@@ -3093,8 +3093,9 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" ; case-sensit
30933093
30943094 <p class="note no-backref"> While redirects that carry a
30953095 `<a http-header><code>Cross-Origin-Resource-Policy</code></a> ` header are checked, redirects
3096- without such a header resulting in <var> response</var> do not contribute to this algorithm. I.e.,
3097- <var> request</var> 's <a for=request>tainted origin flag</a> is not checked.
3096+ without such a header resulting in <var> response</var> do not affect the outcome as the default is
3097+ <b> allowed</b> .
3098+ <!-- This changes with COEP's cross-origin value. -->
30983099
30993100 <li>
31003101 <p> Let <var> policy</var> be the result of <a for="header list">getting</a>
@@ -3975,10 +3976,9 @@ optional <i>CORS-preflight flag</i>, run these steps:
39753976
39763977 <li><p> If <var> request</var> 's <a for=request>mode</a> is "<code> cors</code> ",
39773978 <var> actualResponse</var> 's <a for=response>location URL</a>
3978- <a lt="include credential">includes credentials</a> , and either <var> request</var> 's
3979- <a for=request>tainted origin flag</a> is set or <var> request</var> 's <a for=request>origin</a> is
3980- not <a>same origin</a> with <var> actualResponse</var> 's <a for=response>location URL</a>' s
3981- <a for=url>origin</a> , then return a <a>network error</a> .
3979+ <a lt="include credential">includes credentials</a> , and <var> request</var> 's
3980+ <a for=request>origin</a> is not <a>same origin</a> with <var> actualResponse</var> 's
3981+ <a for=response>location URL</a> 's <a for=url>origin</a> , then return a <a>network error</a> .
39823982
39833983 <li>
39843984 <p> If <var> request</var> 's <a for=request>response tainting</a> is "<code> cors</code> " and
0 commit comments