diff --git a/spec/index.bs b/spec/index.bs
index dacb621c..e900862b 100644
--- a/spec/index.bs
+++ b/spec/index.bs
@@ -354,6 +354,26 @@ value |value|:
+### Infrastructure algorithm ### {#infra-algorithm}
+
+
+An [=environment settings object=] (|settings|) is same-site with its
+ ancestors if the following algorithm returns `true`:
+
+1. If |settings|'s [=relevant global object=] has no [=associated Document=],
+ return `false`.
+1. Let |document| be |settings|' [=relevant global object=]'s [=associated Document=].
+1. If |document| has no [=Document/browsing context=], return `false`.
+1. Let |origin| be |settings|' [=environment settings object/origin=].
+1. Let |navigable| be |document|'s [=node navigable=].
+1. While |navigable| has a non-null [=navigable/parent=]:
+ 1. Set |navigable| to |navigable|'s [=navigable/parent=].
+ 1. If |navigable|'s [=active document=]'s [=Document/origin=] is not
+ [=/same site=] with |origin|, return `false`.
+1. Return `true`.
+
+
+
### HTTP header API ### {#login-status-http}
[=IDPs=] can set the login status using an HTTP [=response=] [=header=] as follows.
@@ -366,14 +386,15 @@ be the result of [=get a structured field value=] from the response's header
list with name "Set-Login
" and type "`item`". If |value| is not null,
process this header as follows:
+
1. Let |origin| be the response's [=response/URL=]'s [=/origin=].
1. Let |client| be the [=/request=]'s [=request/client=].
1. If the request's [=request/destination=] is not `"document"`:
1. If |client| is null, return.
- 1. If |origin| is not [=same origin=] with the [=/request=]'s
+ 1. If |origin| is not [=/same site=] with the [=/request=]'s
[=request/origin=], return.
- 1. If |client| is not [=same-origin with its ancestors=], return.
+ 1. If |client| is not [=same-site with its ancestors=], return.
1. Assert that |value| is a tuple.
1. Let |token| be the first entry of |value|.
1. If |token| is `"logged-in"`, [=set the login status=] for |origin|
@@ -406,7 +427,7 @@ partial interface Navigator {
When {{NavigatorLogin/setStatus()}} is called with argument |status|:
-1. If the [=current settings object=] is not [=same-origin with its ancestors=],
+1. If the [=current settings object=] is not [=same-site with its ancestors=],
throw a {{SecurityError}} {{DOMException}}.
1. Let |origin| be the [=current settings object=]'s
[=environment settings object/origin=].