
Fix the order of CSP, HSTS, Mixed Content, and Referrer https://www.w…

annevk committed Jan 27, 2015
1 parent 1ed10e8 commit b8c2c4964c233cd3616042c04e2c14e0ff25485d
Showing with 36 additions and 26 deletions.
  1. +18 −13 Overview.html
  2. +18 −13 Overview.src.html
@@ -1132,10 +1132,16 @@ <h2 id="fetching"><span class="secno">4 </span>Fetching</h2>
redirects. Only use the <var title="">request</var> parameter in other standards.

<ol>
<li><p>If <var title="">request</var>'s <a title="concept-request-url" href="#concept-request-url">url</a> contains
a Known HSTS Host, modify it per the requirements of the
<a href="http://tools.ietf.org/html/rfc6797#section-8.3">"URI [sic] Loading and Port Mapping" chapter of HTTP Strict Transport Security</a>.
<a href="#refsHSTS">[HSTS]</a>
<li><p>Let <var title="">response</var> be null.

<li><p>If
<a href="https://w3c.github.io/webappsec/specs/mixedcontent/#should-block-fetch">should fetching <var title="">request</var> be blocked as mixed content</a>
or
<span class="XXX">should fetching <var title="">request</var> be blocked as content security</span>
returns <b title="">blocked</b>, set <var title="">response</var> to a
<a title="concept-network-error" href="#concept-network-error">network error</a>.
<a href="#refsMIX">[MIX]</a>
<a href="#refsCSP">[CSP]</a>

<li>
<p>If <var title="">request</var>'s <a title="concept-request-referrer" href="#concept-request-referrer">referrer</a>
@@ -1149,22 +1155,21 @@ <h2 id="fetching"><span class="secno">4 </span>Fetching</h2>
<a title="concept-request-referrer" href="#concept-request-referrer">referrer</a> to <i title="">no referrer</i> or have
it expose less sensitive information.

<li><p>If <var title="">request</var>'s <a title="concept-request-url" href="#concept-request-url">url</a> contains
a Known HSTS Host, modify it per the requirements of the
<a href="http://tools.ietf.org/html/rfc6797#section-8.3">"URI [sic] Loading and Port Mapping" chapter of HTTP Strict Transport Security</a>.
<a href="#refsHSTS">[HSTS]</a>
<!-- Per Mike West HSTS happens "probably after" Referrer -->

<li><p>If <var title="">request</var>'s <a href="#synchronous-flag">synchronous flag</a> is unset and
<a title="concept-fetch" href="#concept-fetch">fetch</a> is not invoked recursively, run the remaining
steps <a class="external" href="https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel">in parallel</a>.

<li>
<p>Let <var title="">response</var> be the value corresponding to the first matching
statement:
<p>If <var title="">response</var> is null, set <var title="">response</var> to the value
corresponding to the first matching statement:

<dl class="switch">
<dt><a href="https://w3c.github.io/webappsec/specs/mixedcontent/#should-block-fetch">should fetching <var title="">request</var> be blocked as mixed content</a>
returns <b title="">blocked</b> <a href="#refsMIX">[MIX]</a>
<dt><span class="XXX">should fetching <var title="">request</var> be blocked as content security</span>
returns <b title="">blocked</b> <a href="#refsCSP">[CSP]</a>

<dd><p>A <a title="concept-network-error" href="#concept-network-error">network error</a>.

<dt><var title="">request</var>'s <a title="concept-request-url" href="#concept-request-url">url</a>'s
<a title="concept-url-origin" class="external" href="https://url.spec.whatwg.org/#concept-url-origin">origin</a> is
<var title="">request</var>'s <a title="concept-request-origin" href="#concept-request-origin">origin</a> and the
@@ -1086,10 +1086,16 @@ <h2>Fetching</h2>
redirects. Only use the <var title>request</var> parameter in other standards.

<ol>
<li><p>If <var title>request</var>'s <span title=concept-request-url>url</span> contains
a Known HSTS Host, modify it per the requirements of the
<a href="http://tools.ietf.org/html/rfc6797#section-8.3">"URI [sic] Loading and Port Mapping" chapter of HTTP Strict Transport Security</a>.
<span data-anolis-ref>HSTS</span>
<li><p>Let <var title>response</var> be null.

<li><p>If
<a href="https://w3c.github.io/webappsec/specs/mixedcontent/#should-block-fetch">should fetching <var title>request</var> be blocked as mixed content</a>
or
<span class=XXX>should fetching <var title>request</var> be blocked as content security</span>
returns <b title>blocked</b>, set <var title>response</var> to a
<span title=concept-network-error>network error</span>.
<span data-anolis-ref>MIX</span>
<span data-anolis-ref>CSP</span>

<li>
<p>If <var title>request</var>'s <span title=concept-request-referrer>referrer</span>
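Review bot: The CSP hook "should fetching request be blocked as content security" is still an unlinked <span class=XXX> placeholder while the mixed content hook links to its algorithm, yet the step cites [CSP] as though the algorithm were defined. Keep the XXX marker but add a tracking note (or issue link) next to it, so the citation is not read as pointing at an existing definition.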
@@ -1103,22 +1109,21 @@ <h2>Fetching</h2>
<span title=concept-request-referrer>referrer</span> to <i title>no referrer</i> or have
it expose less sensitive information.

<li><p>If <var title>request</var>'s <span title=concept-request-url>url</span> contains
a Known HSTS Host, modify it per the requirements of the
<a href="http://tools.ietf.org/html/rfc6797#section-8.3">"URI [sic] Loading and Port Mapping" chapter of HTTP Strict Transport Security</a>.
<span data-anolis-ref>HSTS</span>
<!-- Per Mike West HSTS happens "probably after" Referrer -->

<li><p>If <var title>request</var>'s <span>synchronous flag</span> is unset and
<span title=concept-fetch>fetch</span> is not invoked recursively, run the remaining
steps <span data-anolis-spec=html>in parallel</span>.

<li>
<p>Let <var title>response</var> be the value corresponding to the first matching
statement:
<p>If <var title>response</var> is null, set <var title>response</var> to the value
corresponding to the first matching statement:

<dl class=switch>
<dt><a href="https://w3c.github.io/webappsec/specs/mixedcontent/#should-block-fetch">should fetching <var title>request</var> be blocked as mixed content</a>
returns <b title>blocked</b> <span data-anolis-ref>MIX</span>
<dt><span class=XXX>should fetching <var title>request</var> be blocked as content security</span>
returns <b title>blocked</b> <span data-anolis-ref>CSP</span>

<dd><p>A <span title=concept-network-error>network error</span>.

<dt><var title>request</var>'s <span title=concept-request-url>url</span>'s
<span data-anolis-spec=url title=concept-url-origin>origin</span> is
<var title>request</var>'s <span title=concept-request-origin>origin</span> and the
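Review bot: This source hunk and the generated Overview.html hunk above must stay in lockstep, and they differ only in resolved markup (<span data-anolis-ref> versus anchors, <span> versus <a> for "synchronous flag"); make sure Overview.html is regenerated from this file rather than hand-edited, since the duplicated "<!-- Per Mike West -->" comment and the duplicated step text otherwise drift apart silently.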
