From a2fd262730a9a8623a0dbe0b0ad72581ff2d8070 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 29 May 2018 10:52:31 +0200
Subject: [PATCH] address review comments

---
 fetch.bs | 45 ++++++++++++++++++++-------------------------
 1 file changed, 20 insertions(+), 25 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index f98ae171c..d8287a00c 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -2467,7 +2467,7 @@ response <a for=/>header</a> can be used to require checking a <a for=/>request<
 <p>Its <a for=header>value</a> <a>ABNF</a>:
 
 <pre>
-Cross-Origin-Resource-Policy     = %x73.61.6D.65 / %x73.61.6D.65.2D.73.69.74.65 ; "same" / "same-site"; case-sensitive</pre>
+Cross-Origin-Resource-Policy     = %x73.61.6D.65 / %x73.61.6D.65.2D.73.69.74.65 ; "same" / "same-site", case-sensitive</pre>
 
 <p>To perform a <dfn>cross-origin resource policy check</dfn>, given a <var>request</var> and
 <var>response</var>, run these steps:</p>
@@ -2481,33 +2481,27 @@ Cross-Origin-Resource-Policy     = %x73.61.6D.65 / %x73.61.6D.65.2D.73.69.74.65
   <var>request</var>'s <a for=request>current url</a>'s <a for=url>origin</a>, then return
   <b>allowed</b>.
 
-  <p class=note>A cross-origin response redirecting to a same or same-site resource with the
-  `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` header specified does not affect
-  anything.
-  <!-- We could make this have an effect if we fix https://github.com/whatwg/fetch/pull/594 first,
-       but even then we normally do not let this have any effect for "no-cors" so it would be
-       somewhat inconsistent if it did here, but might still be better... -->
-
- <li><p>Let <var>policy</var> be the <a>combined value</a> with
- `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` and <var>response</var>'s
- <a for=response>header list</a>.
-
- <li><p>If <var>policy</var> is `<code>same</code>`, then return <b>blocked</b>.
+  <p class="note no-backref">A cross-origin response redirecting to a response that is
+  <a>same origin</a> or <a>same site</a> with the initial request and has a
+  `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` header specified, does not affect
+  anything. I.e., <var>request</var>'s <a for=request>tainted origin flag</a> is not checked.
 
  <li>
-  <p>If <var>policy</var> is `<code>same-site</code>` and neither of the following is true
+  <p>Let <var>policy</var> be the <a>combined value</a> with
+  `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` and <var>response</var>'s
+  <a for=response>header list</a>.
 
-  <ul class=brief>
-   <li><p><var>request</var>'s <a for=request>origin</a>'s <a for=origin>host</a>
-   <a>is a registrable domain suffix of or is equal to</a> <var>request</var>'s
-   <a for=request>current url</a>'s <a for=url>host</a>
+  <p class=note>This means that `<code>Cross-Origin-Resource-Policy: same-site, same</code>` ends up
+  as <b>allowed</b> below as it will never match anything. Two or more
+  `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` headers will have the same effect.
 
-   <li><p><var>request</var>'s <a for=request>current url</a>'s <a for=url>host</a>
-   <a>is a registrable domain suffix of or is equal to</a> <var>request</var>'s
-   <a for=request>origin</a>'s <a for=origin>host</a>
-  </ul>
+ <li><p>If <var>policy</var> is `<code>same</code>`, then return <b>blocked</b>.
 
-  <p>then return <b>blocked</b>
+ <li><p>If <var>request</var>'s <a for=request>origin</a>'s <a for=url>host</a> is <a>same site</a>
+ with <var>request</var>'s <a for=request>current url</a>'s <a for=url>host</a>, then return
+ <b>allowed</b>.
+
+ <li><p>If <var>policy</var> is `<code>same-site</code>`, then return <b>blocked</b>.
 
  <li><p>Return <b>allowed</b>.
 </ol>
@@ -3809,8 +3803,9 @@ Range Requests</cite>. [[HTTP-RANGE]] However, this is not widely supported by b
     </ol>
   </ol>
 
- <li><p>If the <a>cross-origin resource policy check</a> with <var>request</var> and
- <var>response</var> returns <b>blocked</b>, then return a <a>network error</a>.
+ <li><p>If the <i>CORS flag</i> is unset and the <a>cross-origin resource policy check</a> with
+ <var>request</var> and <var>response</var> returns <b>blocked</b>, then return a
+ <a>network error</a>.
 
  <li>
   <p>If <var>response</var>'s <a for=response>status</a> is <code>401</code>, <i>CORS flag</i>