From 044dd09562c90a5c243170f3946bb6f6251577b1 Mon Sep 17 00:00:00 2001 From: "Michael[tm] Smith" Date: Tue, 16 Feb 2021 18:58:33 +0900 Subject: [PATCH 1/3] Clarify cors requests need cors response tainting MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This change clarifies a (non-normative) statement that "cors" request mode is what makes a request into a cors request. In fact, for requests with "cors" request mode, "cors" response tainting is also necessary in order for the request to be considered a cors request. So this change refines the relevant statement to make that clear. Otherwise, without this change, considering the case of a same-origin GET request whose mode is "cors", the spec is claiming that same-origin GET request is a cors request. But because the spec defines a "cors request" as “an HTTP request that includes an `Origin` header”, a same-origin GET request cannot in fact be a cors request — because it doesn’t include an `Origin` header. (And that’s because for GET requests, the spec requires an `Origin` header to be appended only if the request’s response tainting is "cors"; but for same-origin requests, the request’s response tainting will be "basic".) --- fetch.bs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index b3f80fc39..367f6582c 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1390,7 +1390,8 @@ to not have to set request's referrer. network error if the request is not made to a same-origin URL.
"cors" -
Makes the request a CORS request. Fetch will return a network error if the +
For requests whose response tainting is also "cors", makes the + request a CORS request — in which case, fetch will return a network error if the requested resource does not understand the CORS protocol.
"no-cors" From f7e51fdbec069bfba6d04919a94797f674a853e6 Mon Sep 17 00:00:00 2001 From: "Michael[tm] Smith" Date: Wed, 17 Feb 2021 19:10:14 +0900 Subject: [PATCH 2/3] =?UTF-8?q?Change=20to=20=E2=80=9Cresponse=20tainting?= =?UTF-8?q?=20gets=20set=20to=E2=80=9D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- fetch.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fetch.bs b/fetch.bs index 367f6582c..6706d62a2 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1390,8 +1390,8 @@ to not have to set request's referrer. network error if the request is not made to a same-origin URL.
"cors" -
For requests whose response tainting is also "cors", makes the - request a CORS request — in which case, fetch will return a network error if the +
For requests whose response tainting gets set to "cors", makes + the request a CORS request — in which case, fetch will return a network error if the requested resource does not understand the CORS protocol.
"no-cors" From 73a43d4ec4ae51d840386afd11a6080491e29227 Mon Sep 17 00:00:00 2001 From: "Michael[tm] Smith" Date: Wed, 17 Feb 2021 19:22:28 +0900 Subject: [PATCH 3/3] Mention intentionally not participating in CORS --- fetch.bs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index 6706d62a2..c17629dce 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1392,7 +1392,8 @@ to not have to set request's referrer.
"cors"
For requests whose response tainting gets set to "cors", makes the request a CORS request — in which case, fetch will return a network error if the - requested resource does not understand the CORS protocol. + requested resource does not understand the CORS protocol, or if the requested resource is + one that intentionally does not participate in the CORS protocol.
"no-cors"
Restricts requests to using CORS-safelisted methods and
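Review bot: in the first patch's hunk (@@ -1390,7 +1390,8 @@), the condition "whose response tainting is also \"cors\"" reads as if response tainting were an input the caller sets alongside mode, whereas the commit message itself explains it is an outcome: for a same-origin request with mode "cors", response tainting ends up "basic" and no `Origin` header is appended. For a non-normative description of the "cors" mode value, consider stating the observable condition rather than the internal one, e.g. "For cross-origin requests, makes the request a CORS request", so a reader does not have to know how response tainting is computed to understand when a network error can occur. Minor: "in which case, fetch will return" does not need the comma after "in which case".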
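Review bot: in the second patch's hunk (@@ -1390,8 +1390,8 @@), "gets set to \"cors\"" is an improvement over "is also \"cors\"" because it no longer suggests a caller-controlled value, but the line still hinges on a term that, per the first patch's commit message, is only determined during fetch from the mode and whether the request is same-origin. Since this patch rewrites the exact line the first patch introduced, the two should be squashed; reviewed in isolation, patch 1 lands wording that patch 2 immediately replaces. The commit also has no body: one sentence on why "gets set to" was preferred would make the series self-documenting.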
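Review bot: in the third patch's hunk (@@ -1392,7 +1392,8 @@), the added clause "or if the requested resource is one that intentionally does not participate in the CORS protocol" describes server intent that fetch cannot observe; as the sentence itself states, the outcome in both cases is the same network error, so the text now lists one outcome under two indistinguishable causes. Suggest folding it into a single condition, e.g. "if the requested resource does not understand, or chooses not to participate in, the CORS protocol", which keeps the point from the subject line ("Mention intentionally not participating in CORS") in fewer words. The commit has only a subject; a body line on why the earlier wording was misleading (it could be read as implying that only CORS-unaware servers cause a network error) would help future readers of the history.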