diff --git a/fetch.bs b/fetch.bs index 568d86f13..82611591e 100644 --- a/fetch.bs +++ b/fetch.bs @@ -438,18 +438,7 @@ each other by 0x2C 0x20, in order.
accept
`
If one of the following is true - -
value contains a byte less than 0x20 that is not 0x09 HT -
value contains 0x22 ("), 0x28 (left parenthesis), 0x29 (right parenthesis), - 0x3A (:), 0x3C (<), 0x3E (>), 0x3F (?), 0x40 (@), 0x5B ([), 0x5C (\), 0x5D (]), 0x7B ({), - 0x7D (}), or 0x7F DEL -
then return false. +
If value contains a CORS-unsafe request-header byte, then return false.
accept-language
`
content-language
`
@@ -460,12 +449,20 @@ each other by 0x2C 0x20, in order.
content-type
`
- If value, once extracted, does not have a
- MIME type (ignoring parameters) that is application/x-www-form-urlencoded
,
- multipart/form-data
, or text/plain
, then return false.
-
+
If value contains a CORS-unsafe request-header byte, then return + false. + +
Let mimeType be the result of parsing + value. + +
If mimeType is falure, then return false. + +
If mimeType's essence is not
+ "application/x-www-form-urlencoded
", "multipart/form-data
", or
+ "text/plain
", then return false.
+
DPR
`
Downlink
`
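Review bot: "falure" in the added `content-type` step "If mimeType is falure, then return false" is a typo and should read "failure", the value the MIME type parsing step returns when value cannot be parsed. Separately, the new first step applies the CORS-unsafe request-header byte check to `Content-Type`, which the removed text did not do (it only compared the extracted MIME type against the three safelisted types). This is a behavior change rather than a pure refactor, so it is worth stating in the commit message and covering with tests for values such as a safelisted type followed by a parameter that contains one of the listed bytes.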
@@ -488,6 +485,18 @@ each other by 0x2C 0x20, in order.
There are limited exceptions to the `Content-Type
` header safelist, as
documented in CORS protocol exceptions.
+
A CORS-unsafe request-header byte is a byte byte for which one of the +following is true: + +
byte is less than 0x20 and is not 0x09 HT +
byte is 0x22 ("), 0x28 (left parenthesis), 0x29 (right parenthesis), 0x3A (:), + 0x3C (<), 0x3E (>), 0x3F (?), 0x40 (@), 0x5B ([), 0x5C (\), 0x5D (]), 0x7B ({), 0x7D (}), or + 0x7F DEL. + +
The CORS-unsafe request-header names, given a header list headers, are determined as follows:
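Review bot: The two list items in the new "CORS-unsafe request-header byte" definition are punctuated inconsistently: the first ("byte is less than 0x20 and is not 0x09 HT") has no trailing period while the second ends with "0x7F DEL.". Pick one style for both. The byte set itself matches the list removed from the `accept` entry in the first hunk, so the `accept` behavior is unchanged. Consider moving this definition above the safelist steps that use it, or confirming that both new uses link to it, since readers reach the term in the `accept` and `content-type` entries before they reach its definition.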