@@ -41,6 +41,10 @@ urlPrefix:https://tc39.es/ecma262/#;type:dfn;spec:ecma-262
4141 url:sec-list-and-record-specification-type;text:Record
4242</pre>
4343
44+ <pre class=link-defaults>
45+ spec:infra; type:dfn; text:user agent
46+ </pre>
47+
4448<pre class=biblio>
4549{
4650 "HTTP": {
@@ -1799,13 +1803,18 @@ Unless stated otherwise, it is "<code>no-cors</code>".
17991803 <dd> This is a special mode used only when <a>navigating</a> between documents.
18001804
18011805 <dt> "<code> unsafe-no-cors</code> "
1802- <dd> This is a special mode for the <a>host environment</a> to use internally to wittingly make
1806+ <dd> This is a special mode for the [=user agent=] to use internally to wittingly make
18031807 requests that are unsafe. It restricts requests to using <a>CORS-safelisted methods</a> and
1804- <a>CORS-safelisted request-headers</a> . However, the request will not be required to pass a
1805- <a>cross-origin resource policy check</a> or to test if
1806- <a>Cross-Origin-Embedder-Policy allows credentials</a> . Additionally, upon success a fetch will
1807- return a <a>cors filtered response</a> . However, a request with this mode cannot
1808- use <a>service-workers mode</a> "<code> all</code> ".
1808+ <a>CORS-safelisted request-headers</a> and a request with this mode cannot use
1809+ <a>service-workers mode</a> "<code> all</code> ". However, the request will not be required to
1810+ pass a <a>cross-origin resource policy check</a> or to test if
1811+ <a>Cross-Origin-Embedder-Policy allows credentials</a> . Upon success a fetch will
1812+ return a <a>cors filtered response</a> .
1813+
1814+ <p class=warning> Using <a for=/>request</a> <a for=request>mode</a> "<code> unsafe-no-cors</code> "
1815+ is even more discouraged and unsafe than "<code> no-cors</code> ". Any use of this mode must be in an
1816+ <a>agent cluster</a> associated with the <a>host environment</a> itself to isolate its results from
1817+ misuse. This <a for=request>mode</a> is deliberately not exposed in the {{RequestMode}} .
18091818
18101819 <dt> "<code> websocket</code> "
18111820 <dd> This is a special mode used only when
@@ -1815,10 +1824,7 @@ Unless stated otherwise, it is "<code>no-cors</code>".
18151824 <p> Even though the default <a for=/>request</a> <a for=request>mode</a> is "<code> no-cors</code> ",
18161825 standards are highly discouraged from using it for new features. It is rather unsafe.
18171826
1818- <p class=warning> Using <a for=/>request</a> <a for=request>mode</a> "<code> unsafe-no-cors</code> "
1819- is even more discouraged and unsafe than "<code> no-cors</code> ". Any use of this mode must be in an
1820- <a>agent cluster</a> associated with the <a>host environment</a> itself to isolate its results from
1821- misuse. This <a for=request>mode</a> is deliberately not exposed in the {{RequestMode}} .
1827+
18221828</div>
18231829
18241830<p> A <a for=/>request</a> has an associated
0 commit comments