diff --git a/fetch.bs b/fetch.bs index 9468109d0..308efcd32 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2517,6 +2517,71 @@ run these steps:

+

`Cross-Origin-Resource-Policy` header

+ +

The +`Cross-Origin-Resource-Policy` +response header can be used to require checking a request's +current url's origin against a request's +origin when request's mode is +"no-cors". + +

Its value ABNF: + +

+Cross-Origin-Resource-Policy     = %x73.61.6D.65.2D.6F.72.69.67.69.6E / %x73.61.6D.65.2D.73.69.74.65 ; "same-origin" / "same-site", case-sensitive
+ +

To perform a cross-origin resource policy check, given a request and +response, run these steps:

+ +
    +
  1. If request's mode is not "no-cors", then return + allowed. + +

  2. +

    If request's origin is same origin with + request's current url's origin, then return + allowed. + +

    While redirects that carry a + `Cross-Origin-Resource-Policy` header are checked, redirects + without such a header resulting in response do not contribute to this algorithm. I.e., + request's tainted origin flag is not checked. + +

  3. +

    Let policy be the combined value with + `Cross-Origin-Resource-Policy` and response's + header list. + +

    This means that `Cross-Origin-Resource-Policy: same-site, same-origin` + ends up as allowed below as it will never match anything. Two or more + `Cross-Origin-Resource-Policy` headers will have the same effect. + +

  4. If policy is `same-origin`, then return blocked. + +

  5. +

    If the following are true + +

    + +

    then return allowed. + +

    This prevents HTTPS responses with + `Cross-Origin-Resource-Policy: same-site` from being accessed without secure + transport. + +

  6. If policy is `same-site`, then return blocked. + +

  7. Return allowed. +

+ +

Fetching

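Review bot: the condition list under step 5 ("If the following are true") is empty as the hunk renders here, so the "then return allowed" branch and the note that follows it ("This prevents HTTPS responses with `Cross-Origin-Resource-Policy: same-site` from being accessed without secure transport") cannot be checked against any stated condition; the two predicates that gate the same-site exemption (the same-site relationship between request's origin and request's current url's origin, and the secure-transport condition the note alludes to) need to be spelled out as list items before this lands, otherwise step 5 reads as an unconditional return of allowed that short-circuits step 6. Separately, steps 3 through 7 fail open: a header value that matches neither `same-origin` nor `same-site`, including the combined value `same-site, same-origin` or two headers, ends at step 7 as allowed, as the note under step 3 acknowledges. That is a deliberate choice for a new opt-in header, but it deserves a sentence stating that an unrecognized or conflicting value is treated as absent, so that implementers do not reasonably pick fail-closed and diverge.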
@@ -3850,6 +3915,10 @@ Range Requests. [[HTTP-RANGE]] However, this is not widely supported by b
  • If httpRequest's header list contains `Range`, then set response's range-requested flag. +

  • If the CORS flag is unset and the cross-origin resource policy check with + request and response returns blocked, then return a + network error. +

  • If response's status is 401, CORS flag is unset, credentials flag is set, and request's window is an @@ -6548,6 +6617,7 @@ Jeffrey Yasskin, Jesse M. Heines, Jinho Bang, Jochen Eisinger, +John Wilander, Jonas Sicking, Jonathan Kingston, Jonathan Watt,
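Review bot: in the `@@ -3850` hunk the new cross-origin resource policy bullet sits before the existing 401 bullet, so a 401 response that carries `Cross-Origin-Resource-Policy: same-origin` on a cross-origin no-cors request becomes a network error before the authentication branch ever runs. That ordering is probably what is wanted (the resource is off-limits regardless of credentials, and the check would rerun on the re-fetch anyway), but it should be stated explicitly, since the other conditions on the 401 bullet ("CORS flag is unset, credentials flag is set") suggest the two bullets were written against the same class of request. Also worth a line in the spec text: the CORS flag guard on this bullet is redundant with step 1 of the check itself, which already returns allowed when request's mode is not "no-cors"; keeping both is harmless, but a reader will wonder whether they are meant to differ.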