Commits on Sep 10, 2018
  1. Editorial: use "append" to modify the header list

    ryzokuken authored and annevk committed Sep 10, 2018
    Use "append" instead of "set" to modify the header list, improving consistency.
    Fixes #758.
Commits on Aug 28, 2018
  1. Make extract throw for a disturbed/locked ReadableStream

    annevk committed Aug 28, 2018
    This also introduces "safely extract" which mainly serves to make it explicit which extraction operations cannot throw.
    Tests: web-platform-tests/wpt#12639.
    Fixes #792.
Commits on Aug 24, 2018
  1. Rename target client id to replaces client id

    jungkees authored and annevk committed Aug 24, 2018
    We had decided to change the name of FetchEvent's targetClientId to replacesClientId to clarify the meaning that this client is a to be replaced client: w3c/ServiceWorker#1091 (comment). Accordingly, this changes the name of request's target client id to replaces client id.
    See also: 
    * w3c/ServiceWorker#1245
    * w3c/ServiceWorker#1333
    * whatwg/html#3788
Commits on Aug 23, 2018
  1. Editorial: be more consistent about the context object

    annevk committed Aug 22, 2018
    And in general be more explicit about the objects involved.
Commits on Aug 21, 2018
  1. Editorial: url ➡️ URL

    annevk committed Aug 17, 2018
    Fixes #697.
Commits on Aug 20, 2018
  1. Editorial: use Infra maps for dictionaries

    annevk committed Aug 20, 2018
    And linkify TypeError.
    Fixes #513.
Commits on Aug 17, 2018
  1. Preserve HEAD method on 303 redirect

    annevk committed Aug 17, 2018
    Tests: already tested by fetch/api/redirect/redirect-method.any.js.
    Fixes #753.
Commits on Aug 16, 2018
  1. Editorial: turn CORS-preflight cache into a list

    annevk committed Aug 16, 2018
    This grounds it a bit more in an Infra data structure.
    Fixes #735.
  2. Strengthen requirements on CORS-safelisted request-headers

    annevk committed May 25, 2018
    This should reduce the attack surface of non-preflighted requests quite a bit.
    Tests: web-platform-tests/wpt#11432.
    Fixes #382. Closes #313.
  3. Meta: align .travis.yml

    annevk committed Aug 15, 2018
Commits on Aug 10, 2018
  1. Meta: remove Bikeshed errors

    jyasskin authored and annevk committed Aug 10, 2018
Commits on Jul 31, 2018
  1. Remove Reporting API from CORS exceptions

    dcreager authored and annevk committed Jul 31, 2018
    As of w3c/reporting#41, the Reporting spec sends CORS preflights for report uploads if the origin of the collector is different than the origin of the reports in the upload.  That means we can remove Reporting from the CORS protocol exception list.
Commits on Jul 23, 2018
Commits on Jun 21, 2018
  1. Review Draft Publication: June 2018

    annevk authored and domenic committed Jun 21, 2018
Commits on Jun 18, 2018
  1. Define Cross-Origin-Resource-Policy response header

    annevk committed Jun 18, 2018
    This header makes it easier for sites to block unwanted "no-cors"
    cross-origin requests.
    * web-platform-tests/wpt#11171
    * web-platform-tests/wpt#11427
    * web-platform-tests/wpt#11428
    Follow-up: #760 & #767.
    Fixes #687.
Commits on Jun 16, 2018
  1. Stop saying HTTP authentication over WebSocket is disallowed

    ricea authored and annevk committed Jun 16, 2018
    Closes #565. Follow-up: #766.
Commits on Jun 15, 2018
Commits on Jun 6, 2018
Commits on May 31, 2018
  1. Block more ports (427, 548, 6697)

    annevk committed May 31, 2018
    This blocks ports used for the Apple File Protocol (427, 548) and thereby fixes #694, and blocks another IRC port (6697) as discussed in #482 and shipped by Chrome.
    Tests: web-platform-tests/wpt#11249.
Commits on May 30, 2018
  1. Fix variable definitions and scoping

    jakearchibald authored and annevk committed May 30, 2018
    Fixes #706.
Commits on May 29, 2018
  1. Editorial: replace UTF-8 encode with isomorphic encode

    annevk committed May 28, 2018
    This more clearly indicates the input is (supposed to be) ASCII safe.
  2. Allow Range header to be set by APIs

    jakearchibald authored and annevk committed May 29, 2018
    This is part of #144.
    The aim is to allow APIs to use the Range header for "no-cors"
    requests, and allow them to pass through a service worker, but
    disallow modification of these requests, and disallow developers
    creating their own "no-cors" ranged requests.
    Tests: web-platform-tests/wpt#10348.
  3. Make CORS-preflight fetches set the CORS flag

    annevk committed May 28, 2018
    Otherwise a 401 response would not necessarily result in rejection.
    Fixes #741.
  4. Meta: Review Draft infrastructure

    annevk authored and domenic committed May 29, 2018
    See whatwg/ and whatwg/meta#92 for details.
    This also updates the web-platform-tests and IRC URLs.
  5. Add Request's isHistoryNavigation

    yutakahirano authored and annevk committed May 29, 2018
    And also a member on the request concept (history-navigation flag) to support this API. See w3c/ServiceWorker#1167 for the discussion that led to this.
    Tests: web-platform-tests/wpt#10909.
    Corresponding HTML change: whatwg/html#3674.
Commits on May 28, 2018
  1. Fix Origin header and "no-cors" redirects behavior

    annevk committed May 28, 2018
    Before this change "no-cors" POST redirects would not have their Origin header value reset as appropriate for certain cross-origin redirects.
    This is now accomplished by rather than resetting request's origin (which we only did for "cors" fetches and would have bad side effects if we started doing that for "no-cors"), we set request's tainted origin flag. A new flag that indicates when request's origin is tainted and needs to be serialized as null.
    Tests: web-platform-tests/wpt#11164.
    Fixes #593.
Commits on May 25, 2018
Commits on May 17, 2018
  1. CORB: protecting certain nosniff and 206 responses

    anforowicz authored and annevk committed May 17, 2018
    CORB is an additional filter for responses of cross-origin "no-cors" 
    fetches. It aims to provide defense-in-depth protection for JSON, 
    HTML, XML (though not image/svg+xml), and (sometimes) text/plain 
    resources against cross-process CPU exploits. It also makes it harder 
    to use incorrectly labeled resources as scripts, images, fonts, etc.
    Discussion and further work is tracked by #681 and #721.
    Tests are in web-platform-tests's fetch/corb directory.