Add unsafe-no-cors mode

fetch.bs

@@ -39,6 +39,10 @@ urlPrefix:https://tc39.es/ecma262/#;type:dfn;spec:ecma-262
     url:sec-list-and-record-specification-type;text:Record
 </pre>
 
+<pre class=link-defaults>
+  spec:infra; type:dfn; text:user agent
+</pre>
+
 <pre class=biblio>
 {
     "HTTP": {
@@ -1773,8 +1777,8 @@ to not have to set <a for=/>request</a>'s <a for=request>referrer</a>.
 <p>A <a for=/>request</a> has an associated
 <dfn export for=request id=concept-request-mode>mode</dfn>, which is
 "<code>same-origin</code>", "<code>cors</code>", "<code>no-cors</code>",
-"<code>navigate</code>", or "<code>websocket</code>". Unless stated otherwise, it is
-"<code>no-cors</code>".
+"<code>navigate</code>", "<code>user-agent-no-cors</code>", or "<code>websocket</code>".
+Unless stated otherwise, it is "<code>no-cors</code>".
 
 <div class="note no-backref">
  <dl>
@@ -1796,15 +1800,38 @@ to not have to set <a for=/>request</a>'s <a for=request>referrer</a>.
   <dt>"<code>navigate</code>"
   <dd>This is a special mode used only when <a>navigating</a> between documents.
 
+  <dt>"<code>user-agent-no-cors</code>"
+  <dd>This is a special mode for the [=user agent=] to use internally to wittingly make
+  requests that are unsafe. It restricts a <a for=/>request</a> to using <a>CORS-safelisted methods</a>,
+  <a>CORS-safelisted request-headers</a>, and the <a for=/>request</a> must have a <a>parallel queue</a>
+  <a for="fetch params">task destination</a>. A <a for=/>request</a> with this mode cannot use
+  <a>service-workers mode</a> "<code>all</code>". However, the request will not be required to
+  pass a <a>cross-origin resource policy check</a> or to test if
+  <a>Cross-Origin-Embedder-Policy allows credentials</a>. Upon success a fetch will
+  return a <a>basic filtered response</a>.
+
+  <p class=warning> Using <a for=/>request</a> <a for=request>mode</a> "<code>user-agent-no-cors</code>"
+  is even more discouraged and unsafe than "<code>no-cors</code>". Any use of this mode must be
+  memory-isolated to the [=user agent=] to contain its results and prevent their disclosure or misuse.
+  This <a for=request>mode</a> is deliberately not exposed in the {{RequestMode}}.
+
   <dt>"<code>websocket</code>"
   <dd>This is a special mode used only when
   <a spec=websockets lt="establish a WebSocket connection">establishing a WebSocket connection</a>.
  </dl>
 
  <p>Even though the default <a for=/>request</a> <a for=request>mode</a> is "<code>no-cors</code>",
  standards are highly discouraged from using it for new features. It is rather unsafe.
+
+
 </div>
 
+<p>A <a for=/>request</a> has an associated
+<dfn for=request>omit origin flag</dfn>. Unless stated otherwise it is unset.
+
+<p class="note no-backref">The <a for=request>omit origin flag</a> only has effect when
+<a for=/>request</a>'s <a for=request>mode</a> is "<code>user-agent-no-cors</code>".
+
 <p>A <a for=/>request</a> has an associated
 <dfn id=use-cors-preflight-flag export for=request>use-CORS-preflight flag</dfn>. Unless stated
 otherwise, it is unset.
@@ -3074,8 +3101,9 @@ given a <a for=/>request</a> <var>request</var>, run these steps:
  with <var>request</var>.
 
  <li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>cors</code>" or
- <var>request</var>'s <a for=request>mode</a> is "<code>websocket</code>", then
- <a for="header list">append</a> (`<code>Origin</code>`, <var>serializedOrigin</var>) to
+ <var>request</var>'s <a for=request>mode</a> is "<code>websocket</code>" or
+ "<code>user-agent-no-cors</code>", then <a for="header list">append</a>
+ (`<code>Origin</code>`, <var>serializedOrigin</var>) to
  <var>request</var>'s <a for=request>header list</a>.
 
  <li>
@@ -3981,6 +4009,10 @@ the request.
   <p><a for=/>Assert</a>: <var>request</var>'s <a for=request>mode</a> is "<code>navigate</code>" or
   <var>processEarlyHintsResponse</var> is null.
 
+  <p>If <var>fetchParams</var>'s <a for="fetch params">request</a>'s <a for=request>mode</a> is
+  "<code>user-agent-no-cors</code>": <a for=/>assert</a>: <var>fetchParams</var>'s
+  <a for="fetch params">task destination</a> is a <a for=/>parallel queue</a>.
+
   <p class=note>Processing of early hints (<a for=/>responses</a> whose <a for=response>status</a>
   is 103) is only vetted for navigations.
 
@@ -4039,7 +4071,9 @@ the request.
  <a for="environment settings object">global object</a> is a {{Window}} object; otherwise
  "<code>no-window</code>".
 
- <li><p>If <var>request</var>'s <a for=request>origin</a> is "<code>client</code>", then set
+ <li><p>If <var>request</var>'s <a for=request>origin</a> is "<code>client</code>" and either
+ <var>request</var>'s <a for=request>mode</a> is not "<code>user-agent-no-cors</code>" or
+ and <var>request</var>'s <a for=request>omit origin flag</a> is unset, then set
  <var>request</var>'s <a for=request>origin</a> to  <var>request</var>'s <a for=request>client</a>'s
  <a for="environment settings object">origin</a>.
 
@@ -4051,7 +4085,7 @@ the request.
    <a>HTTP(S) scheme</a>
 
    <li><p><var>request</var>'s <a for=request>mode</a> is "<code>same-origin</code>",
-   "<code>cors</code>", or "<code>no-cors</code>"
+   "<code>cors</code>", "<code>no-cors</code>", or "<code>user-agent-no-cors</code>"
 
    <li><p><var>request</var>'s <a for=request>window</a> is not null
 
@@ -4066,7 +4100,8 @@ the request.
   <ol>
    <li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>origin</a> is <a>same origin</a>
    with <var>request</var>'s <a for=request>client</a>'s
-   <a for="environment settings object">origin</a>.
+   <a for="environment settings object">origin</a> or <var>request</var>'s <a for=request>mode</a>
+   is "<code>user-agent-no-cors</code>".
 
    <li><p>Let <var>onPreloadedResponseAvailable</var> be an algorithm that runs the following
    step given a <a for=/>response</a> <var>response</var>: set <var>fetchParams</var>'s
@@ -4302,6 +4337,15 @@ steps:
      <li><p>Return <var>corsWithPreflightResponse</var>.
     </ol>
 
+   <dt><var>request</var>'s <a for=request>mode</a> is "<code>user-agent-no-cors</code>"
+   <dd>
+    <ol>
+     <li><p>Set <var>request</var>'s <a for=request>response tainting</a> to
+     "<code>basic</code>".
+
+     <li><p>Return the result of running <a>HTTP fetch</a> given <var>fetchParams</var>.
+    </ol>
+
    <dt>Otherwise
    <dd>
     <ol>
@@ -4788,6 +4832,8 @@ these steps:
        <li><p><var>request</var>'s <a for=request>mode</a> is not "<code>no-cors</code>" and
        <var>response</var>'s <a for=response>type</a> is "<code>opaque</code>"
 
+       <li><p><var>request</var>'s <a for=request>mode</a> is "<code>user-agent-no-cors</code>"
+
        <li><var>request</var>'s <a for=request>redirect mode</a> is not "<code>manual</code>" and
        <var>response</var>'s <a for=response>type</a> is "<code>opaqueredirect</code>"
 
@@ -5144,7 +5190,9 @@ run these steps:
      <var>httpRequest</var>'s <a for=request>header list</a>.
     </ol>
 
-   <li><p><a>Append a request `<code>Origin</code>` header</a> for <var>httpRequest</var>.
+   <li>If either <var>request</var>'s <a for=request>mode</a> is not "<code>user-agent-no-cors</code>"
+   or <var>request</var>'s <a for=request>omit origin flag</a> is not set,
+   <p><a>append a request `<code>Origin</code>` header</a> for <var>httpRequest</var>.
 
    <li><p><a abstract-op lt="append the Fetch metadata headers for a request">Append the Fetch metadata headers for <var>httpRequest</var></a>.
    [[!FETCH-METADATA]]
@@ -8303,6 +8351,7 @@ Axel Rauschmayer,
 Ben Kelly,
 Benjamin Gruenbaum,
 Benjamin Hawkes-Lewis,
+Benjamin VanderSloot,
 Bert Bos,
 Björn Höhrmann,
 Boris Zbarsky,