Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify that request.origin cannot be "client" at certain points #1776

Merged
merged 3 commits into from
Oct 1, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 34 additions & 15 deletions fetch.bs
Original file line number Diff line number Diff line change
Expand Up @@ -458,7 +458,8 @@ and an optional boolean <var>extract-value</var> (default false):

<li><p>Let <var>value</var> be the empty string.

<li><p>Assert: the <a>code point</a> at <var>position</var> within <var>input</var> is U+0022 (").
<li><p><a for=/>Assert</a>: the <a>code point</a> at <var>position</var> within <var>input</var> is
U+0022 (").

<li><p>Advance <var>position</var> by 1.

Expand Down Expand Up @@ -494,7 +495,7 @@ and an optional boolean <var>extract-value</var> (default false):
<p>Otherwise:

<ol>
<li><p>Assert: <var>quoteOrBackslash</var> is U+0022 (").
<li><p><a for=/>Assert</a>: <var>quoteOrBackslash</var> is U+0022 (").

<li><p><a for=iteration>Break</a>.
</ol>
Expand Down Expand Up @@ -591,8 +592,8 @@ given a <a for=/>header name</a> <var>name</var> and a string <var>type</var> fr
<a>structured field value</a>.

<ol>
<li><p>Assert: <var>type</var> is one of "<code>dictionary</code>", "<code>list</code>", or
"<code>item</code>".
<li><p><a for=/>Assert</a>: <var>type</var> is one of "<code>dictionary</code>",
"<code>list</code>", or "<code>item</code>".

<li><p>Let <var>value</var> be the result of <a for="header list">getting</a> <var>name</var> from
<var>list</var>.
Expand Down Expand Up @@ -931,7 +932,7 @@ directly. Use <a for="header list">get, decode, and split</a> instead.
<li><p>Let <var>value</var> be the result of <a for="header list">getting</a> <var>name</var>
from <var>list</var>.

<li><p>Assert: <var>value</var> is non-null.
<li><p><a for=/>Assert</a>: <var>value</var> is non-null.

<li><p><a for=list>Append</a> (<var>name</var>, <var>value</var>) to <var>headers</var>.
</ol>
Expand Down Expand Up @@ -2230,6 +2231,9 @@ or "<code>object</code>".
return true:

<ol>
<li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>origin</a> is not
"<code>client</code>".

<li><p>Let <var>lastURL</var> be null.

<li>
Expand All @@ -2255,6 +2259,9 @@ return true:
run these steps:

<ol>
<li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>origin</a> is not
"<code>client</code>".

<li><p>If <var>request</var> has a <a for=request>redirect-tainted origin</a>, then return
"<code>null</code>".

Expand Down Expand Up @@ -2295,8 +2302,8 @@ is to return the result of <a>serializing a request origin</a> with <var>request
<var>last</var>, run these steps:

<ol>
<li><p>Assert: <var>last</var> is not given, or <var>first</var> is less than or equal to
<var>last</var>.
<li><p><a for=/>Assert</a>: <var>last</var> is not given, or <var>first</var> is less than or equal
to <var>last</var>.

<li><p>Let <var>rangeValue</var> be `<code>bytes=</code>`.

Expand Down Expand Up @@ -2326,7 +2333,8 @@ source of security bugs. Please seek security review for features that deal with
<var>response</var>, run these steps:

<ol>
<li><p>Assert: <var>response</var>'s <a for=response>URL list</a> <a for=list>is not empty</a>.
<li><p><a for=/>Assert</a>: <var>response</var>'s <a for=response>URL list</a>
<a for=list>is not empty</a>.

<li>
<p>Let <var>url</var> be a copy of <var>response</var>'s <a for=response>URL list</a>[0].
Expand All @@ -2350,6 +2358,9 @@ source of security bugs. Please seek security review for features that deal with
<a for=/>request</a> <var>request</var>, run these steps:

<ol>
<li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>origin</a> is not
"<code>client</code>".

<li><p>If <var>request</var>'s <a for=request>mode</a> is not "<code>no-cors</code>", then return
true.</p>

Expand Down Expand Up @@ -2494,7 +2505,7 @@ this is also tracked internally using the request's <a for=request>timing allow
<var>fetchParams</var>:

<ol>
<li><p>Assert: <var>fetchParams</var> is <a for="fetch params">canceled</a>.
<li><p><a for=/>Assert</a>: <var>fetchParams</var> is <a for="fetch params">canceled</a>.

<li><p>Return an <a>aborted network error</a> if <var>fetchParams</var> is
<a for="fetch params">aborted</a>; otherwise return a <a>network error</a>.
Expand Down Expand Up @@ -2693,7 +2704,7 @@ manually. [[!HTML]]
<ol>
<li><p>If <var>potentialDestination</var> is "<code>fetch</code>", then return the empty string.

<li><p>Assert: <var>potentialDestination</var> is a <a for=request>destination</a>.
<li><p><a for=/>Assert</a>: <var>potentialDestination</var> is a <a for=request>destination</a>.

<li><p>Return <var>potentialDestination</var>.
</ol>
Expand Down Expand Up @@ -3089,7 +3100,7 @@ or an <a>implementation-defined</a> value.
<li><p>If <var>topLevelOrigin</var> is null, then set <var>topLevelOrigin</var> to
<var>environment</var>'s <a for="environment">top-level creation URL</a>'s <a for=url>origin</a>.

<li><p>Assert: <var>topLevelOrigin</var> is an <a for=/>origin</a>.
<li><p><a for=/>Assert</a>: <var>topLevelOrigin</var> is an <a for=/>origin</a>.

<li><p>Let <var>topLevelSite</var> be the result of <a lt="obtain a site">obtaining a site</a>,
given <var>topLevelOrigin</var>.
Expand Down Expand Up @@ -3309,6 +3320,9 @@ request <a for=/>header</a> indicates where a
given a <a for=/>request</a> <var>request</var>, run these steps:

<ol>
<li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>origin</a> is not
"<code>client</code>".

<li><p>Let <var>serializedOrigin</var> be the result of <a>byte-serializing a request origin</a>
with <var>request</var>.

Expand Down Expand Up @@ -5421,7 +5435,8 @@ run these steps:
<p>If <var>request</var>'s <a for=request>redirect mode</a> is "<code>manual</code>", then:

<ol>
<li><p>Assert: <var>request</var>'s <a for=request>mode</a> is "<code>navigate</code>".
<li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>mode</a> is
"<code>navigate</code>".

<li><p>Set <var>recursive</var> to false.
</ol>
Expand Down Expand Up @@ -6632,6 +6647,9 @@ agent's <a>CORS-preflight cache</a> for which there is a <a>cache entry match</a
<var>response</var>, run these steps:

<ol>
<li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>origin</a> is not
"<code>client</code>".

<li><p>If <var>request</var>'s <a for=request>timing allow failed flag</a> is set, then return
failure.

Expand Down Expand Up @@ -7032,7 +7050,7 @@ typedef (ReadableStream or XMLHttpRequestBodyInit) BodyInit;</pre>
<p>If <var>object</var> is a {{ReadableStream}} object, then:

<ol>
<li><p>Assert: <var>object</var> is neither <a for=ReadableStream>disturbed</a> nor
<li><p><a for=/>Assert</a>: <var>object</var> is neither <a for=ReadableStream>disturbed</a> nor
<a for=ReadableStream>locked</a>.
</ol>

Expand Down Expand Up @@ -7680,7 +7698,7 @@ constructor steps are:
<p>Otherwise:

<ol>
<li><p>Assert: <var>input</var> is a {{Request}} object.
<li><p><a for=/>Assert</a>: <var>input</var> is a {{Request}} object.

<li><p>Set <var>request</var> to <var>input</var>'s
<a for=Request>request</a>.
Expand Down Expand Up @@ -8599,7 +8617,7 @@ that RFC's normative processing requirements to be compatible with deployed cont
<var>dataURL</var> and then runs these steps:

<ol>
<li><p>Assert: <var>dataURL</var>'s <a for=url>scheme</a> is "<code>data</code>".
<li><p><a for=/>Assert</a>: <var>dataURL</var>'s <a for=url>scheme</a> is "<code>data</code>".

<li><p>Let <var>input</var> be the result of running the <a>URL serializer</a> on
<var>dataURL</var> with <a for="URL serializer"><i>exclude fragment</i></a> set to true.
Expand Down Expand Up @@ -9189,6 +9207,7 @@ Shivani Sharma,
Sigbjørn Finne,
Simon Pieters,
Simon Sapin,
Simon Wülker,
Srirama Chandra Sekhar Mogali,
Stephan Paul,
Steven Salat,
Expand Down