
Commit

Move the opaque-response-safelist check invocation
(CORB as specified applied to service worker responses, but that seems wrong.)
annevk committed Jun 1, 2022
1 parent 8feb3d6 commit cc2afed
Showing 1 changed file with 12 additions and 14 deletions.
26 changes: 12 additions & 14 deletions fetch.bs
Expand Up @@ -4390,14 +4390,8 @@ steps:

<li><p>Set <var>request</var>'s <a for=request>response tainting</a> to "<code>opaque</code>".

<li><p>Let <var>opaqueResponse</var> be the result of running <a>scheme fetch</a> given
<var>fetchParams</var>.
<li><p>Return the result of running <a>scheme fetch</a> given <var>fetchParams</var>.
<!-- file URLs end up here as they are not same-origin typically. -->

<li><p>If the <a>opaque-response-safelist check</a> given <var>request</var> and
<var>opaqueResponse</var> returns true, then return <var>opaqueResponse</var>.

<li><p>Return a <a>network error</a>.
</ol>

<dt><var>request</var>'s <a for=request>current URL</a>'s <a for=url>scheme</a> is not an
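
Review bot: The step that now returns the result of scheme fetch directly drops the opaque-response-safelist check for everything that reaches this branch (the one that sets response tainting to "opaque"), not only for service worker responses. The retained comment says file URLs end up here, and in this patch the check is re-added only in the steps that follow HTTP-network-or-cache fetch, so responses for such non-HTTP schemes are no longer filtered. If that is intended, state it in the commit message or extend the comment beside the step; if it is not, this path still needs a check.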
Expand Down Expand Up @@ -4971,19 +4965,23 @@ these steps:
<li><p>Set <var>response</var> and <var>actualResponse</var> to the result of running
<a>HTTP-network-or-cache fetch</a> given <var>fetchParams</var>.

<li>
<p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>cors</code>" and a
<a>CORS check</a> for <var>request</var> and <var>response</var> returns failure, then return a
<a>network error</a>.
<li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>opaque</code>",
<var>response</var>'s <a for=response>status</a> is not a <a>redirect status</a>, and the
<a>opaque-response-safelist check</a> given <var>request</var> and <var>response</var> returns
false, then return a <a>network error</a>.

<p class="note no-backref">As the <a>CORS check</a> is not to be applied to
<a for=/>responses</a> whose <a for=response>status</a> is 304 or 407, or <a for=/>responses</a>
from a service worker for that matter, it is applied here.
<li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>cors</code>" and
the <a>CORS check</a> for <var>request</var> and <var>response</var> returns failure, then return
a <a>network error</a>.

<li><p>If the <a>TAO check</a> for <var>request</var> and <var>response</var> returns failure,
then set <var>request</var>'s <a for=request>timing allow failed flag</a>.
</ol>

<p class=note>As the <a>opaque-response-safelist check</a>, <a>CORS check</a>, and
<a>TAO check</a> are not to be applied to <a for=/>responses</a> whose <a for=response>status</a>
is 304 or 407, or to <a for=/>responses</a> from a service worker, they are applied here.

<li>
<p>If either <var>request</var>'s <a for=request>response tainting</a> or <var>response</var>'s
<a for=response>type</a> is "<code>opaque</code>", and the
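
Review bot: The new "opaque" step skips the opaque-response-safelist check when the response's status is a redirect status, but the note added after the closing </ol> explains only the 304, 407 and service worker cases. The removed step in the first hunk had no such exemption, so add a sentence saying why redirect statuses are skipped and where the response reached after the redirect gets checked. The replacement note also drops the no-backref class that the old note carried; confirm that is deliberate.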