Policy Lookup

To look up a policy P for a property or external interface, our implementation first checks whether there is a site security policy for the executing script's origin URL. Otherwise it uses the current default global security policy. It then checks whether there is a preference for P in that security policy.

Because we allow site security policies to apply to URLs, and not just to hostnames, the site security policy lookup uses the longest (and, therefore, presumably most specific) policy that matches the subject URL. For example, assume there are site security policies for e-mall.com and https://e-mall.com/store1/. The subject origin URLs https://e-mall.com/index.html and https://e-mall.com/store2/ would both use the first policy, whereas, https://e-mall.com/store1/catalog.html would use the second.