@@ -2455,6 +2455,64 @@ run these steps:</p>
</ol>
+ <h3 id=cross-origin-resource-policy-header>`<code>Cross-Origin-Resource-Policy</code>` header</h3>
+
+ <p> The
+ `<dfn export http-header id=http-cross-origin-resource-policy><code>Cross-Origin-Resource-Policy</code></dfn> `
+ response <a for=/>header</a> can be used to require checking a <a for=/>request</a> 's
+ <a for=request>current url</a> 's <a for=url>origin</a> against a <a for=/>request</a>' s
+ <a for=request>origin</a> when <a for=/>request</a> 's <a for=request>mode</a> is
+ "<code> no-cors</code> ".
+
+ <p> Its <a for=header>value</a> <a>ABNF</a> :
+
+ <pre>
+ Cross-Origin-Resource-Policy = %x73.61.6D.65 / %x73.61.6D.65.2D.73.69.74.65 ; "same" / "same-site"; case-sensitive</pre>
+
+ <p> To perform a <dfn>cross-origin resource policy check</dfn> , given a <var> request</var> and
+ <var> response</var> , run these steps:</p>
+
+ <ol>
+ <li><p> If <var> request</var> 's <a for=request>mode</a> is not "<code> no-cors</code> ", then return
+ <b> allowed</b> .
+
+ <li>
+ <p> If <var> request</var> 's <a for=request>origin</a> is <a>same origin</a> with
+ <var> request</var> 's <a for=request>current url</a>' s <a for=url>origin</a> , then return
+ <b> allowed</b> .
+
+ <p class=note> A cross-origin response redirecting to a same or same-site resource with the
+ `<a http-header><code>Cross-Origin-Resource-Policy</code></a> ` header specified does not affect
+ anything.
+ <!-- We could make this have an effect if we fix https://github.com/whatwg/fetch/pull/594 first,
+ but even then we normally do not let this have any effect for "no-cors" so it would be
+ somewhat inconsistent if it did here, but might still be better... -->
+
+ <li><p> Let <var> policy</var> be the <a>combined value</a> with
+ `<a http-header><code>Cross-Origin-Resource-Policy</code></a> ` and <var> response</var> 's
+ <a for=response>header list</a> .
+
+ <li><p> If <var> policy</var> is `<code> same</code> `, then return <b> blocked</b> .
+
+ <li>
+ <p> If <var> policy</var> is `<code> same-site</code> ` and neither of the following is true
+
+ <ul class=brief>
+ <li><p><var> request</var> 's <a for=request>origin</a>' s <a for=origin>host</a>
+ <a>is a registrable domain suffix of or is equal to</a> <var> request</var> 's
+ <a for=request>current url</a> 's <a for=url>host</a>
+
+ <li><p><var> request</var> 's <a for=request>current url</a>' s <a for=url>host</a>
+ <a>is a registrable domain suffix of or is equal to</a> <var> request</var> 's
+ <a for=request>origin</a> 's <a for=origin>host</a>
+ </ul>
+
+ <p> then return <b> blocked</b>
+
+ <li><p> Return <b> allowed</b> .
+ </ol>
+
+
<h2 id=fetching>Fetching</h2>
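Review bot: The policy comparison in steps 4 and 5 fails open for anything other than the exact byte sequences `same` and `same-site`: the combined value obtained in step 3 is null when the header is absent, but it is also a single comma-joined value when the header appears more than once (for example `same, same-site`), and any unrecognized or malformed value falls through to step 6 and returns allowed. If that is the intended behaviour, say so in a note; otherwise consider treating a present-but-unrecognized value as blocked. A second point on step 5: the same-site branch compares only the hosts of request's origin and request's current url, so the scheme is never considered and an http: origin counts as same-site with an https: resource on the same registrable domain; the prose should state whether that is deliberate. Minor: step 5 is missing a colon after "neither of the following is true" and a period after `then return <b> blocked</b>`.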
@@ -3751,6 +3809,9 @@ Range Requests</cite>. [[HTTP-RANGE]] However, this is not widely supported by b
</ol>
</ol>
+ <li><p> If the <a>cross-origin resource policy check</a> with <var> request</var> and
+ <var> response</var> returns <b> blocked</b> , then return a <a>network error</a> .
+
<li>
<p> If <var> response</var> 's <a for=response>status</a> is <code> 401</code> , <i> CORS flag</i>
is unset, <i> credentials flag</i> is set, and <var> request</var> 's <a for=request>window</a> is an
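Review bot: The new step hands <var>response</var> to the cross-origin resource policy check, but that check only has an effect for "no-cors" requests, and for those the response a fetch exposes is normally an opaque filtered response whose header list is empty; if <var>response</var> at this point is the filtered response rather than the internal response, step 3 of the check ("Let policy be the combined value with `Cross-Origin-Resource-Policy` and response's header list") never sees the header and the check is a no-op. Please state explicitly that the check runs against the internal (unfiltered) response, or move the step to where that response is available. Running it before the 401 handling is otherwise the right order, since a blocked response should become a network error before any credentials prompt.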
@@ -6390,6 +6451,7 @@ Jeffrey Yasskin,
Jesse M. Heines,
Jinho Bang,
Jochen Eisinger,
+ John Wilander,
Jonas Sicking,
Jonathan Kingston,
Jonathan Watt,