Editorial: set response's CSP list once

Fixes #364.
whatwg · Apr 17, 2018 · 860922f · 860922f
1 parent 5b7dae0
commit 860922f
Showing 1 changed file with 3 additions and 7 deletions.
diff --git a/fetch.bs b/fetch.bs
@@ -2799,6 +2799,9 @@ with a <i>CORS flag</i> and <i>recursive flag</i>, run these steps:
  <!-- If you are ever tempted to move this around, carefully consider responses from about URLs,
       blob URLs, service workers, HTTP cache, HTTP network, etc. -->
 
+ <li><p><a href=https://w3c.github.io/webappsec-csp/#set-response-csp-list>Set <var>internalResponse</var>'s CSP list</a>.
+ [[!CSP]]
+
  <li>
   <p>If <var>response</var> is not a <a>network error</a> and any
   of the following algorithms returns <b>blocked</b>, then set <var>response</var> and
@@ -3072,9 +3075,6 @@ optional <i>CORS flag</i> and <i>CORS-preflight flag</i>, run these steps:
        not "<code>follow</code>" and <var>response</var>'s
        <a for=response>url list</a> has more than one item.
       </ul>
-
-     <li><p>Execute <a href=https://w3c.github.io/webappsec-csp/#set-response-csp-list>set <var>response</var>'s CSP list</a>
-     on <var>actualResponse</var>. [[!CSP]]
     </ol>
   </ol>
 
@@ -3917,10 +3917,6 @@ Range Requests</cite>. [[HTTP-RANGE]] However, this is not widely supported by b
     <a href=https://bugzilla.mozilla.org/show_bug.cgi?id=1030660>bug 1030660</a> looks
     into whether this quirk can be removed.
 
-   <li><p>Execute
-   <a href=https://w3c.github.io/webappsec-csp/#set-response-csp-list>set <var>response</var>'s CSP list</a>
-   on <var>response</var>. [[!CSP]]
-
    <li><p>If <var>response</var> is not a
    <a>network error</a> and <var>request</var>'s
    <a for=request>cache mode</a> is not "<code>no-store</code>",