diff --git a/fetch.bs b/fetch.bs index 9468109d0..5d5e094eb 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2517,6 +2517,58 @@ run these steps:
+Cross-Origin-Resource-Policy
` headerThe
+`Cross-Origin-Resource-Policy
`
+response header can be used to require checking a request's
+current url's origin against a request's
+origin when request's mode is
+"no-cors
".
+
+
+Cross-Origin-Resource-Policy = %x73.61.6D.65.2D.6F.72.69.67.69.6E / %x73.61.6D.65.2D.73.69.74.65 ; "same-origin" / "same-site", case-sensitive+ +
To perform a cross-origin resource policy check, given a request and +response, run these steps:
+ +If request's mode is not "no-cors
", then return
+ allowed.
+
+
If request's origin is same origin with + request's current url's origin, then return + allowed. + +
A cross-origin response redirecting to a response that is
+ same origin or same site with the initial request and has a
+ `Cross-Origin-Resource-Policy
` header specified, does not affect
+ anything. I.e., request's tainted origin flag is not checked.
+
+
Let policy be the combined value with
+ `Cross-Origin-Resource-Policy
` and response's
+ header list.
+
+
This means that `Cross-Origin-Resource-Policy: same-site, same-origin
`
+ ends up as allowed below as it will never match anything. Two or more
+ `Cross-Origin-Resource-Policy
` headers will have the same effect.
+
+
If policy is `same-origin
`, then return blocked.
+
+
If request's origin's host is same site + with request's current url's host, then return + allowed. + +
If policy is `same-site
`, then return blocked.
+
+
Return allowed. +
If httpRequest's header list contains
`Range
`, then set response's range-requested flag.
+
If the CORS flag is unset and the cross-origin resource policy check with + request and response returns blocked, then return a + network error. +
If response's status is 401
, CORS flag
is unset, credentials flag is set, and request's window is an
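Review bot: the same-site step ("If request's origin's host is same site with request's current url's host, then return allowed") compares hosts only, so scheme never enters the decision; under `same-site` a response served over https would be readable by a "no-cors" request whose origin is http on a sibling host of the same registrable domain, and vice versa. If that is intended it should be stated next to the step, otherwise consider requiring the origin's scheme to match (or at least be https when the current url's is https) before returning allowed. Secondary point on the "Let policy be the combined value" step: any value that is not exactly `same-origin` or `same-site` (a conflicting pair like the `same-site, same-origin` case in the note, an unknown token, or a second header) falls through to "Return allowed", i.e. a misconfigured header silently grants access; it would help implementers to say explicitly that unrecognized combined values are treated as no policy rather than as blocked, so implementations do not diverge on that edge.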
@@ -6548,6 +6604,7 @@ Jeffrey Yasskin,
Jesse M. Heines,
Jinho Bang,
Jochen Eisinger,
+John Wilander,
Jonas Sicking,
Jonathan Kingston,
Jonathan Watt,