From 7ee7a08a3e4393bf6d8e9de29f801cbc4b831311 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Thu, 24 May 2018 12:33:40 +0200 Subject: [PATCH] Define Cross-Origin-Resource-Policy response header This header makes it easier for sites to block unwanted "no-cors" cross-origin requests. Tests: ... Fixes #687. --- fetch.bs | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/fetch.bs b/fetch.bs index daafe5d45..f98ae171c 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2455,6 +2455,64 @@ run these steps:

+

`Cross-Origin-Resource-Policy` header

+ +

The +`Cross-Origin-Resource-Policy` +response header can be used to require checking a request's +current url's origin against a request's +origin when request's mode is +"no-cors". + +

Its value ABNF: + +

+Cross-Origin-Resource-Policy     = %x73.61.6D.65 / %x73.61.6D.65.2D.73.69.74.65 ; "same" / "same-site"; case-sensitive
+ +

To perform a cross-origin resource policy check, given a request and +response, run these steps:

+ +
    +
  1. If request's mode is not "no-cors", then return + allowed. + +

  2. +

    If request's origin is same origin with + request's current url's origin, then return + allowed. + +

    A cross-origin response redirecting to a same or same-site resource with the + `Cross-Origin-Resource-Policy` header specified does not affect + anything. + + +

  3. Let policy be the combined value with + `Cross-Origin-Resource-Policy` and response's + header list. + +

  4. If policy is `same`, then return blocked. + +

  5. +

    If policy is `same-site` and neither of the following is true + +

    + +

    then return blocked + +

  6. Return allowed. +

+ +

Fetching
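Review bot: step 5 of the cross-origin resource policy check is incomplete as shown: "If policy is `same-site` and neither of the following is true" is followed by an empty list, so nothing specifies which conditions make a same-site response allowed, and the step ends "then return blocked" without the period the other steps use; the two conditions need to be spelled out, and since the ABNF marks the values as case-sensitive, the comparison in steps 4 and 5 should say the same. A second point on steps 3 to 6: policy is taken as the combined value over response's header list, so a repeated header yields a combined string that matches neither `same` nor `same-site` and falls through to step 6, meaning an unrecognized or duplicated header fails open; consider stating explicitly that unknown values are ignored and how a repeated header is treated. The note under step 2 about redirects would also be clearer if it said why: the check compares request's origin against request's current url's origin, which after a redirect is the origin of the resource actually being fetched, not of the response that redirected to it.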

@@ -3751,6 +3809,9 @@ Range Requests. [[HTTP-RANGE]] However, this is not widely supported by b +
  • If the cross-origin resource policy check with request and + response returns blocked, then return a network error. +

  • If response's status is 401, CORS flag is unset, credentials flag is set, and request's window is an @@ -6390,6 +6451,7 @@ Jeffrey Yasskin, Jesse M. Heines, Jinho Bang, Jochen Eisinger, +John Wilander, Jonas Sicking, Jonathan Kingston, Jonathan Watt,
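Review bot: the new bullet in HTTP fetch runs the cross-origin resource policy check before the existing 401 step, so a blocked response returns a network error before any credentialed retry is attempted; if that ordering is deliberate, a short note saying so would help readers, since the check itself only discusses redirects. The bullet also passes `response` to the check, whose step 3 reads the `Cross-Origin-Resource-Policy` header off response's header list, so it should be confirmed (and ideally stated) that the response at this point is the unfiltered one that still carries its headers, because the check is only meaningful for "no-cors" requests whose responses are later filtered.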