Do not allow CORS responses to "same-origin" requests

Tests will be done as part of https://bugzilla.mozilla.org/show_bug.cgi?id=1427978. Fixes #629.
whatwg · Jan 8, 2018 · 548bca2 · 548bca2
1 parent b21fdeb
commit 548bca2
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/fetch.bs b/fetch.bs
@@ -3009,13 +3009,15 @@ optional <i>CORS flag</i> and <i>CORS-preflight flag</i>, run these steps:
      <a for=internal>internal response</a> otherwise.
 
      <li>
-      <p>If one of the following conditions is true, then return a
-      <a>network error</a>:
+      <p>If one of the following conditions is true, then return a <a>network error</a>:
 
       <ul class=brief>
        <li><var>response</var>'s
        <a for=response>type</a> is "<code>error</code>".
 
+       <li><var>request</var>'s <a for=request>mode</a> is "<code>same-origin</code>" and
+       <var>response</var>'s <a for=response>type</a> is "<code>cors</code>".
+
        <li><var>request</var>'s <a for=request>mode</a> is not
        "<code>no-cors</code>" and <var>response</var>'s
        <a for=response>type</a> is "<code>opaque</code>".