With the change in data: URLs I think whether a document-based environment is a secure context can be a function of the top-level creation URL. Basically, if an environment's top-level creation URL is a secure context, environment is a secure context.

If that's the case we could maybe change #5491 to store the top-level creation URL rather than its origin. And chose between the top-level creation URL and the top-level origin as appropriate.

@mikewest @shivanigithub @domenic thoughts?

For workers we'd still have to explicitly inherit, but we should do that anyway to fix w3c/webappsec-secure-contexts#56 and w3c/webappsec-secure-contexts#74. (I was thinking that the "is secure context" operation either returns an explicit secure context value or assumes the environment is for a document and runs that function on a creation URL.)

There's also the smaller issue of defining windowOrWorker.isSecureContext in HTML. We should probably do that after we figure out how to define it for settings objects.