenced frame descendants=] - given the {{Document}}'s [=node navigable=]'s [=navigable/top-level traversable=]. + given |topLevelTraversable|.
A user agent has an associated network revocation nonce set, which is a [=set=] of
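Review bot: Drive-by in hunk @@ -191,6 +192,7 @@: the context line `urlPefix: infrastructure.html` directly above the new `HTML element removing steps` anchor is misspelled (`urlPrefix`), so the entries under it, including the new one, may not resolve; worth fixing while touching this block. The usage `[=HTML Element removing steps=]` in the later hunk also differs in casing from the anchor text added here; align them.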
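Review bot: `Let |topLevelTraversable| be |removedNode| [=navigable container/content navigable=]'s ...` in hunk @@ -2076,11 +2081,17 @@ is missing the possessive (`|removedNode|'s`), and it reads the content navigable unconditionally even though an <{iframe}> can be removed while its content navigable is null (the very [=destroy a child navigable=] step invoked next guards that case); add `If |removedNode|'s [=navigable container/content navigable=] is null, then return.` before taking its top-level traversable. Also consider inserting the recalculation as an additional step after HTML's existing iframe removing steps instead of restating them ("Rewrite ... to read"), so the monkeypatch does not silently diverge if HTML changes those steps.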