Overview.src.html

<!doctype html>
<html lang=en-US>
<meta charset=utf-8>
<title>Fetch Standard</title>
<link rel=stylesheet href=//www.whatwg.org/style/specification>
<link rel=icon href=//resources.whatwg.org/logo-fetch.svg>

<div class="head">

<p><a class=logo href=//www.whatwg.org/><img alt=WHATWG src=//resources.whatwg.org/logo-fetch.svg width=100 height=100></a>
<h1 id="cors">Fetch</h1>
<h2 class="no-num no-toc">Living Standard &mdash; Last Updated [DATE: 3 August 2002]</h2>

<dl>
 <dt>This Version:
 <dd><a href=//fetch.spec.whatwg.org/>http://fetch.spec.whatwg.org/</a>

 <dt>Participate:
 <dd>Send feedback to <a href="http://www.whatwg.org/mailing-list">whatwg@whatwg.org</a> or
  <a href="https://www.w3.org/Bugs/Public/enter_bug.cgi?product=WHATWG&amp;component=Fetch">file a bug</a>
  (<a href="https://www.w3.org/Bugs/Public/buglist.cgi?product=WHATWG&amp;component=Fetch&amp;resolution=---">open bugs</a>)
 <dd><a href=//wiki.whatwg.org/wiki/IRC>IRC: #whatwg on Freenode</a>

 <dt>Version History:
 <dd><a href=https://github.com/whatwg/fetch/commits>https://github.com/whatwg/fetch/commits</a>

 <dt>Editor:
 <dd><a href="http://annevankesteren.nl/">Anne van Kesteren</a>
  (<a href=http://www.mozilla.org/>Mozilla</a>)
  &lt;<a href="mailto:annevk@annevk.nl">annevk@annevk.nl</a>>
</dl>

<script src=//resources.whatwg.org/file-bug.js async></script>

<p class=copyright><a rel=license href="http://creativecommons.org/publicdomain/zero/1.0/"><img src="http://i.creativecommons.org/p/zero/1.0/80x15.png" alt=CC0></a>
To the extent possible under law, the editor has waived all copyright and
related or neighboring rights to this work. In addition, as of
[DATE: 01 Jan 1901], the editor has made this specification available
under the
<a rel=license
href="http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0">Open Web Foundation Agreement Version 1.0</a>,
which is available at
http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0.

</div>



<h2 class="no-num no-toc">Abstract</h2>

<p>The Fetch standard defines the overall architecture for obtaining resources given a URL
and a set of parameters. This concept is named fetching.



<h2 class="no-num no-toc">Table of Contents</h2>
<!-- toc -->



<h2 class=no-num>Goals</h2>

<p>To unify fetching across the web platform this specification supplants a number of algorithms and specifications:

<ul class="brief no-backref">
 <li>HTML Standard's <span title=concept-legacy-fetch>fetch</span> and
 <span title="concept-legacy-potentially-cors-enabled-fetch">potentially CORS-enabled fetch</span>
 algorithms (now defined in terms of <span title=concept-fetch>fetch</span>)
 <span data-anolis-ref class=informative>HTML</span>
 <li>CORS <span data-anolis-ref class=informative>CORS</span>
 <li>HTTP `<code title=http-origin>Origin</code>` header semantics
 <span data-anolis-ref class=informative>ORIGIN</span>
</ul>

<p>Unifying fetching provides consistent handling of:

<ul class=brief>
 <li>Different URL schemes
 <li>HTTP redirects
 <li>Cross-origin requests
</ul>

<p>In due course, it should also help clarify the semantics of CSP and provide a model to hook offline networking into.



<h2>Conformance</h2>

<p>All diagrams, examples, and notes in this specification are
non-normative, as are all sections explicitly marked non-normative.
Everything else in this specification is normative.

<p>The key words "MUST", "MUST NOT", "REQUIRED", <!--"SHALL", "SHALL
NOT",--> "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in the normative parts of this specification are to be
interpreted as described in RFC2119. For readability, these words do
not appear in all uppercase letters in this specification.
<span data-anolis-ref>RFC2119</span>



<h2>Terminology</h2>

<p>This specification uses terminology from the Encoding and URL Standards.
<span data-anolis-ref>ENCODING</span>
<span data-anolis-ref>URL</span>

<p>A <span data-anolis-spec=encoding>byte</span> sequence with bytes in the range 0x00 to
0x7F is represented as a <span data-anolis-spec=encoding>utf-8</span> encoded
<span data-anolis-spec=encoding>string</span> with code points in the range U+0000 to
U+007F. To avoid confusion with an actual string backticks are used.

<p class=example>"<code title>true</code>" is a
<span data-anolis-spec=encoding>string</span>, while `<code title>true</code>` is a
byte sequence.

<p>Comparing two byte sequences in a <dfn>byte case-insensitive</dfn> manner means
comparing them exactly, byte for byte, except that the bytes in the range 0x41 to 0x5A are
considered to also match their corresponding byte in the range 0x61 to 0x7A.

<p>A <dfn>case-insensitive byte sequence</dfn> is a byte sequence that when compared to
another byte sequence does so in a <span>byte case-insensitive</span> manner.

<p class=example>The
<span title="case-insensitive byte sequence">case-insensitive byte sequences</span>
`<code title>Content-Type</code>` and `<code title>content-TYPE</code>` are equal.


<h3>HTTP</h3>

<p>While <span title=concept-fetch>fetching</span> encompasses more than just HTTP, it
borrows a number of concepts from HTTP and applies these to resources obtained via other
means (e.g. via <code title>data</code> URL).

<p>A <dfn title=concept-method>method</dfn> is a byte sequence.

<p>A <dfn title=concept-header>header</dfn> consists of a
<dfn title=concept-header-name>name</dfn> and <dfn title=concept-header-value>value</dfn>.
A <span title=concept-header-name>name</span> is a
<span>case-insensitive byte sequence</span> and a
<span title=concept-header-value>value</span> is a byte sequence.

<p>A <dfn>simple method</dfn> is a <span title=concept-method>method</span> that is
`<code title>GET</code>`, `<code title>HEAD</code>`, or `<code title>POST</code>`.

<p>A <dfn>simple header</dfn> is a <span title=concept-header>header</span> whose
<span title=concept-header-name>name</span> is `<code title>Accept</code>`,
`<code title>Accept-Language</code>`, or `<code title>Content-Language</code>`, or whose
<span title=concept-header-name>name</span> is `<code title>Content-Type</code>` and
<span title=concept-header-value>value</span>, <span class=XXX>once parsed,</span> is
`<code title>application/x-www-form-urlencoded</code>`,
`<code title>multipart/form-data</code>`,
or `<code title>text/plain</code>`.

<p class=XXX>What we never resolved in CORS was whether only certain
parameters should be allowed and how exactly the MIME type parsing would work. Hopefully
<a href=http://mimesniff.spec.whatwg.org/#parse-a-mime-type>parsing MIME types</a> will
solve this.
<!-- example if people ask: "Content-Type: text/html;" -->

<p>To <dfn title=concept-header-parse>parse a header value</dfn> parse it per the ABNF and
return the <span title=concept-header-value>values</span> obtained for the given
<span title=concept-header-name>name</span>, and return failure if the
<span title=concept-header-value>value</span> did not match the ABNF.



<h3>Requests</h3>

<p>The input to <span title=concept-fetch>fetch</span> is a
<dfn title=concept-request>request</dfn>.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-method>method</dfn>. Unless stated otherwise a
<span title=concept-request>request</span>'s
<span title=concept-request-method>method</span> is `<code title>GET</code>`.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-url>url</dfn> (a
<span data-anolis-spec=url title=concept-parsed-url>parsed URL</span>).

<p>A <span title=concept-request>request</span> has associated
<dfn title=concept-request-author-headers>author headers</dfn> and
<dfn title=concept-request-headers>headers</dfn>. Unless stated otherwise
<span title=concept-request>request</span>'s
<span title=concept-request-author-headers>author headers</span>
and <span title=concept-request-headers>headers</span> are empty lists of
<span title=concept-header>headers</span>.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-origin>origin</dfn>, and
<dfn>force <code title>Origin</code> header flag</dfn>. Unless stated otherwise a
<span title=concept-request>request</span>'s
<span title=concept-request-origin>origin</span> is null and its
<span>force <code title>Origin</code> header flag</span> is unset.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-referrer>referrer</dfn>. Unless stated otherwise it is null.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-body>body</dfn>. Unless stated otherwise a
<span title=concept-request>request</span>'s <span title=concept-request-body>body</span>
is null.

<p>A <span title=concept-request>request</span> has an associated
<dfn>synchronous flag</dfn>. Unless stated otherwise a
<span title=concept-request>request</span>'s <span>synchronous flag</span> is unset.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-mode>mode</dfn>, which is one of <i title>same-origin</i>,
<i title>tainted cross-origin</i>, and <i title>CORS</i>. Unless stated otherwise,
<span title=concept-request>request</span>'s <span title=concept-request-mode>mode</span>
is <i title>tainted cross-origin</i>.

<p>A <span title=concept-request>request</span> has an associated
<dfn>force preflight flag</dfn>. Unless stated otherwise, it is unset and only relevant
when <span title=concept-request>request</span>'s
<span title=concept-request-mode>mode</span> is <i title>CORS</i>.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-omit-credentials-mode>omit credentials mode</dfn>, which is
one of <i title>always</i>, <i title>CORS</i>, and <i title>never</i>.

<p class=XXX>I think we want the default to become <i title>always</i>, but currently it
is <i title>never</i>.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-use-url-credentials-flag>use URL credentials flag</dfn>.
Unless stated otherwise, it is unset.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-manual-redirect-flag>manual redirect flag</dfn>. Unless stated
otherwise, it is unset.

<hr>

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-redirect-count>redirect count</dfn>. Unless stated otherwise,
it is zero.

<p>A <span title=concept-request>request</span> has an associated
<dfn title=concept-request-response-tainting>response tainting</dfn>, which is one of
<i title>basic</i>, <i title>CORS</i>, and <i title>opaque</i>. Unless stated otherwise,
it is <i title>basic</i>.

<p class="note no-backref">A <span title=concept-request>request</span>'s
<span title=concept-request-redirect-count>redirect count</span> and
<span title=concept-request-response-tainting>response tainting</span> are used as
bookkeeping details by the <span title=concept-fetch>fetch</span> algorithm.

<hr>

<p><span title=concept-fetch>Fetch</span> end points must enforce restrictions on a
<span title=concept-request>request</span>'s
<span title=concept-request-method>method</span> and
<span title=concept-request-author-headers>author headers</span>.

<p>The <dfn title=concept-forbidden-methods>forbidden methods</dfn> are
<span title=concept-method>methods</span> that are a <span>byte case-insensitive</span>
match for `<code title>CONNECT</code>`, `<code title>TRACE</code>`, and
`<code title>TRACK</code>`. <span data-anolis-ref>HTTPVERBSEC</span>

<p>The
<dfn title=concept-forbidden-author-header-names>forbidden author header names</dfn> are
all these <span title=concept-header>header</span>
<span title=concept-header-name>names</span>:

<ul class=brief>
 <li>`<code title>Accept-Charset</code>`
 <li>`<code title>Accept-Encoding</code>`
 <li>`<code title>Access-Control-Request-Headers</code>`
 <li>`<code title>Access-Control-Request-Method</code>`
 <li>`<code title>Connection</code>`
 <li>`<code title>Content-Length</code>`
 <li>`<code title>Cookie</code>`
 <li>`<code title>Cookie2</code>`
 <li>`<code title>Date</code>`
 <li>`<code title>DNT</code>`
 <li>`<code title>Expect</code>`
 <li>`<code title>Host</code>`
 <li>`<code title>Keep-Alive</code>`
 <li>`<code title=http-origin>Origin</code>`
 <li>`<code title>Referer</code>`
 <li>`<code title>TE</code>`
 <li>`<code title>Trailer</code>`
 <li>`<code title>Transfer-Encoding</code>`
 <li>`<code title>Upgrade</code>`
 <li>`<code title>User-Agent</code>`
 <li>`<code title>Via</code>`
</ul>

<p>&hellip; and <span title=concept-header>header</span>
<span title=concept-header-name>names</span> that start with `<code title>Proxy-</code>`
or `<code title>Sec-</code>` (including when it is just `<code title>Proxy-</code>` or
`<code title>Sec-</code>`).

<p class=note>These are forbidden so the user agent remains in full control over them.
<span title=concept-header-name>Names</span> starting with `<code title>Sec-</code>` are
not allowed to be set to allow new <span title=concept-header>headers</span> to be minted
that are guaranteed not to come from <span title=concept-fetch>fetching</span> end points
that allow control over <span title=concept-header>headers</span> by authors, such as
<code data-anolis-spec=xhr>XMLHttpRequest</code>.
<span data-anolis-ref class=informative>XHR</span>



<h3>Responses</h3>

<p>The result of <span title=concept-fetch>fetch</span> is a
<dfn title=concept-response>response</dfn>. A <span title=concept-response>response</span>
evolves over time. That is, not all its fields are available straight away.

<p>A <span title=concept-response>response</span> has an associated
<dfn title=concept-response-type>type</dfn> which is one of <i title>default</i>,
<i title>redirect</i>, and <i title>error</i>. Unless stated otherwise, it is
<i title>default</i>.

<p>A <span title=concept-response>response</span> can have an associated
<dfn title=concept-response-termination-reason>termination reason</dfn> which is one of
<i title>end-user abort</i>, <i title>fatal</i>, and <i title>timeout</i>.

<p>A <span title=concept-response>response</span> has an associated
<dfn title=concept-response-status>status</dfn>,
<dfn title=concept-response-status-message>status message</dfn>,
<dfn title=concept-response-location>location</dfn>,
<dfn title=concept-response-headers>headers</dfn>, and a
<dfn title=concept-response-body>body</dfn>.

<hr>

<p>Unless stated otherwise, a <span title=concept-response>response</span>'s
<span title=concept-response-status>status</span> is <code title>200</code>,
<span title=concept-response-status-message>status message</span> is `<code title>OK</code>`,
<span title=concept-response-location>location</span> is null,
<span title=concept-response-headers>headers</span> is an empty list, and
<span title=concept-response-body>body</span> is null,

<p>A <span title=concept-response>response</span> whose
<span title=concept-response-type>type</span> is <i title>error</i> is known as a
<dfn title=concept-network-error>network error</dfn>.

<p>A <span title=concept-network-error>network error</span>'s
<span title=concept-response-status>status</span> is <code title>0</code>,
<span title=concept-response-status-message>status message</span> is the empty byte sequence,
<span title=concept-response-location>location</span> is null,
<span title=concept-response-headers>headers</span> is an empty list, and
<span title=concept-response-body>body</span> is null.

<p>A <span title=concept-response>response</span> whose
<span title=concept-response-type>type</span> is <i title>redirect</i> is known as a
<dfn title=concept-redirect>redirect</dfn>.

<hr>

<p>A <dfn title=concept-filtered-response>filtered response</dfn> is a limited view on a
<span title=concept-response>response</span>. This
<span title=concept-response>response</span> is referred to as the
<span title=concept-filtered-response>filtered response</span>'s associated
<dfn title=concept-internal-response>internal response</dfn>.

<p class="note no-backref">The <span title=concept-fetch>fetch</span> algorithm returns
such a view to ensure APIs do not accidentally leak information. If the information is
required, e.g. to feed image data to a decoder, the associated
<span title=concept-internal-response>internal response</span> can be used.

<p>A <dfn title=concept-filtered-response-basic>basic filtered response</dfn> is a
<span title=concept-filtered-response>filtered responses</span> whose
<span title=concept-response-headers>response headers</span> exclude any
<span title=concept-header>headers</span> in
<span title=concept-internal-response>internal response</span>'s
<span title=concept-response-headers>response headers</span> whose
<span title=concept-header-name>name</span> is `<code title>Set-Cookie</code>` or
`<code title>Set-Cookie2</code>`.

<p>A <dfn title=concept-filtered-response-cors>CORS filtered responses</dfn> is a
<span title=concept-filtered-response>filtered responses</span> whose
<span title=concept-response-headers>response headers</span> exclude all
<span title=concept-header>headers</span> in
<span title=concept-internal-response>internal response</span>'s
<span title=concept-response-headers>response headers</span>, except those whose
<span title=concept-header-name>name</span> is either one of
`<code title>Cache-Control</code>`, `<code title>Content-Language</code>`,
`<code title>Content-Type</code>`, `<code title>Expires</code>`,
`<code title>Last-Modified</code>`, and `<code title>Pragma</code>`, and except those
whose <span title=concept-header-name>name</span> is one of the values of the
<span title=concept-header-parse>parsed</span>
<span title=concept-header-value>value</span> of the
<span title=concept-header>header</span> in
<span title=concept-internal-response>internal response</span>'s
<span title=concept-response-headers>response headers</span> whose
<span title=concept-header-name>name</span> is
`<code title=http-access-control-expose-headers>Access-Control-Expose-Headers</code>`.

<p>An <dfn title=concept-filtered-response-opaque>opaque filtered responses</dfn> is a
<span title=concept-filtered-response>filtered responses</span> whose
<span title=concept-response-type>type</span> is <i title>error</i>,
<span title=concept-response-status>status</span> is <code title>0</code>,
<span title=concept-response-status-message>status message</span> is the empty byte sequence,
<span title=concept-response-location>location</span> is null,
<span title=concept-response-headers>headers</span> is an empty list, and
<span title=concept-response-body>body</span> is null.

<p class="note no-backref">In other words, an
<span title=concept-filtered-response-opaque>opaque filtered response</span> is
indistinguishable from a <span title=concept-network-error>network error</span>. When
introducing new APIs, do not use the
<span title=concept-internal-response>internal response</span> as you will leak
information.



<h2>HTTP extensions</h2>

<h3>HTTP <code title>Origin</code> header</h3>

<p>The `<dfn title=http-origin><code>Origin</code></dfn>` request
<span title=concept-header>header</span> indicates where a
<span title=concept-fetch>fetch</span> originates from.

<p class=note>The `<code title=http-origin>Origin</code>` header is a stripped-down version
of the `<code title=http-referer>Referer</code>` [sic] header as to not reveal confidential
<span data-anolis-spec=url title=concept-url-path>path</span> information. It is used for
all <span title=concept-basic-fetch>basic fetches</span> whose <i title>CORS flag</i> is
set as well as <span title=concept-fetch>fetches</span> where
<span title=concept-request>request</span>'s
<span title=concept-request-method>method</span> is `<code title>POST</code>`. Due to
compatibility constraints it is not included in all fetches.
<!-- Ian Hickson told me Adam Barth researched that -->

<p>Its <span title=concept-header-value>value</span> ABNF:

<pre>Origin                           = origin-or-null

origin-or-null                   = origin / %x6E.75.6C.6C ; "null", case-sensitive
origin                           = <span data-anolis-spec=url title=concept-url-scheme>scheme</span> "://" <span data-anolis-spec=url title=concept-url-host>host</span> [ ":" <span data-anolis-spec=url title=concept-url-port>port</span> ]</pre>

<p class=note>This replaces the syntax defined for the
`<code title=http-origin>Origin</code>` header by The Web Origin Concept. Unfortunately
that document cannot be updated to match reality without involving layers and layers of
bureaucracy. <span data-anolis-ref>ORIGIN</span>


<h3>HTTP CORS protocol</h3>

<p>To allow sharing resources cross-origin and allow for more versatile HTTP requests than
possible with HTML's <code data-anolis-spec=html>form</code> element, the platform has
a <dfn>CORS protocol</dfn> layered on top of HTTP. It allows resources to declare they
can be shared with resources residing on a different <span>origin</span>.

<p class=note>It needs to be an opt-in mechanism to prevent leaking data from resources
behind a firewall (intranets). Additionally, for credentialed HTTP requests it needs to be
opt-in to prevent leaking potentially-sensitive data.

<p>This section explains the <span>CORS protocol</span> as it pertains to servers.
Requirements for user agents are part of the <span title=concept-fetch>fetch</span>
algorithm.

<h4>General</h4>

<p>The <span>CORS protocol</span> consists of a set of headers that indicates whether a
particular resource can be shared cross-origin.

<p>For HTTP requests that are more involved than what is possible with HTML's
<code data-anolis-spec=html>form</code> element, a <span>CORS preflight fetch</span> is
performed, to ensure the resource understands the <span>CORS protocol</span>.
<!-- XXX not an integrity check -->


<h4>HTTP requests</h4>

<p>An HTTP request can be identified as pertaining in the <span>CORS protocol</span> if it
includes an `<code title=http-origin>Origin</code>` header. This is named a
<dfn>CORS request</dfn>.

<p>An HTTP request can be identified as being a check to see if the
<span>CORS protocol</span> is understood if it is a <span>CORS request</span>, uses
`<code title>OPTIONS</code>` as <span title=concept-method>method</span>, and includes
these <span title=concept-header>headers</span>:

<dl>
 <dt>`<dfn title=http-access-control-request-method><code>Access-Control-Request-Method</code></dfn>`
 <dd><p>Indicates which <span title=concept-method>method</span> a future
 <span>CORS request</span> to the same resource might use.

 <dt>`<dfn title=http-access-control-request-headers><code>Access-Control-Request-Headers</code></dfn>`
 <dd><p>Indicates which <span title=concept-header>headers</span> a future
 <span>CORS request</span> to the same resource might use.
</dl>

<p>This is named a <dfn>CORS preflight request</dfn>.


<h4>HTTP responses</h4>

<p>An HTTP response to a <span>CORS request</span> can include the following
<span title=concept-header>headers</span>:

<dl>
 <dt>`<dfn title=http-access-control-allow-origin><code>Access-Control-Allow-Origin</code></dfn>`
 <dd><p>Indicates whether a resource can be shared, via returning the literal
 <span title=concept-header-value>value</span> of the
 <code title="http-origin"><a href="#http-origin">Origin</a></code> request
 <span title=concept-header>header</span> (which can be `<code title>null</code>`) or
 `<code title>*</code>` in a response.

 <dt>`<dfn title=http-access-control-allow-credentials><code>Access-Control-Allow-Credentials</code></dfn>`
 <dd>
  <p>Indicates whether a resource can be shared when
  <span title=concept-request>request</span>'s
  <span title=concept-request-omit-credentials-mode>omit credentials mode</span> is
  <i title>never</i>.

  <p class=note>For a <span>CORS preflight request</span>,
  <span title=concept-request>request</span>'s
  <span title=concept-request-omit-credentials-mode>omit credentials mode</span> is always
  <i title>never</i>, but for any subsequent
  <span title="CORS request">CORS requests</span> it might not be. Support therefore needs
  to be indicated as part of the HTTP response to the <span>CORS preflight request</span>
  as well.
</dl>

<p>An HTTP response to a <span>CORS preflight request</span> can include the following
<span title=concept-header>headers</span>:

<dl>
 <dt>`<dfn title=http-access-control-allow-methods><code>Access-Control-Allow-Methods</code></dfn>`
 <dd>
  <p>Indicates which <span title=concept-method>methods</span> are supported by the
  resource for the purposes of the <span>CORS protocol</span>.

  <p class=note>The `<code title>Allow</code>` <span title=concept-header>header</span> is
  not relevant for the purposes of the <span>CORS protocol</span>.

 <dt>`<dfn title=http-access-control-allow-headers><code>Access-Control-Allow-Headers</code></dfn>`
 <dd><p>Indicates which <span title=concept-header>headers</span> are supported by the
 resource for the purposes of the <span>CORS protocol</span>.

 <dt>`<dfn title=http-access-control-max-age><code>Access-Control-Max-Age</code></dfn>`
 <dd><p>Indicates how long the information provided by the
 `<code title=http-access-control-allow-methods>Access-Control-Allow-Methods</code>` and
 `<code title=http-access-control-allow-headers>Access-Control-Allow-Headers</code>`
 <span title=concept-header>headers</span> can be cached.
</dl>

<p>An HTTP response to a <span>CORS request</span> that is not a
<span>CORS preflight request</span> can also include the following
<span title=concept-header>header</span>:

<dl>
 <dt>`<dfn title=http-access-control-expose-headers><code>Access-Control-Expose-Headers</code></dfn>`
 <dd><p>Indicates which <span title=concept-header>headers</span> can be exposed as part
 of the HTTP response, via listing their <span title=concept-header-name>names</span>.
</dl>


<h4>HTTP new header syntax</h4>

<p>ABNF for the <span title=concept-header-value>values</span> of the
<span title=concept-header>headers</span> used by the <span>CORS protocol</span>:

<pre>Access-Control-Request-Method    = <span data-anolis-spec=http>Method</span>
Access-Control-Request-Headers   = #<span data-anolis-spec=http>field-name</span>

Access-Control-Allow-Origin      = origin-or-null / "*"
Access-Control-Allow-Credentials = %x74.72.75.65 ; "true", case-sensitive
Access-Control-Expose-Headers    = #<span data-anolis-spec=http>field-name</span>
Access-Control-Max-Age           = <span data-anolis-spec=http>delta-seconds</span>
Access-Control-Allow-Methods     = #<span data-anolis-spec=http>Method</span>
Access-Control-Allow-Headers     = #<span data-anolis-spec=http>field-name</span></pre>



<h2>Fetching</h2>

<div class="note no-backref">
 <p>The algorithm below defines <span title=concept-fetch>fetching</span>. In broad
 strokes, it takes a <span title=concept-request>request</span> and outputs a
 <span title=concept-response>response</span>.

 <p>That is, it either returns a <span title=concept-response>response</span> if
 <span title=concept-request>request</span>'s <span>synchronous flag</span> is set, or it
 <span data-anolis-spec=html title="queue a task">queues</span>
 <span data-anolis-spec=html title=concept-task>tasks</span> annotated
 <span>process response</span>, <span>process response body</span>, and
 <span>process response end-of-file</span> for the
 <span title=concept-response>response</span> on the
 <span data-anolis-spec=html>networking task source</span>.

 <p>To capture uploads, if <span title=concept-request>request</span>'s
 <span>synchronous flag</span> is unset,
 <span data-anolis-spec=html title=concept-task>tasks</span> annotated
 <span>process request body</span> and <span>process request end-of-file</span> for the
 <span title=concept-request>request</span> can be
 <span data-anolis-spec=html title="queue a task">queued</span> on the
 <span data-anolis-spec=html>networking task source</span>.
</div>

<p>To perform a <dfn title=concept-fetch>fetch</dfn> using <var title>request</var>,
optionally with a <i title>CORS flag</i>, run the steps below. An ongoing
<span title=concept-fetch>fetch</span> can be
<dfn title=concept-fetch-terminate>terminated</dfn> with reason <var title>reason</var>,
which must be one of <i title>end-user abort</i>, <i title>fatal</i>, or
<i title>timeout</i>.

<p class="note no-backref">The <i title>CORS flag</i> is an internal manner for handling
<span title=concept-redirect>redirects</span>. Only use the <var title>request</var>
parameter in other standards.

<ol>
 <li><p>Modify <var title>request</var>'s <span title=concept-request-url>url</span> per
 HTTP Strict Transport Security, if applicable. <span data-anolis-ref>HSTS</span>

 <li><p>Let <var title>url</var> be <var title>request</var>'s
 <span title=concept-request-url>url</span>.

 <li><p>Let <var title>origin</var> be <var title>request</var>'s
 <span title=concept-request-origin>origin</span>.

 <li><p>If <var title>request</var>'s <span>synchronous flag</span> is unset and
 <span title=concept-fetch>fetch</span> is not invoked recursively, run the remaining steps asynchronously.

 <li>
  <p>Let <var title>response</var> be the value corresponding to the first matching
  statement:

  <dl class=switch>
   <dt><var title>url</var>'s <span>origin</span> is <var title>origin</var> and the <i title>CORS flag</i> is unset
   <dt><var title>url</var>'s <span data-anolis-spec=url title=concept-url-scheme>scheme</span>
   is one of "<code title>about</code>", "<code title>blob</code>", and "<code title>data</code>",
   and <var title>request</var>'s <span title=concept-request-redirect-count>redirect count</span> is zero

   <dd><p>The result of performing a <span title=concept-basic-fetch>basic fetch</span> using <var title>request</var>.

   <dt><var title>request</var>'s <span title=concept-request-mode>mode</span> is
   "same-origin"

   <dd><p>A <span title=concept-network-error>network error</span>.

   <dt><var title>request</var>'s <span title=concept-request-mode>mode</span> is
   "tainted cross-origin"
   <dd>
    <p>Set <var title>request</var>'s
    <span title=concept-request-response-tainting>response tainting</span> to
    <i title>opaque</i>.
    <p>The result of performing a <span title=concept-basic-fetch>basic fetch</span> using
    <var title>request</var>.
    <!-- file URLs end up here as they are not same-origin typically. -->

   <dt><var title>url</var>'s <span title=concept-url-scheme>scheme</span> is not one of
   "<code title>http</code>" and "<code title>https</code>"

   <dd><p>A <span title=concept-network-error>network error</span>.

   <dt><var title>request</var>'s <span>force preflight flag</span> is set
   <dt><var title>request</var>'s <span title=concept-request-method>method</span> is not
   a <span>simple method</span>
   <dt>A <span title=concept-header>header</span> in <var title>request</var>'s
   <span title=concept-author-headers>author headers</span> is not a <span>simple header</span>
   <dd>
    <p>Set <var title>request</var>'s
    <span title=concept-request-response-tainting>response tainting</span> to
    <i title>CORS</i>.
    <p>The result of performing a <span>CORS fetch with preflight</span> using <var title>request</span>.

   <dt>Otherwise
   <dd>
    <p>Set <var title>request</var>'s
    <span title=concept-request-response-tainting>response tainting</span> to
    <i title>CORS</i>.
    <p>The result of performing a <span title=concept-basic-fetch>basic fetch</span> using
    <var title>request</var> with the <i title>CORS flag</i> set.
  </dl>

 <li><p>If <span title=concept-fetch>fetch</span> is invoked recursively, return <var title>response</var>.

 <li>
  <p>Set <var title>response</var> to the following
  <span title=concept-filtered-response>filtered response</span> with
  <var title>response</var> as its
  <span title=concept-internal-response>internal response</span>, depending on
  <var title>request</var>'s
  <span title=concept-request-response-tainting>response tainting</span>:

  <dl class="switch compact">
   <dt><i title>basic</i>
   <dd><span title=concept-filtered-response-basic>basic filtered response</span>
   <dt><i title>CORS</i>
   <dd><span title=concept-filtered-response-cors>CORS filtered response</span>
   <dt><i title>opaque</i>
   <dd><span title=concept-filtered-response-opaque>opaque filtered response</span>
  </dl>

 <li><p>If <var title>request</var>'s <span>synchronous flag</span> is set, wait for
 either <var title>response</var> to have been fully transmitted or
 <var title>response</var> to have a
 <span title=concept-response-termination-reason>termination reason</span>, and then
 return it.

 <li>
  <p>Otherwise, run these substeps:

  <ol>
   <li><p><span data-anolis-spec=html title="queue a task">Queue</span> a
   <span data-anolis-spec=html title=concept-task>task</span> to
   <dfn>process response</dfn> for <var title>response</var>.

   <li><p>If <var title>response</var> is a
   <span title=concept-network-error>network error</span>, terminate this algorithm.
   <span class=note>No point in continuing.</span>

   <li><p>Then, either once <var title>response</var>'s
   <span title=concept-response-body>body</span> is at least one byte long or there is no
   <var title>response</var>'s <span title=concept-response-body>body</span>,
   <span data-anolis-spec=html title="queue a task">queue</span> a
   <span data-anolis-spec=html title=concept-task>task</span> to
   <dfn>process response body</dfn> for <var title>response</var>. Keep
   <span data-anolis-spec=html title="queue a task">queuing</span>
   <span data-anolis-spec=html title=concept-task>tasks</span> to
   <span>process response body</span> for <var title>response</var> every 50ms or for each
   byte of <var title>response</var>'s <span title=concept-response-body>body</span>
   transmitted, whichever is <em>least</em> frequent, while <var title>response</var> has
   no <span title=concept-response-termination-reason>termination reason</span>.

   <li>
    <p>Then, once <var title>response</var>'s
    <span title=concept-response-body>body</span> is fully transmitted or has a
    <span title=concept-response-termination-reason>termination reason</span>,
    <span data-anolis-spec=html title="queue a task">queue</span> a
    <span data-anolis-spec=html title=concept-task>task</span> to
    <dfn>process response end-of-file</dfn> for <var title>response</var>

    <p class=note>This specification does not define what "fully transmitted" means.
    Ideally FTP/HTTP define this in detail, including when e.g.
    `<code title>Content-Length</code>` is not supplied or is deemed faulty.
  </ol>

  <p>Use the <span data-anolis-spec=html>networking task source</span> for these
  <span data-anolis-spec=html title=concept-task>tasks</span>.
</ol>


<h3>Basic fetch</h3>

<p>To perform a <dfn title=concept-basic-fetch>basic fetch</dfn> using <var title>request</var>, with an optional
<i title>CORS flag</i> and <i title>HTTP authentication flag</i>, switch on <var title>request</var>'s
<span title=concept-request-url>url</span>'s
<span data-anolis-spec=url title=concept-url-scheme>scheme</span> and run the associated
steps:

<dl class=switch>
 <dt>"<code title>about</code>"
 <dd>
  <p>If <var title>request</var>'s <span title=concept-request-url>url</span>'s
  <span data-anolis-spec=url title=concept-url-scheme-data>scheme data</span> is
  "<code title>blank</code>", return a <span title=concept-response>response</span> whose
  <span title=concept-response-headers>headers</span> consist of a single
  <span title=concept-header>header</span> whose
  <span title=concept-header-name>name</span> is `<code title>Content-Type</code>` and
  <span title=concept-header-value>value</span> is
  `<code title>text/html;charset=utf-8</code>`, and
  <span title=concept-response-body>body</span> is the empty byte sequence.

  <!-- introduce about:unicorn
       http://html5.org/temp/unicorn.svg -->

  <p>Otherwise, return a <span title=concept-network-error>network error</span>.

  <p class="note no-backref"><span data-anolis-spec=url title=concept-url>URLs</span> such
  as "<code title>about:config</code>" are handled during
  <span data-anolis-spec=html title=navigate>navigation</span> and result in a
  <span title=concept-network-error>network error</span> in the context of
  <span title=concept-fetch>fetching</span>.

 <dt>"<code title>blob</code>"
 <dd>
  <p class=XXX>It has been argued this should be handled outside of
  <span title=concept-fetch>fetching</span>.

 <dt>"<code title>data</code>"
 <dd>
  <p>If <var title>request</var>'s <span title=concept-request-method>method</span> is
  `<code title>GET</code>` and
  <a href="http://simonsapin.github.com/data-urls/">obtaining a resource</a> from
  <var title>request</var>'s <span title=concept-request-url>url</span> does not return
  failure, return a <span title=concept-response>response</span> whose
  <span title=concept-response-headers>headers</span> consist of a single
  <span title=concept-header>header</span> whose
  <span title=concept-header-name>name</span> is `<code title>Content-Type</code>` and
  <span title=concept-header-value>value</span> is the MIME type and parameters returned
  from <a href="http://simonsapin.github.com/data-urls/">obtaining a resource</a>, and
  <span title=concept-response-body>body</span> is the data returned from
  <a href="http://simonsapin.github.com/data-urls/">obtaining a resource</a>.
  <!-- XXX "obtaining a resource" needs a better reference -->

  <p>Otherwise, return a <span title=concept-network-error>network error</span>.

 <dt>"<code title>file</code>"
 <dd>
  <p>For now, unfortunate as it is, <code title>file</code>
  <span data-anolis-spec=url title=concept-url>URLs</span> are left as an exercise for the
  reader.

  <p>When in doubt, return a <span title=concept-network-error>network error</span>.

 <dt>"<code title>ftp</code>"
 <dd>
  <p>Follow the requirements from FTP to retrieve a resource.

  <p class=XXX>Map the result to <span title=concept-response>response</span>.

 <dt>"<code title>http</code>"
 <dt>"<code title>https</code>"
 <dd>
  <p>Make an HTTP request following the requirements from HTTP and TLS as appropriate,
  with these additional constraints:

  <ol>
   <li>
    <p>Set the HTTP request method to <var title>request</var>'s
    <span title=concept-request-method>method</span>.

    <p class="note no-backref"><span title=concept-forbidden-methods>Forbidden methods</span>
    are not supposed to reach this point.

   <li>
    <p>If <var title>request</var>'s
    <span title=concept-request-referrer>referrer</span> is not null, include a
    `<code title>Referer</code>` <span title=concept-header>header</span>
    whose <span title=concept-header-value>value</span> is <var title>request</var>'s
    <span title=concept-request-referrer>referrer</span>.

    <p class="note no-backref">User agents are encouraged to provide the end user with
    options to always exclude `<code title>Referer</code>`
    <span title=concept-header>headers</span> or have it expose less sensitive
    information.

   <li>
    <p>If <var title>request</var>'s <span>force <code>Origin</code> header flag</span> is
    set, include an `<code title>Origin</code>` <span title=concept-header>header</span>
    whose <span title=concept-header-value>value</span> is <var title>request</var>'s
    <span title=concept-request-origin>origin</span>,
    <span class=XXX>serialized to a byte sequence</span>.

   <li>
    <p>Include all of <var title>request</var>'s
    <span title=concept-request-headers>headers</span> and let them replace any
    <span title=concept-header>headers</span> with the same
    <span title=concept-header-name>name</span> already present in the HTTP request.

   <li>
    <p>Include all of <var title>request</var>'s
    <span title=concept-request-author-headers>author headers</span> as long as their
    <span title=concept-header-name>name</span> is <em>not</em> already present in the
    HTTP request.

    <p class="note no-backref"><span title=concept-forbidden-author-header-names>Forbidden author header names</span>
    are not supposed to reach this point.

   <li>
    <p>If <var title>request</var>'s
    <span title=concept-request-omit-credentials-mode>omit credentials mode</span> is
    <i title>never</i> or <var title>request</var>'s
    <span title=concept-request-omit-credentials-mode>omit credentials mode</span> is
    <i title>CORS</i> and the <i title>CORS flag</i> is unset, run these substeps:

    <ol>
     <li><p>Include `<code title>Cookie</code>` headers associated with
     <var title>request</var>'s <span title=concept-request-url>url</span>.
     <span data-anolis-ref>COOKIES</span>

     <!-- http://wiki.whatwg.org/wiki/HTTP_Authentication -->
     <li><p>If there's an <b title>authentication entry</b> for <var title>request</var>'s
     <span title=concept-request-url>url</span> and either
     <var title>request</var>'s <span title=concept-request-use-url-credentials-flag>use URL credentials flag</span> is unset or
     <var title>request</var>'s <span title=concept-request-url>url</span>
     does not include credentials, include the <code>Authorization</code> header from the
     <b title>authentication entry</b>.
     <!-- XXX need to define "includes credentials" in URL as username != "" and password != null??
              need to define the cache concept -->

     <li><p>Otherwise, if <var title>request</var>'s <span title=concept-request-url>url</span>
     includes credentials, and the <i title>HTTP authentication flag</i> is set, include an
     <code>Authorization</code> header using those credentials.
     <!-- XXX ... -->
    </ol>

   <li>
    <p>If there's a <b title>proxy authentication entry</b>, use it as appropriate.
    <span data-anolis-ref>HTTP</span>

    <p class=note>This intentionally does not depend on <var title>request</var>'s
    <span title=concept-request-omit-credentials-mode>omit credentials mode</span>.

   <li>
    <p>If <var title>request</var>'s <span title=concept-request-body>body</span> is
    non-null, include it, and <span data-anolis-spec=html title="queue a task">queue</span>
    a <span data-anolis-spec=html title=concept-task>task</span> every 50ms or for each
    byte of <var title>request</var>'s <span title=concept-request-body>body</span>
    transmitted, whichever is <em>least</em> request, to <dfn>process request body</dfn>
    for <var title>request</var>.

    <p>If included, when <var title>request</var>'s
    <span title=concept-request-body>body</span> is fully transmitted (and the HTTP
    request has not been observably terminated yet),
    <span data-anolis-spec=html title="queue a task">queue</span>
    a <span data-anolis-spec=html title=concept-task>task</span> to
    <dfn>process request end-of-file</dfn> for <var title>request</var>.

    <p>Use the <span data-anolis-spec=html>networking task source</span>.
  </ol>

  <p>If the HTTP request is terminated before all headers from the resource are obtained,
  return a <span title=concept-network-error>network error</span>. If this is due to
  <span title=concept-fetch>fetch</span> being
  <span title=concept-fetch-terminate>terminated</span> with reason
  <var title>reason</var>, set the return value's
  <span title=concept-response-termination-reason>termination reason</span> to
  <var title>reason</var>.

  <p>Otherwise, when the headers from the resource are obtained, let
  <var title>response</var> be a new <span title=concept-response>response</span> and set
  its fields appropriately.
  <!-- XXX do we need to spell this out? -->

  <p>If there are cookies to be set and either <var title>request</var>'s
  <span title=concept-request-omit-credentials-mode>omit credentials mode</span> is
  <i title>never</i>, or <var title>request</var>'s
  <span title=concept-request-omit-credentials-mode>omit credentials mode</span> is
  <i title>CORS</i> and the <i title>CORS flag</i> is unset, run these steps:

  <ol>
   <li><p>Wait until ownership of the <span data-anolis-spec=html>storage mutex</span> can
   be taken by this instance of the <span title=concept-fetch>fetch</span> algorithm.

   <li><p>Take ownership of the <span data-anolis-spec=html>storage mutex</span>.

   <li>
    <p>Update the cookies. <span data-anolis-ref>COOKIES</span>

    <p class=note>This is a fingerprinting vector.

   <li><p>Release the <span data-anolis-spec=html>storage mutex</span> so that it is once
   again free.
  </ol>

  <p>If the <i title>CORS flag</i> is set and a <span>CORS check</span> for
  <var title>request</var> and <var title>response</var> returns failure, return a
  <span title=concept-network-error>network error</span>.

  <p>If <var title>response</var>'s <span title=concept-response-status>status</span> is
  304, run these steps:

  <ol class=XXX>
   <li><p>For responses that are a result of a user agent generated conditional request
   the user agent must act as if the server gave a <code>200 OK</code> response with the
   appropriate content. The user agent must allow <span>author request headers</span> to
   override automatic cache validation (e.g. <code>If-None-Match</code> or
   <code>If-Modified-Since</code>), in which case <code>304 Not Modified</code> responses
   must be passed through.
  </ol>

  <p>Otherwise, if
  <var title>response</var>'s <span title=concept-response-status>status</span> is
  301, 302, 303, 307, or 308, run these steps:

  <ol>
   <li><p>If <var title>response</var>'s
   <span title=concept-response-headers>headers</span> do not contain a
   <span title=concept-header>header</span> whose
   <span title=concept-header-name>name</span> is `<code title>Location</code>`, return
   <var title>response</var>.

   <li><p>If <var title>response</var>'s
   <span title=concept-response-headers>headers</span> contain more than one
   <span title=concept-header>header</span> whose
   <span title=concept-header-name>name</span> is `<code title>Location</code>`, return a
   <span title=concept-network-error>network error</span>.
   <!-- only Gecko does this; if removed add "first" below -->

   <li><p>Let <var title>location</var> be the
   <span title=concept-header-value>value</span> of the
   <span title=concept-header>header</span> whose
   <span title=concept-header-name>name</span> is `<code title>Location</code>` within
   <var title>response</var>'s <span title=concept-response-headers>headers</span>.

   <li><p>Let <var title>parsed location</var> be the result of
   <span data-anolis-spec=url title=concept-url-parser>parsing</span>
   <var title>location</var> with <var title>request</var>'s
   <span title=concept-request-url>url</span>.

   <li><p>If <var title>parsed location</var> is failure, return a
   <span title=concept-network-error>network error</span>.

   <li><p>If <var title>request</var>'s
   <span title=concept-request-redirect-count>redirect count</span> is twenty, return a
   <span title=concept-network-error>network error</span>.

   <li><p>Increase <var title>request</var>'s
   <span title=concept-request-redirect-count>redirect count</span> by one.

   <li><p>Set <var title>response</var>'s <span title=concept-response-type>type</span> to
   <i title>redirect</i>.

   <li><p>Set <var title>response</var>'s
   <span title=concept-response-location>location</span> to
   <var title>parsed location</var>.

   <li>
    <p>If <var title>request</var>'s
    <span title=concept-request-manual-redirect-flag>manual redirect flag</span> is unset,
    run these substeps:

    <ol>
     <li><p>If the <i title>CORS flag</i> is set and <var title>response</var>'s
     <span title=concept-response-location>location</span>'s <span>origin</span> is not
     <var title>request</var>'s <span title=concept-request-url>url</span>'s
     <span>origin</span>, set <var title>request</var>'s
     <span title=concept-request-origin>origin</span> to a globally unique identifier.

     <li><p>If the <i title>CORS flag</i> is set and <var title>response</var>'s
     <span title=concept-response-location>location</span>'s
     <span data-anolis-spec=url title=concept-url-username>username</span> or
     <span data-anolis-spec=url title=concept-url-password>password</span> is non-null,
     return a <span title=concept-network-error>network error</span>.

     <li><p>Set <var title>request</var>'s <span title=concept-request-url>url</span> to
     <var title>response</var>'s <span title=concept-response-location>location</span>.

     <li><p>Return the result of performing a <span title=concept-fetch>fetch</span> using
     <var title>request</var>, with the <i title>CORS flag</i> set if set.
    </ol>
  </ol>

  <p>Otherwise, if
  <var title>response</var>'s <span title=concept-response-status>status</span> is 401,
  run these steps:

  <ol>
   <li><p>If the <i title>CORS flag</i> is set, return <var title>response</var>.

   <li class=XXX><p>Needs testing: multiple <code>WWW-Authenticate</code> headers,
   missing, parsing issues.

   <li>
    <p>If <var title>request</var>'s
    <span title=concept-request-use-url-credentials-flag>use URL credentials flag</span>
    is unset, or the <i title>HTTP authentication flag</i> is set, run these substeps:

    <ol>
     <li><p>Prompt the end user for a username and password.

     <li><p>Set <var title>request</var>'s <span title=concept-request-url>url</span>'s
     <span data-anolis-spec=url title=concept-url-username>username</span> and
     <span data-anolis-spec=url title=concept-url-password>password</span> to the given
     values.
     <!-- XXX sanitization? -->
    </ol>

   <li><p>Return the result of performing a <span title=concept-basic-fetch>basic fetch</span> using
   <var title>request</var>, with the <i title>HTTP authentication flag</i> set.
  </ol>

  <p>Otherwise, if
  <var title>response</var>'s <span title=concept-response-status>status</span> is 407,
  run these steps:

  <ol>
   <li class=XXX><p>Needs testing: multiple <code>Proxy-Authenticate</code> headers,
   missing, parsing issues.

   <li>
    <p>Prompt the end user as appropriate and store the result as appropriate as a
    <b title>proxy authentication entry</b>.
    <span data-anolis-ref>HTTP</span>

    <p class=note>Remaining details surrounding proxy authentication are defined by HTTP.

   <li><p>Return the result of performing <span title=concept-basic-fetch>basic fetch</span> using
   <var title>request</var>.
  </ol>

  <p>If the <i title>HTTP authentication flag</i> is set, create an <b title>authentication entry</b> for
  <var title>request</var>'s <span title=concept-request-url>url</span> and the given
  realm. <span data-anolis-ref>HTTPAUTH</span>

  <p>Return <var title>response</var>, but continue with the request and growing
  <var title>response</var>'s <span title=concept-response-body>body</span>. If at any
  point <span title=concept-fetch>fetch</span> is
  <span title=concept-fetch-terminate>terminated</span> with reason
  <var title>reason</var>, set <var title>response</var>'s
  <span title=concept-response-termination-reason>termination reason</span> to
  <var title>reason</var>. <span class=note>This modifies <var title>response</var> after
  it has been returned. Logic in <span title=concept-fetch>fetch</span> takes care of the
  rest.</span>

 <dt>Otherwise
 <dd><p>Return a <span title=concept-network-error>network error</span>.
</dl>


<h3>CORS fetch with preflight</h3>

<p>To perform a <dfn>CORS fetch with preflight</dfn> using <var title>request</var>, run
these steps:

<ol>
 <li>
  <p>If

  <ul>
   <li>there is no <span>method cache match</span> for
   <var title>request</var>'s <span title=concept-request-method>method</span> using
   <var title>request</var>, and
   <li>either <var title>request</var>'s <span title=concept-request-method>method</span>
   is a not <span>simple method</span> or <var title>request</var>'s
   <span>force preflight flag</span> is set, and
   <li>there is at least one <span title=concept-header>header</span>
   <span title=concept-header-name>name</span> in <var title>request</var>'s
   <span title=concept-request-author-headers>author headers</span> for which there is no
   <span>header name cache match</span> using <var title>request</var> and for which the
   <span title=concept-header>header</span> is not a <span>simple header</span>
  </ul>

  <p>then run these substeps:

  <ol>
   <li><p>Let <var title>response</var> be a <span>CORS preflight fetch</span> using
   <var title>request</var>.

   <li><p>If <var title>response</var> is a <span title=concept-network-error>network error</span>, return
   <var title>response</var>.
  </ol>

 <li><p>Set <var title>request</var>'s
 <span title=concept-request-manual-redirect-flag>manual redirect flag</span>.

 <li><p>Let <var title>response</var> be a <span title=concept-basic-fetch>basic fetch</span> using
 <var title>request</var> with the <i title>CORS flag</i> set.

 <li><p>If <var title>response</var> is a <span title=concept-redirect>redirect</span>, set its
 <span title=concept-response-type>type</span> to <i title>error</i>.

 <li><p>If <var title>response</var> is a <span title=concept-network-error>network error</span>,
 <span title=cache-clear>clear</span> using <var title>request</var>.

 <li><p>Return <var title>response</var>.
</ol>


<h3>CORS preflight fetch</h3>

<p>To perform a <dfn>CORS preflight fetch</dfn> using <var title>request</var>, run these
steps:

<ol>
 <li><p>Let <var title>preflight</var> be a new <span title=concept-request>request</span>.

 <li><p>Set <var title>preflight</var>'s <span title=concept-request-url>url</span> to
 <var title>request</var>'s <span title=concept-request-url>url</span>.

 <li><p>Set <var title>preflight</var>'s <span title=concept-request-origin>origin</span> to
 <var title>request</var>'s <span title=concept-request-origin>origin</span>.

 <li><p>Set <var title>preflight</var>'s <span title=concept-request-referrer>referrer</span> to
 <var title>request</var>'s <span title=concept-request-referrer>referrer</span>.

 <li><p>Set <var title>preflight</var>'s <span title=concept-request-method>method</span> to
 `<code title>OPTIONS</code>`.

 <li><p>Append a <span title=concept-header>header</span>
 <span title=concept-header-name>named</span>
 `<code title=http-access-control-request-method>Access-Control-Request-Method</code>`
 with <span title=concept-header-value>value</span> <var title>request</var>'s
 <span title=concept-request-method>method</span> to <var title>preflight</var>'s
 <span title=concept-request-headers>headers</span>.

 <li><p>Let <var title>headers</var> be the <span title=concept-header-name>names</span>
 of <var title>request</var>'s
 <span title=concept-request-author-headers>author headers</span>, sorted
 lexicographically and <span class=XXX>byte lowercased</span>.

 <li><p>Let <var title>header value</var> be the items in <var title>headers</var>
 separated from each other by 0x2C 0x20.

 <li><p>Append a <span title=concept-header>header</span>
 <span title=concept-header-name>named</span>
 `<code title=http-access-control-request-headers>Access-Control-Request-Headers</code>`
 with <span title=concept-header-value>value</span> <var title>header value</var> to
 <var title>preflight</var>'s <span title=concept-request-headers>headers</span>.

 <li><p>Set <var title>preflight</var>'s
 <span title=concept-request-manual-redirect-flag>manual redirect flag</span>.

 <li><p>Let <var title>response</var> be the result of performing a
 <span title=concept-basic-fetch>basic fetch</span> using <var title>preflight</var> with the <i title>CORS flag</i>
 set.

 <li>
  <p>If <var title>response</var>'s <span title=concept-response-status>status</span> is
  in the range 200 to 299, run these substeps:
  <!-- CORS said 200 here but nobody implemented that:
       http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0078.html -->

  <ol>
   <li><p>Let <var title>methods</var> be the result of
   <span title=concept-header-parse>parsing</span> all <var title>response</var>'s
   <span title=concept-response-headers>headers</span>'
   <span title=concept-header-name>named</span>
   `<code title=http-access-control-allow-methods>Access-Control-Allow-Methods</code>`.

   <li><p>Let <var title>header names</var> be the result of
   <span title=concept-header-parse>parsing</span> all <var title>response</var>'s
   <span title=concept-response-headers>headers</span>'
   <span title=concept-header-name>named</span>
   `<code title=http-access-control-allow-headers>Access-Control-Allow-Headers</code>`.

   <li><p>If either <var title>methods</var> or <var title>header names</var> is failure,
   return a <span title=concept-network-error>network error</span>.

   <li>
    <p>If <var title>methods</var> is empty <var title>request</var>'s
    <span>force preflight flag</span> is set, append <var title>request</var>'s
    <span title=concept-request-method>method</span> to <var title>methods</var>.

    <p class=note>This ensures that a <span>CORS preflight fetch</span> that happened
    solely because of <var title>request</var>'s <span>force preflight flag</span> is too.

   <li><p>If <var title>request</var>'s <span title=concept-request-method>method</span>
   is not in <var title>methods</var> and is not a <span>simple method</span>, return
   failure.

   <li><p>If one of <var title>request</var>'s
   <span title=concept-request-headers>headers</span>'
   <span title=concept-header-name>names</span> is not in <var title>header names</var> or
   its corresponding <span title=concept-header>header</span> is not a
   <span>simple header</span>, return a <span title=concept-network-error>network error</span>.

   <li><p>Let <var title>max-age</var> be the result of
   <span title=concept-header-parse>parsing</span> all <var title>response</var>'s
   <span title=concept-response-headers>headers</span>'
   <span title=concept-header-name>named</span>
   `<code title=http-access-control-max-age>Access-Control-Max-Age</code>`.

   <li><p>If <var title>max-age</var> is failure, set <var title>max-age</var> to zero.

   <li><p>If <var title>max-age</var> is greater than an imposed limit on
   <span title=cache-max-age>max-age</span>, set <var title>max-age</var> to the imposed
   limit.

   <li><p>If the user agent does not provide for a cache, return
   <var title>response</var>.

   <li><p>For each method in <var title>methods</var> for which there is a
   <span>method cache match</span> using <var title>request</var>, set matching entry's
   <span title="cache-max-age">max-age</span> to <var title>max-age</var>.

   <li>
    <p>For each <var title>method</var> in <var title>methods</var> for which there is
    <em>no</em>  <span>method cache match</span> using <var title>request</var>, create a
    new entry in the <span>CORS preflight cache</span> as follows:

    <dl>
     <dt><span title=cache-origin>origin</span>
     <dd><var title>request</var>'s <span title=concept-request-origin>origin</span>

     <dt><span title=cache-url>url</span>
     <dd><var title>request</var>'s <span title=concept-request-url>url</span>

     <dt><span title=cache-max-age>max-age</span>
     <dd><var title>max-age</var>

     <dt><span title="cache-credentials">credentials</span>
     <dd>False if <var title>request</var>'s
     <span title=concept-request-omit-credentials-mode>omit credentials mode</span> is not
     <i title>never</i>, and true otherwise

     <dt><span title="cache-method">method</span></dt>
     <dd><var title>method</var>
    </dl>

   <li><p>For each header name in <var title>header names</var> for which there is a
   <span>header name cache match</span> using <var title>request</var>, set
   matching entry's <span title=cache-max-age>max-age</span> to <var title>max-age</var>.

   <li>
    <p>For each <var title>header name</var> in <var title>header names</var> for which
    there is <em>no</em> <span>header name cache match</span> using
    <var title>request</var>, create a new entry in the <span>CORS preflight cache</span>
    as follows:

    <dl>
     <dt><span title=cache-origin>origin</span>
     <dd><var title>request</var>'s <span title=concept-request-origin>origin</span>

     <dt><span title=cache-url>url</span>
     <dd><var title>request</var>'s <span title=concept-request-url>url</span>

     <dt><span title=cache-max-age>max-age</span>
     <dd><var title>max-age</var>

     <dt><span title=cache-credentials>credentials</span>
     <dd>False if <var title>request</var>'s
     <span title=concept-request-omit-credentials-mode>omit credentials mode</span> is not
     <i title>never</i>, and true otherwise

     <dt><span title=cache-header-name>header name</span></dt>
     <dd><var title>header name</var>
    </dl>

   <li><p>Return <var title>response</var>.
  </ol>

 <li><p>Otherwise, return a <span title=concept-network-error>network error</span>.
</ol>


<h3>CORS preflight cache</h3>

<p>A <dfn>CORS preflight cache</dfn> consists of a collection of entries where each
entry has these fields:
  <dfn title=cache-origin>origin</dfn>,
  <dfn title=cache-url>url</dfn>,
  <dfn title=cache-max-age>max-age</dfn>,
  <dfn title=cache-credentials>credentials</dfn>,
  <dfn title=cache-method>method</dfn>, and
  <dfn title=cache-header-name>header name</dfn>.

<p>Entries must be removed after the seconds specified in the
<span title="cache-max-age">max-age</span> field have passed since storing the entry.
Entries may be removed before that moment arrives.

<p>To <dfn title=cache-clear>clear</dfn> entries using a <var title>request</var>,
remove any entries in the <span>CORS preflight cache</span> whose
<span title=cache-origin>origin</span> is <var title>request</var>'s
<span title=concept-request-origin>origin</span> and whose
<span title=cache-url>url</span> is <var title>request</var>'s
<span title=concept-request-url>url</span>.

<p>There is a <dfn>cache match</dfn> for a <var title>request</var> if
<span title="cache-origin">origin</span> is <var title>request</var>'s
<span title=concept-request-origin>origin</span>, <span title=cache-url>url</span> is
<var title>request</var>'s <span title=concept-request-url>url</span>, and either
<span title="cache-credentials">credentials</span> is false and <var title>request</var>'s
<span title=concept-request-omit-credentials-mode>omit credentials mode</span> is not
<i title>never</i> or
<span title="cache-credentials">credentials</span> is true and <var title>request</var>'s
<span title=concept-request-omit-credentials-mode>omit credentials mode</span> is
<i title>never</i>.

<p>There is a <dfn>method cache match</dfn> for a given method using <var title>request</var>
when there is an entry in <span>CORS preflight cache</span> for which there is a
<span>cache match</span> for <var title>request</var> and its
<span title="cache-method">method</span> is the given method.

<p>There is a <dfn>header name cache match</dfn> for a given header name using <var title>request</var>
when there is an entry in <span>CORS preflight cache</span> for which there is a
<span>cache match</span> for <var title>request</var> and its
<span title=cache-header-name>header name</span> is the given header name.


<h3>CORS check</h3>

<p>To perform a <dfn>CORS check</dfn> for a <var title>request</var> and
<var title>response</var>, run these steps:

<ol>
 <li><p>If <var title>response</var>'s <span title=concept-response-headers>headers</span>
 contains zero or more than one <span title=concept-header>header</span> whose
 <span title=concept-header-name>name</span> is
 `<code title=http-access-control-allow-origin>Access-Control-Allow-Origin</code>`, return
 failure.

 <li><p>Let <var title>result</var> be the <span title=concept-header-value>value</span>
 of the <span title=concept-header>header</span> whose
 <span title=concept-header-name>name</span> is
 `<code title=http-access-control-allow-origin>Access-Control-Allow-Origin</code>` within
 <var title>response</var>'s <span title=concept-response-headers>headers</span>.

 <li><p>If <var title>request</var>'s
 <span title=concept-request-omit-credentials-mode>omit credentials mode</span> is not
 <i title>never</i> and <var title>result</var> is `<code title>*</code>`, return success.

 <li><p>If <var title>request</var>'s <span title=concept-request-origin>origin</span>
 serialized to a byte sequence is not <var title>result</var>, return failure.
 <!-- XXX serialized to a byte sequence -->

 <li><p>If <var title>request</var>'s
 <span title=concept-request-omit-credentials-mode>omit credentials mode</span> is not
 <i title>never</i>, return success.

 <li><p>If <var title>response</var>'s <span title=concept-response-headers>headers</span>
 contains zero or more than one <span title=concept-header>header</span> whose
 <span title=concept-header-name>name</span> is
 `<code title=http-access-control-allow-credentials>Access-Control-Allow-Credentials</code>`,
 return failure.

 <li><p>If the <span title=concept-header-value>value</span>
 of the <span title=concept-header>header</span> whose
 <span title=concept-header-name>name</span> is
 `<code title=http-access-control-allow-credentials>Access-Control-Allow-Credentials</code>`
 within <var title>response</var>'s <span title=concept-response-headers>headers</span> is
 `<code title>true</code>`, return success.

 <li><p>Return failure.
</ol>



<h2 class=no-num>HTML fetch</h2>

<p>HTML defines two algorithms for obtaining resources. To ease transitioning towards this
specification, a mapping is defined between these "legacy" algorithms and
<span title=concept-fetch>fetch</span>.

<p>When a user agent is to <dfn title=concept-legacy-fetch>fetch</dfn> a resource or
URL, optionally <strong>from</strong> an origin <i title>origin</i>, optionally
<strong>using</strong> a specific <span data-anolis-spec=html>referrer source</span>
<var title>referrer source</var>, and optionally with any of a
<i title>synchronous flag</i>, a <i>manual redirect flag</i>, a
<i>force same-origin flag</i>, and a <i>block cookies flag</i>, the following
steps must be run:

<p class=note>The <i>block cookies flag</i> is obsolete now.

 <!-- if invoked with the synchronous flag, make sure to release the storage mutex first -->

 <!-- synchronous flag is only to be used in algorithms that are themselves asynchronous! Only
 sync-XHR is allowed to make the mistake of screwing that up. :-P -->

 <!-- the force same-origin flag is for use in places where we'll be moving to CORS one day; when
 used, the algorithm must be invoked with a URL (not something else, like a POST request) whose
 origin is the same as the /origin/, which must also be present, and the algorithm must not be
 invoked with the manual redirect flag. -->

<ol>
  <li><p>If the <code data-anolis-spec=dom>Document</code> with which any
  <span data-anolis-spec=html title=concept-task>tasks</span>
  <span data-anolis-spec=html title="queue a task">queued</span> by this
  algorithm would be associated doesn't have an associated
  <span data-anolis-spec=html>browsing context</span>, then terminate these
  steps.

<!--(redundant with 'at a time convenient...' below)
  <li><p>Optionally, wait until the <code>Document</code> with which any <span
  title="concept-task">tasks</span> <span title="queue a task">queued</span> by this algorithm
  would be associated is <span title="active document">active</span>.</p></li>
-->

 <li><p>Let <var title>req</var> be a new <span title=concept-request>request</span>.

 <li><p>If this algorithm was invoked with "from an origin", set  <var title>req</var>'s
 <span title=concept-request-origin>origin</span> to <var title>origin</var>.

 <li><p>Set <var title>req</var>'s <span title=concept-request-referrer>referrer</span> to
 the result of <span title="determine referrer">determining referrer</span> using
 <var title>referrer source</var> (if given).

 <li><p>Set <var title>req</var>'s <span title=concept-request-mode>mode</span> to
 same-origin if the <i>force same-origin flag</i> is set, and to tainted cross-origin
 otherwise.

 <li><p>Set <var title>req</var>'s
 <span title=concept-request-manual-redirect-flag>manual redirect flag</span> if
 <i>manual redirect flag</i> is set.

 <li><p>Set <var title>req</var>'s <span>synchronous flag</span> if
 <i title>synchronous flag</i> is set.

 <li><p><span title=concept-fetch>fetch</span> <var title>req</var>.
</ol>


<p>When the user agent is required to perform a
<dfn title=concept-legacy-potentially-cors-enabled-fetch>potentially CORS-enabled fetch</dfn>
of an <var title>URL</var> with a mode <var title>mode</var> that is either
"No CORS", "Anonymous", or "Use Credentials", optionally using a
<span data-anolis-spec=html>referrer source</span>
<var title>referrer source</var>, with an
<span data-anolis-spec=html>origin</span> <var title>origin</var>, and with a
default origin behaviour <var title>default</var> which is either "<i>taint</i>"
or "<i>fail</i>", it must run these steps:

<ol>
 <li><p>Let <var title>req</var> be a new <span title=concept-request>request</span>.

 <li><p>Set <var title>req</var>'s
 <span title=concept-request-origin>origin</span> to <var title>origin</var>.

 <li>
  <p>Set <var title>req</var>'s <span title=concept-request-mode>mode</span> to the value
  corresponding to the first matching statement:

  <dl class=switch>
   <dt><var title>mode</var> is "No CORS" and <var title>default</var> is "<i>fail</i>"
   <dd>same-origin

   <dt><var title>mode</var> is "No CORS" and <var title>default</var> is "<i>taint</i>"
   <dd>tainted cross-origin

   <dt>Otherwise
   <dd>CORS
  </dl>

 <li>
  <p>If <var title>mode</var> is "Anonymous", set <var title>req</var>'s
  <span title=concept-request-omit-credentials-mode>omit credentials mode</span> to
  <i title>always</i>.
  <!-- XXX unset by default? -->
  <!-- nullify Origin / Referer too? -->

 <li><p>Set <var title>req</var>'s
 <span title=concept-request-referrer>referrer</span> to the result of
 <span title="determine referrer">determining referrer</span> using
 <var title>referrer source</var> (if given).

 <li><p><span title=concept-fetch>fetch</span> <var title>req</var>.
</ol>

<p>To <dfn>determine referrer</dfn> optionally using a
<span data-anolis-spec=html>referrer source</span> <var title>referrer source</var>,
within the context of either <span title=concept-legacy-fetch>fetch</span> or
<span title=concept-legacy-potentially-cors-enabled-fetch>potentially CORS-enabled fetch</span>,
run these steps:

<ol>
 <li><p>If there is a specific <var title>referrer source</var>, and it is a
 <span title=concept-url data-anolis-spec=url>URL</span>, return
 <var title>referrer source</var>.

 <li>
  <p>Let <var title>document</var> be the appropriate
  <code data-anolis-spec=dom>Document</code> as given by the following list:

  <dl class="switch">
   <dt>If there is a <var title>referrer source</var>
   <dd><var title>referrer source</var>.

   <dt>When <span title=navigate>navigating</span>
   <dd>The <span data-anolis-spec=html>active document</span> of the
   <span data-anolis-spec=html>source browsing context</span>.

   <dt>When fetching resources for an element
   <dd>The element's <span data-anolis-spec=dom title=concept-node-document>node document</span>.
  </dl>

 <li><p>While <var title>document</var> is
 <span data-anolis-spec=html>an <code>iframe</code> <code>srcdoc</code> document</span>,
 set <var title>document</var> to <var title>document</var>'s
 <span data-anolis-spec=html>browsing context</span>'s
 <span data-anolis-spec=html>browsing context container</span>'s
 <code data-anolis-spec=dom>Document</code> instead.

 <li><p>If <var title>document</var>'s
 <span data-anolis-spec=html>origin</span> is not a scheme/host/port tuple, let
 <var title>referrer</var> be null.

 <li><p>Otherwise, let <var title>referrer</var> be
 <span data-anolis-spec=html>the document's address</span> of
 <var title>document</var>.

 <li><p>If <var title>referrer</var>'s
 <span data-anolis-spec=url title=concept-url-scheme>scheme</span> is
 about/data/javascript, set <var title>referrer</var> to null.

 <li><p>Return <var title>referrer</var>.
</ol>



<h2 class=no-num>References</h2>
<div id=anolis-references></div>



<h2 class="no-num">Acknowledgments</h2>

<p>The editor would like to thank

Adam Barth,
Alexey Proskuryakov,
Arne Johannessen,
Arthur Barstow,
Benjamin Hawkes-Lewis,
Bert Bos,
Bj&ouml;rn H&ouml;hrmann,
Boris Zbarsky,
Brad Hill,
Brad Porter,
Cameron McCormack,
Clement Pellerin,
Collin Jackson,
David H&aring;s&auml;ther,
David Orchard,
Dean Jackson,
Eric Lawrence,
Frank Ellerman,
Frederick Hirsch,
Gavin Carothers,
Glenn Maynard,
Graham Klyne,
Hal Lockhart,
Hallvord R. M. Steen,
Henri Sivonen,
Ian Hickson,
Janusz Majnert,
Jesse M. Heines,
Jonas Sicking,
Julian Reschke,
Lachlan Hunt,
Lucas Gonze,
呂康豪 (Kang-Hao Lu),
Maciej Stachowiak,
Marc Silbey,
Marcos Caceres,
Mark Nottingham,
Mark S. Miller,
Martin D&uuml;rst,
Matt Oshry,
Matt Womer,
Mhano Harkness,
Michael Smith,
Mohamed Zergaoui,
Nikhil Marathe,
Nikunj Mehta,
Odin H&oslash;rthe Omdal,
Ondřej Žára,
Philip Jägenstedt,
R. Auburn,
Sharath Udupa,
Simon Pieters,
Sunava Dutta,
Surya Ismail,
Thomas Roessler,
Tyler Close,
Vladimir Dzhuvinov,
Wayne Carr, and
Zhenbin Xu

for being awesome.

<script id=head src=http://www.whatwg.org/specs/web-apps/current-work/dfn.js></script>