Skip to content
Permalink
Browse files

[giow] (1) Cleanup of the 'potentially CORS-enabled fetch' algorithm …

…to actually make sense.

Affected topics: HTML

git-svn-id: http://svn.whatwg.org/webapps@7297 340c8d12-0b0e-0410-8428-c7bf67bfef74
  • Loading branch information...
Hixie committed Aug 29, 2012
1 parent 3e835a0 commit f1ae779d7d9e23ba27e16f09f517a1b43a252ec2
Showing with 208 additions and 190 deletions.
  1. +69 −62 complete.html
  2. +69 −62 index
  3. +70 −66 source
<dfn id=cors-cross-origin>CORS-cross-origin</dfn>, or blocks the resource entirely.</p>

<dl class=switch><dt>If the <var title="">URL</var> has the <a href=#same-origin>same origin</a> as <var title="">origin</var></dt>

<dt>If <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>"</dt>
<dt>If the <var title="">URL</var> is a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a></dt>
<dt>If the <var title="">URL</var> is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a></dt>
<dt>If the <var title="">URL</var> is <code><a href=#about:blank>about:blank</a></code></dt>

<dd>

<p>Run these substeps:</p>

<ol><li><p>Let <var title="">result</var> have no value.</li>

<li><p><a href=#fetch>Fetch</a> <var title="">URL</var>, with the
<ol><li><p><a href=#fetch>Fetch</a> <var title="">URL</var>, with the
<i>manual redirect flag</i> set.</li> <!-- http-origin privacy
sensitive -->


<li>

<p>If the result of the <a href=#fetch>fetch</a> is a redirect, and
the <var title="">mode</var> is not "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>", and the
<a href=#origin>origin</a> of the target URL of the redirect is not the
<a href=#same-origin>same origin</a> as <var title="">origin</var>, then set
<var title="">URL</var> to the the target URL of the redirect
and return to the top of the <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled
fetch</a> algorithm (this time, the branch below will be
taken, resulting in the fetch being done in a CORS-aware
fashion).</p>

<p>Otherwise, if the result of the <a href=#fetch>fetch</a> is a
redirect, and <var title="">result</var> still has no value,
then apply the CORS <a href=#redirect-steps>redirect steps</a>, with the CORS
<a href=#omit-credentials-flag>omit credentials flag</a> not set and the <i>request
rules</i> being that the user agent continue to follow these
steps. If this resumes the <a href=#fetch>fetch</a> algorithm, then
return to the <i>loop</i> step. If it failed due to a failure of
the CORS <a href=#resource-sharing-check>resource sharing check</a>, then: if <var title="">default</var> is <i>fail</i>, then set <var title="">result</var> to <i>fail</i> and jump to the step
labeled <i>end</i>; if <var title="">default</var> is
<i>taint</i>, then set <var title="">result</var> to
<i>taint</i>, <a href=#transparently-follow-the-redirect>transparently follow the redirect</a> but
with the <i>manual redirect flag</i> no longer set, and jump to
the step labeled <i>end</i> below.</p>

<p>Otherwise, if the resource is not available (e.g. there is
a network error) then set <var title="">result</var> to the
same value as <var title="">default</var>, and jump to the
step labeled <i>end</i> below.</p>

<p>Otherwise, perform a <a href=#resource-sharing-check>resource sharing check</a>,
with the CORS <a href=#omit-credentials-flag>omit credentials flag</a> not set. If it
returns fail, then set <var title="">result</var> to the same
value as <var title="">default</var>; otherwise, set <var title="">result</var> to <i>success</i>. Then, jump to the step
labeled <i>end</i> below.</p>

</li>

<li>

<p><i>End</i>: Jump to the appropriate step from the following
list:</p>
<p>Follow the first appropriate steps from the following list:</p>

<dl class=switch><dt>If <var title="">result</var> is <i>fail</i></dt>
<dl class=switch><dt>If the result of the <a href=#fetch>fetch</a> is a redirect, and
the <a href=#origin>origin</a> of the target URL of the redirect is
not the <a href=#same-origin>same origin</a> as <var title="">origin</var></dt>

<dd>

<p>Discard all fetched data and prevent any <a href=#concept-task title=concept-task>tasks</a> from the <a href=#fetch>fetch</a>
algorithm from being <a href=#queue-a-task title="queue a task">queued</a>.
For the purposes of the calling algorithm, the user agent must
act as if there was a fatal network error and no resource was
obtained. The user agent may report a cross-origin resource
access failure to the user (e.g. in a debugging console).</p>
<p>Set <var title="">URL</var> to the the target URL of the
redirect and return to the top of the <a href=#potentially-cors-enabled-fetch>potentially
CORS-enabled fetch</a> algorithm (this time, one of the
other branches below might be taken, based on the value of
<var title="">mode</var><!-- but if it's a data: or
javascript: URL, we'll stay here -->).</p>

</dd>

<dt>If <var title="">result</var> is <i>taint</i></dt>
<dt>If the result of the <a href=#fetch>fetch</a> is a redirect</dt>

<dd>

<p>The <a href=#concept-task title=concept-task>tasks</a> from the
<a href=#fetch>fetch</a> algorithm are <a href=#queue-a-task title="queue a
task">queued</a> normally, but for the purposes of the
calling algorithm, the obtained resource is
<a href=#cors-cross-origin>CORS-cross-origin</a>. The user agent may report a
cross-origin resource access failure to the user (e.g. in a
debugging console).</p>
<p class=note>The <a href=#origin>origin</a> of the target URL of
the redirect is the <a href=#same-origin>same origin</a> as <var title="">origin</var>.</p>

<p><a href=#transparently-follow-the-redirect>Transparently follow the redirect</a> and jump to
the step labeled <i>loop</i> above.</p>

</dd>

<dt>If <var title="">result</var> is <i>success</i></dt>
<dt>Otherwise</dt>

<dd>

<p class=note>The resource is available, it is not a
redirect, and its <a href=#origin>origin</a> is the <a href=#same-origin>same
origin</a> as <var title="">origin</var>.</p>

<p>The <a href=#concept-task title=concept-task>tasks</a> from the
<a href=#fetch>fetch</a> algorithm are <a href=#queue-a-task title="queue a
task">queued</a> normally, and for the purposes of the
</ol></dd>


<dt>If <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>" and <var title="">default</var> is <i>taint</i></dt>

<dd>

<p class=note>The <var title="">URL</var> does not have the
<a href=#same-origin>same origin</a> as <var title="">origin</var>.</p>

<p><a href=#fetch>Fetch</a> <var title="">URL</var>.</p> <!--
http-origin privacy sensitive -->

<p>The <a href=#concept-task title=concept-task>tasks</a> from the
<a href=#fetch>fetch</a> algorithm are <a href=#queue-a-task title="queue a
task">queued</a> normally, but for the purposes of the calling
algorithm, the obtained resource is
<a href=#cors-cross-origin>CORS-cross-origin</a>. The user agent may report a
cross-origin resource access failure to the user (e.g. in a
debugging console).</p>

</dd>


<dt>If <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>"</dt>

<dd>

<p class=note>The <var title="">URL</var> does not have the
<a href=#same-origin>same origin</a> as <var title="">origin</var>, and <var title="">default</var> is <i>fail</i>.</p>

<p>Discard any data fetched as part of this algorithm, and prevent
any <a href=#concept-task title=concept-task>tasks</a> from such invocations
of the <a href=#fetch>fetch</a> algorithm from being <a href=#queue-a-task title="queue
a task">queued</a>.

For the purposes of the calling algorithm, the user agent must act
as if there was a fatal network error and no resource was
obtained. The user agent may report a cross-origin resource access
failure to the user (e.g. in a debugging console).</p>

</dd>


<dt>If <var title="">mode</var> is "<a href=#attr-crossorigin-anonymous title=attr-crossorigin-anonymous>Anonymous</a>" or "<a href=#attr-crossorigin-use-credentials title=attr-crossorigin-use-credentials>Use
Credentials</a>"</dt>

<dd>

<p class=note>The <var title="">URL</var> does not have the
<a href=#same-origin>same origin</a> as <var title="">origin</var>.</p>

<p>Run these steps:</p>

<ol><li><p>Perform a <a href=#cross-origin-request>cross-origin request</a> with the
131 index
<dfn id=cors-cross-origin>CORS-cross-origin</dfn>, or blocks the resource entirely.</p>

<dl class=switch><dt>If the <var title="">URL</var> has the <a href=#same-origin>same origin</a> as <var title="">origin</var></dt>

<dt>If <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>"</dt>
<dt>If the <var title="">URL</var> is a <a href=#data-protocol title="data protocol"><code title="">data:</code> URL</a></dt>
<dt>If the <var title="">URL</var> is a <a href=#javascript-protocol title="javascript protocol"><code title="">javascript:</code> URL</a></dt>
<dt>If the <var title="">URL</var> is <code><a href=#about:blank>about:blank</a></code></dt>

<dd>

<p>Run these substeps:</p>

<ol><li><p>Let <var title="">result</var> have no value.</li>

<li><p><a href=#fetch>Fetch</a> <var title="">URL</var>, with the
<ol><li><p><a href=#fetch>Fetch</a> <var title="">URL</var>, with the
<i>manual redirect flag</i> set.</li> <!-- http-origin privacy
sensitive -->


<li>

<p>If the result of the <a href=#fetch>fetch</a> is a redirect, and
the <var title="">mode</var> is not "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>", and the
<a href=#origin>origin</a> of the target URL of the redirect is not the
<a href=#same-origin>same origin</a> as <var title="">origin</var>, then set
<var title="">URL</var> to the the target URL of the redirect
and return to the top of the <a href=#potentially-cors-enabled-fetch>potentially CORS-enabled
fetch</a> algorithm (this time, the branch below will be
taken, resulting in the fetch being done in a CORS-aware
fashion).</p>

<p>Otherwise, if the result of the <a href=#fetch>fetch</a> is a
redirect, and <var title="">result</var> still has no value,
then apply the CORS <a href=#redirect-steps>redirect steps</a>, with the CORS
<a href=#omit-credentials-flag>omit credentials flag</a> not set and the <i>request
rules</i> being that the user agent continue to follow these
steps. If this resumes the <a href=#fetch>fetch</a> algorithm, then
return to the <i>loop</i> step. If it failed due to a failure of
the CORS <a href=#resource-sharing-check>resource sharing check</a>, then: if <var title="">default</var> is <i>fail</i>, then set <var title="">result</var> to <i>fail</i> and jump to the step
labeled <i>end</i>; if <var title="">default</var> is
<i>taint</i>, then set <var title="">result</var> to
<i>taint</i>, <a href=#transparently-follow-the-redirect>transparently follow the redirect</a> but
with the <i>manual redirect flag</i> no longer set, and jump to
the step labeled <i>end</i> below.</p>

<p>Otherwise, if the resource is not available (e.g. there is
a network error) then set <var title="">result</var> to the
same value as <var title="">default</var>, and jump to the
step labeled <i>end</i> below.</p>

<p>Otherwise, perform a <a href=#resource-sharing-check>resource sharing check</a>,
with the CORS <a href=#omit-credentials-flag>omit credentials flag</a> not set. If it
returns fail, then set <var title="">result</var> to the same
value as <var title="">default</var>; otherwise, set <var title="">result</var> to <i>success</i>. Then, jump to the step
labeled <i>end</i> below.</p>

</li>

<li>

<p><i>End</i>: Jump to the appropriate step from the following
list:</p>
<p>Follow the first appropriate steps from the following list:</p>

<dl class=switch><dt>If <var title="">result</var> is <i>fail</i></dt>
<dl class=switch><dt>If the result of the <a href=#fetch>fetch</a> is a redirect, and
the <a href=#origin>origin</a> of the target URL of the redirect is
not the <a href=#same-origin>same origin</a> as <var title="">origin</var></dt>

<dd>

<p>Discard all fetched data and prevent any <a href=#concept-task title=concept-task>tasks</a> from the <a href=#fetch>fetch</a>
algorithm from being <a href=#queue-a-task title="queue a task">queued</a>.
For the purposes of the calling algorithm, the user agent must
act as if there was a fatal network error and no resource was
obtained. The user agent may report a cross-origin resource
access failure to the user (e.g. in a debugging console).</p>
<p>Set <var title="">URL</var> to the the target URL of the
redirect and return to the top of the <a href=#potentially-cors-enabled-fetch>potentially
CORS-enabled fetch</a> algorithm (this time, one of the
other branches below might be taken, based on the value of
<var title="">mode</var><!-- but if it's a data: or
javascript: URL, we'll stay here -->).</p>

</dd>

<dt>If <var title="">result</var> is <i>taint</i></dt>
<dt>If the result of the <a href=#fetch>fetch</a> is a redirect</dt>

<dd>

<p>The <a href=#concept-task title=concept-task>tasks</a> from the
<a href=#fetch>fetch</a> algorithm are <a href=#queue-a-task title="queue a
task">queued</a> normally, but for the purposes of the
calling algorithm, the obtained resource is
<a href=#cors-cross-origin>CORS-cross-origin</a>. The user agent may report a
cross-origin resource access failure to the user (e.g. in a
debugging console).</p>
<p class=note>The <a href=#origin>origin</a> of the target URL of
the redirect is the <a href=#same-origin>same origin</a> as <var title="">origin</var>.</p>

<p><a href=#transparently-follow-the-redirect>Transparently follow the redirect</a> and jump to
the step labeled <i>loop</i> above.</p>

</dd>

<dt>If <var title="">result</var> is <i>success</i></dt>
<dt>Otherwise</dt>

<dd>

<p class=note>The resource is available, it is not a
redirect, and its <a href=#origin>origin</a> is the <a href=#same-origin>same
origin</a> as <var title="">origin</var>.</p>

<p>The <a href=#concept-task title=concept-task>tasks</a> from the
<a href=#fetch>fetch</a> algorithm are <a href=#queue-a-task title="queue a
task">queued</a> normally, and for the purposes of the
</ol></dd>


<dt>If <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>" and <var title="">default</var> is <i>taint</i></dt>

<dd>

<p class=note>The <var title="">URL</var> does not have the
<a href=#same-origin>same origin</a> as <var title="">origin</var>.</p>

<p><a href=#fetch>Fetch</a> <var title="">URL</var>.</p> <!--
http-origin privacy sensitive -->

<p>The <a href=#concept-task title=concept-task>tasks</a> from the
<a href=#fetch>fetch</a> algorithm are <a href=#queue-a-task title="queue a
task">queued</a> normally, but for the purposes of the calling
algorithm, the obtained resource is
<a href=#cors-cross-origin>CORS-cross-origin</a>. The user agent may report a
cross-origin resource access failure to the user (e.g. in a
debugging console).</p>

</dd>


<dt>If <var title="">mode</var> is "<a href=#attr-crossorigin-none title=attr-crossorigin-none>No CORS</a>"</dt>

<dd>

<p class=note>The <var title="">URL</var> does not have the
<a href=#same-origin>same origin</a> as <var title="">origin</var>, and <var title="">default</var> is <i>fail</i>.</p>

<p>Discard any data fetched as part of this algorithm, and prevent
any <a href=#concept-task title=concept-task>tasks</a> from such invocations
of the <a href=#fetch>fetch</a> algorithm from being <a href=#queue-a-task title="queue
a task">queued</a>.

For the purposes of the calling algorithm, the user agent must act
as if there was a fatal network error and no resource was
obtained. The user agent may report a cross-origin resource access
failure to the user (e.g. in a debugging console).</p>

</dd>


<dt>If <var title="">mode</var> is "<a href=#attr-crossorigin-anonymous title=attr-crossorigin-anonymous>Anonymous</a>" or "<a href=#attr-crossorigin-use-credentials title=attr-crossorigin-use-credentials>Use
Credentials</a>"</dt>

<dd>

<p class=note>The <var title="">URL</var> does not have the
<a href=#same-origin>same origin</a> as <var title="">origin</var>.</p>

<p>Run these steps:</p>

<ol><li><p>Perform a <a href=#cross-origin-request>cross-origin request</a> with the

0 comments on commit f1ae779

Please sign in to comment.
You can’t perform that action at this time.