From e63e41a87403c9a986bf5a3644043a76018da07e Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Fri, 29 Jan 2021 10:18:38 +0100 Subject: [PATCH] Remove location URL as field on responses It does not need to be stored on a response and therefore resulted in confusion. Also clarify that synthetic responses need to have an absolute URL in the Location header field value (Response.redirect() does this automatically). Corresponding HTML PR: TODO. Tests: TODO. Closes #631, closes #633, closes #958, and closes #1146. (Some of these can be closed due to #1030 making response's URL no longer null for network responses.) --- fetch.bs | 88 +++++++++++++++++++++++++++++--------------------------- 1 file changed, 46 insertions(+), 42 deletions(-) diff --git a/fetch.bs b/fetch.bs index 6dd4e13bf..d9b92ff56 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1879,16 +1879,6 @@ allowed on the resource fetched by looking at the flag of the response returned. the response of a redirect has to be set if it was set for previous responses in the redirect chain, this is also tracked internally using the request's timing allow failed flag. -

A response can have an associated -location URL (null, failure, or a -URL). Unless specified otherwise, response has no -location URL. - -

This concept is used for redirect handling in Fetch and in HTML's -navigate algorithm. It ensures `Location` has -its value extracted consistently and only once. -[[!HTML]] -


A response whose @@ -2006,6 +1996,36 @@ is a filtered response whose

A stale response is a response that is not a fresh response or a stale-while-revalidate response. +


+ +

The location URL algorithm of +given a response response is the following steps. They return null, failure, +or a URL. + +

    +
  1. If response's status is not a redirect status, then + return null. + +

  2. Let location be the result of extracting header list values given + `Location` and response's header list. + + +

  3. +

    If location is a value, then set location to the result + of parsing location with response's + URL. + +

    If response was constructed through the {{Response}} constructor, + response's URL will be null, meaning that location will + only parse successfully if it is an absolute-URL-with-fragment string. + +

  4. Return location. +

+ +

The location URL algorithm is exclusively used for redirect +handling in this standard and in HTML's navigate algorithm which handles redirects +manually. [[!HTML]] +

Miscellaneous
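
Review bot: The opening sentence of the new definition, "The location URL algorithm of given a response response is the following steps", does not parse. Something like "The location URL of a response response is the value returned by the following steps" would read correctly and would match how the later hunks refer to it ("actualResponse's location URL"). Separately, the note removed with the field said the design ensured `Location` "has its value extracted consistently and only once". As an algorithm, that property now depends on each caller running the steps once and keeping the result. The closing note should state this for HTML's navigate algorithm, the way the redirect steps later in this patch hold the result in locationURL.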

@@ -3953,16 +3973,6 @@ optional CORS-preflight flag, run these steps:

303 is excluded as certain communities ascribe special status to it. -

  • Let location be the result of extracting header list values given - `Location` and actualResponse's header list. - -

  • If location is a value, then set location to the - result of parsing location with actualResponse's - URL. - -

  • Set actualResponse's - location URL to location. -

  • Switch on request's redirect mode: @@ -4003,18 +4013,14 @@ optional CORS-preflight flag, run these steps: filtered response, and response's internal response otherwise. -

  • If actualResponse's location URL - is null, then return response. +

  • Let locationURL be actualResponse's location URL. -

  • If actualResponse's location URL - is failure, then return a network error. - +

  • If locationURL is null, then return response. -

  • If actualResponse's - location URL's - scheme is not an - HTTP(S) scheme, then return a - network error. +

  • If locationURL is failure, then return a network error. + +

  • If locationURL's scheme is not an HTTP(S) scheme, then + return a network error.

  • If request's redirect count is twenty, return a network error. @@ -4023,15 +4029,13 @@ optional CORS-preflight flag, run these steps: redirect count by one.

  • If request's mode is "cors", - actualResponse's location URL - includes credentials, and request's - origin is not same origin with actualResponse's - location URL's origin, then return a network error. + locationURL includes credentials, and request's + origin is not same origin with locationURL's + origin, then return a network error.

  • If request's response tainting is "cors" and - actualResponse's location URL - includes credentials, then return a network error. + locationURL includes credentials, then return a network error.

    This catches a cross-origin resource redirecting to a same-origin URL. @@ -4039,11 +4043,11 @@ optional CORS-preflight flag, run these steps: body is non-null, and request's body's source is null, then return a network error. -

  • If actualResponse's location URL's origin is - not same origin with request's current URL's - origin and request's origin is not same origin - with request's current URL's origin, then set - request's tainted origin flag. +

  • If locationURL's origin is not same origin with + request's current URL's origin and + request's origin is not same origin with request's + current URL's origin, then set request's + tainted origin flag.

  • If one of the following is true @@ -4074,7 +4078,7 @@ optional CORS-preflight flag, run these steps:

    request's body's source's nullity has already been checked. -

  • Append actualResponse's location URL to request's +

  • Append locationURL to request's URL list.

  • Invoke set request's referrer policy on redirect on request and
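
Review bot: In the hunk at @@ -4003,18 +4013,14 @@, the step "If locationURL is failure, then return a network error" now also decides the outcome for a response built through the Response constructor whose `Location` value is not an absolute URL, per the note added under step 3 of the new algorithm. The commit message still lists "Tests: TODO". A test that a constructed redirect response with a relative `Location` produces a network error, and one that an absolute value is followed, should land with this change so the clarified behaviour is pinned down.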