From 32411c753f46a10fd20d2ad3610244e7fdf44d4a Mon Sep 17 00:00:00 2001 From: Marijn Kruisselbrink Date: Mon, 28 Mar 2016 16:10:15 -0700 Subject: [PATCH] Editorial: change how a CORS filtered response filters headers Rather than just directly taking the exposed headers from the `Access-Control-Expose-Headers` header, this adds a separate list of exposed headers to a response, initialized from that header. This makes foreign fetch integration easier. PR: https://github.com/whatwg/fetch/pull/265 --- Overview.html | 77 ++++++++++++++++++++++++++++++----------------- Overview.src.html | 75 ++++++++++++++++++++++++++++----------------- 2 files changed, 97 insertions(+), 55 deletions(-) diff --git a/Overview.html b/Overview.html index e040ffccc..067463a6f 100644 --- a/Overview.html +++ b/Overview.html @@ -7,7 +7,7 @@

Fetch

-

Living Standard — Last Updated 25 March 2016

+

Living Standard — Last Updated 31 March 2016

Participate: @@ -451,8 +451,9 @@

3.1.2 Headers

A CORS-safelisted response-header name, given a -header list list, is a -header name that is one of: +CORS-exposed header-name list +list, is a header +name that is one of:


@@ -1111,6 +1110,18 @@

3.1.6 Responses

for the response. The list is empty unless otherwise specified. [CSP] +

A response has an associated +CORS-exposed header-name list (a +list of zero or more header +names). The list is empty unless otherwise specified. + +

A response will typically get its +CORS-exposed header-name list +set by parsing the +`Access-Control-Expose-Headers` header. This +list is used by a CORS filtered response to +determine which headers to expose. +


A response whose @@ -1162,7 +1173,7 @@

3.1.6 Responses

name is not a CORS-safelisted response-header name, given internal response's -header list. +CORS-exposed header-name list.

An opaque filtered response is a filtered response whose @@ -2101,25 +2112,34 @@

5.1 Main fetch

  • If the recursive flag is set, return response.

  • -

    If response is not a - network error and - response is not a - filtered response, set - response to the following - filtered response with - response as its - internal response, depending on - request's - response tainting: - -

    -
    "basic" -
    basic filtered response -
    "cors" -
    CORS filtered response -
    "opaque" -
    opaque filtered response -
    +

    If response is not a network error and + response is not a filtered response, then + run these substeps: + +

      +
    1. If request's + response tainting is + "cors", then set response's + CORS-exposed header-name list + to the result of parsing + `Access-Control-Expose-Headers` in + response's header list. + +

    2. +

      Set response to the following + filtered response with response as its + internal response, depending on + request's response tainting: + +

      +
      "basic" +
      basic filtered response +
      "cors" +
      CORS filtered response +
      "opaque" +
      opaque filtered response +
      +
  • Let internalResponse be response, if response is a network error, and response's @@ -5205,6 +5225,7 @@

    Acknowledgments

    Manish Goregaokar, Marc Silbey, Marcos Caceres, +Marijn Kruisselbrink, Mark Nottingham, Mark S. Miller, Martin Dürst, diff --git a/Overview.src.html b/Overview.src.html index 0119a0ca1..670fe7f18 100644 --- a/Overview.src.html +++ b/Overview.src.html @@ -382,8 +382,9 @@

    Headers

    A CORS-safelisted response-header name, given a -header list list, is a -header name that is one of: +CORS-exposed header-name list +list, is a header +name that is one of:

    • `Cache-Control` @@ -391,11 +392,9 @@

      Headers

    • `Content-Type`
    • `Expires`
    • `Last-Modified` -
    • `Pragma`. -
    • Any value resulting from - parsing - `Access-Control-Expose-Headers` in - list that is not a forbidden response-header name. +
    • `Pragma` +
    • Any value in list that is not a + forbidden response-header name.

    @@ -1042,6 +1041,18 @@

    Responses

    for the response. The list is empty unless otherwise specified. CSP +

    A response has an associated +CORS-exposed header-name list (a +list of zero or more header +names). The list is empty unless otherwise specified. + +

    A response will typically get its +CORS-exposed header-name list +set by parsing the +`Access-Control-Expose-Headers` header. This +list is used by a CORS filtered response to +determine which headers to expose. +


    A response whose @@ -1093,7 +1104,7 @@

    Responses

    name is not a CORS-safelisted response-header name, given internal response's -header list. +CORS-exposed header-name list.

    An opaque filtered response is a filtered response whose @@ -2032,25 +2043,34 @@

    Main fetch

  • If the recursive flag is set, return response.

  • -

    If response is not a - network error and - response is not a - filtered response, set - response to the following - filtered response with - response as its - internal response, depending on - request's - response tainting: - -

    -
    "basic" -
    basic filtered response -
    "cors" -
    CORS filtered response -
    "opaque" -
    opaque filtered response -
    +

    If response is not a network error and + response is not a filtered response, then + run these substeps: + +

      +
    1. If request's + response tainting is + "cors", then set response's + CORS-exposed header-name list + to the result of parsing + `Access-Control-Expose-Headers` in + response's header list. + +

    2. +

      Set response to the following + filtered response with response as its + internal response, depending on + request's response tainting: + +

      +
      "basic" +
      basic filtered response +
      "cors" +
      CORS filtered response +
      "opaque" +
      opaque filtered response +
      +
  • Let internalResponse be response, if response is a network error, and response's @@ -5047,6 +5067,7 @@

    Acknowledgments

    Manish Goregaokar, Marc Silbey, Marcos Caceres, +Marijn Kruisselbrink, Mark Nottingham, Mark S. Miller, Martin Dürst,
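Review bot: In the Main fetch hunk of Overview.src.html (@@ -2032,25 +2043,34 @@, mirrored in Overview.html @@ -2101,25 +2112,34 @@), substep 1 sets the response's CORS-exposed header-name list "to the result of parsing `Access-Control-Expose-Headers` in response's header list" without saying what happens when that header is absent or parsing fails. The new field is defined as "a list of zero or more header names", so the step should state the fallback explicitly (for example, leave the list empty if parsing does not yield a list); otherwise the CORS filtered response built in substep 2, which consults "internal response's CORS-exposed header-name list", is defined over a value that is not a list. Consider also stating that substep 1 runs only for the "cors" tainting case because basic and opaque filtered responses never expose non-safelisted names, so a reader does not take the omission for the other two cases as an oversight.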
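Review bot: In the Responses hunk of Overview.src.html (@@ -1042,6 +1041,18 @@, mirrored in Overview.html @@ -1111,6 +1110,18 @@), the added paragraph "A response will typically get its CORS-exposed header-name list set by parsing the `Access-Control-Expose-Headers` header" is non-normative and does not say where that happens. Since the filtered-response definition now reads the list rather than the header, it would help to cross-reference the main fetch step that populates it and to state plainly that a CORS filtered response exposes only names present in this list, whatever `Access-Control-Expose-Headers` on the internal response says; that is the property the commit message relies on for integrations that set the list directly.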
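Review bot: In the Headers hunk of Overview.src.html (@@ -391,11 +392,9 @@), the last bullet "Any value in list that is not a forbidden response-header name" leans on the variable introduced in the preceding hunk as "given a CORS-exposed header-name list list", where "list" is both the final word of the term and the variable name. Renaming the variable to something distinct (for example "exposedNames") would keep the two readable apart; the forbidden response-header name check itself is correctly preserved from the old bullet and should stay, as it is the only thing preventing a listed forbidden name from becoming safelisted.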