From 9dc7e8b10ddda1ad87e0a673da035fd689b528a7 Mon Sep 17 00:00:00 2001
From: Domenic Denicola <d@domenic.me>
Date: Mon, 11 Nov 2019 15:57:01 -0500
Subject: [PATCH 1/4] Editorial: use origin-based "same site" definition

Follows https://github.com/whatwg/html/pull/5076.
---
 fetch.bs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index 9fb969414..e432841ec 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -3111,8 +3111,8 @@ Cross-Origin-Resource-Policy     = %s"same-origin" / %s"same-site" ; case-sensit
   <p>If the following are true
 
   <ul class=brief>
-   <li><var>request</var>'s <a for=request>origin</a>'s <a for=url>host</a> is <a>same site</a> with
-   <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a>
+   <li><var>request</var>'s <a for=request>origin</a> is <a>same site</a> with
+   <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>
    <li><var>request</var>'s <a for=request>origin</a>'s <a for=url>scheme</a> is
    "<code>https</code>" or <var>response</var>'s <a for=response>HTTPS state</a> is
    "<code>none</code>"
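Review bot: The subject calls this change editorial, but the first bullet now compares whole origins rather than hosts, so whether behaviour is unchanged depends on whether the origin-based `same site` from the linked HTML pull request also compares schemes. If it does, an `https` origin fetching an `http` URL on the same registrable domain would stop matching this bullet, which is a normative change to the Cross-Origin-Resource-Policy check rather than a wording cleanup. Either retitle the commit or use a scheme-insensitive term here, e.g. `<a for=request>origin</a> is <a>schemelessly same site</a> with`, as patch 4/4 of this series later does. The enclosing list item starts and ends outside the hunk.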

From f290b62a62b6f6baf4a4daeff642b071df5a4e2d Mon Sep 17 00:00:00 2001
From: Domenic Denicola <d@domenic.me>
Date: Mon, 18 Nov 2019 15:40:32 -0500
Subject: [PATCH 2/4] Simplify in a normative way

---
 fetch.bs | 19 +++----------------
 1 file changed, 3 insertions(+), 16 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index e432841ec..9e9b23810 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -3107,22 +3107,9 @@ Cross-Origin-Resource-Policy     = %s"same-origin" / %s"same-site" ; case-sensit
 
  <li><p>If <var>policy</var> is `<code>same-origin</code>`, then return <b>blocked</b>.
 
- <li>
-  <p>If the following are true
-
-  <ul class=brief>
-   <li><var>request</var>'s <a for=request>origin</a> is <a>same site</a> with
-   <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>
-   <li><var>request</var>'s <a for=request>origin</a>'s <a for=url>scheme</a> is
-   "<code>https</code>" or <var>response</var>'s <a for=response>HTTPS state</a> is
-   "<code>none</code>"
-  </ul>
-
-  <p>then return <b>allowed</b>.
-
-  <p class=note>This prevents HTTPS responses with
-  `<code>Cross-Origin-Resource-Policy: same-site</code>` from being accessed without secure
-  transport.
+ <li><p>If <var>request</var>'s <a for=request>origin</a> is <a>same site</a> with
+ <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>, then return
+ <b>allowed</b>.
 
  <li><p>If <var>policy</var> is `<code>same-site</code>`, then return <b>blocked</b>.
 
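Review bot: Dropping the second condition of the `same-site` step removes the only explicit check that an HTTPS response marked `Cross-Origin-Resource-Policy: same-site` is not handed to an insecure origin. After this change that protection exists only if `same site` itself compares schemes, which is not visible from this text. Under a host-only comparison, an `http` page on the same registrable domain would be allowed. The explanatory note is deleted as well and the commit message is empty, so the reasoning for the normative change is not recorded. If the simplification is intended, keep a short `<p class=note>` after the step stating that the scheme comparison inside `same site` is what keeps HTTPS responses from being read over insecure transport.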

From 40db0a4cf49d2b7fc81ef12a387d4fc10b941527 Mon Sep 17 00:00:00 2001
From: Domenic Denicola <d@domenic.me>
Date: Tue, 19 Nov 2019 11:59:13 -0500
Subject: [PATCH 3/4] Revert "Simplify in a normative way"

This reverts commit f290b62a62b6f6baf4a4daeff642b071df5a4e2d.
---
 fetch.bs | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index 9e9b23810..e432841ec 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -3107,9 +3107,22 @@ Cross-Origin-Resource-Policy     = %s"same-origin" / %s"same-site" ; case-sensit
 
  <li><p>If <var>policy</var> is `<code>same-origin</code>`, then return <b>blocked</b>.
 
- <li><p>If <var>request</var>'s <a for=request>origin</a> is <a>same site</a> with
- <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>, then return
- <b>allowed</b>.
+ <li>
+  <p>If the following are true
+
+  <ul class=brief>
+   <li><var>request</var>'s <a for=request>origin</a> is <a>same site</a> with
+   <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>
+   <li><var>request</var>'s <a for=request>origin</a>'s <a for=url>scheme</a> is
+   "<code>https</code>" or <var>response</var>'s <a for=response>HTTPS state</a> is
+   "<code>none</code>"
+  </ul>
+
+  <p>then return <b>allowed</b>.
+
+  <p class=note>This prevents HTTPS responses with
+  `<code>Cross-Origin-Resource-Policy: same-site</code>` from being accessed without secure
+  transport.
 
  <li><p>If <var>policy</var> is `<code>same-site</code>`, then return <b>blocked</b>.
 

From 1d6002fb3f9ae3bf3cd23c9e5863810f46544719 Mon Sep 17 00:00:00 2001
From: Domenic Denicola <d@domenic.me>
Date: Tue, 19 Nov 2019 11:59:50 -0500
Subject: [PATCH 4/4] schemelessly

---
 fetch.bs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fetch.bs b/fetch.bs
index e432841ec..46861a687 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -3111,7 +3111,7 @@ Cross-Origin-Resource-Policy     = %s"same-origin" / %s"same-site" ; case-sensit
   <p>If the following are true
 
   <ul class=brief>
-   <li><var>request</var>'s <a for=request>origin</a> is <a>same site</a> with
+   <li><var>request</var>'s <a for=request>origin</a> is <a>schemelessly same site</a> with
    <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>
    <li><var>request</var>'s <a for=request>origin</a>'s <a for=url>scheme</a> is
    "<code>https</code>" or <var>response</var>'s <a for=response>HTTPS state</a> is
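Review bot: With `schemelessly same site` in the first bullet, the scheme requirement rests entirely on the second bullet, and nothing in the step says the scheme-less comparison is deliberate. The existing note after the list (outside this hunk) only mentions secure transport. Consider extending it with a sentence such as `The site comparison ignores schemes; the scheme requirement is enforced by the second condition.` so that a later editor does not swap the term back to `same site`. The commit message is only `schemelessly`; it should say that this presumably restores the host-based behaviour that preceded patch 1/4.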