Editorial: use origin-based "same site" definition

fetch.bs

@@ -3107,9 +3107,22 @@ Cross-Origin-Resource-Policy     = %s"same-origin" / %s"same-site" ; case-sensit
 
  <li><p>If <var>policy</var> is `<code>same-origin</code>`, then return <b>blocked</b>.
 
- <li><p>If <var>request</var>'s <a for=request>origin</a> is <a>same site</a> with
- <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>, then return
- <b>allowed</b>.
+ <li>
+  <p>If the following are true
+
+  <ul class=brief>
+   <li><var>request</var>'s <a for=request>origin</a> is <a>schemelessly same site</a> with
+   <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>
+   <li><var>request</var>'s <a for=request>origin</a>'s <a for=url>scheme</a> is
+   "<code>https</code>" or <var>response</var>'s <a for=response>HTTPS state</a> is
+   "<code>none</code>"
+  </ul>
+
+  <p>then return <b>allowed</b>.
+
+  <p class=note>This prevents HTTPS responses with
+  `<code>Cross-Origin-Resource-Policy: same-site</code>` from being accessed without secure
+  transport.
 
  <li><p>If <var>policy</var> is `<code>same-site</code>`, then return <b>blocked</b>.