Enum rollup, fix capitalization, and add a cookie section

bvandersloot-mozilla · bvandersloot-mozilla · commit 853595b5ffa7 · 2025-03-10T15:49:16.000-04:00
diff --git a/fetch.bs b/fetch.bs
@@ -2249,7 +2249,7 @@ or "<code>object</code>".
 
 <div algorithm>
 <p>A <a for=/>request</a> has a <dfn for=request id=concept-request-redirect-taint>redirect-taint</dfn>,
-which is "<code>None</code>", "<code>Cross-Origin</code>", or "<code>Cross-Site</code>".
+which is "<code>same-origin</code>", "<code>same-site</code>", or "<code>cross-site</code>".
 <p>To get <a for=/>request</a> <var>request</var>'s <a>redirect-taint</a>:
 
 <ol>
@@ -2258,7 +2258,7 @@ which is "<code>None</code>", "<code>Cross-Origin</code>", or "<code>Cross-Site<
 
  <li><p>Let <var>lastURL</var> be null.
 
- <li><p>Let <var>crossOriginTaint</var> be "<code>None</code>".
+ <li><p>Let <var>computedTaint</var> be "<code>same-origin</code>".
 
  <li>
   <p><a for=list>For each</a> <var>url</var> of <var>request</var>'s <a for=request>URL list</a>:
@@ -2269,17 +2269,17 @@ which is "<code>None</code>", "<code>Cross-Origin</code>", or "<code>Cross-Site<
 
    <li><p>If <var>url</var>'s <a for=url>origin</a> is not <a for=/>same site</a> with
    <var>lastURL</var>'s <a for=url>origin</a> and <var>request</var>'s <a for=request>origin</a> is
-   not <a for=/>same site</a> with <var>lastURL</var>'s <a for=url>origin</a>, then return "<code>Cross-Site</code>".
+   not <a for=/>same site</a> with <var>lastURL</var>'s <a for=url>origin</a>, then return "<code>cross-site</code>".
 
    <li><p>If <var>url</var>'s <a for=url>origin</a> is not <a>same origin</a> with
    <var>lastURL</var>'s <a for=url>origin</a> and <var>request</var>'s <a for=request>origin</a> is
    not <a>same origin</a> with <var>lastURL</var>'s <a for=url>origin</a>,
-   then let <var>crossOriginTaint</var> be "<code>Cross-Origin</code>"..
+   then set <var>computedTaint</var> to "<code>same-site</code>".
 
    <li>Set <var>lastURL</var> to <var>url</var>.
   </ol>
 
- <li>Return <var>crossOriginTaint</var>.
+ <li>Return <var>computedTaint</var>.
 </ol>
 </div>
 
@@ -2291,7 +2291,7 @@ run these steps:
  <li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>origin</a> is not
  "<code>client</code>".
 
- <li><p>If <var>request</var>'s <a for=request>redirect-taint</a> is not "<code>None</code>",
+ <li><p>If <var>request</var>'s <a for=request>redirect-taint</a> is not "<code>same-origin</code>",
  then return "<code>null</code>".
 
  <li><p>Return <var>request</var>'s <a for=request>origin</a>,
@@ -2402,7 +2402,7 @@ source of security bugs. Please seek security review for features that deal with
 
  <li><p>If <var>request</var>'s <a for=request>origin</a> is <a>same origin</a> with
  <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a> and <var>request</var>'s
- <a for=request>redirect-taint</a> is not "<code>None</code>", then return true.</p>
+ <a for=request>redirect-taint</a> is not "<code>same-origin</code>", then return true.</p>
 
  <li><p>Return false.</p>
 </ol>
@@ -2515,11 +2515,8 @@ this is also tracked internally using the request's <a for=request>timing allow
 <dfn export for=response>service worker timing info</dfn> (null or a
 <a for=/>service worker timing info</a>), which is initially null.
 
-<p>A <a for=/>response</a> has an associated <dfn for=response>has-cross-origin-redirects</dfn>
-(a boolean), which is initially false.
-
-<p>A <a for=/>response</a> has an associated <dfn for=response>has-cross-site-redirects</dfn>
-(a boolean), which is initially false.
+<p>A <a for=/>response</a> has an associated <dfn for=response>redirect taint</dfn> ("<code>same-origin</code>",
+"<code>same-site</code>", or "<code>cross-site</code>", which is initially "<code>same-origin</code>".
 
 <hr>
 
@@ -3324,72 +3321,6 @@ through TLS using ALPN. The protocol cannot be spoofed through HTTP requests in
 
 <h2 id=http-extensions>HTTP extensions</h2>
 
-<h3 id=cookie-header>`<code>Cookie</code>` header</h3>
-
-<p>The `<dfn export http-header id=http-cookie><code>Cookie</code></dfn>`
-request <a for=/>header</a> allows the request to carry locally stored state, such as user credentials.
-
-<div algorithm>
-<p>To <dfn id=append-a-request-cookie-header>append a request `<code>Cookie</code>` header</dfn>,
-given a <a for=/>request</a> <var>request</var>:
-  <ol>
-     <li><p>Let |sameSite| be the result of [=determining the same-site mode=] for <var>request</var>.
-     <li><p>Let |isSecure| be false.
-     <li><p>If <var>request</var>'s <a for=request>client</a> is a <a>secure context</a>, then set |isSecure| to true.
-     <li><p>Let |httpOnlyAllowed| be true.
-     <p class=note>Fetch implies that the request is http-only, as opposed to document.cookie
-     <li><p>Let |cookies| be the result of running <a>retrieve cookies</a> given
-      |isSecure|,
-      <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a>,
-      <var>request</var>'s <a for=request>current URL</a>'s <a for=url>path</a>,
-      |httpOnlyAllowed|, and
-      |sameSite|
-
-     <p class=note>It is expected that the cookie store returns an ordered list of cookies
-     <li>If |cookies| <a for="list">is empty</a>, then return.
-     <li>Let |value| be the result of <a>serializing cookies</a> given |cookies|.
-     <li><a for="header list">Append</a> (`<code>Cookie</code>`, <var>value</var>) to <var>request</var>'s <a for=request>header list</a>.
-  </ol>
-</div>
-
-<div algorithm>
-<p>To <dfn id=parse-and-store-response-cookie-headers>parse and store response `<code>Set-Cookie</code>` headers</dfn>,
-given a <a for=/>request</a> <var>request</var> and a <a for=/>response</a> <var>response</var>, run these steps:
-  <ol>
-     <li><p>Let |allowNonHostOnlyCookieForPublicSuffix| be false.
-     <li><p>Let |isSecure| be false.
-     <li><p>If <var>request</var>'s <a for=request>client</a> is a <a>secure context</a>, then set |isSecure| to true.
-     <li><p>Let |httpOnlyAllowed| be true.
-     <p class=note>Fetch implies that the request is http-only, as opposed to document.cookie
-     <li><p>Let |sameSiteStrictOrLaxAllowed| be true if the result of [=determine the same-site mode=] for |request| is "<code>StrictOrLess</code>", and false otherwise.
-     <li><p><a for=list>For each</a> <var>header</var> of <var>response</var>'s <a for=response>header list</a>:
-     <ol>
-      <li><p>If <var>header</var>'s <a for=header>name</a> is not a <a>byte-case-insensitive</a> match for `<code>Set-Cookie</code>`, then <a for=iteration>continue</a>.
-      <li><p><a>Parse and store a cookie</a> given
-      <var>header</var>'s <a for=header>value</a>,
-      |isSecure|,
-      <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a>,
-      <var>request</var>'s <a for=request>current URL</a>'s <a for=url>path</a>,
-      |httpOnlyAllowed|,
-      |allowNonHostOnlyCookieForPublicSuffix|, and
-      |sameSiteStrictOrLaxAllowed|
-     </ol>
-  </ol>
-</div>
-
-<div algorithm>
-<p>To <dfn>determine the same-site mode</dfn> for a given <a for=/>request</a> <var>request</var>, run these steps:
-  <ol>
-   <li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>method</a> is "GET" or "POST".
-   <li><p>If <var>request</var>'s <a for=request>top-level navigation initiator origin</a> is not null and is not <a for=/>same site</a> to <var>request</var>'s <a for=request>URL</a>'s <a for=url>origin</a>, return "<code>UnsetOrLess</code>".
-   <li><p>If <var>request</var>'s <a for=request>method</a> is "GET" and
-    <var>request</var>'s <a for=request>destination</a> is "document", return "<code>LaxOrLess</code>".
-   <li><p>If <var>request</var>'s <a for=request>client</a>'s <a for=environment>ancestry</a> is "<code>cross-site</code>", return "<code>UnsetOrLess</code>".
-   <li><p>If <var>request</var>'s <a for=request>redirect-taint</a> is "<code>Cross-Site</code>", return "<code>UnsetOrLess</code>".
-   <li><p>Return "StrictOrLess".
-  </ol>
-</div>
-
 <h3 id=origin-header>`<code>Origin</code>` header</h3>
 
 <p>The `<dfn export http-header id=http-origin><code>Origin</code></dfn>`
@@ -4323,7 +4254,75 @@ indicates the request’s purpose is to fetch a resource that is anticipated to
 <p class=note>The server can use this to adjust the caching expiry for prefetches, to disallow the
 prefetch, or to treat it differently when counting page visits.
 
+<h2 id=cookies>Cookies</h2>
 
+<h3 id=cookie-header>`<code>Cookie</code>` header</h3>
+
+<p>The `<code>Cookie</code>` header is largely defined in its own specification. [[COOKIES]].
+We define infrastructure to be able to use conveniently here.
+
+<div algorithm>
+<p>To <dfn id=append-a-request-cookie-header>append a request `<code>Cookie</code>` header</dfn>,
+given a <a for=/>request</a> <var>request</var>, run these steps:
+  <ol>
+     <li><p>If the user-agent is configured to disable cookies for <var>request</var>, it should return.
+     <li><p>Let |sameSite| be the result of [=determining the same-site mode=] for <var>request</var>.
+     <li><p>Let |isSecure| be false.
+     <li><p>If <var>request</var>'s <a for=request>client</a> is a <a>secure context</a>, then set |isSecure| to true.
+     <li><p>Let |httpOnlyAllowed| be true.
+     <p class=note>Fetch implies that the request is http-only, as opposed to document.cookie
+     <li><p>Let |cookies| be the result of running <a>retrieve cookies</a> given
+      |isSecure|,
+      <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a>,
+      <var>request</var>'s <a for=request>current URL</a>'s <a for=url>path</a>,
+      |httpOnlyAllowed|, and
+      |sameSite|
+
+     <p class=note>It is expected that the cookie store returns an ordered list of cookies
+     <li>If |cookies| <a for="list">is empty</a>, then return.
+     <li>Let |value| be the result of running <a>serialize cookies</a> given |cookies|.
+     <li><a for="header list">Append</a> (`<code>Cookie</code>`, <var>value</var>) to <var>request</var>'s <a for=request>header list</a>.
+  </ol>
+</div>
+
+<div algorithm>
+<p>To <dfn id=parse-and-store-response-cookie-headers>parse and store response `<code>Set-Cookie</code>` headers</dfn>,
+given a <a for=/>request</a> <var>request</var> and a <a for=/>response</a> <var>response</var>, run these steps:
+  <ol>
+     <li><p>If the user-agent is configured to disable cookies for <var>request</var>, it should return.
+     <li><p>Let |allowNonHostOnlyCookieForPublicSuffix| be false.
+     <li><p>Let |isSecure| be false.
+     <li><p>If <var>request</var>'s <a for=request>client</a> is a <a>secure context</a>, then set |isSecure| to true.
+     <li><p>Let |httpOnlyAllowed| be true.
+     <p class=note>Fetch implies that the request is http-only, as opposed to document.cookie
+     <li><p>Let |sameSiteStrictOrLaxAllowed| be true if the result of [=determine the same-site mode=] for |request| is "<code>StrictOrLess</code>", and false otherwise.
+     <li><p><a for=list>For each</a> <var>header</var> of <var>response</var>'s <a for=response>header list</a>:
+     <ol>
+      <li><p>If <var>header</var>'s <a for=header>name</a> is not a <a>byte-case-insensitive</a> match for `<code>Set-Cookie</code>`, then <a for=iteration>continue</a>.
+      <li><p><a>Parse and store a cookie</a> given
+      <var>header</var>'s <a for=header>value</a>,
+      |isSecure|,
+      <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a>,
+      <var>request</var>'s <a for=request>current URL</a>'s <a for=url>path</a>,
+      |httpOnlyAllowed|,
+      |allowNonHostOnlyCookieForPublicSuffix|, and
+      |sameSiteStrictOrLaxAllowed|
+     </ol>
+  </ol>
+</div>
+
+<div algorithm>
+<p>To <dfn>determine the same-site mode</dfn> for a given <a for=/>request</a> <var>request</var>, run these steps:
+  <ol>
+   <li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>method</a> is "GET" or "POST".
+   <li><p>If <var>request</var>'s <a for=request>top-level navigation initiator origin</a> is not null and is not <a for=/>same site</a> to <var>request</var>'s <a for=request>URL</a>'s <a for=url>origin</a>, return "<code>UnsetOrLess</code>".
+   <li><p>If <var>request</var>'s <a for=request>method</a> is "GET" and
+    <var>request</var>'s <a for=request>destination</a> is "document", return "<code>LaxOrLess</code>".
+   <li><p>If <var>request</var>'s <a for=request>client</a>'s <a for=environment>ancestry</a> is "<code>cross-site</code>", return "<code>UnsetOrLess</code>".
+   <li><p>If <var>request</var>'s <a for=request>redirect-taint</a> is "<code>cross-site</code>", return "<code>UnsetOrLess</code>".
+   <li><p>Return "StrictOrLess".
+  </ol>
+</div>
 
 <h2 id=fetching>Fetching</h2>
 
@@ -4778,11 +4777,8 @@ steps:
  <!-- If you are ever tempted to move this around, carefully consider responses from about URLs,
       blob URLs, service workers, HTTP cache, HTTP network, etc. -->
 
- <li><p>If <var>request</var>'s <a for=request>redirect-taint</a> is not "<code>None</code>", then set
- <var>internalResponse</var>'s <a for=response>has-cross-origin-redirects</a> to true.
-
- <li><p>If <var>request</var>'s <a for=request>redirect-taint</a> is "<code>Cross-Site</code>", then set
- <var>internalResponse</var>'s <a for=response>has-cross-site-redirects</a> to true.
+ <li><p>Set <var>internalResponse</var>'s <a for=response>redirect taint</a> to <var>request</var>'s
+ <a for=request>redirect-taint</a>.
 
  <li><p>If <var>request</var>'s <a for=request>timing allow failed flag</a> is unset, then set
  <var>internalResponse</var>'s <a for=response>timing allow passed flag</a>.
@@ -4935,7 +4931,7 @@ steps:
      <li>
       <p>If <var>fetchParams</var>'s <a for="fetch params">request</a>'s <a for=request>mode</a> is
       not "<code>navigate</code>" or <var>response</var>'s
-      <a for=response>has-cross-origin-redirects</a> is false:
+      <a for=response>redirect taint</a> is "<code>same-origin</code>":
 
       <ol>
        <li><p>Set <var>responseStatus</var> to <var>response</var>'s <a for=response>status</a>.
@@ -5811,9 +5807,7 @@ run these steps:
     <p>If <var>includeCredentials</var> is true, then:
 
     <ol>
-     <p class=note>This permits some implementations to choose to not support cookies for some or all <var>httpRequest</var>s.
-
-     <li><p>The user agent should <a>append a request `<code>Cookie</code>` header</a> for <var>httpRequest</var>.
+     <li><p><a>Append a request `<code>Cookie</code>` header</a> for <var>httpRequest</var>.
 
      <li>
       <p>If <var>httpRequest</var>'s <a for=request>header list</a>
