https://w3c.github.io/webappsec-csp/#directive-disown-opener
While it is possible to disown the opener after document construction has begun or completed, it is not possible to change certain properties, such as whether a context is a secure context or not. This state is decided very early on during prototype object construction, so the disown-opener directive would need to be sent in the HTTP headers in order to allow an opened document to be a secure context.
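
An added example, not part of the original text or the specification: a small audit helper that reports whether a response delivers disown-opener in a Content-Security-Policy HTTP header, which the paragraph above says is required for the secure-context effect, or only in a meta element, which is parsed after document construction has started. The function names and the sample responses are assumptions made for illustration.

```javascript
// Added example. Classifies how a response delivers the disown-opener directive.
// All names here are hypothetical; sample inputs in the test are constructed.

// Split a serialized CSP list into lowercase directive names.
function directiveNames(policyList) {
  return policyList
    .split(",")                               // one header may carry several policies
    .flatMap((policy) => policy.split(";"))   // directives are ';'-separated
    .map((d) => d.trim().split(/\s+/)[0].toLowerCase())
    .filter((name) => name.length > 0);
}

// Collect the content of <meta http-equiv="Content-Security-Policy"> elements.
function metaPolicies(html) {
  const out = [];
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    const isCsp =
      /http-equiv\s*=\s*["']?content-security-policy["']?(?=[\s\/>])/i.test(tag);
    if (!isCsp) continue;
    const m = tag.match(/\bcontent\s*=\s*(?:"([^"]*)"|'([^']*)')/i);
    if (m) out.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return out;
}

// Returns "header", "meta-only" or "absent".
// "meta-only" is the case to flag: the policy arrives too late to influence
// state that is fixed early in document construction, such as secure-context status.
function disownOpenerDelivery(headers, html) {
  const headerValues = Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === "content-security-policy")
    .flatMap(([, value]) => [].concat(value)); // value may be a string or an array
  const has = (v) => directiveNames(v).includes("disown-opener");
  if (headerValues.some(has)) return "header";
  if (metaPolicies(html).some(has)) return "meta-only";
  return "absent";
}
```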