Editorial: assert that request's origin is not "client"

simonwuelker · pmeenan · commit 805b769ba22a · 2025-08-25T10:41:31.000-04:00
It's guaranteed that request's origin cannot be "client" after step 10 of the fetch algorithm, but asserting it makes that clearer.

Also always link to the definition of "Assert".
diff --git a/fetch.bs b/fetch.bs
@@ -465,7 +465,8 @@ and an optional boolean <var>extract-value</var> (default false):
 
  <li><p>Let <var>value</var> be the empty string.
 
- <li><p>Assert: the <a>code point</a> at <var>position</var> within <var>input</var> is U+0022 (").
+ <li><p><a for=/>Assert</a>: the <a>code point</a> at <var>position</var> within <var>input</var> is
+ U+0022 (").
 
  <li><p>Advance <var>position</var> by 1.
 
@@ -501,7 +502,7 @@ and an optional boolean <var>extract-value</var> (default false):
     <p>Otherwise:
 
     <ol>
-     <li><p>Assert: <var>quoteOrBackslash</var> is U+0022 (").
+     <li><p><a for=/>Assert</a>: <var>quoteOrBackslash</var> is U+0022 (").
 
      <li><p><a for=iteration>Break</a>.
     </ol>
@@ -598,8 +599,8 @@ given a <a for=/>header name</a> <var>name</var> and a string <var>type</var> fr
 <a>structured field value</a>.
 
 <ol>
- <li><p>Assert: <var>type</var> is one of "<code>dictionary</code>", "<code>list</code>", or
- "<code>item</code>".
+ <li><p><a for=/>Assert</a>: <var>type</var> is one of "<code>dictionary</code>",
+ "<code>list</code>", or "<code>item</code>".
 
  <li><p>Let <var>value</var> be the result of <a for="header list">getting</a> <var>name</var> from
  <var>list</var>.
@@ -938,7 +939,7 @@ directly. Use <a for="header list">get, decode, and split</a> instead.
      <li><p>Let <var>value</var> be the result of <a for="header list">getting</a> <var>name</var>
      from <var>list</var>.
 
-     <li><p>Assert: <var>value</var> is non-null.
+     <li><p><a for=/>Assert</a>: <var>value</var> is non-null.
 
      <li><p><a for=list>Append</a> (<var>name</var>, <var>value</var>) to <var>headers</var>.
     </ol>
@@ -2238,6 +2239,9 @@ or "<code>object</code>".
 return true:
 
 <ol>
+ <li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>origin</a> is not
+ "<code>client</code>".
+
  <li><p>Let <var>lastURL</var> be null.
 
  <li>
@@ -2263,6 +2267,9 @@ return true:
 run these steps:
 
 <ol>
+ <li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>origin</a> is not
+ "<code>client</code>".
+
  <li><p>If <var>request</var> has a <a for=request>redirect-tainted origin</a>, then return
  "<code>null</code>".
 
@@ -2303,8 +2310,8 @@ is to return the result of <a>serializing a request origin</a> with <var>request
 <var>last</var>, run these steps:
 
 <ol>
- <li><p>Assert: <var>last</var> is not given, or <var>first</var> is less than or equal to
- <var>last</var>.
+ <li><p><a for=/>Assert</a>: <var>last</var> is not given, or <var>first</var> is less than or equal
+ to <var>last</var>.
 
  <li><p>Let <var>rangeValue</var> be `<code>bytes=</code>`.
 
@@ -2334,7 +2341,8 @@ source of security bugs. Please seek security review for features that deal with
 <var>response</var>, run these steps:
 
 <ol>
- <li><p>Assert: <var>response</var>'s <a for=response>URL list</a> <a for=list>is not empty</a>.
+ <li><p><a for=/>Assert</a>: <var>response</var>'s <a for=response>URL list</a>
+ <a for=list>is not empty</a>.
 
  <li>
   <p>Let <var>url</var> be a copy of <var>response</var>'s <a for=response>URL list</a>[0].
@@ -2358,6 +2366,9 @@ source of security bugs. Please seek security review for features that deal with
 <a for=/>request</a> <var>request</var>, run these steps:
 
 <ol>
+ <li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>origin</a> is not
+ "<code>client</code>".
+
  <li><p>If <var>request</var>'s <a for=request>mode</a> is not "<code>no-cors</code>", then return
  true.</p>
 
@@ -2502,7 +2513,7 @@ this is also tracked internally using the request's <a for=request>timing allow
 <var>fetchParams</var>:
 
 <ol>
- <li><p>Assert: <var>fetchParams</var> is <a for="fetch params">canceled</a>.
+ <li><p><a for=/>Assert</a>: <var>fetchParams</var> is <a for="fetch params">canceled</a>.
 
  <li><p>Return an <a>aborted network error</a> if <var>fetchParams</var> is
  <a for="fetch params">aborted</a>; otherwise return a <a>network error</a>.
@@ -2701,7 +2712,7 @@ manually. [[!HTML]]
 <ol>
  <li><p>If <var>potentialDestination</var> is "<code>fetch</code>", then return the empty string.
 
- <li><p>Assert: <var>potentialDestination</var> is a <a for=request>destination</a>.
+ <li><p><a for=/>Assert</a>: <var>potentialDestination</var> is a <a for=request>destination</a>.
 
  <li><p>Return <var>potentialDestination</var>.
 </ol>
@@ -3097,7 +3108,7 @@ or an <a>implementation-defined</a> value.
  <li><p>If <var>topLevelOrigin</var> is null, then set <var>topLevelOrigin</var> to
  <var>environment</var>'s <a for="environment">top-level creation URL</a>'s <a for=url>origin</a>.
 
- <li><p>Assert: <var>topLevelOrigin</var> is an <a for=/>origin</a>.
+ <li><p><a for=/>Assert</a>: <var>topLevelOrigin</var> is an <a for=/>origin</a>.
 
  <li><p>Let <var>topLevelSite</var> be the result of <a lt="obtain a site">obtaining a site</a>,
  given <var>topLevelOrigin</var>.
@@ -3317,6 +3328,9 @@ request <a for=/>header</a> indicates where a
 given a <a for=/>request</a> <var>request</var>, run these steps:
 
 <ol>
+ <li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>origin</a> is not
+ "<code>client</code>".
+
  <li><p>Let <var>serializedOrigin</var> be the result of <a>byte-serializing a request origin</a>
  with <var>request</var>.
 
@@ -5429,7 +5443,8 @@ run these steps:
   <p>If <var>request</var>'s <a for=request>redirect mode</a> is "<code>manual</code>", then:
 
   <ol>
-   <li><p>Assert: <var>request</var>'s <a for=request>mode</a> is "<code>navigate</code>".
+   <li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>mode</a> is
+   "<code>navigate</code>".
 
    <li><p>Set <var>recursive</var> to false.
   </ol>
@@ -6693,6 +6708,9 @@ agent's <a>CORS-preflight cache</a> for which there is a <a>cache entry match</a
 <var>response</var>, run these steps:
 
 <ol>
+ <li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>origin</a> is not
+ "<code>client</code>".
+
  <li><p>If <var>request</var>'s <a for=request>timing allow failed flag</a> is set, then return
  failure.
 
@@ -7093,7 +7111,7 @@ typedef (ReadableStream or XMLHttpRequestBodyInit) BodyInit;</pre>
   <p>If <var>object</var> is a {{ReadableStream}} object, then:
 
   <ol>
-   <li><p>Assert: <var>object</var> is neither <a for=ReadableStream>disturbed</a> nor
+   <li><p><a for=/>Assert</a>: <var>object</var> is neither <a for=ReadableStream>disturbed</a> nor
    <a for=ReadableStream>locked</a>.
   </ol>
 
@@ -7741,7 +7759,7 @@ constructor steps are:
   <p>Otherwise:
 
   <ol>
-   <li><p>Assert: <var>input</var> is a {{Request}} object.
+   <li><p><a for=/>Assert</a>: <var>input</var> is a {{Request}} object.
 
    <li><p>Set <var>request</var> to <var>input</var>'s
    <a for=Request>request</a>.
@@ -8660,7 +8678,7 @@ that RFC's normative processing requirements to be compatible with deployed cont
 <var>dataURL</var> and then runs these steps:
 
 <ol>
- <li><p>Assert: <var>dataURL</var>'s <a for=url>scheme</a> is "<code>data</code>".
+ <li><p><a for=/>Assert</a>: <var>dataURL</var>'s <a for=url>scheme</a> is "<code>data</code>".
 
  <li><p>Let <var>input</var> be the result of running the <a>URL serializer</a> on
  <var>dataURL</var> with <a for="URL serializer"><i>exclude fragment</i></a> set to true.
@@ -9250,6 +9268,7 @@ Shivani Sharma,
 Sigbjørn Finne,
 Simon Pieters,
 Simon Sapin,
+Simon Wülker,
 Srirama Chandra Sekhar Mogali,
 Stephan Paul,
 Steven Salat,
