Editorial: change how a CORS filtered response filters headers

Rather than just directling taking the exposed headers from the
`Access-Control-Expose-Headers` header, this adds a separate list of
exposed headers to a response, initialized from that header. This makes
foreign fetch integration easier.

PR: #265

Overview.html

@@ -7,7 +7,7 @@
 
 <p><a class="logo" href="https://whatwg.org/"><img alt="WHATWG" height="100" src="https://resources.whatwg.org/logo-fetch.svg" width="100"></a>
 <h1 id="cors">Fetch</h1>
-<h2 class="no-num no-toc" id="living-standard-—-last-updated-25-march-2016">Living Standard — Last Updated 25 March 2016</h2>
+<h2 class="no-num no-toc" id="living-standard-—-last-updated-31-march-2016">Living Standard — Last Updated 31 March 2016</h2>
 
 <dl>
  <dt>Participate:
@@ -451,20 +451,19 @@ <h4 id="terminology-headers"><span class="secno">3.1.2 </span>Headers</h4>
 </ul>
 
 <p>A <dfn id="cors-safelisted-response-header-name">CORS-safelisted response-header name</dfn>, given a
-<a href="#concept-response-header-list" title="concept-response-header-list">header list</a> <var>list</var>, is a
-<a href="#concept-header" title="concept-header">header</a> <a href="#concept-header-name" title="concept-header-name">name</a> that is one of:
+<a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>
+<var>list</var>, is a <a href="#concept-header" title="concept-header">header</a>
+<a href="#concept-header-name" title="concept-header-name">name</a> that is one of:
 
 <ul>
  <li>`<code title="">Cache-Control</code>`
  <li>`<code title="">Content-Language</code>`
  <li>`<code title="">Content-Type</code>`
  <li>`<code title="">Expires</code>`
  <li>`<code title="">Last-Modified</code>`
- <li>`<code title="">Pragma</code>`.
- <li>Any <a href="#concept-header-value" title="concept-header-value">value</a> resulting from
- <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
- `<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>` in
- <var>list</var> that is not a <a href="#forbidden-response-header-name">forbidden response-header name</a>.
+ <li>`<code title="">Pragma</code>`
+ <li>Any <a href="#concept-header-value" title="concept-header-value">value</a> in <var>list</var> that is not a
+ <a href="#forbidden-response-header-name">forbidden response-header name</a>.
 </ul>
 
 <hr>
@@ -1111,6 +1110,18 @@ <h4 id="responses"><span class="secno">3.1.6 </span>Responses</h4>
 for the <a href="#concept-response" title="concept-response">response</a>. The list is empty unless otherwise
 specified. <a href="#refsCSP">[CSP]</a>
 
+<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
+<dfn id="concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</dfn> (a
+list of zero or more <a href="#concept-header" title="concept-header">header</a>
+<a href="#concept-header-name" title="concept-header-name">names</a>). The list is empty unless otherwise specified.
+
+<p class="note no-backref">A <a href="#concept-response" title="concept-response">response</a> will typically get its
+<a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>
+set by <a href="#concept-header-parse" title="concept-header-parse">parsing</a> the
+`<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>` header. This
+list is used by a <a href="#concept-filtered-response-cors" title="concept-filtered-response-cors">CORS filtered response</a> to
+determine which headers to expose.
+
 <hr>
 
 <p>A <a href="#concept-response" title="concept-response">response</a> whose
@@ -1162,7 +1173,7 @@ <h4 id="responses"><span class="secno">3.1.6 </span>Responses</h4>
 <a href="#concept-header-name" title="concept-header-name">name</a> is <em>not</em> a
 <a href="#cors-safelisted-response-header-name">CORS-safelisted response-header name</a>, given
 <a href="#concept-internal-response" title="concept-internal-response">internal response</a>'s
-<a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.
+<a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>.
 
 <p>An <dfn id="concept-filtered-response-opaque" title="concept-filtered-response-opaque">opaque filtered response</dfn> is a
 <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a> whose
@@ -2101,25 +2112,34 @@ <h3 id="main-fetch"><span class="secno">5.1 </span>Main fetch</h3>
  <li><p>If the <i>recursive flag</i> is set, return <var>response</var>.
 
  <li>
-  <p>If <var>response</var> is not a
-  <a href="#concept-network-error" title="concept-network-error">network error</a> and
-  <var>response</var> is not a
-  <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a>, set
-  <var>response</var> to the following
-  <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a> with
-  <var>response</var> as its
-  <a href="#concept-internal-response" title="concept-internal-response">internal response</a>, depending on
-  <var>request</var>'s
-  <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a>:
-
-  <dl class="switch compact">
-   <dt>"<code title="">basic</code>"
-   <dd><a href="#concept-filtered-response-basic" title="concept-filtered-response-basic">basic filtered response</a>
-   <dt>"<code title="">cors</code>"
-   <dd><a href="#concept-filtered-response-cors" title="concept-filtered-response-cors">CORS filtered response</a>
-   <dt>"<code title="">opaque</code>"
-   <dd><a href="#concept-filtered-response-opaque" title="concept-filtered-response-opaque">opaque filtered response</a>
-  </dl>
+  <p>If <var>response</var> is not a <a href="#concept-network-error" title="concept-network-error">network error</a> and
+  <var>response</var> is not a <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a>, then
+  run these substeps:
+
+  <ol>
+   <li><p>If <var>request</var>'s
+   <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a> is
+   "<code title="">cors</code>", then set <var>response</var>'s
+   <a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>
+   to the result of <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
+   `<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>` in
+   <var>response</var>'s <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.
+
+   <li>
+    <p>Set <var>response</var> to the following
+    <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a> with <var>response</var> as its
+    <a href="#concept-internal-response" title="concept-internal-response">internal response</a>, depending on
+    <var>request</var>'s <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a>:
+
+    <dl class="switch compact">
+     <dt>"<code title="">basic</code>"
+     <dd><a href="#concept-filtered-response-basic" title="concept-filtered-response-basic">basic filtered response</a>
+     <dt>"<code title="">cors</code>"
+     <dd><a href="#concept-filtered-response-cors" title="concept-filtered-response-cors">CORS filtered response</a>
+     <dt>"<code title="">opaque</code>"
+     <dd><a href="#concept-filtered-response-opaque" title="concept-filtered-response-opaque">opaque filtered response</a>
+    </dl>
+  </ol>
 
  <li><p>Let <var>internalResponse</var> be <var>response</var>, if <var>response</var> is a
  <a href="#concept-network-error" title="concept-network-error">network error</a>, and <var>response</var>'s
@@ -5205,6 +5225,7 @@ <h2 class="no-num" id="acknowledgments">Acknowledgments</h2>
 Manish Goregaokar,
 Marc Silbey,
 Marcos Caceres,
+Marijn Kruisselbrink,
 Mark Nottingham,
 Mark S. Miller,
 Martin Dürst,

Overview.src.html

@@ -382,20 +382,19 @@ <h4 id=terminology-headers>Headers</h4>
 </ul>
 
 <p>A <dfn>CORS-safelisted response-header name</dfn>, given a
-<span title=concept-response-header-list>header list</span> <var>list</var>, is a
-<span title=concept-header>header</span> <span title=concept-header-name>name</span> that is one of:
+<span title=concept-response-cors-exposed-header-name-list>CORS-exposed header-name list</span>
+<var>list</var>, is a <span title=concept-header>header</span>
+<span title=concept-header-name>name</span> that is one of:
 
 <ul>
  <li>`<code title>Cache-Control</code>`
  <li>`<code title>Content-Language</code>`
  <li>`<code title>Content-Type</code>`
  <li>`<code title>Expires</code>`
  <li>`<code title>Last-Modified</code>`
- <li>`<code title>Pragma</code>`.
- <li>Any <span title=concept-header-value>value</span> resulting from
- <span title=concept-header-parse>parsing</span>
- `<code title=http-access-control-expose-headers>Access-Control-Expose-Headers</code>` in
- <var>list</var> that is not a <span>forbidden response-header name</span>.
+ <li>`<code title>Pragma</code>`
+ <li>Any <span title=concept-header-value>value</span> in <var>list</var> that is not a
+ <span>forbidden response-header name</span>.
 </ul>
 
 <hr>
@@ -1042,6 +1041,18 @@ <h4>Responses</h4>
 for the <span title=concept-response>response</span>. The list is empty unless otherwise
 specified. <span data-anolis-ref>CSP</span>
 
+<p>A <span title=concept-response>response</span> has an associated
+<dfn title=concept-response-cors-exposed-header-name-list>CORS-exposed header-name list</dfn> (a
+list of zero or more <span title=concept-header>header</span>
+<span title=concept-header-name>names</span>). The list is empty unless otherwise specified.
+
+<p class="note no-backref">A <span title=concept-response>response</span> will typically get its
+<span title=concept-response-cors-exposed-header-name-list>CORS-exposed header-name list</span>
+set by <span title=concept-header-parse>parsing</span> the
+`<code title=http-access-control-expose-headers>Access-Control-Expose-Headers</code>` header. This
+list is used by a <span title=concept-filtered-response-cors>CORS filtered response</span> to
+determine which headers to expose.
+
 <hr>
 
 <p>A <span title=concept-response>response</span> whose
@@ -1093,7 +1104,7 @@ <h4>Responses</h4>
 <span title=concept-header-name>name</span> is <em>not</em> a
 <span>CORS-safelisted response-header name</span>, given
 <span title=concept-internal-response>internal response</span>'s
-<span title=concept-response-header-list>header list</span>.
+<span title=concept-response-cors-exposed-header-name-list>CORS-exposed header-name list</span>.
 
 <p>An <dfn title=concept-filtered-response-opaque>opaque filtered response</dfn> is a
 <span title=concept-filtered-response>filtered response</span> whose
@@ -2032,25 +2043,34 @@ <h3>Main fetch</h3>
  <li><p>If the <i>recursive flag</i> is set, return <var>response</var>.
 
  <li>
-  <p>If <var>response</var> is not a
-  <span title=concept-network-error>network error</span> and
-  <var>response</var> is not a
-  <span title=concept-filtered-response>filtered response</span>, set
-  <var>response</var> to the following
-  <span title=concept-filtered-response>filtered response</span> with
-  <var>response</var> as its
-  <span title=concept-internal-response>internal response</span>, depending on
-  <var>request</var>'s
-  <span title=concept-request-response-tainting>response tainting</span>:
-
-  <dl class="switch compact">
-   <dt>"<code title>basic</code>"
-   <dd><span title=concept-filtered-response-basic>basic filtered response</span>
-   <dt>"<code title>cors</code>"
-   <dd><span title=concept-filtered-response-cors>CORS filtered response</span>
-   <dt>"<code title>opaque</code>"
-   <dd><span title=concept-filtered-response-opaque>opaque filtered response</span>
-  </dl>
+  <p>If <var>response</var> is not a <span title=concept-network-error>network error</span> and
+  <var>response</var> is not a <span title=concept-filtered-response>filtered response</span>, then
+  run these substeps:
+
+  <ol>
+   <li><p>If <var>request</var>'s
+   <span title=concept-request-response-tainting>response tainting</span> is
+   "<code title>cors</code>", then set <var>response</var>'s
+   <span title=concept-response-cors-exposed-header-name-list>CORS-exposed header-name list</span>
+   to the result of <span title=concept-header-parse>parsing</span>
+   `<code title=http-access-control-expose-headers>Access-Control-Expose-Headers</code>` in
+   <var>response</var>'s <span title=concept-response-header-list>header list</span>.
+
+   <li>
+    <p>Set <var>response</var> to the following
+    <span title=concept-filtered-response>filtered response</span> with <var>response</var> as its
+    <span title=concept-internal-response>internal response</span>, depending on
+    <var>request</var>'s <span title=concept-request-response-tainting>response tainting</span>:
+
+    <dl class="switch compact">
+     <dt>"<code title>basic</code>"
+     <dd><span title=concept-filtered-response-basic>basic filtered response</span>
+     <dt>"<code title>cors</code>"
+     <dd><span title=concept-filtered-response-cors>CORS filtered response</span>
+     <dt>"<code title>opaque</code>"
+     <dd><span title=concept-filtered-response-opaque>opaque filtered response</span>
+    </dl>
+  </ol>
 
  <li><p>Let <var>internalResponse</var> be <var>response</var>, if <var>response</var> is a
  <span title=concept-network-error>network error</span>, and <var>response</var>'s
@@ -5047,6 +5067,7 @@ <h2 class=no-num>Acknowledgments</h2>
 Manish Goregaokar,
 Marc Silbey,
 Marcos Caceres,
+Marijn Kruisselbrink,
 Mark Nottingham,
 Mark S. Miller,
 Martin D&uuml;rst,