From eb261a9411c26090a4cdee33d0b12ca7f53daa5f Mon Sep 17 00:00:00 2001
From: Jun <jkokatsu@google.com>
Date: Tue, 5 Sep 2023 17:18:55 -0700
Subject: [PATCH] Update index.src.html

---
 index.src.html | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/index.src.html b/index.src.html
index a6a81f1..be7c3f2 100644
--- a/index.src.html
+++ b/index.src.html
@@ -1095,17 +1095,11 @@ <h3 id="origin-allowed" algorithm>
   1.  If |response|'s <a for="response">url</a>'s <a for="url">scheme</a> is
       a <a>local scheme</a>, return "`Allowed`".
 
-      Note: The embedder has direct access to same-origin responses, so if it
-      wishes to enforce a policy on that same-origin response, we simply do so.
-
-  2.  If |response|'s <a for="response">url</a>'s <a for="url">origin</a> is the
-      same as |request|'s <a for="request">origin</a>, return "`Allowed`".
-
-      Note: Likewise, <a>local scheme</a> responses already inherit their policy
+      Note: The <a>local scheme</a> responses already inherit their policy
       from the embedder, so we allow the embedder to tighten that policy via this
       embedding mechanism.
 
-  3.  If |response|'s <a for="response">header list</a> has a header named
+  2.  If |response|'s <a for="response">header list</a> has a header named
       <a http-header>`Allow-CSP-From`</a> (|header|):
 
       1.  If |header|'s value is "`*`", return "`Allowed`".
@@ -1114,7 +1108,7 @@ <h3 id="origin-allowed" algorithm>
           <a lt="ASCII serialization of an origin">serialized</a> and <a>UTF-8
           encoded</a> is |header|'s value, return "`Allowed`".
 
-  4.  Return "`Not Allowed`".
+  3.  Return "`Not Allowed`".
 
   <h4 id="intersection-source-expressions" algorithm>
     What is an intersection of two expressions matching