The Presentation API imposes a well-defined environment for the receiving browsing context when it is created, but it does not say anything about nested browsing contexts that this browsing context could create (e.g. with an <iframe>).

I'm not clear how the restrictions on cookies, Application cache, Permissions, IndexedDB, Web Storage, and Service Workers propagate to nested browsing contexts in particular. Should the spec rather attach the steps that deal with these constraints to the create a browsing context algorithm in HTML so that they apply to all browsing contexts on the receiving side?

(This issue is unrelated to but still triggered by the discussion around [SameObject] and receiving browsing contexts in #365)