Overview.src.html

<!doctype html>
<html lang=en-US>
<meta charset=utf-8>
<title>Fetch Standard</title>
<link rel=stylesheet href=//whatwg.org/style/specification>
<link rel=icon href=//resources.whatwg.org/logo-fetch.svg>

<div class=head>

<p><a class=logo href=//whatwg.org/><img alt=WHATWG src=//resources.whatwg.org/logo-fetch.svg width=100 height=100></a>
<h1 id=cors>Fetch</h1>
<h2 class="no-num no-toc">Living Standard &mdash; Last Updated [DATE: 3 August 2002]</h2>

<dl>
 <dt>Participate:
 <dd>Send feedback to <a href="//whatwg.org/mailing-list">whatwg@whatwg.org</a>
 (<a href="http://lists.w3.org/Archives/Public/public-whatwg-archive/">archives</a>)
  or
  <a href="https://www.w3.org/Bugs/Public/enter_bug.cgi?product=WHATWG&amp;component=Fetch">file a bug</a>
  (<a href="https://www.w3.org/Bugs/Public/buglist.cgi?product=WHATWG&amp;component=Fetch&amp;resolution=---">open bugs</a>)
 <dd>Temporary: ServiceWorker <a href="https://github.com/slightlyoff/ServiceWorker/labels/fetch">issues labeled "fetch"</a>
 <dd><a href=//wiki.whatwg.org/wiki/IRC>IRC: #whatwg on Freenode</a>

 <dt>Commits:
 <dd><a href=https://github.com/whatwg/fetch/commits>https://github.com/whatwg/fetch/commits</a>
 <dd><a href=https://twitter.com/fetchstandard>@fetchstandard</a>
</dl>

<script src=//resources.whatwg.org/file-bug.js async></script>

</div>



<h2 class="no-num no-toc short">Abstract</h2>

<p>The Fetch standard defines requests, responses, and the process that binds them;
fetching.



<h2 class="no-num no-toc">Table of Contents</h2>
<!-- toc -->



<h2 class="no-num short">Goals</h2>

<p>To unify fetching across the web platform this specification supplants a number of algorithms and specifications:

<ul class="brief no-backref">
 <li>HTML Standard's fetch and potentially CORS-enabled fetch algorithms
 <span data-anolis-ref class=informative>HTML</span>
 <li>CORS <span data-anolis-ref class=informative>CORS</span>
 <li>HTTP `<code title=http-origin>Origin</code>` header semantics
 <span data-anolis-ref class=informative>ORIGIN</span>
</ul>

<p>Unifying fetching provides consistent handling of:

<ul class=brief>
 <li>URL schemes
 <li>Redirects
 <li>Cross-origin semantics
 <li>CSP <span data-anolis-ref>CSP</span>
 <li>Service Workers <span data-anolis-ref>SW</span>
 <li>Mixed Content <span data-anolis-ref>MIX</span>
 <li>`<code title>Referer</code>` <span data-anolis-ref>REFERRER</span>
</ul>



<h2 class="short">Conformance</h2>

<p>All diagrams, examples, and notes in this specification are
non-normative, as are all sections explicitly marked non-normative.
Everything else in this specification is normative.

<p>The key words "MUST", "MUST NOT", "REQUIRED", <!--"SHALL", "SHALL
NOT",--> "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in the normative parts of this specification are to be
interpreted as described in RFC2119. For readability, these words do
not appear in all uppercase letters in this specification.
<span data-anolis-ref>RFC2119</span>



<h2>Infrastructure</h2>

<p>This specification uses terminology from the Encoding, HTML, and URL Standards.
<span data-anolis-ref>ENCODING</span>
<span data-anolis-ref>HTML</span>
<span data-anolis-ref>URL</span>

<p>A <span data-anolis-spec=encoding>byte</span> sequence with bytes in the range 0x00 to
0x7F is represented as a <span data-anolis-spec=encoding>utf-8</span> encoded
<span data-anolis-spec=encoding>string</span> with code points in the range U+0000 to
U+007F. To avoid confusion with an actual string backticks are used.

<p class=example>"<code title>true</code>" is a
<span data-anolis-spec=encoding>string</span>, while `<code title>true</code>` is a
byte sequence.

<p>Comparing two byte sequences in a <dfn>byte case-insensitive</dfn> manner means
comparing them exactly, byte for byte, except that the bytes in the range 0x41 to 0x5A are
considered to also match their corresponding byte in the range 0x61 to 0x7A.

<p>A <dfn>case-insensitive byte sequence</dfn> is a byte sequence that when compared to
another byte sequence does so in a <span>byte case-insensitive</span> manner.

<p class=example>The
<span title="case-insensitive byte sequence">case-insensitive byte sequences</span>
`<code title>Content-Type</code>` and `<code title>content-TYPE</code>` are equal.

<p>To <dfn>byte lowercase</dfn> a byte sequence, increase each byte it contains, in the
range 0x41 to 0x5A, by 0x20.

<p>To <dfn>byte uppercase</dfn> a byte sequence, subtract each byte it contains, in the
range 0x61 to 0x7A, by 0x20.

<hr>

<p>To <dfn>queue a fetch task</dfn> on <span title=concept-request>request</span>
<var title>request</var> to <var title>run an operation</var>,
<span data-anolis-spec=html>queue a task</span> to <var title>run an operation</var> on
<var title>request</var>'s <span title=concept-request-client>client</span>'s
<span data-anolis-spec=html>responsible event loop</span> using the
<span data-anolis-spec=html>networking task source</span>.


<h3>HTTP</h3>

<p>While <span title=concept-fetch>fetching</span> encompasses more than just HTTP, it
borrows a number of concepts from HTTP and applies these to resources obtained via other
means (e.g. <code title>data</code> URLs).


<h4>Methods</h4>

<p>A <dfn title=concept-method>method</dfn> is a byte sequence that matches the
<span data-anolis-spec=http>Method</span> token production.

<p>A <dfn>simple method</dfn> is a <span title=concept-method>method</span> that is
`<code title>GET</code>`, `<code title>HEAD</code>`, or `<code title>POST</code>`.

<p>A <dfn>forbidden method</dfn> is a <span title=concept-method>method</span> that is a
<span>byte case-insensitive</span> match for one of `<code title>CONNECT</code>`,
`<code title>TRACE</code>`, and `<code title>TRACK</code>`.
<span data-anolis-ref class=informative>HTTPVERBSEC</span>

<p>To <dfn title=concept-method-normalize>normalize</dfn> a
<span title=concept-method>method</span>, if it is a <span>byte case-insensitive</span>
match for `<code title>DELETE</code>`, `<code title>GET</code>`,
`<code title>HEAD</code>`, `<code title>OPTIONS</code>`, `<code title>POST</code>`, or
`<code title>PUT</code>`, <span>byte uppercase</span> it.

<p class="note no-backref"><span title=concept-method-normalize>Normalization</span> is
done for backwards compatibility and consistency across APIs as
<span title=concept-method>methods</span> are actually "case-sensitive".


<h4 id=terminology-headers>Headers</h4>

<p>A <dfn title=concept-header-list>header list</dfn> consists of zero or more
<span title=concept-header>headers</span>.

<p>To <dfn title=concept-header-list-append>append</dfn> a
<span title=concept-header-name>name</span>/<span title=concept-header-value>value</span>
(<var title>name</var>/<var title>value</var>) pair to a
<span title=concept-header-list>header list</span> (<var title>list</var>), append a new
<span title=concept-header>header</span> whose <span title=concept-header-name>name</span>
is <var title>name</var>, <span title="byte lowercase">byte lowercased</span>, and
<span title=concept-header-value>value</span> is <var title>value</var>, to
<var title>list</var>.

<p>To <dfn title=concept-header-list-delete>delete</dfn> a
<span title=concept-header-name>name</span> (<var title>name</var>) from a
<span title=concept-header-list>header list</span> (<var title>list</var>), remove all
<span title=concept-header>headers</span> whose
<span title=concept-header-name>name</span> is <var title>name</var>,
<span title="byte lowercase">byte lowercased</span>, from <var title>list</var>.

<p>To <dfn title=concept-header-list-set>set</dfn> a
<span title=concept-header-name>name</span>/<span title=concept-header-value>value</span>
(<var title>name</var>/<var title>value</var>) pair in a
<span title=concept-header-list>header list</span> (<var title>list</var>), run these
steps:

<ol>
 <li><p><span>Byte lowercase</span> <var title>name</var>.

 <li><p>If there are any <span title=concept-header>headers</span> in
 <var title>list</var> whose <span title=concept-header-name>name</span> is
 <var title>name</var>, set the <span title=concept-header-value>value</span> of the first
 such <span title=concept-header>header</span> to <var title>value</var> and remove the
 others.

 <li><p>Otherwise, append a new <span title=concept-header>header</span> whose
 <span title=concept-header-name>name</span> is <var title>name</var> and
 <span title=concept-header-value>value</span> is <var title>value</var>, to
 <var title>list</var>.
</ol>

<p>To <dfn title=concept-header-list-combine>combine</dfn> a
<span title=concept-header-name>name</span>/<span title=concept-header-value>value</span>
(<var title>name</var>/<var title>value</var>) pair in a
<span title=concept-header-list>header list</span> (<var title>list</var>), run these
steps:

<ol>
 <li><p><span>Byte lowercase</span> <var title>name</var>.

 <li><p>If there are any <span title=concept-header>headers</span> in
 <var title>list</var> whose <span title=concept-header-name>name</span> is
 <var title>name</var>, set the <span title=concept-header-value>value</span> of the first
 such <span title=concept-header>header</span> to
 <span title=concept-header-value>value</span>, followed by 0x2C 0x20, followed by <var title>value</var>.

 <li><p>Otherwise, append a new <span title=concept-header>header</span> whose
 <span title=concept-header-name>name</span> is <var title>name</var> and
 <span title=concept-header-value>value</span> is <var title>value</var>, to
 <var title>list</var>.
</ol>

<p class="note no-backref"><span title=concept-header-list-combine>Combine</span> solely
exists for <code data-anolis-spec=xhr>XMLHttpRequest</code>.

<hr>

<p>A <dfn title=concept-header>header</dfn> consists of a
<dfn title=concept-header-name>name</dfn> and <dfn title=concept-header-value>value</dfn>.
A <span title=concept-header-name>name</span> is a
<span>case-insensitive byte sequence</span> that matches the
<span data-anolis-spec=http>field-name</span> token production. A
<span title=concept-header-value>value</span> is a byte sequence that matches the
<span data-anolis-spec=http>field-value</span> token production and contains no 0x0A or
0x0D bytes.

<p class=note>Allowing 0x0A and 0x0D bytes can lead to reparsing issues.

<hr>

<p>A <dfn>simple header</dfn> is a <span title=concept-header>header</span> whose
<span title=concept-header-name>name</span> is either one of `<code title>Accept</code>`,
`<code title>Accept-Language</code>`, and `<code title>Content-Language</code>`, or whose
<span title=concept-header-name>name</span> is `<code title>Content-Type</code>` and
<span title=concept-header-value>value</span>,
<span title=concept-header-parse>once parsed</span>, has a MIME type (ignoring parameters)
that is one of `<code title>application/x-www-form-urlencoded</code>`,
`<code title>multipart/form-data</code>`, and `<code title>text/plain</code>`.
<!-- XXX * needs better xref
         * ignoring parameters has been the standard for a long time now
         * interesting test: "Content-Type: text/plain;" -->

<p>A <dfn>forbidden header name</dfn> is a <span title=concept-header>header</span>
<span title=concept-header-name>name</span> that either is one of

<ul class=brief>
 <li>`<code title>Accept-Charset</code>`
 <li>`<code title>Accept-Encoding</code>`
 <li>`<code title>Access-Control-Request-Headers</code>`
 <li>`<code title>Access-Control-Request-Method</code>`
 <li>`<code title>Connection</code>`
 <li>`<code title>Content-Length</code>`
 <li>`<code title>Cookie</code>`
 <li>`<code title>Cookie2</code>`
 <li>`<code title>Date</code>`
 <li>`<code title>DNT</code>`
 <li>`<code title>Expect</code>`
 <li>`<code title>Host</code>`
 <li>`<code title>Keep-Alive</code>`
 <li>`<code title=http-origin>Origin</code>`
 <li>`<code title>Referer</code>`
 <li>`<code title>TE</code>`
 <li>`<code title>Trailer</code>`
 <li>`<code title>Transfer-Encoding</code>`
 <li>`<code title>Upgrade</code>`
 <li>`<code title>User-Agent</code>`
 <li>`<code title>Via</code>`
</ul>

<p>or starts with `<code title>Proxy-</code>` or `<code title>Sec-</code>`
(including when it is just `<code title>Proxy-</code>` or `<code title>Sec-</code>`).

<p class=note>These are forbidden so the user agent remains in full control over them.
<span title=concept-header-name>Names</span> starting with `<code title>Sec-</code>` are
reserved to allow new <span title=concept-header>headers</span> to be minted that are safe
from APIs using <span title=concept-fetch>fetch</span> that allow control over
<span title=concept-header>headers</span> by developers, such as
<code data-anolis-spec=xhr>XMLHttpRequest</code>.
<span data-anolis-ref class=informative>XHR</span>

<p>A <dfn>forbidden response header name</dfn> is a <span title=concept-header>header</span>
<span title=concept-header-name>name</span> that is one of:

<ul class=brief>
 <li>`<code title>Set-Cookie</code>`
 <li>`<code title>Set-Cookie2</code>`
</ul>

<hr>

<p>To <dfn title=concept-header-parse>parse a header value</dfn> given a
<span title=concept-header-name>name</span> (<var title>name</var>)  and either a
<span title=concept-header>header</span> or a
<span title=concept-header-list>header list</span> (<var title>headers</var>), run these
steps:

<ol>
 <li><p>If <var title>name</var> is not in <var title>headers</var>, return null.

 <li>
  <p>If the ABNF for <var title>name</var> allows a single
  <span title=concept-header>header</span> and <var title>headers</var> contains more than
  one, return failure.

  <p class="note no-backref">That if you require different error handling, you need to
  extract the desired <span title=concept-header>header</span> first.

 <li><p>If parsing all the <span title=concept-header>headers</span>
 <span title=concept-header-name>named</span> <var title>name</var> in
 <var title>headers</var>, per the ABNF for <var title>name</var>, failed, return failure.

 <li><p>Return one or more <span title=concept-header-value>values</span> resulting from
 parsing all the <span title=concept-header>headers</span>
 <span title=concept-header-name>named</span> <var title>name</var> in
 <var title>headers</var>, per the ABNF for <var title>name</var>.
</ol>

<p>To <dfn title=concept-header-extract-MIME-type>extract a MIME type</dfn> from a
<span title=concept-header-list>header list</span> (<var title>headers</var>), run these
steps:

<ol>
 <li><p>Let <var title>MIMEType</var> be the result of
 <span title=concept-header-parse>parsing</span> `<code title>Content-Type</code>` in
 <var title>headers</var>.

 <li><p>If <var title>MIMEType</var> is null or failure, return the empty byte sequence.

 <li><p>Return <var title>MIMEType</var>,
 <span title="byte lowercase">byte lowercased</span>.
</ol>

<h4>Bodies</h4>

<p>A <dfn title=concept-body>body</dfn> is a byte stream. It has an associated
<dfn title=concept-body-transmitted>transmitted</dfn> which is an integer and initially 0,
<dfn title=concept-body-length>length</dfn> which is an integer and initially 0, and
<dfn title=concept-body-error-flag>error flag</dfn> which is initially unset.

<p>To <dfn>handle content codings</dfn> given <var title>codings</var> and
<var title>bytes</var>, run these substeps:

<ol>
 <li><p>If <var title>codings</var> are not supported, return <var title>bytes</var>.

 <li><p>Return the result of decoding bytes with the given
 <var title>codings</var> as explained in HTTP. <span data-anolis-ref>HTTP</span>
</ol>
<!-- XXX no hook in HTTP -->

<h4>Requests</h4>

<p>The input to <span title=concept-fetch>fetch</span> is a
<dfn title=concept-request>request</dfn>.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-method>method</dfn> (a
<span title=concept-method>method</span>). Unless stated otherwise it is
`<code title>GET</code>`.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-url>url</dfn> (a
<span data-anolis-spec=url title=concept-url>URL</span>).

<p class="note no-backref">This is updated during redirects as described in
<span title=concept-http-fetch>HTTP fetch</span>.

<p>A <span title=concept-request>request</span> has an associated
<dfn>sandboxed storage area URLs flag</dfn>. Unless stated otherwise it is unset.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-header-list>header list</dfn> (a
<span title=concept-header-list>header list</span>). Unless stated otherwise it is empty.

<p>A <span title=concept-request>request</span> has an associated
<dfn>unsafe request flag</dfn>. Unless stated otherwise it is unset.

<p class="note no-backref">The <span>unsafe request flag</span> is set by APIs such as
<code title=dom-global-fetch>fetch()</code>  and
<code data-anolis-spec=xhr>XMLHttpRequest</code> to ensure a
<span>CORS preflight fetch</span> is done based on the supplied
<span title=concept-request-method>method</span> and
<span title=concept-request-header-list>header list</span>. It does not free an API from
outlawing <span title="forbidden method">forbidden methods</span> and
<span title="forbidden header name">forbidden header names</span>.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-body>body</dfn> (null or a
<span title=concept-body>body</span>). Unless stated otherwise it is null.

<hr>

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-client>client</dfn> (an
<span data-anolis-spec=html>environment settings object</span>).

<p>A <span title=concept-request>request</span> has an associated
<dfn>skip service worker flag</dfn>. Unless stated otherwise it is unset.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-context>context</dfn>, which is one of
<i title>audio</i>,
<i title>beacon</i>,
<i title>cspreport</i>,
<i title>download</i>,
<i title>embed</i>,
<i title>eventsource</i>,
<i title>favicon</i>,
<i title>fetch</i>,
<i title>font</i>,
<i title>form</i>,
<i title>frame</i>,
<i title>hyperlink</i>,
<i title>iframe</i>,
<i title>image</i>,
<i title>imageset</i>,
<i title>import</i>,
<i title>internal</i>,
<i title>location</i>,
<i title>manifest</i>,
<i title>object</i>,
<i title>ping</i>,
<i title>plugin</i>,
<i title>prefetch</i>,
<i title>script</i>,
<i title>serviceworker</i>,
<i title>sharedworker</i>,
<i title>subresource</i>,
<i title>style</i>,
<i title>track</i>,
<i title>video</i>,
<i title>worker</i>,
<i title>xmlhttprequest</i>, and
<i title>xslt</i>.
<!--
https://wiki.whatwg.org/wiki/Contexts
https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIContentPolicy
-->

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-context-frame-type>context frame type</dfn>, which is one of
<i title>auxiliary</i>, <i title>top-level</i>, <i title>nested</i>, and
<i title>none</i>. Unless stated otherwise it is <i title>none</i>.

<p class=XXX>Remove <i title>auxiliary</i>? Not sure it is distinctive enough.

<div class=note>
 <p>The following table illustrates the relationship between a
 <span title=concept-request>request</span>'s
 <span title=concept-request-context>context</span>, its
 <span title=concept-request-context-frame-type>context frame type</span>, and
 CSP directives:

 <table>
  <tr>
   <th><span title=concept-request-context>context</span>
   <th><span title=concept-request-context-frame-type>context frame type</span>
   <th>CSP directive
   <th>Platform feature example
  <tr>
   <td><i title>audio</i>
   <td><i title>none</i>
   <td><code title>media-src</code>
   <td>HTML's <code>audio</code> element
  <tr>
   <td><i title>beacon</i>
   <td><i title>none</i>
   <td><code title>connect-src</code>
   <td><code>navigator.sendBeacon()</code>
  <tr>
   <td><i title>cspreport</i>
   <td><i title>none</i>
   <td><code title>connect-src</code>
   <td>CSP's report feature
  <tr>
   <td><i title>download</i>
   <td><i title>none</i>
   <td>&mdash;
   <td>HTML's <code>a</code> element when its <code>download</code> attribute is set
  <tr>
   <td><i title>embed</i>
   <td><i title>none</i>
   <td><code title>object-src</code>
   <td>HTML's <code>embed</code> element
  <tr>
   <td><i title>eventsource</i>
   <td><i title>none</i>
   <td><code title>connect-src</code>
   <td><code>EventSource</code>
  <tr>
   <td><i title>favicon</i>
   <td><i title>none</i>
   <td>&mdash;
   <td><code title>/favicon.ico</code> resource
  <tr>
   <td><i title>fetch</i>
   <td><i title>none</i>
   <td><code title>connect-src</code>
   <td><code title=dom-global-fetch>fetch()</code>
  <tr>
   <td><i title>font</i>
   <td><i title>none</i>
   <td><code title>font-src</code>
   <td>CSS' <code>@font-face</code>
  <tr>
   <td><i title>form</i>
   <td>any but <i title>none</i>
   <td><code title>form-action</code>, potentially <code title>child-src</code>
   <td>HTML's <code>form</code> element
  <tr>
   <td><i title>frame</i>
   <td><i title>nested</i>
   <td><code title>child-src</code>
   <td>HTML's <code>frame</code> element
  <tr>
   <td><i title>hyperlink</i>
   <td>any but <i title>none</i>
   <td>potentially <code title>child-src</code>
   <td>HTML's <code>a</code> element
  <tr>
   <td><i title>iframe</i>
   <td><i title>nested</i>
   <td><code title>child-src</code>
   <td>HTML's <code>iframe</code> element
  <tr>
   <td><i title>image</i>
   <td><i title>none</i>
   <td><code title>img-src</code>
   <td>SVG's <code>image</code> element
  <tr>
   <td><i title>imageset</i>
   <td><i title>none</i>
   <td><code title>img-src</code>
   <td>HTML's <code>picture</code> element
  <tr>
   <td><i title>import</i>
   <td><i title>none</i>
   <td><code title>script-src</code>
   <td>HTML's <code>link</code> element when its <code>rel</code> attribute is set to
   "<code>import</code>"
  <tr>
   <td><i title>internal</i>
   <td>any
   <td>&mdash;
   <td>User agent actions such as refresh, back, forward; other user agent usage
  <tr>
   <td><i title>location</i>
   <td>any but <i title>none</i>
   <td>potentially <code title>child-src</code>
   <td><code title>window.location</code>
  <tr>
   <td><i title>manifest</i>
   <td><i title>none</i>
   <td>&mdash;
   <td>HTML's <code>link</code> element when its <code>rel</code> attribute is set to
   "<code>manifest</code>"
  <tr>
   <td><i title>object</i>
   <td><i title>none</i>
   <td><code title>object-src</code>
   <td>HTML's <code>object</code> element
  <tr>
   <td><i title>ping</i>
   <td><i title>none</i>
   <td><code title>connect-src</code>
   <td>HTML's <code>ping</code> attribute
  <tr>
   <td><i title>plugin</i>
   <td><i title>none</i>
   <td>&mdash;
   <td>A <span title=concept-fetch>fetch</span> from a plugin
  <tr>
   <td><i title>prefetch</i>
   <td><i title>none</i>
   <td>&mdash;
   <td>HTML's <code>link</code> element when its <code>rel</code> attribute is set to
   "<code>prefetch</code>"
  <tr>
   <td><i title>script</i>
   <td><i title>none</i>
   <td><code title>script-src</code>
   <td>HTML's <code>script</code> element
  <tr>
   <td><i title>serviceworker</i>
   <td><i title>none</i>
   <td>&mdash;
   <td><code title>navigator.serviceWorker.register()</code>
  <tr>
   <td><i title>sharedworker</i>
   <td><i title>none</i>
   <td><code title>child-src</code>
   <td><code>SharedWorker</code>
  <tr>
   <td><i title>subresource</i>
   <td><i title>none</i>
   <td>&mdash;
   <td>HTML's <code>link</code> element when its <code>rel</code> attribute is set to
   "<code>subresource</code>"
  <tr>
   <td><i title>style</i>
   <td><i title>none</i>
   <td><code title>style-src</code>
   <td>HTML's <code>link</code> element when its <code>rel</code> attribute is set to
   "<code>stylesheet</code>"
  <tr>
   <td><i title>track</i>
   <td><i title>none</i>
   <td><code title>media-src</code>
   <td>HTML's <code>track</code> element
  <tr>
   <td><i title>video</i>
   <td><i title>none</i>
   <td><code title>media-src</code>
   <td>HTML's <code>video</code> element
  <tr>
   <td><i title>worker</i>
   <td><i title>none</i>
   <td><code title>child-src</code>
   <td><code>Worker</code>
  <tr>
   <td><i title>xmlhttprequest</i>
   <td><i title>none</i>
   <td><code title>connect-src</code>
   <td><code data-anolis-spec=xhr>XMLHttpRequest</code>
  <tr>
   <td><i title>xslt</i>
   <td><i title>none</i>
   <td><code title>script-src</code>
   <td><code>&lt;?xml-stylesheet></code>
 </table>
</div>

<hr>

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-origin>origin</dfn> (an
<span data-anolis-spec=html>origin</span>). Unless stated otherwise it is an
opaque identifier.

<p>A <span title=concept-request>request</span> has an associated
<dfn>force <code title>Origin</code> header flag</dfn>. Unless stated otherwise it is unset.

<p>A <span title=concept-request>request</span> has an associated
<dfn>same-origin data URL flag</dfn>. Unless stated otherwise it is unset.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-referrer>referrer</dfn>, which is <i title>no referrer</i>,
<i title>client</i>, or a <span data-anolis-spec=url title=concept-url>URL</span>. Unless
stated otherwise it is <i title>client</i>.

<p>A <span title=concept-request>request</span> has an associated
<dfn>authentication flag</dfn>. Unless stated otherwise it is unset.

<p>A <span title=concept-request>request</span> has an associated
<dfn>synchronous flag</dfn>. Unless stated otherwise it is unset.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-mode>mode</dfn>, which is one of <i title>same-origin</i>,
<i title>no CORS</i>, <i title>CORS</i>, and
<i title>CORS-with-forced-preflight</i>. Unless stated otherwise, it is
<i title>no CORS</i>.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-credentials-mode>credentials mode</dfn>, which is
one of <i title>omit</i>, <i title>same-origin</i>, and <i title>include</i>. Unless
stated otherwise, it is <i title>omit</i>.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-use-url-credentials-flag>use URL credentials flag</dfn>.
Unless stated otherwise, it is unset.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-cache-mode>cache mode</dfn>, which is one of
<i title>default</i>, <i title>no-store</i>, <i title>reload</i>, <i title>no-cache</i>,
<i title>force cache</i>, and <i title>only-if-cached</i>. Unless stated otherwise, it is
<i title>default</i>.

<p class="note no-backref">If <span title=concept-request-header-list>header list</span>
contains a <span title=concept-header>header</span> whose
<span title=concept-header-name>name</span> is one of
`<code title>If-Modified-Since</code>`,
`<code title>If-None-Match</code>`,
`<code title>If-Unmodified-Since</code>`,
`<code title>If-Match</code>`, and
`<code title>If-Range</code>`, <span title=concept-fetch>fetch</span> will set
<span title=concept-request-cache-mode>cache mode</span> to <i title>no-store</i> if it is
<i title>default</i>.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-manual-redirect-flag>manual redirect flag</dfn>. Unless stated
otherwise, it is unset.

<hr>

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-redirect-count>redirect count</dfn>. Unless stated otherwise,
it is zero.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-response-tainting>response tainting</dfn>, which is one of
<i title>basic</i>, <i title>CORS</i>, and <i title>opaque</i>. Unless stated otherwise,
it is <i title>basic</i>.

<p class="note no-backref">A <span title=concept-request>request</span>'s
<span title=concept-request-redirect-count>redirect count</span> and
<span title=concept-request-response-tainting>response tainting</span> are used as
bookkeeping details by the <span title=concept-fetch>fetch</span> algorithm.

<hr>

<p>A <dfn>client request</dfn> is a <span title=concept-request>request</span> whose
<span title=concept-request-context>context</span> is one of
<i title>form</i>,
<i title>frame</i>,
<i title>hyperlink</i>,
<i title>iframe</i>,
<i title>internal</i> (as long as <span title=concept-request-context-frame-type>context frame type</span> is not <i title>none</i>),
<i title>location</i>,
<i title>serviceworker</i>,
<i title>sharedworker</i>, and
<i title>worker</i>.

<p>A <dfn>potential client request</dfn> is a <span title=concept-request>request</span>
whose <span title=concept-request-context>context</span> is <i title>embed</i> or
<i title>object</i>.

<p>A <dfn>resource request</dfn> is a <span title=concept-request>request</span> that is
neither a <span>client request</span> nor a <span>potential client request</span>.

<!-- These concepts are introduced for service workers. At some point we should xref that. -->


<h4>Responses</h4>

<p>The result of <span title=concept-fetch>fetch</span> is a
<dfn title=concept-response>response</dfn>. A <span title=concept-response>response</span>
evolves over time. That is, not all its fields are available straight away.

<p>A <span title=concept-response>response</span> has an associated
<dfn title=concept-response-type>type</dfn> which is one of
<i title>basic</i>,
<i title>CORS</i>,
<i title>default</i>,
<i title>error</i>, and
<i title>opaque</i>.
Unless stated otherwise, it is <i title>default</i>.

<p>A <span title=concept-response>response</span> can have an associated
<dfn title=concept-response-termination-reason>termination reason</dfn> which is one of
<i title>end-user abort</i>, <i title>fatal</i>, and <i title>timeout</i>.

<p>A <span title=concept-response>response</span> has an associated
<dfn title=concept-response-url>url</dfn> (null or a
<span data-anolis-spec=url title=concept-url>URL</span>). Unless stated otherwise it is
null.

<p>A <span title=concept-response>response</span> has an associated
<dfn title=concept-response-final-url-flag>final url flag</dfn>. Unless stated otherwise
it is unset.

<p>A <span title=concept-response>response</span> has an associated
<dfn title=concept-response-status>status</dfn>. Unless stated otherwise it is
<code title>200</code>.

<p>A <span title=concept-response>response</span> has an associated
<dfn title=concept-response-status-message>status message</dfn>. Unless stated otherwise
it is `<code title>OK</code>`.

<p>A <span title=concept-response>response</span> has an associated
<dfn title=concept-response-header-list>header list</dfn> (a
<span title=concept-header-list>header list</span>). Unless stated otherwise it is empty.

<p>A <span title=concept-response>response</span> has an associated
<dfn title=concept-response-body>body</dfn> (null or a
<span title=concept-body>body</span>). Unless stated otherwise it is null.

<p>A <span title=concept-response>response</span> has an associated
<dfn title=concept-response-cache-state>cache state</dfn> which is one of
<i title>none</i>,
<i title>local</i>,
<i title>validated</i>, and
<i title>partial</i>. Unless stated otherwise, it is <i title>none</i>.

<p>A <span title=concept-response>response</span> has an associated
<dfn title=concept-response-tls-state>TLS state</dfn> which is one of
<i title>unauthenticated</i>,
<i title>deprecated authentication</i>, and
<i title>authenticated</i>. Unless stated otherwise, it is <i title>unauthenticated</i>.

<p class="note no-backref">A <span title=concept-response>response</span> delivered over
TLS will typically have its <span title=concept-response-tls-state>TLS state</span> set to
<i title>authenticated</i>.

<hr>

<p>A <span title=concept-response>response</span> whose
<span title=concept-response-type>type</span> is <i title>error</i> is known as a
<dfn title=concept-network-error>network error</dfn>.

<p>A <span title=concept-network-error>network error</span> is a
<span title=concept-response>response</span> whose
<span title=concept-response-status>status</span> is always <code title>0</code>,
<span title=concept-response-status-message>status message</span> is always the empty byte sequence,
<span title=concept-response-header-list>header list</span> is always empty,
<span title=concept-response-body>body</span> is always null, and
<span title=concept-response-cache-state>cache state</span> is always <i title>none</i>.

<!-- XXX Introduce concept-redirect and concept-redirect-location for navigate algorithm? -->

<hr>

<p>A <dfn title=concept-filtered-response>filtered response</dfn> is a limited view on a
<span title=concept-response>response</span> that is not a
<span title=concept-network-error>network error</span>. This
<span title=concept-response>response</span> is referred to as the
<span title=concept-filtered-response>filtered response</span>'s associated
<dfn title=concept-internal-response>internal response</dfn>.

<p class="note no-backref">The <span title=concept-fetch>fetch</span> algorithm returns
such a view to ensure APIs do not accidentally leak information. If the information is
required, e.g. to feed image data to a decoder, the associated
<span title=concept-internal-response>internal response</span> can be used, which is only
"accessible" to internal specification algorithms.

<p>A <dfn title=concept-filtered-response-basic>basic filtered response</dfn> is a
<span title=concept-filtered-response>filtered response</span> whose
<span title=concept-response-type>type</span> is <i title>basic</i>,
<span title=concept-response-header-list>header list</span> excludes any
<span title=concept-header>headers</span> in
<span title=concept-internal-response>internal response</span>'s
<span title=concept-response-header-list>header list</span> whose
<span title=concept-header-name>name</span> is `<code title>Set-Cookie</code>` or
`<code title>Set-Cookie2</code>`.

<p>A <dfn title=concept-filtered-response-cors>CORS filtered response</dfn> is a
<span title=concept-filtered-response>filtered response</span> whose
<span title=concept-response-type>type</span> is <i title>CORS</i>,
<span title=concept-response-header-list>header list</span> excludes all
<span title=concept-header>headers</span> in
<span title=concept-internal-response>internal response</span>'s
<span title=concept-response-header-list>header list</span>, except those whose
<span title=concept-header-name>name</span> is either one of
`<code title>Cache-Control</code>`, `<code title>Content-Language</code>`,
`<code title>Content-Type</code>`, `<code title>Expires</code>`,
`<code title>Last-Modified</code>`, and `<code title>Pragma</code>`, and except those
whose <span title=concept-header-name>name</span> is one of the
<span title=concept-header-value>values</span> resulting from
<span title=concept-header-parse>parsing</span>
`<code title=http-access-control-expose-headers>Access-Control-Expose-Headers</code>` in
<span title=concept-internal-response>internal response</span>'s
<span title=concept-response-header-list>header list</span>.

<p>An <dfn title=concept-filtered-response-opaque>opaque filtered response</dfn> is a
<span title=concept-filtered-response>filtered response</span> whose
<span title=concept-response-type>type</span> is <i title>opaque</i>,
<span title=concept-response-status>status</span> is <code title>0</code>,
<span title=concept-response-status-message>status message</span> is the empty byte sequence,
<span title=concept-response-header-list>header list</span> is an empty list,
<span title=concept-response-body>body</span> is null, and
<span title=concept-response-cache-state>cache state</span> is <i title>none</i>.

<p class="note no-backref">In other words, an
<span title=concept-filtered-response-opaque>opaque filtered response</span> is nearly
indistinguishable from a <span title=concept-network-error>network error</span>. When
introducing new APIs, do not use the
<span title=concept-internal-response>internal response</span> for internal specification
algorithms as you will leak information.


<h3>Authentication entries</h3>

<p>An <dfn>authentication entry</dfn> and a <dfn>proxy authentication entry</dfn> are
tuples of username, password, and realm, associated with one or more
<span title=concept-request>requests</span>.

<p>User agents should allow either to be cleared together with HTTP cookies and similar
tracking functionality.
<!-- fingerprinting -->

<p>Further details are defined by HTTP.
<span data-anolis-ref>HTTPAUTH</span>



<h2>HTTP extensions</h2>

<h3>`<code title>Origin</code>` header</h3>

<p>The `<dfn title=http-origin><code>Origin</code></dfn>` request
<span title=concept-header>header</span> indicates where a
<span title=concept-fetch>fetch</span> originates from.

<p class="note no-backref">The `<code title=http-origin>Origin</code>` header is a version
of the `<code title=http-referer>Referer</code>` [sic] header that does not reveal a
<span data-anolis-spec=url title=concept-url-path>path</span>. It is used for
all <span title=concept-http-fetch>HTTP fetches</span> whose <i title>CORS flag</i> is
set as well as those where <span title=concept-request>request</span>'s
<span title=concept-request-method>method</span> is `<code title>POST</code>`. Due to
compatibility constraints it is not included in all
<span title=concept-fetch>fetches</span>.
<!-- Ian Hickson told me Adam Barth researched that -->

<p>Its <span title=concept-header-value>value</span> ABNF:

<pre>Origin                           = origin-or-null

origin-or-null                   = origin / %x6E.75.6C.6C ; "null", case-sensitive
origin                           = <span data-anolis-spec=url title=concept-url-scheme>scheme</span> "://" <span data-anolis-spec=url title=concept-url-host>host</span> [ ":" <span data-anolis-spec=url title=concept-url-port>port</span> ]</pre>

<p class="note no-backref">This supplants the `<code title=http-origin>Origin</code>`
<span title=concept-header>header</span>.
<span data-anolis-ref class=informative>ORIGIN</span>


<h3 id=http-cors-protocol>CORS protocol</h3>

<p>To allow sharing resources cross-origin and allow for more versatile HTTP requests than
possible with HTML's <code data-anolis-spec=html>form</code> element, the platform has
a <dfn>CORS protocol</dfn> layered on top of HTTP. It allows resources to declare they
can be shared with resources residing on a different
<span data-anolis-spec=html>origin</span>.

<p class=note>It needs to be an opt-in mechanism to prevent leaking data from resources
behind a firewall (intranets). Additionally, for credentialed HTTP requests it needs to be
opt-in to prevent leaking potentially-sensitive data.

<p>This section explains the <span>CORS protocol</span> as it pertains to servers.
Requirements for user agents are part of the <span title=concept-fetch>fetch</span>
algorithm.

<h4>General</h4>

<p>The <span>CORS protocol</span> consists of a set of headers that indicates whether a
particular resource can be shared cross-origin.

<p>For HTTP requests that are more involved than what is possible with HTML's
<code data-anolis-spec=html>form</code> element, a <span>CORS preflight fetch</span> is
performed, to ensure the resource understands the <span>CORS protocol</span>.


<h4>HTTP requests</h4>

<p>An HTTP request can be identified as pertaining in the <span>CORS protocol</span> if it
includes an `<code title=http-origin>Origin</code>` header. This is named a
<dfn>CORS request</dfn>.

<p>An HTTP request can be identified as being a check to see if the
<span>CORS protocol</span> is understood if it is a <span>CORS request</span>, uses
`<code title>OPTIONS</code>` as <span title=concept-method>method</span>, and includes
these <span title=concept-header>headers</span>:

<dl>
 <dt>`<dfn title=http-access-control-request-method><code>Access-Control-Request-Method</code></dfn>`
 <dd><p>Indicates which <span title=concept-method>method</span> a future
 <span>CORS request</span> to the same resource might use.

 <dt>`<dfn title=http-access-control-request-headers><code>Access-Control-Request-Headers</code></dfn>`
 <dd><p>Indicates which <span title=concept-header>headers</span> a future
 <span>CORS request</span> to the same resource might use.
</dl>

<p>This is named a <dfn>CORS preflight request</dfn>.


<h4>HTTP responses</h4>

<p>An HTTP response to a <span>CORS request</span> can include the following
<span title=concept-header>headers</span>:

<dl>
 <dt>`<dfn title=http-access-control-allow-origin><code>Access-Control-Allow-Origin</code></dfn>`
 <dd><p>Indicates whether a resource can be shared, via returning the literal
 <span title=concept-header-value>value</span> of the
 `<code title=http-origin>Origin</code>` request <span title=concept-header>header</span>
 (which can be `<code title>null</code>`) or `<code title>*</code>` in a response.

 <dt>`<dfn title=http-access-control-allow-credentials><code>Access-Control-Allow-Credentials</code></dfn>`
 <dd>
  <p>Indicates whether a resource can be shared when
  <span title=concept-request>request</span>'s
  <span title=concept-request-credentials-mode>credentials mode</span> is
  <i title>include</i>.

  <p class=note>For a <span>CORS preflight request</span>,
  <span title=concept-request>request</span>'s
  <span title=concept-request-credentials-mode>credentials mode</span> is always
  <i title>omit</i>, but for any subsequent
  <span title="CORS request">CORS requests</span> it might not be. Support therefore needs
  to be indicated as part of the HTTP response to the <span>CORS preflight request</span>
  as well.
</dl>

<p>An HTTP response to a <span>CORS preflight request</span> can include the following
<span title=concept-header>headers</span>:

<dl>
 <dt>`<dfn title=http-access-control-allow-methods><code>Access-Control-Allow-Methods</code></dfn>`
 <dd>
  <p>Indicates which <span title=concept-method>methods</span> are supported by the
  resource for the purposes of the <span>CORS protocol</span>.

  <p class=note>The `<code title>Allow</code>` <span title=concept-header>header</span> is
  not relevant for the purposes of the <span>CORS protocol</span>.

 <dt>`<dfn title=http-access-control-allow-headers><code>Access-Control-Allow-Headers</code></dfn>`
 <dd><p>Indicates which <span title=concept-header>headers</span> are supported by the
 resource for the purposes of the <span>CORS protocol</span>.

 <dt>`<dfn title=http-access-control-max-age><code>Access-Control-Max-Age</code></dfn>`
 <dd><p>Indicates how long the information provided by the
 `<code title=http-access-control-allow-methods>Access-Control-Allow-Methods</code>` and
 `<code title=http-access-control-allow-headers>Access-Control-Allow-Headers</code>`
 <span title=concept-header>headers</span> can be cached.
</dl>

<p>An HTTP response to a <span>CORS request</span> that is not a
<span>CORS preflight request</span> can also include the following
<span title=concept-header>header</span>:

<dl>
 <dt>`<dfn title=http-access-control-expose-headers><code>Access-Control-Expose-Headers</code></dfn>`
 <dd><p>Indicates which <span title=concept-header>headers</span> can be exposed as part
 of the HTTP response, via listing their <span title=concept-header-name>names</span>.
</dl>


<h4>HTTP new header syntax</h4>

<p>ABNF for the <span title=concept-header-value>values</span> of the
<span title=concept-header>headers</span> used by the <span>CORS protocol</span>:

<pre>Access-Control-Request-Method    = <span data-anolis-spec=http>Method</span>
Access-Control-Request-Headers   = #<span data-anolis-spec=http>field-name</span>

Access-Control-Allow-Origin      = origin-or-null / "*"
Access-Control-Allow-Credentials = %x74.72.75.65 ; "true", case-sensitive
Access-Control-Expose-Headers    = #<span data-anolis-spec=http>field-name</span>
Access-Control-Max-Age           = <span data-anolis-spec=http>delta-seconds</span>
Access-Control-Allow-Methods     = #<span data-anolis-spec=http>Method</span>
Access-Control-Allow-Headers     = #<span data-anolis-spec=http>field-name</span></pre>



<h2>Fetching</h2>

<div class="note no-backref">
 <p>The algorithm below defines <span title=concept-fetch>fetching</span>. In broad
 strokes, it takes a <span title=concept-request>request</span> and outputs a
 <span title=concept-response>response</span>.

 <p>That is, it either returns a <span title=concept-response>response</span> if
 <span title=concept-request>request</span>'s <span>synchronous flag</span> is set, or it
 <span title="queue a fetch task">queues tasks</span> annotated
 <span>process response</span>, <span>process response body</span>, and
 <span>process response end-of-file</span> for the
 <span title=concept-response>response</span>.

 <p>To capture uploads, if <span title=concept-request>request</span>'s
 <span>synchronous flag</span> is unset,
 <span data-anolis-spec=html title=concept-task>tasks</span> annotated
 <span>process request body</span> and <span>process request end-of-file</span> for the
 <span title=concept-request>request</span> can be
 <span title="queue a fetch task">queued</span>.
</div>

<p>To perform a <dfn title=concept-fetch>fetch</dfn> using <var title>request</var>,
optionally with a <i title>CORS flag</i>, run the steps below. An ongoing
<span title=concept-fetch>fetch</span> can be
<dfn title=concept-fetch-terminate>terminated</dfn> with reason <var title>reason</var>,
which must be one of <i title>end-user abort</i>, <i title>fatal</i>, or
<i title>timeout</i>.

<p class="note no-backref">The <i title>CORS flag</i> is a bookkeeping detail for handling
redirects. Only use the <var title>request</var> parameter in other standards.

<ol>
 <li><p>Let <var title>response</var> be null.

 <li><p>If
 <a href="https://w3c.github.io/webappsec/specs/mixedcontent/#should-block-fetch">should fetching <var title>request</var> be blocked as mixed content</a>
 or
 <span class=XXX>should fetching <var title>request</var> be blocked as content security</span>
 returns <b title>blocked</b>, set <var title>response</var> to a
 <span title=concept-network-error>network error</span>.
 <span data-anolis-ref>MIX</span>
 <span data-anolis-ref>CSP</span>

 <li>
  <p>If <var title>request</var>'s <span title=concept-request-referrer>referrer</span>
  is not <i title>no referrer</i>, set <var title>request</var>'s
  <span title=concept-request-referrer>referrer</span> to the result of invoking
  <a href="//w3c.github.io/webappsec/specs/referrer-policy/#determine-requests-referrer">determine <var title>request</var>'s referrer</a>.
  <span data-anolis-ref>REFERRER</span>

  <p class="note no-backref">As stated in <cite>Referrer Policy</cite>, user agents can
  provide the end user with options to override <var title>request</var>'s
  <span title=concept-request-referrer>referrer</span> to <i title>no referrer</i> or have
  it expose less sensitive information.

 <li><p>If <var title>request</var>'s <span title=concept-request-url>url</span> contains
 a Known HSTS Host, modify it per the requirements of the
 <a href="http://tools.ietf.org/html/rfc6797#section-8.3">"URI [sic] Loading and Port Mapping" chapter of HTTP Strict Transport Security</a>.
 <span data-anolis-ref>HSTS</span>
 <!-- Per Mike West HSTS happens "probably after" Referrer -->

 <li><p>If <var title>request</var>'s <span>synchronous flag</span> is unset and
 <span title=concept-fetch>fetch</span> is not invoked recursively, run the remaining
 steps <span data-anolis-spec=html>in parallel</span>.

 <li>
  <p>If <var title>response</var> is null, set <var title>response</var> to the value
  corresponding to the first matching statement:

  <dl class=switch>
   <dt><var title>request</var>'s <span title=concept-request-url>url</span>'s
   <span data-anolis-spec=url title=concept-url-origin>origin</span> is
   <var title>request</var>'s <span title=concept-request-origin>origin</span> and the
   <i title>CORS flag</i> is unset
   <dt><var title>request</var>'s <span title=concept-request-url>url</span>'s
   <span data-anolis-spec=url title=concept-url-scheme>scheme</span> is
   "<code title>data</code>" and <var title>request</var>'s
   <span>same-origin data URL flag</span> is set
   <dt><var title>request</var>'s <span title=concept-request-url>url</span>'s
   <span data-anolis-spec=url title=concept-url-scheme>scheme</span> is
   "<code title>about</code>"

   <dd><p>The result of performing a <span title=concept-basic-fetch>basic fetch</span> using <var title>request</var>.

   <dt><var title>request</var>'s <span title=concept-request-mode>mode</span> is
   <i title>same-origin</i>

   <dd><p>A <span title=concept-network-error>network error</span>.

   <dt><var title>request</var>'s <span title=concept-request-mode>mode</span> is
   <i title>no CORS</i>
   <dd>
    <p>Set <var title>request</var>'s
    <span title=concept-request-response-tainting>response tainting</span> to
    <i title>opaque</i>.
    <p>The result of performing a <span title=concept-basic-fetch>basic fetch</span> using
    <var title>request</var>.
    <!-- file URLs end up here as they are not same-origin typically. -->

   <dt><var title>request</var>'s <span title=concept-request-url>url</span>'s
   <span data-anolis-spec=url title=concept-url-scheme>scheme</span> is not one of
   "<code title>http</code>" and "<code title>https</code>"

   <dd><p>A <span title=concept-network-error>network error</span>.

   <dt><var title>request</var>'s <span title=concept-request-mode>mode</span> is
   <i title>CORS-with-forced-preflight</i>
   <dt><var title>request</var>'s <span>unsafe request flag</span> is set and either
   <var title>request</var>'s <span title=concept-request-method>method</span> is not
   a <span>simple method</span> or a <span title=concept-header>header</span> in
   <var title>request</var>'s <span title=concept-header-list>header list</span> is not a
   <span>simple header</span>
   <dd>
    <p>Set <var title>request</var>'s
    <span title=concept-request-response-tainting>response tainting</span> to
    <i title>CORS</i>.
    <p>The result of performing an <span title=concept-http-fetch>HTTP fetch</span> using
    <var title>request</var> with the <i title>CORS flag</i> and
    <i title>CORS preflight flag</i> set.

   <dt>Otherwise
   <dd>
    <p>Set <var title>request</var>'s
    <span title=concept-request-response-tainting>response tainting</span> to
    <i title>CORS</i>.
    <p>The result of performing an <span title=concept-http-fetch>HTTP fetch</span> using
    <var title>request</var> with the <i title>CORS flag</i> set.
  </dl>

 <li><p>If <span title=concept-fetch>fetch</span> is invoked recursively, return <var title>response</var>.

 <li><p>If <var title>response</var>'s
 <span title=concept-response-final-url-flag>final url flag</span> is unset, set
 <var title>response</var>'s <span title=concept-response-url>url</span> to
 <var title>request</var>'s <span title=concept-request-url>url</span>.

 <li><p>If
 <a href="https://w3c.github.io/webappsec/specs/mixedcontent/#should-block-response">should <var title>response</var> to <var title>request</var> be blocked as mixed content</a>
 returns <b title>blocked</b>, set <var title>response</var> to a
 <span title=concept-network-error>network error</span>.
 <span data-anolis-ref>MIX</span>

 <li>
  <p>If <var title>response</var> is not a
  <span title=concept-network-error>network error</span>, set <var title>response</var> to
  the following <span title=concept-filtered-response>filtered response</span> with
  <var title>response</var> as its
  <span title=concept-internal-response>internal response</span>, depending on
  <var title>request</var>'s
  <span title=concept-request-response-tainting>response tainting</span>:

  <dl class="switch compact">
   <dt><i title>basic</i>
   <dd><span title=concept-filtered-response-basic>basic filtered response</span>
   <dt><i title>CORS</i>
   <dd><span title=concept-filtered-response-cors>CORS filtered response</span>
   <dt><i title>opaque</i>
   <dd><span title=concept-filtered-response-opaque>opaque filtered response</span>
  </dl>

 <li>
  <p>If <var title>request</var>'s <span>synchronous flag</span> is set, wait for
  either end-of-file to have been pushed to
  <var title>response</var>'s <span title=concept-response-body>body</span> or for
  <var title>response</var> to have a
  <span title=concept-response-termination-reason>termination reason</span>, and then
  return <var title>response</var>.

  <p class="note no-backref">This terminates <span title=concept-fetch>fetch</span>.

 <li><p>If <var title>request</var>'s <span title=concept-request-body>body</span> is
 non-null and <var title>request</var>'s <span title=concept-request-url>url</span>'s
 <span data-anolis-spec=url title=concept-url-scheme>scheme</span> is
 "<code title>http</code>" or "<code title>https</code>",
 <span>queue a fetch task</span> on <var title>request</var> to
 <dfn>process request end-of-file</dfn> for <var title>request</var>.

 <li><p><span>Queue a fetch task</span> on <var title>request</var> to
 <dfn>process response</dfn> for <var title>response</var>.

 <li>
  <p>If <var title>response</var>'s
  <span title=concept-response-body>body</span> is null, run these substeps:

  <ol>
   <li><span>Queue a fetch task</span> on <var title>request</var> to
   <dfn>process response body</dfn> for <var title>response</var>.

   <li><p><span>Queue a fetch task</span> on <var title>request</var> to
   <dfn>process response end-of-file</dfn> for <var title>response</var>.
  </ol>

 <li>
  <p>Otherwise, if <var title>response</var>'s
  <span title=concept-response-body>body</span> is non-null, run these substeps:

  <ol>
   <li><p>Whenever <var title>response</var>'s
   <span title=concept-response-body>body</span>'s is pushed to, for and as long as
   <var title>response</var> has no
   <span title=concept-response-termination-reason>termination reason</span> and
   end-of-file has not been pushed,
   <span>queue a fetch task</span> on <var title>request</var> to
   <span>process response body</span> for <var title>response</var>.

   <li>
    <p>Once end-of-file has been pushed to <var title>response</var>'s
    <span title=concept-response-body>body</span> or <var title>response</var> has a
    <span title=concept-response-termination-reason>termination reason</span>,
    <span>queue a fetch task</span> on <var title>request</var> to
    <span>process response end-of-file</span> for <var title>response</var>.

    <p class=note>Ideally FTP/HTTP define this in more detail and this becomes a set of
    simple hooks.
  </ol>

  <p>Use the <span data-anolis-spec=html>networking task source</span> for these
  <span data-anolis-spec=html title=concept-task>tasks</span>.
</ol>


<h3>Basic fetch</h3>

<p>To perform a <dfn title=concept-basic-fetch>basic fetch</dfn> using
<var title>request</var>, switch on <var title>request</var>'s
<span title=concept-request-url>url</span>'s
<span data-anolis-spec=url title=concept-url-scheme>scheme</span>, and run the associated
steps:

<dl class=switch>
 <dt>"<code title>about</code>"
 <dd>
  <p>If <var title>request</var>'s <span title=concept-request-url>url</span>'s
  <span data-anolis-spec=url title=concept-url-scheme-data>scheme data</span> is
  "<code title>blank</code>", return a <span title=concept-response>response</span> whose
  <span title=concept-response-header-list>header list</span> consist of a single
  <span title=concept-header>header</span> whose
  <span title=concept-header-name>name</span> is `<code title>Content-Type</code>` and
  <span title=concept-header-value>value</span> is
  `<code title>text/html;charset=utf-8</code>`,
  <span title=concept-response-body>body</span> is the empty byte sequence, and
  <span title=concept-response-tls-state>TLS state</span> is <var title>request</var>'s
  <span title=concept-request-client>client</span>'s <span>TLS state</span>.
  <!-- XXX xref TLS state -->

  <!-- introduce about:unicorn
       https://html5.org/temp/unicorn.svg -->

  <p>Otherwise, return a <span title=concept-network-error>network error</span>.

  <p class="note no-backref"><span data-anolis-spec=url title=concept-url>URLs</span> such
  as "<code title>about:config</code>" are handled during
  <span data-anolis-spec=html title=navigate>navigation</span> and result in a
  <span title=concept-network-error>network error</span> in the context of
  <span title=concept-fetch>fetching</span>.

 <dt>"<code title>blob</code>"
 <dd>
  <ol>
   <li><p>Let <var title>blob</var> be <var title>request</var>'s
   <span title=concept-request-url>url</span>'s
   <span data-anolis-spec=url title=concept-url-object>object</span>.

   <li><p>If <var title>blob</var> is null, return a
   <span title=concept-network-error>network error</span>.

   <li><p>Let <var title>response</var> be a new
   <span title=concept-response>response</span>.

   <li><p><span title=concept-header-list-append>Append</span>
   `<code title>Content-Length</code>`/<var title>blob</var>'s
   <code data-anolis-spec=fileapi title=dom-Blob-size>size</code> attribute value to
   <var title>response</var>'s
   <span title=concept-response-header-list>header list</span>.

   <li><p><span title=concept-header-list-append>Append</span>
   `<code title>Content-Type</code>`/<var title>blob</var>'s
   <code data-anolis-spec=fileapi title=dom-Blob-type>type</code> attribute value to
   <var title>response</var>'s
   <span title=concept-response-header-list>header list</span>.

   <li><p>Set <var title>response</var>'s
   <span title=concept-response-tls-state>TLS state</span> to <var title>request</var>'s
   <span title=concept-request-client>client</span>'s <span>TLS state</span>.
   <!-- XXX xref TLS state -->

   <li><p>Set <var title>response</var>'s <span title=concept-response-body>body</span> to
   the result of performing the <span data-anolis-spec=fileapi>read operation</span> on
   <var title>blob</var>.
   <!-- This takes care of setting length, transmitted, and error flag as well -->

   <li><p>Return <var title>response</var>.
  </ol>

 <dt>"<code title>data</code>"
 <dd>
  <p>If <var title>request</var>'s <span title=concept-request-method>method</span> is
  `<code title>GET</code>` and
  <a href="http://simonsapin.github.io/data-urls/">obtaining a resource</a> from
  <var title>request</var>'s <span title=concept-request-url>url</span> does not return
  failure, return a <span title=concept-response>response</span> whose
  <span title=concept-response-header-list>header list</span> consist of a single
  <span title=concept-header>header</span> whose
  <span title=concept-header-name>name</span> is `<code title>Content-Type</code>` and
  <span title=concept-header-value>value</span> is the MIME type and parameters returned
  from <a href="http://simonsapin.github.io/data-urls/">obtaining a resource</a>,
  <span title=concept-response-body>body</span> is the data returned from
  <a href="http://simonsapin.github.io/data-urls/">obtaining a resource</a>, and
  <span title=concept-response-tls-state>TLS state</span> is <var title>request</var>'s
  <span title=concept-request-client>client</span>'s <span>TLS state</span>.
  <!-- XXX xref TLS state -->
  <span data-anolis-ref>DATAURL</span>
  <!-- XXX "obtaining a resource" needs a better reference -->

  <p>Otherwise, return a <span title=concept-network-error>network error</span>.

 <dt>"<code title>file</code>"
 <dt>"<code title>ftp</code>"
 <dd>
  <p>For now, unfortunate as it is, <code title>file</code> and <code title>ftp</code>
  <span data-anolis-spec=url title=concept-url>URLs</span> are left as an exercise for the
  reader.

  <p>When in doubt, return a <span title=concept-network-error>network error</span>.

 <dt>"<code title>filesystem</code>"</dt> <!-- flag below also applies to "indexeddb" -->
 <dd>
  <p>If <var title>request</var>'s <span>sandboxed storage area URLs flag</span> is set,
  return a <span title=concept-network-error>network error</span>.

  <p class=XXX>Otherwise, &hellip; this scheme still needs to be defined.

 <dt>"<code title>http</code>"
 <dt>"<code title>https</code>"
 <dd>
  <p>Return the result of performing an <span title=concept-http-fetch>HTTP fetch</span>
  using <var title>request</var>.

 <dt>Otherwise
 <dd><p>Return a <span title=concept-network-error>network error</span>.
</dl>


<h3>HTTP fetch</h3>

<p>To perform an <dfn title=concept-http-fetch>HTTP fetch</dfn> using
<var title>request</var> with an optional <i title>CORS flag</i>,
<i title>CORS preflight flag</i>, and <i title>authentication fetch flag</i>, run these
steps:

<p class="note no-backref">The <i title>CORS flag</i> is still a bookkeeping detail. The
<i title>CORS preflight flag</i> and <i title>authentication fetch flag</i> are too. The
former indicates a <span>CORS preflight request</span> is required and the latter
indicates an attempt to authenticate.

<ol>
 <li><p>Let <var title>response</var> be null.

 <li>
  <p>If <var title>request</var>'s <span>skip service worker flag</span> is unset and
  <var title>request</var>'s <span title=concept-request-client>client</span>'s
  <span data-anolis-spec=html>global object</span> is not a
  <code data-anolis-spec=sw>ServiceWorkerGlobalScope</code> object, run these substeps:
  <span data-anolis-ref>HTML</span>
  <span data-anolis-ref>SW</span>

  <ol>
   <li><p>Set <var title>response</var> to the result of invoking
   <span data-anolis-spec=sw>handle fetch</span> for <var title>request</var>.
   <span data-anolis-ref>SW</span>

   <li><p>If either <var title>response</var>'s
   <span title=concept-response-type>type</span> is <i title>opaque</i> and
   <var title>request</var>'s <span title=concept-request-mode>mode</span> is not
   <i title>no CORS</i> or <var title>response</var>'s
   <span title=concept-response-type>type</span> is <i title>error</i>, return a
   <span title=concept-network-error>network error</span>.
  </ol>

 <li>
  <p>If <var title>response</var> is null, run these substeps:

  <ol>
   <li>
    <p>If the <i title>CORS preflight flag</i> is set and one of these conditions is true:

    <ul>
     <li>There is no <span title=concept-cache-match-method>method cache match</span> for
     <var title>request</var>'s <span title=concept-request-method>method</span> using
     <var title>request</var>, and either <var title>request</var>'s
     <span title=concept-request-method>method</span> is a not <span>simple method</span>
     or <var title>request</var>'s <span title=concept-request-mode>mode</span> is
     <i title>CORS-with-forced-preflight</i>.

     <li>There is at least one <span title=concept-header>header</span> in
     <var title>request</var>'s <span title=concept-request-header-list>header list</span>
     for whose <span title=concept-header-name>name</span> there is no
     <span title=concept-cache-match-header>header name cache match</span> using
     <var title>request</var> and which is not a <span>simple header</span>.
    </ul>

    <p>Then run these subsubsteps:

    <ol>
     <li><p>Let <var title>response</var> be the result of performing a
     <span>CORS preflight fetch</span> using <var title>request</var>.

     <li><p>If <var title>response</var> is a
     <span title=concept-network-error>network error</span>, return
     <var title>response</var>.
    </ol>

   <li>
    <p>Set <var title>request</var>'s <span>skip service worker flag</span>.

    <p class="note no-backref">There might be redirects. Alternatively,
    <var title>request</var>'s <span>authentication flag</span> is set and the
    <i title>CORS flag</i> is unset.</span>

   <li><p>Let <var title>credentials flag</var> be set if either
   <var title>request</var>'s
   <span title=concept-request-credentials-mode>credentials mode</span> is
   <i title>include</i>, or <var title>request</var>'s
   <span title=concept-request-credentials-mode>credentials mode</span> is
   <i title>same-origin</i> and the <i title>CORS flag</i> is unset, and unset otherwise.

   <li><p>If <var title>request</var>'s
   <span title=concept-request-cache-mode>cache mode</span> is <i title>default</i> and
   <var title>request</var>'s <span title=concept-request-header-list>header list</span>
   contains a <span title=concept-header>header</span>
   <span title=concept-header-named>named</span>
   `<code title>If-Modified-Since</code>`,
   `<code title>If-None-Match</code>`,
   `<code title>If-Unmodified-Since</code>`,
   `<code title>If-Match</code>`, or
   `<code title>If-Range</code>`, set <var title>request</var>'s
   <span title=concept-request-cache-mode>cache mode</span> to <i title>no-store</i>.

   <li><p>Set <var title>response</var> to the result of performing an
   <span title=concept-http-network-or-cache-fetch>HTTP network or cache fetch</span>
   using <var title>request</var> with <var title>credentials flag</var> if set and
   <i title>authentication fetch flag</i> if set.

   <li>
    <p>If the <i title>CORS flag</i> is set and a
    <span title=concept-cors-check>CORS check</span> for <var title>request</var> and
    <var title>response</var> returns failure, return a
    <span title=concept-network-error>network error</span>.

    <p class=note>There is no need to apply this to a
    <span title=concept-response>response</span> from a service worker.
  </ol>

 <li>
  <p>Then, switch on <var title>response</var>'s
  <span title=concept-response-status>status</span>:

  <dl class=switch>
   <dt><code title>304</code>
   <dd>
    <ol>
     <li><p>If <var title>request</var>'s
     <span title=concept-request-cache-mode>cache mode</span> is neither
     <i title>default</i> nor <i title>no-cache</i>, do nothing.

     <li>
      <p>Otherwise, run these subsubsteps:

      <ol>
       <li><p>If there is no entry in the HTTP cache for <var title>request</var> and
       <var title>response</var>, return a
       <span title=concept-network-error>network error</span>.
       <!-- XXX xref "HTTP cache" -->

       <li>
        <p>Set <var title>response</var> to the result of obtaining a
        <span title=concept-response>response</span> from the HTTP cache using
        <var title>request</var> and <var title>response</var>.
        <!-- XXX xref "HTTP cache" -->

        <p class="note no-backref">This changes <var title>response</var> entirely,
        including its <span title=concept-response-status>status</span> which is most
        likely <code title>200</code> now.

        <p>Set <var title>response</var>'s
        <span title=concept-response-cache-state>cache state</span> to
        <i title>validated</i>.
      </ol>
    </ol>

   <dt><code title>301</code>
   <dt><code title>302</code>
   <dt><code title>303</code>
   <dt><code title>307</code>
   <dt><code title>308</code>
   <dd>
    <ol>
     <li>
      <p>Let <var title>location</var> be the result of
      <span title=concept-header-parse>parsing</span> `<code title>Location</code>` in
      <var title>response</var>'s
      <span title=concept-response-header-list>header list</span>.

     <li><p>If <var title>location</var> is null, return <var title>response</var>.

     <li><p>If <var title>location</var> is failure, return a
     <span title=concept-network-error>network error</span>.
     <!-- only Gecko does this; and even that is currently more complicated -->

     <li><p>Let <var title>locationURL</var> be the result of
     <span data-anolis-spec=url title=concept-url-parser>parsing</span>
     <var title>location</var> with <var title>request</var>'s
     <span title=concept-request-url>url</span>.

     <li><p>If <var title>locationURL</var> is failure, return a
     <span title=concept-network-error>network error</span>.

     <li><p>If <var title>request</var>'s
     <span title=concept-request-redirect-count>redirect count</span> is twenty, return a
     <span title=concept-network-error>network error</span>.

     <li><p>Increase <var title>request</var>'s
     <span title=concept-request-redirect-count>redirect count</span> by one.

     <li><p>Unset <var title>request</var>'s <span>same-origin data URL flag</span>.

     <li><p>If the <i title>CORS preflight flag</i> is set, set
     <var title>response</var>'s <span title=concept-response-type>type</span> to
     <i title>error</i> and set <var title>request</var>'s
     <span title=concept-request-manual-redirect-flag>manual redirect flag</span>.
     <span class=note>This way we avoid running the substeps below.</span>

     <li>
      <p>If <var title>request</var>'s
      <span title=concept-request-manual-redirect-flag>manual redirect flag</span> is unset,
      run these substeps:

      <ol>
       <li><p>If the <i title>CORS flag</i> is set and <var title>locationURL</var>'s
       <span data-anolis-spec=url title=concept-url-origin>origin</span> is not
       <var title>request</var>'s <span title=concept-request-url>url</span>'s
       <span data-analis-spec=url title=concept-url-origin>origin</span>, set
       <var title>request</var>'s <span title=concept-request-origin>origin</span> to an
       opaque identifier.

       <li><p>If the <i title>CORS flag</i> is set and either
       <var title>locationURL</var>'s
       <span data-anolis-spec=url title=concept-url-username>username</span> is not the
       empty string or <var title>locationURL</var>'s
       <span data-anolis-spec=url title=concept-url-password>password</span> is non-null,
       return a <span title=concept-network-error>network error</span>.

       <li><p>Set <var title>request</var>'s <span title=concept-request-url>url</span> to
       <var title>locationURL</var>.

       <li><p>Return the result of performing a <span title=concept-fetch>fetch</span> using
       <var title>request</var>, with the <i title>CORS flag</i> set if set.
       <!-- Unfortunately this has to invoke fetch to get response tainting correct -->
      </ol>
    </ol>

   <dt><code title>401</code>
   <dd>
    <ol>
     <li><p>If <var title>request</var>'s <span>authentication flag</span> is unset or the
     <i title>CORS flag</i> is set, return <var title>response</var>.

     <li class=XXX><p>Needs testing: multiple `<code>WWW-Authenticate</code>` headers,
     missing, parsing issues.

     <li>
      <p>If <var title>request</var>'s
      <span title=concept-request-use-url-credentials-flag>use URL credentials flag</span>
      is unset, or the <i title>authentication fetch flag</i> is set, run these substeps:

      <ol>
       <li><p>Let <var title>username</var> and <var title>password</var> be the result of
       prompting the end user for a username and password, respectively.

       <li><p><span data-anolis-spec=url>Set the username</span> given
       <var title>request</var>'s <span title=concept-request-url>url</span> and
       <var title>username</var>.

       <li><p><span data-anolis-spec=url>Set the password</span> given
       <var title>request</var>'s <span title=concept-request-url>url</span> and
       <var title>password</var>.
      </ol>

     <li><p>Return the result of performing an
     <span title=concept-http-fetch>HTTP fetch</span> using <var title>request</var>, with
     the <i title>authentication fetch flag</i> set.
     <!-- cannot invoke >HTTP network or cache fetch< as that would not come back here -->
    </ol>

   <dt><code title>407</code>
   <dd>
    <ol>
     <li class=XXX><p>Needs testing: multiple `<code>Proxy-Authenticate</code>` headers,
     missing, parsing issues.

     <li>
      <p>Prompt the end user as appropriate and store the result as appropriate as a
      <span>proxy authentication entry</span>.
      <span data-anolis-ref>HTTP</span>

      <p class=note>Remaining details surrounding proxy authentication are defined by HTTP.

     <li><p>Return the result of performing an
     <span title=concept-http-fetch>HTTP fetch</span> using <var title>request</var>.
     <!-- cannot invoke >HTTP network or cache fetch< as that would not come back here -->
    </ol>

   <dt>Otherwise
   <dd><p>Do nothing.
  </dl>

 <li><p>If the <i title>authentication fetch flag</i> is set, create an
 <span>authentication entry</span> for <var title>request</var> and the given realm.
 <span data-anolis-ref>HTTPAUTH</span>

 <li><p>If the <i title>CORS preflight flag</i> is set and <var title>response</var> is a
 <span title=concept-network-error>network error</span>,
 <span title=concept-cache-clear>clear cache entries</span> using
 <var title>request</var>.

 <li><p>Return <var title>response</var>. <span class="note no-backref">Typically
 <var title>response</var>'s <span title=concept-response-body>body</span> is still being
 pushed to after returning.</span>
</ol>


<h3>HTTP network or cache fetch</h3>

<p>To perform a
<dfn title=concept-http-network-or-cache-fetch>HTTP network or cache fetch</dfn> using
<var title>request</var> with an optional <i title>credentials flag</i> and
<i title>authentication fetch flag</i>, run these steps:

<p class=note>The <i title>authentication fetch flag</i> is still a bookkeeping detail.
The <i title>credentials flag</i> is one too.

<ol>
 <li>
  <p>Let <var title>HTTPRequest</var> be a copy of <var title>request</var>, except that
  <var title>HTTPRequest</var>'s <span title=concept-request-body>body</span> is a tee of
  <var title>request</var>'s <span title=concept-request-body>body</span>.

  <p class="note no-backref"><span title=concept-header>Headers</span> need to be added
  without affecting <var title>request</var>. Due to redirects or authentication failure,
  it can get reused.

 <li><p><span title=concept-header-list-append>Append</span>
 `<code title>Referer</code>`/empty byte sequence, if <var title>HTTPRequest</var>'s
 <span title=concept-request-referrer>referrer</span> is <i title>no referrer</i>, and
 `<code title>Referer</code>`/<var title>HTTPRequest</var>'s
 <span title=concept-request-referrer>referrer</span>,
 <span data-anolis-spec=url title=concept-url-serializer>serialized</span> and
 <span data-anolis-spec=encoding title="utf-8 encode">utf-8 encoded</span>, otherwise, to
 <var title>HTTPRequest</var>'s
 <span title=concept-request-header-list>header list</span>.
 <!-- XXX ideally we have an easier way to convert something ASCII-safe into bytes
          concept-as-bytes -->

 <li><p>If <var title>HTTPRequest</var>'s
 <span>force <code>Origin</code> header flag</span> is set,
 <span title=concept-header-list-append>append</span>
 `<code title>Origin</code>`/<var title>HTTPRequest</var>'s
 <span title=concept-request-origin>origin</span>,
 <span data-anolis-spec=html title="ASCII serialization of an origin">serialized</span>
 and <span data-anolis-spec=encoding title="utf-8 encode">utf-8 encoded</span>, to
 <var title>HTTPRequest</var>'s
 <span title=concept-request-header-list>header list</span>.
 <!-- XXX concept-as-bytes -->

 <li>
  <p>If <var title>credentials flag</var> is set, run these substeps:

  <ol>
   <li><p>Modify <var title>HTTPRequest</var>'s
   <span title=concept-request-header-list>header list</span>
   per HTTP State Management Mechanism.
   <span data-anolis-ref>COOKIES</span>
   <!-- XXX proper hook? -->

   <!-- https://wiki.whatwg.org/wiki/HTTP_Authentication -->
   <li><p>Let <var title>authorizationValue</var> be null.

   <li><p>If there's an <span>authentication entry</span> for <var title>HTTPRequest</var>
   and either <var title>HTTPRequest</var>'s
   <span title=concept-request-use-url-credentials-flag>use URL credentials flag</span> is
   unset or <var title>HTTPRequest</var>'s <span title=concept-request-url>url</span> does
   not <span data-anolis-spec=url>include credentials</span>, set
   <var title>authorizationValue</var> to <span>authentication entry</span>.
   <!-- need to define the cache concept -->

   <li><p>Otherwise, if <var title>HTTPRequest</var>'s
   <span title=concept-request-url>url</span> does
   <span data-anolis-spec=url>include credentials</span> and the
   <i title>authentication fetch flag</i> is set, set
   <var title>authorizationValue</var> to <var title>HTTPRequest</var>'s
   <span title=concept-request-url>url</span>,
   <span class=XXX>converted to an `<code title>Authorization</code>` value</span>.

   <li><p>If <var title>authorizationValue</var> is non-null,
   <span title=concept-header-list-append>append</span>
   `<code title>Authorization</code>`/<var title>authorizationValue</var> to
   <var title>HTTPRequest</var>'s
   <span title=concept-request-header-list>header list</span>.
  </ol>

 <li>
  <p>If there's a <span>proxy authentication entry</span>, use it as appropriate.

  <p class="note no-backref">This intentionally does not depend on
  <var title>HTTPRequest</var>'s
  <span title=concept-request-credentials-mode>credentials mode</span>.

 <li><p>Let <var title>response</var> be null.

 <li>
  <p>If <var title>request</var>'s
  <span title=concept-request-cache-mode>cache mode</span> is neither
  <i title>no-store</i> nor <i title>reload</i>, and there is a <em>complete</em>
  <span title=concept-response>response</span> in the HTTP cache for
  <var title>request</var> run these substeps:
  <!-- XXX xref "HTTP cache" -->

  <ol>
   <li><p>If <var title>request</var>'s
   <span title=concept-request-cache-mode>cache mode</span> is either
   <i title>force cache</i> or <i title>only-if-cached</i>, set <var title>response</var>
   to the <span title=concept-response>response</span> in the HTTP cache for
   <var title>request</var>.

   <li><p>Otherwise, if <var title>request</var>'s
   <span title=concept-request-cache-mode>cache mode</span> is <i title>default</i> and
   the <span title=concept-response>response</span> in the HTTP cache for
   <var title>request</var> does not require revalidation, set <var title>response</var>
   to that <span title=concept-response>response</span> and set
   <var title>response</var>'s <span title=concept-response-cache-state>cache state</span>
   to <i title>local</i>.
   <!-- XXX xref "revalidation" -->

   <li><p>Otherwise, if <var title>request</var>'s
   <span title=concept-request-cache-mode>cache mode</span> is either <i title>default</i>
   or <i title>no-cache</i>, and the <span title=concept-response>response</span> in the
   HTTP cache for <var title>request</var> does require revalidation, modify
   <var title>HTTPRequest</var>'s
   <span title=concept-request-header-list>header list</span> with revalidation
   <span title=concept-header>headers</span>.
   <!-- XXX modify, revalidation headers -->
  </ol>

 <li><p>Otherwise, if <var title>request</var>'s
 <span title=concept-request-cache-mode>cache mode</span> is either <i title>default</i>
 or <i title>force cache</i>, and there is a <em>partial</em>
 <span title=concept-response>response</span> in the HTTP cache for
 <var title>request</var>, modify <var title>HTTPRequest</var>'s
 <span title=concept-request-header-list>header list</span> with resume
 <span title=concept-header>headers</span>.
 <!-- XXX xref partial, modify, resume headers -->

 <li>If <var title>response</var> is null and <var title>request</var>'s
 <span title=concept-request-cache-mode>cache mode</span> is <i title>only-if-cached</i>,
 return a <span title=concept-network-error>network error</span>.

 <li>
  <p>If <var title>response</var> is null, modify <var title>HTTPRequest</var>'s
  <span title=concept-request-header-list>header list</span> per HTTP.

  <p class="note no-backref">It would be great if we could make this more normative
  somehow. At this point <span title=concept-header>headers</span> such as
  `<code title=http-accept-encoding>Accept-Encoding</code>`,
  `<code title=http-connection>Connection</code>`,
  `<code title=http-dnt>DNT</code>`, and
  `<code title=http-host>Host</code>`,
  are to be <span title=concept-header-list-append>appended</span> if necessary.

  <p>`<code title=http-accept-charset>Accept-Charset</code>` must not be included.
  `<code title=http-accept>Accept</code>` and
  `<code title=http-accept-language>Accept-Language</code>` must not be included at this
  point. <span class=note>See <span>HTTP header layer division</span>.</span>

 <li>
  <p>If <var title>response</var> is null, set <var title>response</var> to the result of
  making an HTTP request, using <var title>HTTPRequest</var>, following the requirements
  from HTTP, and waiting until either all the <span title=concept-header>headers</span>
  are transmitted or a <span title=concept-network-error>network error</span> was
  returned. If a <span title=concept-network-error>network error</span> was returned due
  to <span title=concept-fetch>fetch</span> being
  <span title=concept-fetch-terminate>terminated</span> with reason
  <var title>reason</var>, set <var title>response</var>'s
  <span title=concept-response-termination-reason>termination reason</span> to
  <var title>reason</var>.
  <span data-anolis-ref>HTTP</span>

  <p>If <var title>response</var> is not a
  <span title=concept-network-error>network error</span> and <var title>request</var>'s
  <span title=concept-request-cache-mode>cache mode</span> is not <i title>no-store</i>,
  update <var title>response</var> in the HTTP cache for <var title>request</var>.
  <!-- XXX xref HTTP cache -->
  <!-- Note: at this point cache mode cannot be /only-if-cached/ -->

  <p>If <var title>response</var> was retrieved over TLS set its
  <span title=concept-response-tls-state>TLS state</span> to either
  <i title>deprecated authentication</i> or <i title>authenticated</i>.
  <span data-anolis-ref>TLS</span>

  <p class=note>The exact determination here is up to user agents for the time being.
  User agents are strongly encouraged to only succeed TLS connections with strong security
  properties and return <span title=concept-network-error>network errors</span> otherwise.

  <p>If <var title>HTTPRequest</var>'s <span title=concept-request-body>body</span> is
  non-null, run these substeps:

  <ol>
   <li><p>If <var title>HTTPRequest</var>'s
   <span title=concept-request-body>body</span>'s payload body length is known, set
   <var title>HTTPRequest</var>'s <span title=concept-request-body>body</span>'s
   <span title=concept-body-length>length</span> to <var title>HTTPRequest</var>'s
   <span title=concept-request-body>body</span>'s payload body length.
   <!-- XXX xref payload body -->

   <li>
    <p>Whenever <var title>HTTPRequest</var>'s
    <span title=concept-request-body>body</span> is read from (i.e. is transmitted),
    increase <var title>HTTPRequest</var>'s <span title=concept-request-body>body</span>'s
    <span title=concept-body-transmitted>transmitted</span> with the amount of
    payload body bytes transmitted and then <span>queue a fetch task</span> on
    <var title>request</var> to <dfn>process request body</dfn> for
    <var title>HTTPRequest</var>.
    <!-- XXX xref "read", "payload body" -->

    <p>Use the <span data-anolis-spec=html>networking task source</span>.
  </ol>

  <p>Run these substeps <span data-anolis-spec=html>in parallel</span>, after the outer
  set of steps has returned:

  <ol>
   <li><p>If <var title>response</var>'s <span title=concept-response-body>body</span> is
   non-null, set <var title>response</var>'s
   <span title=concept-response-body>body</span>'s
   <span title=concept-body-length>length</span> to <var title>response</var>'s
   <span title=concept-response-body>body</span>'s payload body length.
   <!-- XXX xref payload body -->

   <li>
    <p>Whenever one or more bytes are transmitted, let <var title>bytes</var> be the
    transmitted bytes and run these subsubsteps:

    <ol>
     <li><p>Increase <var title>response</var>'s
     <span title=concept-response-body>body</span>'s
     <span title=concept-body-transmitted>transmitted</span> with <var title>bytes</var>'
     length.

     <li><p>Let <var title>codings</var> be the result of
     <span title=concept-header-parse>parsing</span> `<code title>Content-Encoding</code>`
     in <var title>response</var>'s
     <span title=concept-response-header-list>header list</span>.

     <li><p>Set <var title>bytes</var> to the result of
     <span title="handle content codings">handling content codings</span> given
     <var title>codings</var> and <var title>bytes</var>.

     <li><p>Push <var title>bytes</var> to <var title>response</var>'s
     <span title=concept-response-body>body</span>.
     <!-- XXX xref payload body / streams -->
    </ol>

   <li>If at any point <span title=concept-fetch>fetch</span> is
   <span title=concept-fetch-terminate>terminated</span> with reason
   <var title>reason</var>, set <var title>response</var>'s
   <span title=concept-response-termination-reason>termination reason</span> to
   <var title>reason</var>.
  </ol>

  <p class="note no-backref">These are run <span data-anolis-spec=html>in parallel</span>
  as at this point it is unclear whether <var title>response</var>'s
  <span title=concept-response-body>body</span> is relevant (<var title>response</var>
  might be a redirect).

 <li>
  <p><span title=concept-header-list-delete>Delete</span>
  `<code title>Content-Encoding</code>` from <var title>response</var>'s
  <span title=concept-response-header-list>header list</span> if one of the following
  conditions is true:

  <ul class=brief>
   <li><span title=concept-header-parse>Parsing</span>
   `<code title>Content-Encoding</code>` in <var title>response</var>'s
   <span title=concept-response-header-list>header list</span> returns
   `<code title>gzip</code>` and <span title=concept-header-parse>parsing</span>
   `<code title>Content-Type</code> in <var title>response</var>'s
   <span title=concept-response-header-list>header list</span> returns
   `<code title>application/gzip</code>`, `<code title>application/x-gunzip</code>`, or
   `<code title>application/x-gzip</code>`.
   <li><span title=concept-header-parse>Parsing</span>
   `<code title>Content-Encoding</code>` in <var title>response</var>'s
   <span title=concept-response-header-list>header list</span> returns
   `<code title>compress</code>` and <span title=concept-header-parse>parsing</span>
   `<code title>Content-Type</code> in <var title>response</var>'s
   <span title=concept-response-header-list>header list</span> returns
   `<code title>application/compress</code>` or
   `<code title>application/x-compress</code>.
  </ul>

  <p class=note>This deals with broken Apache configurations. Ideally HTTP would define
  this.
  <!-- https://wiki.whatwg.org/wiki/HTTP -->

  <p class=XXX>Gecko
  <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1030660">bug 1030660</a> looks
  into whether this quirk can be removed.

 <li>
  <p>If <var title>credentials flag</var> is set and <var title>response</var>'s
  <span title=concept-response-header-list>header list</span> contains one or more
  <span title=concept-header>headers</span> <span title=concept-header-name>named</span>
  `<code title>Set-Cookie</code>`, run these substeps:

  <ol>
   <li><p>Wait until ownership of the <span data-anolis-spec=html>storage mutex</span> can
   be taken by this instance of the <span title=concept-fetch>fetch</span> algorithm.

   <li><p>Take ownership of the <span data-anolis-spec=html>storage mutex</span>.

   <li>
    <p>Update the cookies. <span data-anolis-ref>COOKIES</span>
    <!-- XXX proper hook? -->

    <p class=note>This is a fingerprinting vector.

   <li><p>Release the <span data-anolis-spec=html>storage mutex</span> so that it is once
   again free.
  </ol>

 <li><p>Return <var title>response</var>. <span class="note no-backref">Typically
 <var title>response</var>'s <span title=concept-response-body>body</span> is still being
 pushed to after returning.</span>
</ol>


<h3>CORS preflight fetch</h3>

<p>To perform a <dfn>CORS preflight fetch</dfn> using <var title>request</var>, run these
steps:

<ol>
 <li><p>Let <var title>preflight</var> be a new <span title=concept-request>request</span>
 whose <span title=concept-request-method>method</span> is `<code title>OPTIONS</code>`,
 <span title=concept-request-url>url</span> is <var title>request</var>'s
 <span title=concept-request-url>url</span>,
 <span title=concept-request-context>context</span> is <var title>request</var>'s
 <span title=concept-request-context>context</span>,
 <span title=concept-request-context-frame-type>context frame type</span> is
 <var title>request</var>'s
 <span title=concept-request-context-frame-type>context frame type</span>,
 <span title=concept-request-origin>origin</span> is <var title>request</var>'s
 <span title=concept-request-origin>origin</span>,
 <span>force <code>Origin</code> header flag</span> is set, and
 <span title=concept-request-referrer>referrer</span> is <var title>request</var>'s
 <span title=concept-request-referrer>referrer</span>.

 <li><p><span title=concept-header-list-set>Set</span>
 `<code title=http-access-control-request-method>Access-Control-Request-Method</code>` to
 <var title>request</var>'s <span title=concept-request-method>method</span> in
 <var title>preflight</var>'s <span title=concept-request-header-list>header list</span>.

 <li><p>Let <var title>headers</var> be the <span title=concept-header-name>names</span>
 of <var title>request</var>'s
 <span title=concept-request-header-list>header list</span>'s
 <span title=concept-header>headers</span>, excluding duplicates,
 sorted lexicographically, and <span title="byte lowercase">byte lowercased</span>.

 <li><p>Let <var title>value</var> be the items in <var title>headers</var> separated from
 each other by 0x2C 0x20.

 <li><p><span title=concept-header-list-set>Set</span>
 `<code title=http-access-control-request-headers>Access-Control-Request-Headers</code>`
 to <var title>value</var> in
 <var title>preflight</var>'s <span title=concept-request-header-list>header list</span>.

 <li><p>Let <var title>response</var> be the result of performing an
 <span title=concept-http-network-or-cache-fetch>HTTP network or cache fetch</span> using
 <var title>preflight</var>.

 <li>
  <p>If a <span title=concept-cors-check>CORS check</span> for <var title>request</var>
  and <var title>response</var> returns success and <var title>response</var>'s
  <span title=concept-response-status>status</span> is in the range 200 to 299, run these
  substeps:
  <!-- CORS said 200 here but nobody implemented that:
       http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0078.html -->

  <p class="note no-backref">The <span title=concept-cors-check>CORS check</span> is done
  on <var title>request</var> rather than <var title>preflight</var> to ensure the correct
  <span title=concept-request-credentials-mode>credentials mode</span> is used.

  <ol>
   <li><p>Let <var title>methods</var> be the result of
   <span title=concept-header-parse>parsing</span>
   `<code title=http-access-control-allow-methods>Access-Control-Allow-Methods</code>` in
   <var title>response</var>'s
   <span title=concept-response-header-list>header list</span>.

   <li><p>Let <var title>headerNames</var> be the result of
   <span title=concept-header-parse>parsing</span>
   `<code title=http-access-control-allow-headers>Access-Control-Allow-Headers</code>` in
   <var title>response</var>'s
   <span title=concept-response-header-list>header list</span>.

   <li><p>If either <var title>methods</var> or <var title>headerNames</var> is failure,
   return a <span title=concept-network-error>network error</span>.

   <li>
    <p>If <var title>methods</var> is null and <var title>request</var>'s
    <span title=concept-request-mode>mode</span> is
    <i title>CORS-with-forced-preflight</i>, set <var title>methods</var> to
    <var title>request</var>'s <span title=concept-request-method>method</span>.

    <p class="note no-backref">This ensures that a <span>CORS preflight fetch</span> that
    happened due to <var title>request</var>'s
    <span title=concept-request-mode>mode</span> being
    <i title>CORS-with-forced-preflight</i> is <span title=concept-cache>cached</span>.

   <li><p>If <var title>request</var>'s <span title=concept-request-method>method</span>
   is not in <var title>methods</var> and is not a <span>simple method</span>, return a
   <span title=concept-network-error>network error</span>.

   <li><p>If one of <var title>request</var>'s
   <span title=concept-request-header-list>header list</span>'
   <span title=concept-header-name>names</span> is not in <var title>headerNames</var> and
   its corresponding <span title=concept-header>header</span> is not a
   <span>simple header</span>, return a <span title=concept-network-error>network error</span>.

   <li><p>Let <var title>max-age</var> be the result of
   <span title=concept-header-parse>parsing</span>
   `<code title=http-access-control-max-age>Access-Control-Max-Age</code>` in
   <var title>response</var>'s
   <span title=concept-response-header-list>header list</span>.

   <li><p>If <var title>max-age</var> is failure or null, set <var title>max-age</var> to
   zero.

   <li><p>If <var title>max-age</var> is greater than an imposed limit on
   <span title=concept-cache-max-age>max-age</span>, set <var title>max-age</var> to the imposed
   limit.

   <li><p>If the user agent does not provide for a <span title=concept-cache>cache</span>,
   return <var title>response</var>.

   <li><p>For each <var title>method</var> in <var title>methods</var> for which there is
   a <span title=concept-cache-match-method>method cache match</span> using
   <var title>request</var>, set matching entry's
   <span title=concept-cache-max-age>max-age</span> to <var title>max-age</var>.

   <li>
    <p>For each <var title>method</var> in <var title>methods</var> for which there is
    <em>no</em>  <span title=concept-cache-match-method>method cache match</span> using
    <var title>request</var>, create a new entry in
    <span title=concept-cache>CORS preflight cache</span> as follows:

    <dl>
     <dt><span title=concept-cache-origin>origin</span>
     <dd><var title>request</var>'s <span title=concept-request-origin>origin</span>

     <dt><span title=concept-cache-url>url</span>
     <dd><var title>request</var>'s <span title=concept-request-url>url</span>

     <dt><span title=concept-cache-max-age>max-age</span>
     <dd><var title>max-age</var>

     <dt><span title=concept-cache-credentials>credentials</span>
     <dd>False if <var title>request</var>'s
     <span title=concept-request-credentials-mode>credentials mode</span> is not
     <i title>include</i>, and true otherwise

     <dt><span title=concept-cache-method>method</span></dt>
     <dd><var title>method</var>
    </dl>

   <li><p>For each <var title>headerName</var> in <var title>headerNames</var> for which
   there is a <span title=concept-cache-match-header>header name cache match</span> using
   <var title>request</var>, set matching entry's
   <span title=concept-cache-max-age>max-age</span> to <var title>max-age</var>.

   <li>
    <p>For each <var title>headerName</var> in <var title>headerNames</var> for which
    there is <em>no</em>
    <span title=concept-cache-match-header>header name cache match</span> using
    <var title>request</var>, create a new entry in
    <span title=concept-cache>CORS preflight cache</span> as follows:

    <dl>
     <dt><span title=concept-cache-origin>origin</span>
     <dd><var title>request</var>'s <span title=concept-request-origin>origin</span>

     <dt><span title=concept-cache-url>url</span>
     <dd><var title>request</var>'s <span title=concept-request-url>url</span>

     <dt><span title=concept-cache-max-age>max-age</span>
     <dd><var title>max-age</var>

     <dt><span title=concept-cache-credentials>credentials</span>
     <dd>False if <var title>request</var>'s
     <span title=concept-request-credentials-mode>credentials mode</span> is not
     <i title>include</i>, and true otherwise

     <dt><span title=concept-cache-header-name>header name</span></dt>
     <dd><var title>headerName</var>
    </dl>

   <li><p>Return <var title>response</var>.
  </ol>

 <li><p>Otherwise, return a <span title=concept-network-error>network error</span>.
</ol>


<h3>CORS preflight cache</h3>

<p>A <dfn title=concept-cache>CORS preflight cache</dfn> consists of a collection of
entries where each entry has these fields:
<dfn title=concept-cache-origin>origin</dfn>,
<dfn title=concept-cache-url>url</dfn>,
<dfn title=concept-cache-max-age>max-age</dfn>,
<dfn title=concept-cache-credentials>credentials</dfn>,
<dfn title=concept-cache-method>method</dfn>, and
<dfn title=concept-cache-header-name>header name</dfn>.

<p>Entries must be removed after the seconds specified in the
<span title=concept-cache-max-age>max-age</span> field have passed since storing the entry.
Entries may be removed before that moment arrives.

<p>To <dfn title=concept-cache-clear>clear cache entries</dfn> given a
<var title>request</var>, remove any entries in the
<span title=concept-cache>CORS preflight cache</span> whose
<span title=concept-cache-origin>origin</span> is <var title>request</var>'s
<span title=concept-request-origin>origin</span> and whose
<span title=concept-cache-url>url</span> is <var title>request</var>'s
<span title=concept-request-url>url</span>.

<p>There is a <dfn title=concept-cache-match>cache match</dfn> for
<var title>request</var> if <span title=concept-cache-origin>origin</span> is
<var title>request</var>'s <span title=concept-request-origin>origin</span>,
<span title=concept-cache-url>url</span> is <var title>request</var>'s
<span title=concept-request-url>url</span>, and either
<span title=concept-cache-credentials>credentials</span> is false and
<var title>request</var>'s
<span title=concept-request-credentials-mode>credentials mode</span> is not
<i title>include</i> or <span title=concept-cache-credentials>credentials</span> is true.

<p>There is a <dfn title=concept-cache-match-method>method cache match</dfn> for
<var title>method</var> using <var title>request</var> when there is an entry in
<span title=concept-cache>CORS preflight cache</span> for which there is a
<span title=concept-cache-match>cache match</span> for <var title>request</var> and its
<span title=concept-cache-method>method</span> is <var title>method</var>.

<p>There is a <dfn title=concept-cache-match-header>header name cache match</dfn> for
<var title>headerName</var> using <var title>request</var> when there is an entry in
<span title=concept-cache>CORS preflight cache</span> for which there is a
<span title=concept-cache-match>cache match</span> for <var title>request</var> and its
<span title=concept-cache-header-name>header name</span> is <var title>headerName</var>.


<h3>CORS check</h3>

<p>To perform a <dfn title=concept-cors-check>CORS check</dfn> for a
<var title>request</var> and <var title>response</var>, run these steps:

<ol>
 <li><p>Let <var title>origin</var> be the result of
 <span title=concept-header-parse>parsing</span>
 `<code title=http-access-control-allow-origin>Access-Control-Allow-Origin</code>` in
 <var title>response</var>'s <span title=concept-response-header-list>header list</span>.

 <li>
  <p>If <var title>origin</var> is null or failure, return failure.

  <p class=note>Null is not `<code title>null</code>`.

 <li><p>If <var title>request</var>'s
 <span title=concept-request-credentials-mode>credentials mode</span> is not
 <i title>include</i> and <var title>origin</var> is `<code title>*</code>`, return success.

 <li><p>If <var title>request</var>'s <span title=concept-request-origin>origin</span>,
 <span data-anolis-spec=html title="ASCII serialization of an origin">serialized</span>
 and <span data-anolis-spec=encoding title="utf-8 encode">utf-8 encoded</span>, is not
 <var title>origin</var>, return failure.
 <!-- XXX concept-as-bytes -->

 <li><p>If <var title>request</var>'s
 <span title=concept-request-credentials-mode>credentials mode</span> is not
 <i title>include</i>, return success.

 <li><p>Let <var title>credentials</var> be the result of
 <span title=concept-header-parse>parsing</span>
 `<code title=http-access-control-allow-credentials>Access-Control-Allow-Credentials</code>`
 in <var title>response</var>'s
 <span title=concept-response-header-list>header list</span>.

 <li>
  <p>If <var title>credentials</var> is `<code title>true</code>`, return success.

  <p class=XXX>It has been suggested to check for <var title>origin</var> not being
  `<code title>null</code>` here as that would be equal to allowing credentials and
  `<code title>*</code>` which is also forbidden.

 <li><p>Return failure.
</ol>



<h2>Fetch API</h2>

<p class=no-backref>The <code title=dom-global-fetch>fetch()</code> method is relatively
low-level API for <span title=concept-fetch>fetching</span> resources. It covers slightly
more ground than <code data-anolis-spec=xhr>XMLHttpRequest</code>, although it is
currently lacking when it comes to reporting progression.

<div class="example no-backref">
 <p>The <code title=dom-global-fetch>fetch()</code> method makes it quite straightforward
 to <span title=concept-fetch>fetch</span> a resource and extract its contents as a
 <code data-anolis-spec=fileapi>Blob</code>:

 <pre>fetch("/music/pk/altes-kamuffel.flac")
  .then(res => res.blob()).then(playBlob)</pre>

 <p>If you just care to log a particular response header:

 <pre>fetch("/", {method:"HEAD"})
  .then(res => log(res.headers.get("strict-transport-security")))</pre>

 <p>If you want to check a particular response header and then process the response of a
 cross-origin resources:

 <pre>fetch("https://pk.example/berlin-calling.json", {mode:"cors"})
  .then(res => {
    if(res.headers.get("content-type") == "application/json") {
      return res.json()
    } else {
      throw new TypeError()
    }
  }).then(processJSON)</pre>
</div>


<h3>Headers class</h3>

<pre class=idl>typedef (<span>Headers</span> or sequence&lt;sequence&lt;ByteString>> or OpenEndedDictionary&lt;ByteString>) <dfn>HeadersInit</dfn>;</pre>

<div class=XXX>
 <p>OpenEndedDictionary&lt;T> is a future IDL construct. Expect it to be used as such:

 <pre>var meta = { "Content-Type": "text/xml", "Breaking-Bad": "&lt;3" }
new Headers(meta)</pre>
</div>

<pre class=idl>[<span title=dom-Headers>Constructor</span>(optional <span>HeadersInit</span> <var title>init</var>),
 Exposed=(Window,Worker)]
interface <dfn>Headers</dfn> {
  void <span title=dom-Headers-append>append</span>(ByteString <var title>name</var>, ByteString <var title>value</var>);
  void <span title=dom-Headers-delete>delete</span>(ByteString <var title>name</var>);
  ByteString? <span title=dom-Headers-get>get</span>(ByteString <var title>name</var>);
  sequence&lt;ByteString> <span title=dom-Headers-getAll>getAll</span>(ByteString <var title>name</var>);
  boolean <span title=dom-Headers-has>has</span>(ByteString <var title>name</var>);
  void <span title=dom-Headers-set>set</span>(ByteString <var title>name</var>, ByteString <var title>value</var>);
  iterable&lt;ByteString, ByteString>;
};</pre>

<p>A <code>Headers</code> object has an associated
<dfn title=concept-Headers-header-list>header list</dfn> (a
<span title=concept-header-list>header list</span>), which is initially empty.

<p>A <code>Headers</code> object also has an associated
<dfn title=concept-Headers-guard>guard</dfn>, which is one of <i title>immutable</i>,
<i title>request</i>, <i title>request-no-CORS</i>, <i title>response</i> and
<i title>none</i> (initially <i title>none</i>).

<p class="note no-backref"><i title>immutable</i> exists for service workers.
<span data-anolis-ref>SW</span>

<p>To <dfn title=concept-Headers-fill>fill</dfn> a <code>Headers</code> object
(<var title>headers</var>) with a given object (<var title>object</var>), run these steps:

<ol>
 <li>
  <p>If <var title>object</var> is a <code>Headers</code> object, copy its
  <span title=concept-Headers-header-list>header list</span> as
  <var title>headerListCopy</var> and then for each <var title>header</var> in
  <var title>headerListCopy</var>, retaining order,
  <span title=concept-Headers-append>append</span>
  <var title>header</var>'s <span title=concept-header-name>name</span>/<var title>header</var>'s <span title=concept-header-value>value</span>
  to <var title>headers</var>. Rethrow any exception.

  <p class=note>Once <code title>Headers.prototype[Symbol.iterator]</code> is defined this
  special casing will no longer be needed.

 <li>
  <p>Otherwise, if <var title>object</var> is a sequence, then for each
  <var title>header</var> in <var title>object</var>, run these substeps:

  <ol>
   <li><p>If <var title>header</var> does not contain exactly two items,
   <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

   <li><p><span title=concept-Headers-append>Append</span>
   <var title>header</var>'s first item/<var title>header</var>'s second item to
   <var title>headers</var>. Rethrow any exception.
  </ol>

 <li>
  <p>Otherwise, if <var title>object</var> is an open-ended dictionary, then for each
  <var title>header</var> in <var title>object</var>, run these substeps:

  <ol>
   <li><p>Set <var title>header</var>'s key to <var title>header</var>'s key,
   <span data-anolis-spec=webidl title=es-ByteString>converted to ByteString</span>.
   Rethrow any exception.

   <li><p><span title=concept-Headers-append>Append</span>
   <var title>header</var>'s key/<var title>header</var>'s value to
   <var title>headers</var>. Rethrow any exception.
  </ol>
</ol>

<p>The <dfn title=dom-Headers><code>Headers(<var>init</var>)</code></dfn> constructor,
when invoked, must run these steps:

<ol>
 <li><p>Let <var title>headers</var> be a new <code>Headers</code> object.

 <li><p>If <var title>init</var> is given, <span title=concept-Headers-fill>fill</span>
 <var title>headers</var> with <var title>init</var>. Rethrow any exception.

 <li><p>Return <var title>headers</var>.
</ol>

<p>To <dfn title=concept-Headers-append>append</dfn> a
<span title=concept-header-name>name</span>/<span title=concept-header-value>value</span>
(<var title>name</var>/<var title>value</var>) pair to a
<code>Headers</code> object (<var title>headers</var>), run these steps:

<ol>
 <li><p>If <var title>name</var> is not a <span title=concept-header-name>name</span> or
 <var title>value</var> is not a <span title=concept-header-value>value</span>,
 <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

 <li><p>If <span title=concept-Headers-guard>guard</span> is <i title>immutable</i>,
 <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

 <li><p>Otherwise, if <span title=concept-Headers-guard>guard</span> is
 <i title>request</i> and <var title>name</var> is a <span>forbidden header name</span>,
 return.

 <li><p>Otherwise, if <span title=concept-Headers-guard>guard</span> is
 <i title>request-no-CORS</i> and <var title>name</var>/<var title>value</var> is not a
 <span>simple header</span>, return.

 <li><p>Otherwise, if <span title=concept-Headers-guard>guard</span> is
 <i title>response</i> and <var title>name</var> is a
 <span>forbidden response header name</span>, return.

 <li><p><span title=concept-header-list-append>Append</span>
 <var title>name</var>/<var title>value</var> to
 <span title=concept-Headers-header-list>header list</span>.
</ol>

<p>The
<dfn title=dom-Headers-append><code>append(<var>name</var>, <var>value</var>)</code></dfn>
method, when invoked, must <span title=concept-Headers-append>append</span>
<var title>name</var>/<var title>value</var> to the
<span data-anolis-spec=dom>context object</span> and rethrow any exception.

<p>The <dfn title=dom-Headers-delete><code>delete(<var>name</var>)</code></dfn>
method, when invoked, must run these steps:

<ol>
 <li><p>If <var title>name</var> is not a <span title=concept-header-name>name</span>,
 <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

 <li><p>If <span title=concept-Headers-guard>guard</span> is <i title>immutable</i>,
 <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

 <li><p>Otherwise, if <span title=concept-Headers-guard>guard</span> is
 <i title>request</i> and <var title>name</var> is a <span>forbidden header name</span>,
 return.

 <li><p>Otherwise, if <span title=concept-Headers-guard>guard</span> is
 <i title>request-no-CORS</i> and <var title>name</var>/`<code title>invalid</code>` is
 not a <span>simple header</span>, return.

 <li><p>Otherwise, if <span title=concept-Headers-guard>guard</span> is
 <i title>response</i> and <var title>name</var> is a
 <span>forbidden response header name</span>, return.

 <li><p><span title=concept-header-list-delete>Delete</span> <var title>name</var> from
 <span title=concept-Headers-header-list>header list</span>.
</ol>

<p>The <dfn title=dom-Headers-get><code>get(<var>name</var>)</code></dfn> method, when
invoked, must run these steps:

<ol>
 <li><p>If <var title>name</var> is not a <span title=concept-header-name>name</span>,
 <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

 <li><p>Return the <span title=concept-header-value>value</span> of the first
 <span title=concept-header>header</span> in
 <span title=concept-Headers-header-list>header list</span> whose
 <span title=concept-header-name>name</span> is <var title>name</var>, and null otherwise.
</ol>

<p>The <dfn title=dom-Headers-getAll><code>getAll(<var>name</var>)</code></dfn> method,
when invoked, must run these steps:

<ol>
 <li><p>If <var title>name</var> is not a <span title=concept-header-name>name</span>,
 <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

 <li><p>Return the <span title=concept-header-value>values</span> of all
 <span title=concept-header>headers</span> in
 <span title=concept-Headers-header-list>header list</span> whose
 <span title=concept-header-name>name</span> is <var title>name</var>, in list order, and
 the empty sequence otherwise.
</ol>

<p>The <dfn title=dom-Headers-has><code>has(<var title>name</var>)</code></dfn> method,
when invoked, must run these steps:

<ol>
 <li><p>If <var title>name</var> is not a <span title=concept-header-name>name</span>,
 <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

 <li><p>Return true if there is a <span title=concept-header>header</span> in
 <span title=concept-Headers-header-list>header list</span> whose
 <span title=concept-header-name>name</span> is <var title>name</var>, and false
 otherwise.
</ol>

<p>The
<dfn title=dom-Headers-set><code>set(<var>name</var>, <var>value</var>)</code></dfn>
method, when invoked, must run these steps:

<ol>
 <li><p>If <var title>name</var> is not a <span title=concept-header-name>name</span> or
 <var title>value</var> is not a <span title=concept-header-value>value</span>,
 <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

 <li><p>If <span title=concept-Headers-guard>guard</span> is <i title>immutable</i>,
 <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

 <li><p>Otherwise, if <span title=concept-Headers-guard>guard</span> is
 <i title>request</i> and <var title>name</var> is a <span>forbidden header name</span>,
 return.

 <li><p>Otherwise, if <span title=concept-Headers-guard>guard</span> is
 <i title>request-no-CORS</i> and <var title>name</var>/<var title>value</var> is not a
 <span>simple header</span>, return.

 <li><p>Otherwise, if <span title=concept-Headers-guard>guard</span> is
 <i title>response</i> and <var title>name</var> is a
 <span>forbidden response header name</span>, return.

 <li><p><span title=concept-header-list-set>Set</span>
 <var title>name</var>/<var title>value</var> in
 <span title=concept-Headers-header-list>header list</span>.
</ol>

<p>The <span data-anolis-spec=webidl>value pairs to iterate over</span> are the
<span title=concept-header>headers</span> in the
<span title=concept-Headers-header-list>header list</span> with the key being the
<span title=concept-header-name>name</span> and value the
<span title=concept-header-value>value</span>.


<h3>Body mixin</h3>

<pre class=idl>typedef object <dfn>JSON</dfn>;
typedef (<span data-anolis-spec=fileapi>Blob</span> or BufferSource or <span data-anolis-spec=xhr>FormData</span> or <span data-anolis-spec=url>URLSearchParams</span> or USVString) <dfn>BodyInit</dfn>;</pre>

<p>To <dfn title=concept-BodyInit-extract>extract</dfn> a byte stream and a
`<code title>Content-Type</code>` <span title=concept-header-value>value</span> from
<var title>object</var>, run these steps:

<ol>
 <li><p>Let <var title>stream</var> be an empty byte stream.

 <li><p>Let <var title>Content-Type</var> be null.

 <li>
  <p>Switch on <var title>object</var>'s type:

  <dl class=switch>
   <dt><code data-anolis-spec=fileapi>Blob</code>
   <dd>
    <p>Push a copy of <var title>object</var>'s contents to <var title>stream</var>.

    <p>If <var title>object</var>'s
    <code data-anolis-spec=fileapi title=dom-Blob-type>type</code> attribute is not the
    empty byte sequence, set <var title>Content-Type</var> to its value.

   <dt><code title>BufferSource</code>
   <dd>
    <p>Push a
    <span data-anolis-spec=webidl title="get a copy of the bytes held by the buffer source">copy of</span>
    <var title>object</var> to <var title>stream</var>.

   <dt><code data-anolis-spec=xhr>FormData</code>
   <dd>
    <p>Push the result of running the
    <span data-anolis-spec=html><code>multipart/form-data</code> encoding algorithm</span>,
    with <var>object</var> as <var>form data set</var> and with
    <span data-anolis-spec=encoding>utf-8</span> as the explicit character encoding, to
    <var title>stream</var>.
    <!-- need to provide explicit character encoding because otherwise the encoding of the
         document is used -->

    <p>Set <var>Content-Type</var> to `<code title>multipart/form-data;boundary=</code>`,
    followed by the
    <span data-anolis-spec=html><code>multipart/form-data</code> boundary string</span>
    generated by the
    <span data-anolis-spec=html><code>multipart/form-data</code> encoding algorithm</span>.

   <dt><code data-anolis-spec=url>URLSearchParams</code>
   <dd>
    <p>Push the result of running the
    <span data-anolis-spec=url title=concept-urlencoded-serializer><code>application/x-www-form-urlencoded</code> serializer</span>,
    with <var>object</var>'s
    <span data-anolis-spec=url title=concept-URLSearchParams-list>list</span>, to
    <var title>stream</var>.
    <!-- utf-8 implied -->

    <p>Set <var>Content-Type</var> to
    `<code title>application/x-www-form-urlencoded;charset=UTF-8</code>`.

   <dt><code title>USVString</code>
   <dd>
    <p>Push the result of running <span data-anolis-spec=encoding>utf-8 encode</span> on
    <var title>object</var> to <var title>stream</var>.
    <p>Set <var title>Content-Type</var> to `<code title>text/plain;charset=UTF-8</code>`.
  </dl>

 <li><p>Return <var title>stream</var> and <var title>Content-Type</var>.
</ol>


<pre class=idl>[NoInterfaceObject,
 Exposed=(Window,Worker)]
interface <dfn>Body</dfn> {
  readonly attribute boolean <span title=dom-Body-bodyUsed>bodyUsed</span>;
  [NewObject] Promise&lt;ArrayBuffer> <span title=dom-Body-arrayBuffer>arrayBuffer</span>();
  [NewObject] Promise&lt;<span data-anolis-spec=fileapi>Blob</span>> <span title=dom-Body-blob>blob</span>();
  [NewObject] Promise&lt;<span data-anolis-spec=xhr>FormData</span>> <span title=dom-Body-formData>formData</span>();
  [NewObject] Promise&lt;<span>JSON</span>> <span title=dom-Body-json>json</span>();
  [NewObject] Promise&lt;USVString> <span title=dom-Body-text>text</span>();
};</pre>

<p class=note>Formats you would not want a network layer to be dependent upon, such as
HTML, will likely not be exposed here. Rather, an HTML parser API might accept a stream in
due course.
<!-- http://lists.w3.org/Archives/Public/public-whatwg-archive/2014Jun/thread.html#msg72 -->

<p>Objects implementing the <code>Body</code> mixin gain an associated
<dfn title=concept-Body-body>body</dfn> (a byte stream), a
<dfn title=concept-Body-used-flag>used flag</dfn> (initially unset), and a
<dfn title=concept-Body-MIME-type>MIME type</dfn> (initially the empty byte sequence).

<p>The <dfn title=dom-Body-bodyUsed><code>bodyUsed</code></dfn> attribute's getter must
return true if the <span title=concept-Body-used-flag>used flag</span> is set, and false
otherwise.

<p>Objects implementing the <code>Body</code> mixin also have an associated
<dfn title=concept-Body-consume-body>consume body</dfn> algorithm, which given a
<var title>type</var>, runs these steps:

<ol>
 <li><p>Let <var title>p</var> be a new promise.

 <li><p>If <span title=concept-Body-used-flag>used flag</span> is set, reject
 <var title>p</var> with a <code title>TypeError</code>.

 <li>
  <p>Otherwise, set <span title=concept-Body-used-flag>used flag</span> and then run these
  substeps <span data-anolis-spec=html>in parallel</span>:
  <!-- We do not check for body being null to make this API work consistently.
       Otherwise we'd need an additional flag. -->

  <ol>
   <li><p>Let <var title>stream</var> be <span title=concept-Body-body>body</span>.

   <li><p>If <var title>stream</var> is null, set <var title>stream</var> to an empty byte
   sequence.

   <li><p>Let <var title>bytes</var> be the result of reading from <var title>stream</var>
   until it returns end-of-stream.
   <!-- XXX stream -->

   <li>
    <p>Switch on <var title>type</var>:

    <dl class=switch>
     <dt><i title>ArrayBuffer</i>
     <dd><p>Resolve <var title>p</var> with an <code>ArrayBuffer</code> whose contents are
     <var title>bytes</var>.

     <dt><i title>Blob</i>
     <dd><p>Resolve <var title>p</var> with a <code data-anolis-spec=fileapi>Blob</code>
     whose contents are <var title>bytes</var> and
     <code data-anolis-spec=fileapi title=dom-Blob-type>type</code> is
     <span title=concept-Body-MIME-type>MIME type</span>.

     <dt><i title>FormData</i>
     <dd>
      <p>If <span title=concept-Body-MIME-type>MIME type</span> (ignoring parameters)
      is `<code>multipart/form-data</code>`, run these subsubsteps:

      <ol>
       <li><p>Parse <var title>bytes</var>, using the value of the
       `<code title>boundary</code>` parameter from
       <span title=concept-Body-MIME-type>MIME type</span> and
       <span data-anolis-spec=encoding>utf-8</span> as encoding, per the rules set forth
       in <cite>Returning Values from Forms: multipart/form-data</cite>.
       <span data-anolis-ref>RFC2388</span>

       <li><p>If that fails for some reason, reject <var title>p</var> with a
       <code title>TypeError</code>.

       <li><p>Otherwise, resolve <var title>p</var> with a new
       <code data-anolis-spec=xhr>FormData</code> object, running
       <span data-anolis-spec=xhr>create an entry</span> for each entry as the result of
       the parsing operation and appending it to
       <span data-anolis-spec=xhr title=concept-FormData-entry>entries</span>.
      </ol>

      <p class=XXX>The above is a rough approximation of what is required for
      `<code>multipart/form-data</code>`, a more detailed parsing specification is to be
      written. Volunteers welcome.

      <p>Otherwise, if <span title=concept-Body-MIME-type>MIME type</span>
      (ignoring parameters) is `<code>application/x-www-form-urlencoded</code>`, run these
      subsubsteps:

      <ol>
       <li><p>Let <var title>entries</var> be the result of
       <span data-anolis-spec=url title=concept-urlencoded-parser>parsing</span>
       <var title>bytes</var>.

       <li><p>If <var title>entries</var> is failure, reject <var title>p</var> with a
       <code title>TypeError</code>.

       <li><p>Resolve <var title>p</var> with a new
       <code data-anolis-spec=xhr>FormData</code> object whose
       <span data-anolis-spec=xhr title=concept-FormData-entry>entries</span> are
       <var title>entries</var>.
      </ol>

      <p>Otherwise, reject <var title>p</var> with a <code title>TypeError</code>.

     <dt><i title>JSON</i>
     <dd>
      <p>Let <var title>JSON</var> be the result of invoking the initial value of the
      <code title>parse</code> property of the <code title>JSON</code> object with the
      result of running <span data-anolis-spec=encoding>utf-8 decode</span> on
      <var title>bytes</var> as argument.

      <p>If that threw an exception, reject <var title>p</var> with that exception.

      <p>Otherwise, resolve <var title>p</var> with <var title>JSON</var>.

     <dt><i title>text</i>
     <dd><p>Resolve <var title>p</var> with the result of running
     <span data-anolis-spec=encoding>utf-8 decode</span> on <var title>bytes</var>.
    </dl>
  </ol>

 <li><p>Return <var title>p</var>.
</ol>

<p>The <dfn title=dom-Body-arrayBuffer><code>arrayBuffer()</code></dfn>
method, when invoked, must return the result of running
<span title=concept-Body-consume-body>consume body</span> with <i title>ArrayBuffer</i>.

<p>The <dfn title=dom-Body-blob><code>blob()</code></dfn> method, when
invoked, must return the result of running
<span title=concept-Body-consume-body>consume body</span> with <i title>Blob</i>.

<p>The <dfn title=dom-Body-formData><code>formData()</code></dfn> method,
when invoked, must return the result of running
<span title=concept-Body-consume-body>consume body</span> with <i title>FormData</i>.

<p>The <dfn title=dom-Body-json><code>json()</code></dfn> method, when
invoked, must return the result of running
<span title=concept-Body-consume-body>consume body</span> with <i title>JSON</i>.

<p>The <dfn title=dom-Body-text><code>text()</code></dfn> method, when
invoked, must return the result of running
<span title=concept-Body-consume-body>consume body</span> with <i title>text</i>.


<h3>Request class</h3>

<!-- No client member, see
  https://github.com/slightlyoff/ServiceWorker/issues/318
  https://github.com/slightlyoff/ServiceWorker/issues/575 -->

<pre class=idl>typedef (<span>Request</span> or USVString) <dfn>RequestInfo</dfn>;

[<span title=dom-Request>Constructor</span>(<span>RequestInfo</span> <var title>input</var>, optional <span>RequestInit</span> <var title>init</var>),
 Exposed=(Window,Worker)]
interface <dfn>Request</dfn> {
  readonly attribute ByteString <span title=dom-Request-method>method</span>;
  readonly attribute USVString <span title=dom-Request-url>url</span>;
  [SameObject] readonly attribute <span>Headers</span> <span title=dom-Request-headers>headers</span>;

  readonly attribute <span>RequestContext</span> <span title=dom-Request-context>context</span>;<!--
  readonly attribute DOMString <span title=dom-Request-origin>origin</span>;-->
  readonly attribute DOMString <span title=dom-Request-referrer>referrer</span>;<!--
  readonly attribute boolean <span title=dom-Request-handles401>handles401</span>;
  readonly attribute boolean <span title=dom-Request-isSynchronous>isSynchronous</span>;-->
  readonly attribute <span>RequestMode</span> <span title=dom-Request-mode>mode</span>;
  readonly attribute <span>RequestCredentials</span> <span title=dom-Request-credentials>credentials</span>;<!--
  readonly attribute boolean <span title=dom-Request-usingURLCredentials>usingURLCredentials</span>;-->
  readonly attribute <span>RequestCache</span> <span title=dom-Request-cache>cache</span>;<!--
  readonly attribute boolean <span title=dom-Request-handlesRedirects>handlesRedirects</span>;-->

  [NewObject] <span>Request</span> <span title=dom-Request-clone>clone</span>();
};
<span>Request</span> implements <span>Body</span>;

dictionary <dfn>RequestInit</dfn> {
  ByteString method;
  <span>HeadersInit</span> headers;
  <span>BodyInit</span> body;
  <span>RequestMode</span> mode;
  <span>RequestCredentials</span> credentials;
  <span>RequestCache</span> cache;
};

enum <dfn>RequestContext</dfn> {
  "audio", "beacon", "cspreport", "download", "embed", "eventsource", "favicon", "fetch",
  "font", "form", "frame", "hyperlink", "iframe", "image", "imageset", "import",
  "internal", "location", "manifest", "object", "ping", "plugin", "prefetch", "script",
  "serviceworker", "sharedworker", "subresource", "style", "track", "video", "worker",
  "xmlhttprequest", "xslt"
};
enum <dfn>RequestMode</dfn> { "same-origin", "no-cors", "cors" };
enum <dfn>RequestCredentials</dfn> { "omit", "same-origin", "include" };
enum <dfn>RequestCache</dfn> { "default", "no-store", "reload", "no-cache", "force-cache", "only-if-cached" };</pre>

<p>A <code>Request</code> object has an associated
<dfn title=concept-Request-request>request</dfn> (a
<span title=concept-request>request</span>).

<p>A <code>Request</code> object also has an associated <code>Headers</code> object which
is itself associated with <span title=concept-Request-request>request</span>'s
<span title=concept-request-header-list>header list</span> and whose
<span title=concept-Headers-guard>guard</span> is <i title>request</i>.

<p>A <code>Request</code> object's <span title=concept-Body-body>body</span> is its
<span title=concept-Request-request>request</span>'s
<span title=concept-request-body>body</span>.

<hr>

<p>The
<dfn title=dom-Request><code>Request(<var>input</var>, <var>init</var>)</code></dfn>
constructor must run these steps:

<ol>
 <li>
  <p>If <var title>input</var> is a <code>Request</code> object and
  <var title>input</var>'s <span title=concept-Body-body>body</span> is non-null, run
  these substeps:

  <ol>
   <li><p>If <var title>input</var>'s <span title=concept-Body-used-flag>used flag</span>
   is set, <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

   <li><p>Set <var title>input</var>'s
   <span title=concept-Body-used-flag>used flag</span>.
  </ol>

 <li><p>Let <var title>request</var> be <var title>input</var>'s
 <span title=concept-Request-request>request</span>, if <var title>input</var> is a
 <code>Request</code> object, and a new <span title=concept-request>request</span>
 otherwise.

 <li><p>Set <var title>request</var> to a new <span title=concept-request>request</span>
 whose <span title=concept-request-url>url</span> is <var title>request</var>'s
 <span title=concept-request-url>url</span>,
 <span title=concept-request-method>method</span> is <var title>request</var>'s
 <span title=concept-request-method>method</span>,
 <span title=concept-request-header-list>header list</span> is a copy of
 <var title>request</var>'s <span title=concept-request-header-list>header list</span>,
 <span title=concept-unsafe-request-flag>unsafe request flag</span> is set,
 <span title=concept-request-body>body</span> is <var title>request</var>'s
 <span title=concept-request-body>body</span>,
 <span title=concept-request-client>client</span> is
 <span data-anolis-spec=html>entry settings object</span>,
 <span title=concept-request-origin>origin</span> is
 <span data-anolis-spec=html>entry settings object</span>'s
 <span data-anolis-spec=html>origin</span>,
 <span>force <code>Origin</code> header flag</span> is set,
 <span>same-origin data URL flag</span> is set,
 <span title=concept-request-context>context</span> is <i title>fetch</i>,
 <span title=concept-request-mode>mode</span> is <var title>request</var>'s
 <span title=concept-request-mode>mode</span>,
 <span title=concept-request-credentials-mode>credentials mode</span> is
 <var title>request</var>'s
 <span title=concept-request-credentials-mode>credentials mode</span>,
 and
 <span title=concept-request-cache-mode>cache mode</span> is
 <var title>request</var>'s
 <span title=concept-request-cache-mode>cache mode</span>.

 <li><p>Let <var title>fallbackMode</var> be null.

 <li><p>Let <var title>fallbackCredentials</var> be null.

 <li><p>Let <var title>fallbackCache</var> be null.

 <li>
  <p>If <var title>input</var> is a string, run these substeps:

  <ol>
   <li><p>Let <var title>parsedURL</var> be the result of
   <span data-anolis-spec=url title=concept-url-parser>parsing</span>
   <var title>input</var> with <span data-anolis-spec=html>entry settings object</span>'s
   <span data-anolis-spec=html>API base URL</span>.

   <li><p>If <var title>parsedURL</var> is failure,
   <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

   <li><p>Set <var title>request</var>'s <span title=concept-request-url>url</span> to
   <var title>parsedURL</var>.

   <li><p>Set <var title>fallbackMode</var> to "<code title>cors</code>".

   <li><p>Set <var title>fallbackCredentials</var> to "<code title>omit</code>".

   <li><p>Set <var title>fallbackCache</var> to "<code title>default</code>".
  </ol>

 <li><p>Let <var title>mode</var> be <var title>init</var>'s <code title>mode</code>
 member if it is present, and <var title>fallbackMode</var> otherwise.

 <li>
  <p>If <var title>mode</var> is non-null, set <var title>request</var>'s
  <span title=concept-request-mode>mode</span> to the value corresponding to the first
  matching statement, switching on <var title>mode</var>:

  <dl class=switch>
   <dt>"<code title>same-origin</code>"
   <dd><i title>same-origin</i>
   <dt>"<code title>no-cors</code>"
   <dd><i title>no CORS</i>
   <dt>"<code title>cors</code>"
   <dd><i title>CORS</i>
  </dl>

 <li><p>Let <var title>credentials</var> be <var title>init</var>'s
 <code title>credentials</code> member if it is present, and
 <var title>fallbackCredentials</var> otherwise.

 <li><p>If <var title>credentials</var> is non-null, set <var title>request</var>'s
 <span title=concept-request-credentials-mode>credentials mode</span> to
 <var title>credentials</var>.

 <li><p>Let <var title>cache</var> be <var title>init</var>'s <code title>cache</code>
 member if it is present, and <var title>fallbackCache</var> otherwise.

 <li>
  <p>If <var title>cache</var> is non-null, set <var title>request</var>'s
  <span title=concept-request-cache-mode>cache mode</span> to the value corresponding to
  the first matching statement, switching on <var title>cache</var>:

  <dl class=switch>
   <dt>"<code title>force-cache</code>"
   <dd><i title>force cache</i>
   <dt>Otherwise
   <dd>Value as is.
  </dl>

 <li>
  <p>If <var title>init</var>'s <code title>method</code> member is present, let
  <var title>method</var> be it and run these substeps:

  <ol>
   <li><p>If <var title>method</var> is not a <span title=concept-method>method</span> or
   <var title>method</var> is a <span>forbidden method</span>,
   <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

   <li><p><span title=concept-method-normalize>Normalize</span> <var title>method</var>.

   <li><p>Set <var title>request</var>'s <span title=concept-request-method>method</span>
   to <var title>method</var>.
  </ol>

 <li><p>Let <var title>r</var> be a new <code>Request</code> object associated with
 <var title>request</var> and a new <code>Headers</code> object.

 <li><p>Let <var title>headers</var> be a copy of <var title>r</var>'s
 <code>Headers</code> object.
 <!-- it might contain a header that is no longer allowed per the mode change -->

 <li><p>If <var title>init</var>'s <code title>headers</code> member is present, set
 <var title>headers</var> to <var title>init</var>'s <code title>headers</code> member.

 <li><p>Empty <var title>r</var>'s <span title=concept-Request-request>request</span>'s
 <span title=concept-request-header-list>header list</span>.

 <li>
  <p>If <var title>r</var>'s <span title=concept-Request-request>request</span>'s
  <span title=concept-request-mode>mode</span> is <i title>no CORS</i>, run these
  substeps:

  <ol>
   <li><p>If <var title>r</var>'s <span title=concept-Request-request>request</span>'s
   <span title=concept-request-method>method</span> is not a <span>simple method</span>,
   <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

   <li><p>Set <var title>r</var>'s <code>Headers</code> object's
   <span title=concept-Headers-guard>guard</span> to <i title>request-no-CORS</i>.
  </ol>

 <li><p><span title=concept-Headers-fill>Fill</span> <var title>r</var>'s
 <code>Headers</code> object with <var title>headers</var>. Rethrow any exceptions.

 <li>
  <p>If <var title>init</var>'s <code title>body</code> member is present, run these
  substeps:

  <ol>
   <li><p>If <var title>request</var>'s <span title=concept-request-method>method</span>
   is `<code title>GET</code>` or `<code title>HEAD</code>`,
   <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

   <li><p>Let <var title>stream</var> and <var title>Content-Type</var> be the result of
   <span title=concept-BodyInit-extract>extracting</span> <var title>init</var>'s
   <code title>body</code> member.

   <li><p>Set <var title>r</var>'s <span title=concept-Request-request>request</span>'s
   <span title=concept-request-body>body</span> to <var title>stream</var>.

   <li><p>If <var title>Content-Type</var> is non-null and <var title>r</var>'s
   <span title=concept-Request-request>request</span>'s
   <span title=concept-request-header-list>header list</span> contains no
   <span title=concept-header>header</span> <span title=concept-header-name>named</span>
   `<code title>Content-Type</code>`, <span title=concept-Headers-append>append</span>
   `<code title>Content-Type</code>`/<var title>Content-Type</var> to <var title>r</var>'s
   <code>Headers</code> object. Rethrow any exception.
  </ol>

 <li><p>Set <var title>r</var>'s <span title=concept-Body-MIME-type>MIME type</span> to
 the result of <span title=concept-header-extract-MIME-type>extracting a MIME type</span>
 from <var title>r</var>'s <span title=concept-Request-request>request</span>'s
 <span title=concept-request-header-list>header list</span>.

 <li><p>Return <var title>r</var>.
</ol>

<p>The <dfn title=dom-Request-method><code>method</code></dfn> attribute's getter must
return <span title=concept-Request-request>request</span>'s
<span title=concept-request-method>method</span>.

<p>The <dfn title=dom-Request-url><code>url</code></dfn> attribute's getter must
return <span title=concept-Request-request>request</span>'s
<span title=concept-request-url>url</span>,
<span data-anolis-spec=url title=concept-url-serializer>serialized</span> with the
<i title>exclude fragment flag</i> set.

<p>The <dfn title=dom-Request-headers><code>headers</code></dfn> attribute's getter must
return the associated <code>Headers</code> object.

<p>The <dfn title=dom-Request-context><code>context</code></dfn> attribute's getter must
return <span title=concept-Request-request>request</span>'s
<span title=concept-Request-context>context</span>.

<p>The <dfn title=dom-Request-referrer><code>referrer</code></dfn> attribute's getter must
return the empty string if <span title=concept-Request-request>request</span>'s
<span title=concept-Request-referrer>referrer</span> is <i title>no referrer</i>,
"<code title>about:client</code>" if <span title=concept-Request-request>request</span>'s
<span title=concept-Request-referrer>referrer</span> is <i title>client</i> and
<span title=concept-Request-request>request</span>'s
<span title=concept-Request-referrer>referrer</span>,
<span data-anolis-spec=url title=concept-url-serializer>serialized</span>, otherwise.

<p>The <dfn title=dom-Request-mode><code>mode</code></dfn> attribute's getter must
return the value corresponding to the first matching statement, switching on
<span title=concept-Request-request>request</span>'s
<span title=concept-request-mode>mode</span>:

<dl class=switch>
 <dt><i title>same-origin</i>
 <dd>"<code title>same-origin</code>"
 <dt><i title>no CORS</i>
 <dd>"<code title>no-cors</code>"
 <dt><i title>CORS</i>
 <dt><i title>CORS-with-forced-preflight</i>
 <dd>"<code title>cors</code>"
</dl>

<p>The <dfn title=dom-Request-credentials><code>credentials</code></dfn> attribute's
getter must return <span title=concept-Request-request>request</span>'s
<span title=concept-request-credentials-mode>credentials mode</span>.

<p>The <dfn title=dom-Request-cache><code>cache</code></dfn> attribute's getter must
return the value corresponding to the first matching statement, switching on
<span title=concept-Request-request>request</span>'s
<span title=concept-request-cache-mode>cache mode</span>:

<dl class=switch>
 <dt><i title>force cache</i>
 <dd>"<code title>force-cache</code>"
 <dt>Otherwise
 <dd>Value as is.
</dl>

<hr>

<p>The <dfn title=dom-Request-clone><code>clone()</code></dfn> method, when invoked, must
run these steps:

<ol>
 <li><p>If <span title=concept-Body-used-flag>used flag</span> is set,
 <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

 <li><p>Let <var title>newRequest</var> be a copy of
 <span title=concept-Request-request>request</span>, except that
 <var title>newRequest</var>'s <span title=concept-request-body>body</span> is a tee of
 <span title=concept-Request-request>request</span>'s
 <span title=concept-request-body>body</span>.
 <!-- Similar text in: HTTP network or cache fetch -->

 <li><p>Let <var title>r</var> be a new <code>Request</code> object associated with
 <var title>newRequest</var> and a new <code>Headers</code> object.

 <li><p>Return <var title>r</var>.
</ol>


<h3>Response class</h3>

<pre class=idl>[<span title=dom-Response>Constructor</span>(optional <span>BodyInit</span> <var title>body</var>, optional <span>ResponseInit</span> <var title>init</var>),
 Exposed=(Window,Worker)]
interface <dfn>Response</dfn> {
  [NewObject] static <span>Response</span> <span title=dom-Response-error>error</span>();
  [NewObject] static <span>Response</span> <span title=dom-Response-redirect>redirect</span>(USVString <var title>url</var>, optional unsigned short <var title>status</var> = 302);

  readonly attribute <span>ResponseType</span> <span title=dom-Response-type>type</span>;

  readonly attribute USVString <span title=dom-Response-url>url</span>;
           attribute boolean <span title=dom-Response-finalURL>finalURL</span>;
  readonly attribute unsigned short <span title=dom-Response-status>status</span>;
  readonly attribute boolean <span title=dom-Response-ok>ok</span>;
  readonly attribute ByteString <span title=dom-Response-statusText>statusText</span>;
  [SameObject] readonly attribute <span>Headers</span> <span title=dom-Response-headers>headers</span>;

  [NewObject] <span>Response</span> <span title=dom-Response-clone>clone</span>();
};
<span>Response</span> implements <span>Body</span>;

dictionary <dfn>ResponseInit</dfn> {
  unsigned short status = 200;
  ByteString statusText = "OK";
  <span>HeadersInit</span> headers;
};

enum <dfn>ResponseType</dfn> { "basic", "cors", "default", "error", "opaque" };</pre>

<p>A <code>Response</code> object has an associated
<dfn title=concept-Response-response>response</dfn> (a
<span title=concept-response>response</span>).

<p>A <code>Response</code> object also has an associated <code>Headers</code> object which
is itself associated with <span title=concept-Response-response>response</span>'s
<span title=concept-response-header-list>header list</span> and whose
<span title=concept-Headers-guard>guard</span> is <i title>response</i>.

<p>A <code>Response</code> object's <span title=concept-Body-body>body</span> is its
<span title=concept-Response-response>response</span>'s
<span title=concept-response-body>body</span>.

<p>The
<dfn title=dom-Response><code>Response(<var>body</var>, <var>init</var>)</code></dfn>
constructor, when invoked, must run these steps:

<ol>
 <li><p>If <var title>init</var>'s <code title>status</code> member is not in the range
 200 to 599, <span data-anolis-spec=webidl>throw</span> a <code title>RangeError</code>.

 <li><p>If <var title>init</var>'s <code title>statusText</code> member does not match the
 <span data-anolis-spec=http>Reason-Phrase</span> token production,
 <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

 <li><p>Let <var title>r</var> be a new <code>Response</code> object, associated with a
 new <span title=concept-response>response</span> and a new <code>Headers</code> object.

 <li><p>Set <var title>r</var>'s <span title=concept-Response-response>response</span>'s
 <span title=concept-response-status>status</span> to <var title>init</var>'s
 <code title>status</code> member.

 <li><p>Set <var title>r</var>'s <span title=concept-Response-response>response</span>'s
 <span title=concept-response-status-message>status message</span> to
 <var title>init</var>'s <code title>statusText</code> member.

 <li>
  <p>If <var title>init</var>'s <code title>headers</code> member is present, run these
  substeps:

  <ol>
   <li><p>Empty <var title>r</var>'s
   <span title=concept-Response-response>response</span>'s
   <span title=concept-response-header-list>header list</span>.

   <li><p><span title=concept-Headers-fill>Fill</span> <var title>r</var>'s
   <code>Headers</code> object with <var title>init</var>'s <code title>headers</code>
   member. Rethrow any exceptions.
  </ol>

 <li>
  <p>If <var title>body</var> is given, run these substeps:

  <ol>
   <li><p>Let <var title>stream</var> and <var title>Content-Type</var> be the result of
   <span title=concept-BodyInit-extract>extracting</span> <var title>body</var>.

   <li><p>Set <var title>r</var>'s <span title=concept-Response-response>response</span>'s
   <span title=concept-response-body>body</span> to <var title>stream</var>.

   <li><p>If <var title>Content-Type</var> is non-null and <var title>r</var>'s
   <span title=concept-Response-response>response</span>'s
   <span title=concept-response-header-list>header list</span> contains no
   <span title=concept-header>header</span> <span title=concept-header-name>named</span>
   `<code title>Content-Type</code>`, <span title=concept-header-list-append>append</span>
   `<code title>Content-Type</code>`/<var title>Content-Type</var> to
   <var title>r</var>'s <span title=concept-Response-response>response</span>'s
   <span title=concept-response-header-list>header list</span>.
  </ol>

 <li><p>Set <var title>r</var>'s <span title=concept-Body-MIME-type>MIME type</span> to
 the result of <span title=concept-header-extract-MIME-type>extracting a MIME type</span>
 from <var title>r</var>'s <span title=concept-Response-response>response</span>'s
 <span title=concept-response-header-list>header list</span>.

 <li><p>Set <var title>r</var>'s <span title=concept-Response-response>response</span>'s
 <span title=concept-response-tls-state>TLS state</span> to
 <span data-anolis-spec=html>entry settings object</span>'s
 <span>TLS state</span>.
 <!-- XXX xref TLS state -->

 <li><p>Return <var title>r</var>.
</ol>

<p>The static <dfn title=dom-Response-error><code>error()</code></dfn> method, when
invoked, must run return a new <code>Response</code> object, associated with a new
<span title=concept-network-error>network error</span> and a new <code>Headers</code>
object.

<p>The static
<dfn title=dom-Response-redirect><code>redirect(<var>url</var>, <var>status</var>)</code></dfn>
method, when invoked, must run these steps:

<ol>
 <li><p>Let <var title>parsedURL</var> be the result of
 <span data-anolis-spec=url title=concept-url-parser>parsing</span>
 <var title>url</var> with <span data-anolis-spec=html>entry settings object</span>'s
 <span data-anolis-spec=html>API base URL</span>.

 <li><p>If <var title>parsedURL</var> is failure,
 <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

 <li><p>If <var title>status</var> is not one of
 301,
 302,
 303,
 307, and
 308,
 <span data-anolis-spec=webidl>throw</span> a <code title>RangeError</code>.

 <li><p>Let <var title>r</var> be a new <code>Response</code> object, associated with a
 new <span title=concept-response>response</span> and a new <code>Headers</code> object.

 <li><p>Set <var title>r</var>'s <span title=concept-Response-response>response</span>'s
 <span title=concept-response-status>status</span> to <var title>status</var>.

 <li><p><span title=concept-header-list-set>Set</span> `<code title>Location</code>` to
 <var title>parsedURL</var>,
 <span data-anolis-spec=url title=concept-url-serializer>serialized</span> and
 <span data-anolis-spec=encoding title="utf-8 encode">utf-8 encoded</span>, in
 <var title>r</var>'s <span title=concept-Response-response>response</span>'s
 <span title=concept-response-header-list>header list</span>.

 <li><p>Return <var title>r</var>.
</ol>

<p>The <dfn title=dom-Response-type><code>type</code></dfn> attribute's getter must return
<span title=concept-Response-response>response</span>'s
<span title=concept-response-type>type</span>.

<p>The <dfn title=dom-Response-url><code>url</code></dfn> attribute's getter must return
the empty string if <span title=concept-Response-response>response</span>'s
<span title=concept-response-url>url</span> is null and
<span title=concept-Response-response>response</span>'s
<span title=concept-response-url>url</span>,
<span data-anolis-spec=url title=concept-url-serializer>serialized</span> with the
<i title>exclude fragment flag</i> set, otherwise.
<span data-anolis-ref>URL</span>

<p>The <dfn title=dom-Response-finalURL><code>finalURL</code></dfn> attribute's setter
must run these steps:

<ol>
 <li><p>If <span title=concept-Response-response>response</span>'s
 <span title=concept-response-url>url</span> is null,
 <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

 <li><p>If the given value is true, set
 <span title=concept-Response-response>response</span>'s
 <span title=concept-response-final-url-flag>final url flag</span>, and unset it
 otherwise.
</ol>

<p>The <code title=dom-Response-finalURL>finalURL</code> attribute's getter must return
true if <span title=concept-Response-response>response</span>'s
<span title=concept-response-final-url-flag>final url flag</span> is set, and false
otherwise.

<p>The <dfn title=dom-Response-status><code>status</code></dfn> attribute's getter must
return <span title=concept-Response-response>response</span>'s
<span title=concept-response-status>status</span>.

<p>The <dfn title=dom-Response-ok><code>ok</code></dfn> attribute's getter must
return true if <span title=concept-Response-response>response</span>'s
<span title=concept-response-status>status</span> is in the range 200 to 299, and false
otherwise.

<p>The <dfn title=dom-Response-statusText><code>statusText</code></dfn> attribute's getter
must return <span title=concept-Response-response>response</span>'s
<span title=concept-response-status-message>status message</span>.

<p>The <dfn title=dom-Response-headers><code>headers</code></dfn> attribute's getter must
return the associated <code>Headers</code> object.

<hr>

<p>The <dfn title=dom-Response-clone><code>clone()</code></dfn> method, when invoked, must
run these steps:

<ol>
 <li><p>If <span title=concept-Body-used-flag>used flag</span> is set,
 <span data-anolis-spec=webidl>throw</span> a <code title>TypeError</code>.

 <li><p>Let <var title>newResponse</var> be a copy of
 <span title=concept-Response-response>response</span>, except that
 <var title>newResponse</var>'s <span title=concept-response-body>body</span> is a tee of
 <span title=concept-Response-response>response</span>'s
 <span title=concept-response-body>body</span>.
 <!-- Similar text in: HTTP network or cache fetch -->

 <li><p>Let <var title>r</var> be a new <code>Response</code> object associated with
 <var title>newResponse</var> and a new <code>Headers</code> object.

 <li><p>Return <var title>r</var>.
</ol>


<h3>Structured cloning of <code>Headers</code>, <code>Request</code>, and <code>Response</code> objects</h3>

<p class=note>Unlikely to happen anytime soon due to difficulty of cloning promises and
streams. See <a href="https://github.com/slightlyoff/ServiceWorker/issues/313">SW #313</a>
for details.


<h3>Fetch method</h3>

<pre class=idl>[NoInterfaceObject,
 Exposed=(Window,Worker)]
interface <dfn>GlobalFetch</dfn> {
  [NewObject] Promise&lt;<span>Response</span>> <span title=dom-global-fetch>fetch</span>(<span>RequestInfo</span> <var title>input</var>, optional <span>RequestInit</span> <var title>init</var>);
};
<span data-anolis-spec=html>Window</span> implements <span>GlobalFetch</span>;
<span data-anolis-spec=html>WorkerGlobalScope</span> implements <span>GlobalFetch</span>;</pre>

<p>The
<dfn title=dom-global-fetch><code>fetch(<var>input</var>, <var>init</var>)</code></dfn>
method, must run these steps:

<ol>
 <li><p>Let <var title>p</var> be a new promise.

 <li><p>Let <var title>r</var> be the associated
 <span title=concept-request>request</span> of the result of invoking the initial value of
 <code title=dom-Request>Request</code> as constructor with <var title>input</var> and
 <var title>init</var> as arguments. If this throws an exception, reject
 <var title>p</var> with it.

 <li>
  <p>Run the following <span data-anolis-spec=html>in parallel</span>:

  <p><span title=concept-fetch>Fetch</span> <var title>r</var>.

  <p>To <span>process response</span> for <var title>response</var>, run these substeps:

  <ol>
   <li><p>If <var title>response</var>'s <span title=concept-response-type>type</span> is
   <i title>error</i>, reject <var title>p</var> with a <code title>TypeError</code>.

   <li><p>Otherwise, resolve <var title>p</var> with new <code>Response</code> object
   associated with <var title>response</var>.
  </ol>

  <p>To <span>process response body</span> for <var title>response</var>, do nothing.

  <p>To <span>process response end-of-file</span> for <var title>response</var>,
  do nothing.

 <li><p>Return <var title>p</var>.
</ol>



<!-- XMLHttpRequest API -->



<h2 class=no-num>Background reading</h2>

<p><em>This section and its subsections are informative only.</em>

<h3 class=no-num><dfn>HTTP header layer division</dfn></h3>

<p>For the purposes of fetching, the platform has an API layer (HTML's
<code title>img</code>, CSS' <code title>background-image</code>), service worker layer,
and network &amp; cache layer. `<code title=http-accept>Accept</code>` and
`<code title=http-accept-language>Accept-Language</code>` are set at the API layer
(typically by the user agent). Most other headers controlled by the user agent, such as
`<code title=http-accept-encoding>Accept-Encoding</code>`,
`<code title=http-host>Host</code>`, and `<code title=http-referer>Referer</code>`, are
set in the network &amp; cache layer. Developers can set headers either at the API layer
or in the service worker layer (typically through a <code>Request</code> object).
Developers have almost no control over
<span title="forbidden header name">forbidden headers</span>, but can control
`<code title=http-accept>Accept</code>` and have the means to constrain and disable
`<code title=http-referer>Referer</code>` for instance.


<h3 class=no-num>Atomic HTTP redirect handling</h3>

<p>Throughout the platform, redirects (a
<span title=concept-response>response</span> whose
<span title=concept-response-status>status</span> is one of 301, 302, 303, 307, and 308)
are not exposed to APIs. Exposing redirects might leak information not otherwise available
through a cross-site scripting attack.

<p class=example>A fetch to <code>https://example.org/auth</code> that includes a
<code title>Cookie</code> marked <code title>HttpOnly</code> could result in a redirect to
<code>https://other-origin.invalid/4af955781ea1c84a3b11</code>. This new URL contains a
secret. If we expose redirects that secret would be available through a cross-site
scripting attack.


<h3 class=no-num>Basic safe CORS protocol setup</h3>

<p>For resources where data is protected through IP authentication or a firewall
(unfortunately relatively common still), using the <span>CORS protocol</span> is
<strong>unsafe</strong>. (This is the reason why the <span>CORS protocol</span> had to be
invented.)

<p>However, otherwise using the following <span title=concept-header>header</span> is:

<pre>Access-Control-Allow-Origin: *</pre>

<p>Even if a resource exposes additional information based on cookie or HTTP
authentication, using the above <span title=concept-header>header</span> will not reveal
it. It will share the resource with APIs such as
<code data-anolis-spec=xhr>XMLHttpRequest</code>, much like it is already shared with
<code title>curl</code> and <code title>wget</code>.

<p>Thus in other words, if a resource cannot be accessed from a random device connected to
the web using <code title>curl</code> and <code title>wget</code> the aforementioned
<span title=concept-header>header</span> is not to be included. If it can be accessed
however, it is perfectly fine to do so.


<h3 class=no-num>CORS protocol and HTTP caches</h3>

<p>If <span>CORS protocol</span> requirements are more complicated than setting
`<code title=http-access-control-allow-origin>Access-Control-Allow-Origin</code>` to
<code title>*</code> or a static <span data-anolis-spec=html>origin</span>,
`<code title>Vary</code>` is to be used.
<span data-anolis-ref>HTML</span>
<span data-anolis-ref>HTTP</span>

<pre class=example>Vary: Access-Control-Allow-Origin</pre>




<h2 class=no-num>References</h2>
<div id=anolis-references></div>



<h2 class=no-num>Acknowledgments</h2>

<p>Thanks to
Adam Barth,
Alexey Proskuryakov,
Ángel González,
Anssi Kostiainen,
Arkadiusz Michalski,
Arne Johannessen,
Arthur Barstow,
Axel Rauschmayer,
Ben Kelly,
Benjamin Hawkes-Lewis,
Bert Bos,
Bj&ouml;rn H&ouml;hrmann,
Boris Zbarsky,
Brad Hill,
Brad Porter,
Cameron McCormack,
Clement Pellerin,
Collin Jackson,
David H&aring;s&auml;ther,
David Orchard,
Domenic Denicola,
Dean Jackson,
Eric Lawrence,
Frank Ellerman,
Frederick Hirsch,
Gavin Carothers,
Glenn Maynard,
Graham Klyne,
Hal Lockhart,
Hallvord R. M. Steen,
Henri Sivonen,
Honza Bambas,
Ian Hickson,
Jake Archibald<!-- technically B.J. Archibald -->,
James Graham,
Janusz Majnert,
Jeff Hodges,
Jeffrey Yasskin,
Jesse M. Heines,
Jonas Sicking,
Julian Reschke,
송정기 (Jungkee Song),
Jussi Kalliokoski,
Kenji Baheux,
Lachlan Hunt,
Lucas Gonze,
呂康豪 (Kang-Hao Lu),
Maciej Stachowiak,
Marc Silbey,
Marcos Caceres,
Mark Nottingham,
Mark S. Miller,
Martin D&uuml;rst,
Matt Andrews,
Matt Falkenhagen,
Matt Oshry,
Matt Womer,
Mhano Harkness,
Michael Smith,
Mike West,
Mohamed Zergaoui,
Nikhil Marathe,
Nikunj Mehta,
Odin H&oslash;rthe Omdal,
Ondřej Žára,
Philip Jägenstedt,
R. Auburn,
Sharath Udupa,
Shivakumar Jagalur Matt,
Simon Pieters,
Sunava Dutta,
Surya Ismail,
吉野剛史 (Takeshi Yoshino),
Thomas Roessler,
Tobie Langel,
Tomás Aparicio,
保呂毅 (Tsuyoshi Horo),
Tyler Close,
Vladimir Dzhuvinov,
Wayne Carr, and
Zhenbin Xu
for being awesome.

<p>This standard is written by
<a lang=nl href=//annevankesteren.nl/>Anne van Kesteren</a>
(<a href=//www.mozilla.org/>Mozilla</a>,
<a href=mailto:annevk@annevk.nl>annevk@annevk.nl</a>).

<p>Per <a rel="license" href="//creativecommons.org/publicdomain/zero/1.0/">CC0</a>, to
the extent possible under law, the editor has waived all copyright and related or
neighboring rights to this work.

<script id=head src=//resources.whatwg.org/dfn.js></script>