Commit 7ee7a08

Define Cross-Origin-Resource-Policy response header
This header makes it easier for sites to block unwanted "no-cors" cross-origin requests. Tests: ... Fixes #687.
1 parent bd9b4e3 commit 7ee7a08

1 file changed: +62 -0 lines changed

fetch.bs
@@ -2455,6 +2455,64 @@ run these steps:</p>
24552455
</ol>
24562456

24572457

2458+
<h3 id=cross-origin-resource-policy-header>`<code>Cross-Origin-Resource-Policy</code>` header</h3>
2459+
2460+
<p>The
2461+
`<dfn export http-header id=http-cross-origin-resource-policy><code>Cross-Origin-Resource-Policy</code></dfn>`
2462+
response <a for=/>header</a> can be used to require checking a <a for=/>request</a>'s
2463+
<a for=request>current url</a>'s <a for=url>origin</a> against a <a for=/>request</a>'s
2464+
<a for=request>origin</a> when <a for=/>request</a>'s <a for=request>mode</a> is
2465+
"<code>no-cors</code>".
2466+
2467+
<p>Its <a for=header>value</a> <a>ABNF</a>:
2468+
2469+
<pre>
2470+
Cross-Origin-Resource-Policy = %x73.61.6D.65 / %x73.61.6D.65.2D.73.69.74.65 ; "same" / "same-site"; case-sensitive</pre>
2471+
2472+
<p>To perform a <dfn>cross-origin resource policy check</dfn>, given a <var>request</var> and
2473+
<var>response</var>, run these steps:</p>
2474+
2475+
<ol>
2476+
<li><p>If <var>request</var>'s <a for=request>mode</a> is not "<code>no-cors</code>", then return
2477+
<b>allowed</b>.
2478+
2479+
<li>
2480+
<p>If <var>request</var>'s <a for=request>origin</a> is <a>same origin</a> with
2481+
<var>request</var>'s <a for=request>current url</a>'s <a for=url>origin</a>, then return
2482+
<b>allowed</b>.
2483+
2484+
<p class=note>A cross-origin response redirecting to a same or same-site resource with the
2485+
`<a http-header><code>Cross-Origin-Resource-Policy</code></a>` header specified does not affect
2486+
anything.
2487+
<!-- We could make this have an effect if we fix https://github.com/whatwg/fetch/pull/594 first,
2488+
but even then we normally do not let this have any effect for "no-cors" so it would be
2489+
somewhat inconsistent if it did here, but might still be better... -->
2490+
2491+
<li><p>Let <var>policy</var> be the <a>combined value</a> with
2492+
`<a http-header><code>Cross-Origin-Resource-Policy</code></a>` and <var>response</var>'s
2493+
<a for=response>header list</a>.
2494+
2495+
<li><p>If <var>policy</var> is `<code>same</code>`, then return <b>blocked</b>.
2496+
2497+
<li>
2498+
<p>If <var>policy</var> is `<code>same-site</code>` and neither of the following is true
2499+
2500+
<ul class=brief>
2501+
<li><p><var>request</var>'s <a for=request>origin</a>'s <a for=origin>host</a>
2502+
<a>is a registrable domain suffix of or is equal to</a> <var>request</var>'s
2503+
<a for=request>current url</a>'s <a for=url>host</a>
2504+
2505+
<li><p><var>request</var>'s <a for=request>current url</a>'s <a for=url>host</a>
2506+
<a>is a registrable domain suffix of or is equal to</a> <var>request</var>'s
2507+
<a for=request>origin</a>'s <a for=origin>host</a>
2508+
</ul>
2509+
2510+
<p>then return <b>blocked</b>
2511+
2512+
<li><p>Return <b>allowed</b>.
2513+
</ol>
2514+
2515+
24582516

24592517
<h2 id=fetching>Fetching</h2>
24602518

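Review bot: Steps 4 through 6 of the new check fail open for any combined value other than exactly `same` or `same-site`: a malformed value, or two headers whose combined value is `same, same-site`, matches neither step 4 nor step 5 and reaches step 6, which returns allowed. If that is the intended behaviour it deserves a note beside the ABNF (which only states that the two tokens are case-sensitive); if not, the check should say what happens to a value that does not parse. Two smaller points in the same hunk: the `same-site` comparison in step 5 looks only at the two hosts, so scheme plays no part in deciding whether a request is same-site, which is worth stating explicitly given that the header is meant to block unwanted cross-origin loads; and the closing line of that step, `<p>then return <b>blocked</b>`, is missing its terminating period.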
@@ -3751,6 +3809,9 @@ Range Requests</cite>. [[HTTP-RANGE]] However, this is not widely supported by b
37513809
</ol>
37523810
</ol>
37533811

3812+
<li><p>If the <a>cross-origin resource policy check</a> with <var>request</var> and
3813+
<var>response</var> returns <b>blocked</b>, then return a <a>network error</a>.
3814+
37543815
<li>
37553816
<p>If <var>response</var>'s <a for=response>status</a> is <code>401</code>, <i>CORS flag</i>
37563817
is unset, <i>credentials flag</i> is set, and <var>request</var>'s <a for=request>window</a> is an
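Review bot: The inserted step returns a plain network error when the check returns blocked, which is the right outcome since a distinguishable failure would tell the caller whether the resource exists, but the text does not say this is deliberate; a short note would keep a later editor from adding a more specific error. The step is also placed ahead of the existing 401 handling, so a blocked response is rejected before any credential handling runs; that ordering looks correct and is worth a sentence confirming it, since moving the step below the 401 branch would change what a "no-cors" request can trigger.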
@@ -6390,6 +6451,7 @@ Jeffrey Yasskin,
63906451
Jesse M. Heines,
63916452
Jinho Bang,
63926453
Jochen Eisinger,
6454+
John Wilander,
63936455
Jonas Sicking,
63946456
Jonathan Kingston,
63956457
Jonathan Watt,
