diff --git a/fetch.bs b/fetch.bs index 6e55ecf3f..2f340ca33 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1548,10 +1548,15 @@ Unless stated otherwise, it is unset.
A request has an associated done flag. Unless stated otherwise, it is unset. +
A request has an associated +timing allow failed flag. Unless stated +otherwise, it is unset. +
A request's tainted origin flag, URL list, current URL, redirect count, -response tainting, and done flag are used as bookkeeping -details by the fetch algorithm. +response tainting, done flag, and +timing allow failed flag are used as bookkeeping details by the +fetch algorithm.
If request's tainted origin flag is set, then return
- `null
`.
+ "null
".
Return request's origin, - serialized and isomorphic encoded. + serialized.
Byte-serializing a request origin, given a request request, +is to return the result of serializing a request origin with request, +isomorphic encoded. +
To clone a @@ -1800,6 +1809,15 @@ initially unset. being provided to an API that didn't make a range request. See the flag's usage for a detailed description of the attack. +
A response has an associated +timing allow passed flag, which is +initially unset. + +
This is used so that the caller to a fetch can determine if sensitive timing data is +allowed on the resource fetched by looking at the flag of the response returned. Because the flag on +the response of a redirect has to be set if it was set for previous responses in the redirect chain, +this is also tracked internally using the request's timing allow failed flag. +
A response can have an associated location URL (null, failure, or a URL). Unless specified otherwise, response has no @@ -2416,8 +2434,8 @@ origin = scheme "://" host given a request request with an optional CORS flag, run these steps:
Let serializedOrigin be the result of serializing a request origin with - request. +
Let serializedOrigin be the result of byte-serializing a request origin + with request.
If the CORS flag is set or request's mode is
"websocket
", then append
@@ -3528,6 +3546,9 @@ with a CORS flag and recursive flag, run these steps:
+
If request's timing allow failed flag is unset, then set + internalResponse's timing allow passed flag. +
Set internalResponse's CSP list. [[!CSP]] @@ -3894,6 +3915,9 @@ optional CORS flag and CORS-preflight flag, run these steps:
As the CORS check is not to be applied to
responses whose status is 304
or 407
,
or responses from a service worker for that matter, it is applied here.
+
+
If the TAO check for request and response returns failure, + then set request's timing allow failed flag.
A cache entry consists of:
Let entry be a cache entry, initialized as follows:
The result of serializing a request origin with request +
The result of byte-serializing a request origin with request
request's current URL @@ -5003,15 +5027,15 @@ be removed before that moment arrives.
To clear cache entries, given a request, remove any cache entries in the user agent's CORS-preflight cache -whose serialized origin is the result of -serializing a request origin with request and whose URL -is request's current URL. +whose byte-serialized origin is the result of +byte-serializing a request origin with request and whose +URL is request's current URL.
There is a cache entry match for a cache entry entry with request if entry's -serialized origin is the result of serializing a request origin with -request, entry's URL is request's -current URL, and one of +byte-serialized origin is the result of +byte-serializing a request origin with request, entry's +URL is request's current URL, and one of
If request's credentials mode is not "include
"
and origin is `*
`, then return success.
-
If the result of serializing a request origin with request is not +
If the result of byte-serializing a request origin with request is not origin, then return failure.
If request's credentials mode is not "include
",
@@ -5075,6 +5099,31 @@ agent's CORS-preflight cache for which there is a cache entry match
+
To perform a TAO check for a request and +response, run these steps: + +
If request's timing allow failed flag is set, then return + failure. + +
If request's response tainting is "basic
", then
+ return success.
+
+
Let values be the result of
+ getting, decoding, and splitting `Timing-Allow-Origin
` from
+ response's header list.
+
+
If values contains "*
", then return success.
+
+
If values contains the result of + serializing a request origin with request, then return success. + +
Return failure. +
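Review bot: in the -1548 hunk, changing serializing a request origin to return a string ("null" instead of `null`, and dropping "isomorphic encoded") changes the type of what every existing caller receives. This diff moves the Origin header (-2416 hunk), the CORS-preflight cache (-3894 and -5003 hunks) and the CORS check over to the new byte-serializing a request origin, and the TAO check in the -5075 hunk is the only caller in the diff that wants the string form; any caller outside these hunks that still feeds the result into a header list or a byte comparison would now be comparing a string to a byte sequence, so please grep the rest of fetch.bs for remaining uses of "serializing a request origin" before landing.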
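Review bot: the explanatory note in the -1800 hunk states the inverse of what the flags do: a redirect response's timing allow passed flag does not "have to be set if it was set for previous responses"; it may only be set if the TAO check passed for every previous response in the chain, which is exactly why the request-side flag records failure rather than success. Suggest rewording to "Because the flag on a response in a redirect chain can only be set if the TAO check passed for all previous responses in the chain, failure is tracked internally using the request's timing allow failed flag." Also "the caller to a fetch" should read "the caller of a fetch".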
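Review bot: the new step in the -3894 hunk runs the TAO check after the CORS check on every response that reaches this point, including the 304 and 407 responses and service worker responses that the preceding note singles out for the CORS check; a one-line note saying that the TAO check is deliberately applied to those responses as well (or explicitly excluding them) would pre-empt the same question the CORS note already answers. Because the check is performed only on this HTTP fetch path, a response that never passes through it cannot set the request's timing allow failed flag, so the -3528 hunk will always set timing allow passed on it; that looks intended given the TAO check's "basic" response tainting shortcut, but it is worth stating next to the step.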
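Review bot: in the TAO check of the -5075 hunk, the step "If values contains the result of serializing a request origin with request, then return success" compares against a serialization that, per the -1548 hunk, returns "null" whenever the request's tainted origin flag is set; a response carrying `Timing-Allow-Origin: null` would therefore pass for any tainted-origin request, mirroring how a null origin matches in the CORS check above. If that is not intended, return failure when the tainted origin flag is set before that step; if it is intended, add a note so the behaviour is visible to readers. Separately, the first step (return failure when the request's timing allow failed flag is set) is what makes a failure earlier in a redirect chain sticky; a short cross-reference to the step added in the -3894 hunk would make the two halves of the mechanism easier to follow.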