Change how CORS filtered response filters the headers.

Overview.html

@@ -7,7 +7,7 @@
 
 <p><a class="logo" href="https://whatwg.org/"><img alt="WHATWG" height="100" src="https://resources.whatwg.org/logo-fetch.svg" width="100"></a>
 <h1 id="cors">Fetch</h1>
-<h2 class="no-num no-toc" id="living-standard-—-last-updated-25-march-2016">Living Standard — Last Updated 25 March 2016</h2>
+<h2 class="no-num no-toc" id="living-standard-—-last-updated-29-march-2016">Living Standard — Last Updated 29 March 2016</h2>
 
 <dl>
  <dt>Participate:
@@ -451,7 +451,7 @@ <h4 id="terminology-headers"><span class="secno">3.1.2 </span>Headers</h4>
 </ul>
 
 <p>A <dfn id="cors-safelisted-response-header-name">CORS-safelisted response-header name</dfn>, given a
-<a href="#concept-response-header-list" title="concept-response-header-list">header list</a> <var>list</var>, is a
+<a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a> <var>list</var>, is a
 <a href="#concept-header" title="concept-header">header</a> <a href="#concept-header-name" title="concept-header-name">name</a> that is one of:
 
 <ul>
@@ -461,9 +461,7 @@ <h4 id="terminology-headers"><span class="secno">3.1.2 </span>Headers</h4>
  <li>`<code title="">Expires</code>`
  <li>`<code title="">Last-Modified</code>`
  <li>`<code title="">Pragma</code>`.
- <li>Any <a href="#concept-header-value" title="concept-header-value">value</a> resulting from
- <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
- `<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>` in
+ <li>Any <a href="#concept-header-value" title="concept-header-value">value</a> in
  <var>list</var> that is not a <a href="#forbidden-response-header-name">forbidden response-header name</a>.
 </ul>
 
@@ -1111,6 +1109,19 @@ <h4 id="responses"><span class="secno">3.1.6 </span>Responses</h4>
 for the <a href="#concept-response" title="concept-response">response</a>. The list is empty unless otherwise
 specified. <a href="#refsCSP">[CSP]</a>
 
+<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
+<dfn id="concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</dfn>
+(a list of zero or more
+<a href="#concept-header" title="concept-header">header</a> <a href="#concept-header-name" title="concept-header-name">names</a>).
+The list is empty unless otherwise specified.
+
+<p class="note no-backref">A <a href="#concept-response" title="concept-response">response</a> will typically get its
+<a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>
+set by <a href="#concept-header-parse" title="concept-header-parse">parsing</a> the
+`<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>` header. This
+list is used by a <a href="#concept-filtered-response-cors" title="concept-filtered-response-cors">CORS filtered response</a> to
+determine which headers to expose.
+
 <hr>
 
 <p>A <a href="#concept-response" title="concept-response">response</a> whose
@@ -1162,7 +1173,7 @@ <h4 id="responses"><span class="secno">3.1.6 </span>Responses</h4>
 <a href="#concept-header-name" title="concept-header-name">name</a> is <em>not</em> a
 <a href="#cors-safelisted-response-header-name">CORS-safelisted response-header name</a>, given
 <a href="#concept-internal-response" title="concept-internal-response">internal response</a>'s
-<a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.
+<a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>.
 
 <p>An <dfn id="concept-filtered-response-opaque" title="concept-filtered-response-opaque">opaque filtered response</dfn> is a
 <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a> whose
@@ -2104,22 +2115,34 @@ <h3 id="main-fetch"><span class="secno">5.1 </span>Main fetch</h3>
   <p>If <var>response</var> is not a
   <a href="#concept-network-error" title="concept-network-error">network error</a> and
   <var>response</var> is not a
-  <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a>, set
-  <var>response</var> to the following
-  <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a> with
-  <var>response</var> as its
-  <a href="#concept-internal-response" title="concept-internal-response">internal response</a>, depending on
-  <var>request</var>'s
-  <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a>:
-
-  <dl class="switch compact">
-   <dt>"<code title="">basic</code>"
-   <dd><a href="#concept-filtered-response-basic" title="concept-filtered-response-basic">basic filtered response</a>
-   <dt>"<code title="">cors</code>"
-   <dd><a href="#concept-filtered-response-cors" title="concept-filtered-response-cors">CORS filtered response</a>
-   <dt>"<code title="">opaque</code>"
-   <dd><a href="#concept-filtered-response-opaque" title="concept-filtered-response-opaque">opaque filtered response</a>
-  </dl>
+  <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a>, run these substeps:
+
+  <ol>
+   <li>
+    <p>Set <var>response</var>'s
+    <a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>
+    to the result of <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
+    `<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>` in
+    <var>response</var>'s
+    <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.
+
+   <li>
+    <p>Set <var>response</var> to the following
+    <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a> with
+    <var>response</var> as its
+    <a href="#concept-internal-response" title="concept-internal-response">internal response</a>, depending on
+    <var>request</var>'s
+    <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a>:
+
+    <dl class="switch compact">
+     <dt>"<code title="">basic</code>"
+     <dd><a href="#concept-filtered-response-basic" title="concept-filtered-response-basic">basic filtered response</a>
+     <dt>"<code title="">cors</code>"
+     <dd><a href="#concept-filtered-response-cors" title="concept-filtered-response-cors">CORS filtered response</a>
+     <dt>"<code title="">opaque</code>"
+     <dd><a href="#concept-filtered-response-opaque" title="concept-filtered-response-opaque">opaque filtered response</a>
+    </dl>
+  </ol>
 
  <li><p>Let <var>internalResponse</var> be <var>response</var>, if <var>response</var> is a
  <a href="#concept-network-error" title="concept-network-error">network error</a>, and <var>response</var>'s
@@ -5205,6 +5228,7 @@ <h2 class="no-num" id="acknowledgments">Acknowledgments</h2>
 Manish Goregaokar,
 Marc Silbey,
 Marcos Caceres,
+Marijn Kruisselbrink,
 Mark Nottingham,
 Mark S. Miller,
 Martin Dürst,

Overview.src.html

@@ -382,7 +382,7 @@ <h4 id=terminology-headers>Headers</h4>
 </ul>
 
 <p>A <dfn>CORS-safelisted response-header name</dfn>, given a
-<span title=concept-response-header-list>header list</span> <var>list</var>, is a
+<span title=concept-response-cors-exposed-header-name-list>CORS-exposed header-name list</span> <var>list</var>, is a
 <span title=concept-header>header</span> <span title=concept-header-name>name</span> that is one of:
 
 <ul>
@@ -392,9 +392,7 @@ <h4 id=terminology-headers>Headers</h4>
  <li>`<code title>Expires</code>`
  <li>`<code title>Last-Modified</code>`
  <li>`<code title>Pragma</code>`.
- <li>Any <span title=concept-header-value>value</span> resulting from
- <span title=concept-header-parse>parsing</span>
- `<code title=http-access-control-expose-headers>Access-Control-Expose-Headers</code>` in
+ <li>Any <span title=concept-header-value>value</span> in
  <var>list</var> that is not a <span>forbidden response-header name</span>.
 </ul>
 
@@ -1042,6 +1040,19 @@ <h4>Responses</h4>
 for the <span title=concept-response>response</span>. The list is empty unless otherwise
 specified. <span data-anolis-ref>CSP</span>
 
+<p>A <span title=concept-response>response</span> has an associated
+<dfn title=concept-response-cors-exposed-header-name-list>CORS-exposed header-name list</dfn>
+(a list of zero or more
+<span title=concept-header>header</span> <span title=concept-header-name>names</span>).
+The list is empty unless otherwise specified.
+
+<p class="note no-backref">A <span title=concept-response>response</span> will typically get its
+<span title=concept-response-cors-exposed-header-name-list>CORS-exposed header-name list</span>
+set by <span title=concept-header-parse>parsing</span> the
+`<code title=http-access-control-expose-headers>Access-Control-Expose-Headers</code>` header. This
+list is used by a <span title=concept-filtered-response-cors>CORS filtered response</span> to
+determine which headers to expose.
+
 <hr>
 
 <p>A <span title=concept-response>response</span> whose
@@ -1093,7 +1104,7 @@ <h4>Responses</h4>
 <span title=concept-header-name>name</span> is <em>not</em> a
 <span>CORS-safelisted response-header name</span>, given
 <span title=concept-internal-response>internal response</span>'s
-<span title=concept-response-header-list>header list</span>.
+<span title=concept-response-cors-exposed-header-name-list>CORS-exposed header-name list</span>.
 
 <p>An <dfn title=concept-filtered-response-opaque>opaque filtered response</dfn> is a
 <span title=concept-filtered-response>filtered response</span> whose
@@ -2035,22 +2046,34 @@ <h3>Main fetch</h3>
   <p>If <var>response</var> is not a
   <span title=concept-network-error>network error</span> and
   <var>response</var> is not a
-  <span title=concept-filtered-response>filtered response</span>, set
-  <var>response</var> to the following
-  <span title=concept-filtered-response>filtered response</span> with
-  <var>response</var> as its
-  <span title=concept-internal-response>internal response</span>, depending on
-  <var>request</var>'s
-  <span title=concept-request-response-tainting>response tainting</span>:
-
-  <dl class="switch compact">
-   <dt>"<code title>basic</code>"
-   <dd><span title=concept-filtered-response-basic>basic filtered response</span>
-   <dt>"<code title>cors</code>"
-   <dd><span title=concept-filtered-response-cors>CORS filtered response</span>
-   <dt>"<code title>opaque</code>"
-   <dd><span title=concept-filtered-response-opaque>opaque filtered response</span>
-  </dl>
+  <span title=concept-filtered-response>filtered response</span>, run these substeps:
+
+  <ol>
+   <li>
+    <p>Set <var>response</var>'s
+    <span title=concept-response-cors-exposed-header-name-list>CORS-exposed header-name list</span>
+    to the result of <span title=concept-header-parse>parsing</span>
+    `<code title=http-access-control-expose-headers>Access-Control-Expose-Headers</code>` in
+    <var>response</var>'s
+    <span title=concept-response-header-list>header list</span>.
+
+   <li>
+    <p>Set <var>response</var> to the following
+    <span title=concept-filtered-response>filtered response</span> with
+    <var>response</var> as its
+    <span title=concept-internal-response>internal response</span>, depending on
+    <var>request</var>'s
+    <span title=concept-request-response-tainting>response tainting</span>:
+
+    <dl class="switch compact">
+     <dt>"<code title>basic</code>"
+     <dd><span title=concept-filtered-response-basic>basic filtered response</span>
+     <dt>"<code title>cors</code>"
+     <dd><span title=concept-filtered-response-cors>CORS filtered response</span>
+     <dt>"<code title>opaque</code>"
+     <dd><span title=concept-filtered-response-opaque>opaque filtered response</span>
+    </dl>
+  </ol>
 
  <li><p>Let <var>internalResponse</var> be <var>response</var>, if <var>response</var> is a
  <span title=concept-network-error>network error</span>, and <var>response</var>'s
@@ -5047,6 +5070,7 @@ <h2 class=no-num>Acknowledgments</h2>
 Manish Goregaokar,
 Marc Silbey,
 Marcos Caceres,
+Marijn Kruisselbrink,
 Mark Nottingham,
 Mark S. Miller,
 Martin D&uuml;rst,