@@ -1789,10 +1789,6 @@ Unless stated otherwise, it is false.
17891789
17901790<hr>
17911791
1792- <p> A <a for=/>request</a> has an associated
1793- <dfn for=request id=concept-request-tainted-origin>tainted origin flag</dfn> . Unless stated
1794- otherwise, it is unset.
1795-
17961792<p> A <a for=/>request</a> has an associated
17971793<dfn export for=request id=concept-request-url-list>URL list</dfn> (a <a for=/>list</a> of one or
17981794more <a for=/>URLs</a> ). Unless stated otherwise, it is a list containing a copy of
@@ -1822,11 +1818,10 @@ Unless stated otherwise, it is unset.
18221818<dfn export for=request id=timing-allow-failed>timing allow failed flag</dfn> . Unless stated
18231819otherwise, it is unset.
18241820
1825- <p class="note no-backref"> A <a for=/>request</a> 's <a for=request>tainted origin flag</a> ,
1826- <a for=request>URL list</a> , <a for=request>current URL</a> , <a for=request>redirect count</a> ,
1827- <a for=request>response tainting</a> , <a for=request>done flag</a> , and
1828- <a for=request>timing allow failed flag</a> are used as bookkeeping details by the
1829- <a for=/>fetch</a> algorithm.
1821+ <p class=note> A <a for=/>request</a> 's <a for=request>URL list</a> , <a for=request>current URL</a> ,
1822+ <a for=request>redirect count</a> , <a for=request>response tainting</a> ,
1823+ <a for=request>done flag</a> , and <a for=request>timing allow failed flag</a> are used as
1824+ bookkeeping details by the <a for=/>fetch</a> algorithm.
18301825
18311826<hr>
18321827
@@ -1851,11 +1846,35 @@ or "<code>object</code>".
18511846
18521847<hr>
18531848
1849+ <p> A <a for=/>request</a> <var> request</var> has a
1850+ <dfn for=request id=concept-request-tainted-origin>redirect-tainted origin</dfn> if these steps
1851+ return true:
1852+
1853+ <ol>
1854+ <li><p> Let <var> lastURL</var> be null.
1855+
1856+ <li>
1857+ <p> <a for=list>For each</a> <var> url</var> in <var> request</var> 's <a for=request>URL list</a> :
1858+
1859+ <ol>
1860+ <li><p> If <var> lastURL</var> is null, then set <var> lastURL</var> to <var> url</var> and
1861+ <a for=iteration>continue</a> .
1862+
1863+ <li><p> If <var> url</var> 's <a for=url>origin</a> is not <a>same origin</a> with
1864+ <var> lastURL</var> 's <a for=url>origin</a> and <var>request</var>' s <a for=request>origin</a> is
1865+ not <a>same origin</a> with <var> lastURL</var> 's <a for=url>origin</a> , then return true.
1866+
1867+ <li> Set <var> lastURL</var> to <var> url</var> .
1868+ </ol>
1869+
1870+ <li> Return false.
1871+ </ol>
1872+
18541873<p> <dfn>Serializing a request origin</dfn> , given a <a for=/>request</a> <var> request</var> , is to
18551874run these steps:
18561875
18571876<ol>
1858- <li><p> If <var> request</var> 's <a for=request>tainted origin flag </a> is set , then return
1877+ <li><p> If <var> request</var> has a <a for=request>redirect- tainted origin</a> , then return
18591878 "<code> null</code> ".
18601879
18611880 <li><p> Return <var> request</var> 's <a for=request>origin</a> ,
@@ -1952,8 +1971,8 @@ source of security bugs. Please seek security review for features that deal with
19521971 "<a for="embedder policy value"><code>credentialless</code></a> ", then return true.</p>
19531972
19541973 <li><p> If <var> request</var> 's <a for=request>origin</a> is <a>same origin</a> with
1955- <var> request</var> 's <a for=request>current URL</a>' s <a for=url>origin</a> and
1956- <var> request </var> 's <a for=request>tainted origin flag </a> is not set , then return true.</p>
1974+ <var> request</var> 's <a for=request>current URL</a>' s <a for=url>origin</a> and <var> request </var>
1975+ does not have a <a for=request>redirect- tainted origin</a> , then return true.</p>
19571976
19581977 <li><p> Return false.</p>
19591978</ol>
@@ -4623,12 +4642,6 @@ run these steps:
46234642 <a for=request>body</a> is non-null, and <var> request</var> 's <a for=request>body</a>' s
46244643 <a for=body>source</a> is null, then return a <a>network error</a> .
46254644
4626- <li><p> If <var> locationURL</var> 's <a for=url>origin</a> is not <a>same origin</a> with
4627- <var> request</var> 's <a for=request>current URL</a>' s <a for=url>origin</a> and
4628- <var> request</var> 's <a for=request>origin</a> is not <a>same origin</a> with <var>request</var>' s
4629- <a for=request>current URL</a> 's <a for=url>origin</a>, then set <var>request</var>' s
4630- <a for=request>tainted origin flag</a> .
4631-
46324645 <li>
46334646 <p> If one of the following is true
46344647
@@ -5636,15 +5649,14 @@ number of these <a lt="CORS-preflight fetch">fetches</a>.
56365649 <li>
56375650 <p> Let <var> preflight</var> be a new <a for=/>request</a> whose
56385651 <a for=request>method</a> is `<code> OPTIONS</code> `,
5639- <a for=request>URL</a> is <var> request</var> 's <a for=request>current URL</a> ,
5652+ <a for=request>URL list</a> is a <a for=list>clone</a> of <var> request</var> 's
5653+ <a for=request>URL list</a> ,
56405654 <a for=request>initiator</a> is <var> request</var> 's <a for=request>initiator</a> ,
56415655 <a for=request>destination</a> is <var> request</var> 's <a for=request>destination</a> ,
56425656 <a for=request>origin</a> is <var> request</var> 's <a for=request>origin</a> ,
56435657 <a for=request>referrer</a> is <var> request</var> 's <a for=request>referrer</a> ,
56445658 <a for=request>referrer policy</a> is <var> request</var> 's <a for=request>referrer policy</a> ,
5645- <a for=request>mode</a> is "<code> cors</code> ",
5646- <a for=request>tainted origin flag</a> is <var> request</var> 's
5647- <a for=request>tainted origin flag</a> , and
5659+ <a for=request>mode</a> is "<code> cors</code> ", and
56485660 <a for=request>response tainting</a> is "<code> cors</code> ".
56495661
56505662 <p class="note no-backref"> The <a for=request>service-workers mode</a> of <var> preflight</var>
0 commit comments