From 7ee7a08a3e4393bf6d8e9de29f801cbc4b831311 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren
Cross-Origin-Resource-Policy
` headerThe
+`Cross-Origin-Resource-Policy
`
+response header can be used to require checking a request's
+current url's origin against a request's
+origin when request's mode is
+"no-cors
".
+
+
+Cross-Origin-Resource-Policy = %x73.61.6D.65 / %x73.61.6D.65.2D.73.69.74.65 ; "same" / "same-site"; case-sensitive+ +
To perform a cross-origin resource policy check, given a request and +response, run these steps:
+ +If request's mode is not "no-cors
", then return
+ allowed.
+
+
If request's origin is same origin with + request's current url's origin, then return + allowed. + +
A cross-origin response redirecting to a same or same-site resource with the
+ `Cross-Origin-Resource-Policy
` header specified does not affect
+ anything.
+
+
+
Let policy be the combined value with
+ `Cross-Origin-Resource-Policy
` and response's
+ header list.
+
+
If policy is `same
`, then return blocked.
+
+
If policy is `same-site
` and neither of the following is true
+
+
request's origin's host + is a registrable domain suffix of or is equal to request's + current url's host + +
request's current url's host + is a registrable domain suffix of or is equal to request's + origin's host +
then return blocked + +
Return allowed. +
If the cross-origin resource policy check with request and + response returns blocked, then return a network error. +
If response's status is 401
, CORS flag
is unset, credentials flag is set, and request's window is an
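Review bot: the `same-site` branch (the two host conditions that precede "then return blocked") compares hosts only, so a response served over https would still be allowed when the requesting origin is an http origin on the same registrable domain; consider adding a scheme condition next to the registrable-domain-suffix checks, for example returning blocked when request's current url's scheme is "https" and request's origin's scheme is not. Separately, "Let policy be the combined value" joins multiple header values with ", ", so a response carrying both `same` and `same-site` produces a policy that matches neither branch and falls through to "Return allowed"; the text should state explicitly that any value other than `same` or `same-site` is ignored, so implementers and authors do not assume a malformed header still blocks.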
@@ -6390,6 +6451,7 @@ Jeffrey Yasskin,
Jesse M. Heines,
Jinho Bang,
Jochen Eisinger,
+John Wilander,
Jonas Sicking,
Jonathan Kingston,
Jonathan Watt,