diff --git a/fetch.bs b/fetch.bs index 5ac23d961..aa99277df 100644 --- a/fetch.bs +++ b/fetch.bs @@ -40,6 +40,10 @@ urlPrefix:https://httpwg.org/specs/rfc9111.html#;type:dfn;spec:http-caching urlPrefix:https://httpwg.org/specs/rfc9112.html#;type:dfn;spec:http1 url:status.line;text:reason-phrase +urlPrefix:https://https://html-preview.github.io/?url=https://raw.githubusercontent.com/johannhof/http-extensions/gh-pages/draft-ietf-httpbis-rfc6265bis.html#;type:dfn;spec:cookies + url:name-serialize-cookies;text:serialize cookies + url:name-retrieve-cookies;text:retrieve cookies + url:https://w3c.github.io/resource-timing/#dfn-mark-resource-timing;text:mark resource timing;type:dfn;spec:resource-timing urlPrefix:https://w3c.github.io/hr-time/#;spec:hr-time @@ -53,10 +57,20 @@ urlPrefix:https://tc39.es/ecma262/#;type:dfn;spec:ecma-262 url:realm;text:realm url:sec-list-and-record-specification-type;text:Record url:current-realm;text:current realm + +spec: storage-access; urlPrefix: https://privacycg.github.io/storage-access + type: dfn + for: environment + text: has storage access; url: #environment-has-storage-access
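Review bot: The new cookies urlPrefix has a doubled scheme, `https://https://html-preview.github.io/?url=...`, so the `serialize cookies` and `retrieve cookies` dfn links in the `name-serialize-cookies` / `name-retrieve-cookies` entries will not resolve; drop the duplicated `https://`. Beyond that, anchoring normative dfns to an html-preview rendering of a personal fork (the `johannhof/http-extensions` gh-pages branch) is fragile, since any rebase or anchor rename breaks the build; point at the httpwg rfc6265bis draft URL as soon as those definitions exist there, and record the dependency in the PR description.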
 {
+    "COOKIES": {
+        "authors": ["Johann Hofmann", "Anne Van Kesteren"],
+        "href": "https://html-preview.github.io/?url=https://raw.githubusercontent.com/johannhof/http-extensions/gh-pages/draft-ietf-httpbis-rfc6265bis.html#name-retrieve-cookies",
+        "title": "Cookies: HTTP State Management Mechanism"
+    },
     "HTTP": {
         "aliasOf": "RFC9110"
     },
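Review bot: The `COOKIES` biblio `href` points at an html-preview rendering of a personal fork and is fragment-specific (`#name-retrieve-cookies`), so the reference breaks as soon as that branch is rebased or the anchor is renamed; use at most the document root here and switch to the canonical draft-ietf-httpbis-rfc6265bis URL before merge. The `authors` value ("Johann Hofmann", "Anne Van Kesteren") also looks like the PR's authors rather than the draft's; verify it against the draft's own author list.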
@@ -2222,9 +2236,8 @@ or "object".
 
-

A request request has a -redirect-tainted origin if these steps -return true: +

To get request request's +redirect-taint:

  1. Let lastURL be null. @@ -2236,23 +2249,26 @@ return true:

  2. If lastURL is null, then set lastURL to url and continue. +

  3. If url's origin is not same site with + lastURL's origin and request's origin is + not same site with lastURL's origin, then return "Cross-Site". +

  4. If url's origin is not same origin with lastURL's origin and request's origin is - not same origin with lastURL's origin, then return true. + not same origin with lastURL's origin, then return "Same-Site-Cross-Origin".

  5. Set lastURL to url.
-
  • Return false. +
  • Return "None".
  • -

    Serializing a request origin, given a request request, is to run these steps:

      -
    1. If request has a redirect-tainted origin, then return +

    2. If request's redirect-taint is not "None", then return "null".

    3. Return request's origin, @@ -2358,8 +2374,8 @@ source of security bugs. Please seek security review for features that deal with "credentialless", then return true.

    4. If request's origin is same origin with - request's current URL's origin and request - does not have a redirect-tainted origin, then return true.

      + request's current URL's origin and request's + redirect-taint is not "None", then return true.

    5. Return false.

    @@ -2475,6 +2491,8 @@ this is also tracked internally using the request's timing allow

    A response has an associated has-cross-origin-redirects (a boolean), which is initially false. +

    A response has an associated has-cross-site-redirects +(a boolean), which is initially false.


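Review bot: `has-cross-site-redirects` is set in the later HTTP-fetch hunk but nothing in this patch reads it; `determine the same-site mode` consults `request's redirect-taint` directly rather than this response field. Either drop the field until it has a consumer, or state in the definition which algorithm is expected to read it (resource timing, like the sibling `has-cross-origin-redirects` that the surrounding "timing allow" text is about?).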
    A network error is a response whose @@ -3275,6 +3293,81 @@ through TLS using ALPN. The protocol cannot be spoofed through HTTP requests in

    HTTP extensions

    + + +

    The `Cookie` +request header allows the request to carry locally stored state, such as user credentials. +

    +

    To append a request `Cookie` header, +given a request request, run these steps: +

      +
    1. Let |sameSite| be the result of [=determining the same-site mode=] for request. +

    2. Let |isSecure| be false. +

    3. If request's current URL's scheme is "https", then set |isSecure| to true. +

      Note that this doesn't use the arguably superior definition of [=secure context=] +

    4. Let |httpOnlyAllowed| be true. +

      Fetch implies that the request is http-only, as opposed to document.cookie +

    5. Let |partitionKey| be the result of [=computing the cookie partition key=] for request. +

    6. Let |partitionedContext| be the result of [=determining the partitioned context state=] for |request|. +

    7. Let |cookies| be the result of running retrieve cookies given + |isSecure|, + request's current URL's host, + request's current URL's path, + |httpOnlyAllowed|, + |sameSite|, + |partitionKey| + and |partitionedContext|. + +

      It is expected that the cookie store returns an ordered list of cookies +

    8. If |cookies| is empty, then return. +
    9. Let |value| be the result of running serialize cookies given |cookies|. +
    10. Append (`Cookie`, value) to request's header list. +
    +
    + +
    +

    To determine the same-site mode for a given request request, run these steps: +

      +
    1. Assert: request's method is "GET" or "POST". +

    2. If request's method is "GET" and + request's destination is "document", return "LaxOrLess". +

      TODO: This needs to describe Lax-Allowing-Unsafe quirks +

    3. If request's client's has cross-site ancestor is true, return "None". +

      TODO: This refers to the cross-site ancestor flag added in https://github.com/whatwg/html/pull/8036 +

    4. If request's redirect-taint is "Cross-Site", return "None". +

      Should we default to "UnsetOrLess" in place of "None", i.e. is "None" or "Lax" the default for us? +

    5. Return "StrictOrLess". +

    +
    + +
    +

    To compute the cookie partition key for a given request request, run these steps: +

    See https://dcthetall.github.io/CHIPS-spec/draft-cutler-httpbis-partitioned-cookies.html#name-computing-the-cookie-partit +

      +
    1. Let topLevelOrigin be request's client's + top-level origin. + +

    2. Let topLevelSite be the result of obtaining a site, + given topLevelOrigin. + +

    3. +

      Let crossSiteAncestors be request's client's has cross-site ancestor. + +

    4. Return (topLevelSite, crossSiteAncestors). +

    +
    + +
    +

    To determine the partitioned context state for a given request request, run these steps: +

      +
    1. If request's client's has cross-site ancestor is false, return false. +

      TODO: This refers to the cross-site ancestor flag added in https://github.com/whatwg/html/pull/8036 +

    2. If request's client's [=environment/has storage access=] is true, return false. +

      TODO: This refers to the flag added in https://privacycg.github.io/storage-access/#environment-has-storage-access +

    3. Return true. +

    +
    +

    `Origin` header

    The `Origin` @@ -4652,9 +4745,12 @@ steps: -

  • If request has a redirect-tainted origin, then set +

  • If request's redirect-taint is not "None", then set internalResponse's has-cross-origin-redirects to true. +

  • If request's redirect-taint is "Cross-Site", then set + internalResponse's has-cross-site-redirects to true. +

  • If request's timing allow failed flag is unset, then set internalResponse's timing allow passed flag. @@ -5652,23 +5748,8 @@ run these steps:

  • If includeCredentials is true, then: -

      -
    1. -

      If the user agent is not configured to block cookies for httpRequest (see - section 7 of - [[!COOKIES]]), then: - -

        -
      1. Let cookies be the result of running the "cookie-string" algorithm (see - section 5.4 of - [[!COOKIES]]) with the user agent's cookie store and httpRequest's - current URL. - -

      2. If cookies is not the empty string, then append - (`Cookie`, cookies) to httpRequest's - header list. -
      +
    2. Append a request `Cookie` header for httpRequest.

    3. If httpRequest's header list
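Review bot: The replaced block dropped the guard "If the user agent is not configured to block cookies for httpRequest (see section 7 of [[!COOKIES]])" and nothing in the new `append a request Cookie header` algorithm reinstates it, so a user agent's cookie-blocking policy no longer has a hook in the spec; either keep that condition around the new step 2 call or make it the first step of `append a request Cookie header` (returning early). The old step also tested `cookies is not the empty string` on the serialised value, whereas the new algorithm returns when the retrieved list `|cookies|` is empty before serialising; that is fine, but worth calling out as an intentional change in the commit message.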