fetch.bs

<pre class=metadata>
Group: WHATWG
H1: Fetch
Shortname: fetch
Text Macro: TWITTER fetchstandard
Text Macro: LATESTRD 2021-06
Abstract: The Fetch standard defines requests, responses, and the process that binds them: fetching.
Translation: ja https://triple-underscore.github.io/Fetch-ja.html
Markup Shorthands: css off
Translate IDs: typedefdef-bodyinit bodyinit,dictdef-requestinit requestinit,typedefdef-requestinfo requestinfo,enumdef-requestdestination requestdestination,enumdef-requestmode requestmode,enumdef-requestcredentials requestcredentials,enumdef-requestcache requestcache,enumdef-requestredirect requestredirect,dictdef-responseinit responseinit,enumdef-responsetype responsetype
</pre>

<pre class=anchors>
urlPrefix:https://datatracker.ietf.org/doc/html/rfc7230#;type:dfn;spec:http
    url:section-3.1.1;text:method
    url:section-3.2;text:field-name
    url:section-3.2;text:field-content
    url:section-3.2;text:field-value
    url:section-3.1.2;text:reason-phrase

url:https://datatracker.ietf.org/doc/html/rfc7234#section-1.2.1;text:delta-seconds;type:dfn;spec:http-caching

urlPrefix:https://datatracker.ietf.org/doc/html/rfc8941#;type:dfn;spec:rfc8941
    url:section-2;text:structured field value
    url:section-4.1;text:serializing structured fields
    url:section-4.2;text:parsing structured fields

url:https://w3c.github.io/resource-timing/#dfn-mark-resource-timing;text:mark resource timing;type:dfn;spec:resource-timing

urlPrefix:https://w3c.github.io/hr-time/#;spec:hr-time
    type:dfn
        url:dfn-coarsen-time;text:coarsen time
        url:dfn-coarsened-shared-current-time;text:coarsened shared current time
        url:dfn-unsafe-shared-current-time;text:unsafe shared current time
    type:typedef;url:dom-domhighrestimestamp;text:DOMHighResTimeStamp
</pre>

<pre class=biblio>
{
    "HTTP": {
        "aliasOf": "RFC7230"
    },
    "HTTP-SEMANTICS": {
        "aliasOf": "RFC7231"
    },
    "HTTP-COND": {
        "aliasOf": "RFC7232"
    },
    "HTTP-CACHING": {
        "aliasOf": "RFC7234"
    },
    "HTTP-RANGE": {
        "aliasOf": "RFC7233"
    },
    "HTTP-AUTH": {
        "aliasOf": "RFC7235"
    },
    "REFERRER": {
        "aliasOf": "referrer-policy"
    },
    "STALE-WHILE-REVALIDATE": {
        "aliasOf": "RFC5861"
    },
    "SW": {
        "aliasOf": "service-workers"
    },
    "HSTS": {
        "aliasOf": "RFC6797"
    },
    "WSP": {
        "aliasOf": "RFC6455"
    },
    "HTTPVERBSEC1": {
        "publisher": "US-CERT",
        "href": "https://www.kb.cert.org/vuls/id/867593",
        "title": "Multiple vendors' web servers enable HTTP TRACE method by default."
    },
    "HTTPVERBSEC2": {
        "publisher": "US-CERT",
        "href": "https://www.kb.cert.org/vuls/id/288308",
        "title": "Microsoft Internet Information Server (IIS) vulnerable to cross-site scripting via HTTP TRACK method."
    },
    "HTTPVERBSEC3": {
        "publisher": "US-CERT",
        "href": "https://www.kb.cert.org/vuls/id/150227",
        "title": "HTTP proxy default configurations allow arbitrary TCP connections."
    },
    "EXPECT-CT": {
        "authors": ["Emily Stark"],
        "href": "https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-expect-ct",
        "publisher": "IETF",
        "title": "Expect-CT Extension for HTTP"
    },
    "OCSP": {
        "aliasOf": "RFC2560"
    },
    "HTTP3": {
        "authors": ["M. Bishop, Ed."],
        "href": "https://datatracker.ietf.org/doc/html/draft-ietf-quic-http",
        "publisher": "IETF",
        "title": "Hypertext Transfer Protocol Version 3 (HTTP/3)"
    },
    "WEBTRANSPORT-HTTP3": {
        "authors": ["V. Vasiliev"],
        "href": "https://datatracker.ietf.org/doc/html/draft-ietf-webtrans-http3",
        "publisher": "IETF",
        "title": "WebTransport over HTTP/3"
    },
    "HTTP3-DATAGRAM": {
        "authors": ["David Schinazi", "Lucas Pardue"],
        "href": "https://datatracker.ietf.org/doc/html/draft-ietf-masque-h3-datagram",
        "publisher": "IETF",
        "title": "Using QUIC Datagrams with HTTP/3"
    }
}
</pre>



<h2 id=goals class="no-num short">Goals</h2>

<p>The goal is to unify fetching across the web platform and provide consistent handling of
everything that involves, including:

<ul class=brief>
 <li>URL schemes
 <li>Redirects
 <li>Cross-origin semantics
 <li>CSP [[!CSP]]
 <li>Fetch Metadata [[!FETCH-METADATA]]
 <li>Service workers [[!SW]]
 <li>Mixed Content [[!MIX]]
 <li>Upgrade Insecure Requests [[!UPGRADE-INSECURE-REQUESTS]]
 <li>`<code>Referer</code>` [[!REFERRER]]
</ul>

<p>To do so it also supersedes the HTTP `<a http-header><code>Origin</code></a>` header semantics
originally defined in <cite>The Web Origin Concept</cite>. [[ORIGIN]]



<h2 id=preface class=short>Preface</h2>

<p>At a high level, fetching a resource is a fairly simple operation. A request goes in, a
response comes out. <!--You can't explain that! -->The details of that operation are
however quite involved and used to not be written down carefully and differ from one API
to the next.

<p>Numerous APIs provide the ability to fetch a resource, e.g. HTML's <code>img</code> and
<code>script</code> element, CSS' <code>cursor</code> and <code>list-style-image</code>,
the <code>navigator.sendBeacon()</code> and <code>self.importScripts()</code> JavaScript
APIs. The Fetch Standard provides a unified architecture for these features so they are
all consistent when it comes to various aspects of fetching, such as redirects and the
CORS protocol.

<p>The Fetch Standard also defines the <a method><code>fetch()</code></a> JavaScript API, which
exposes most of the networking functionality at a fairly low level of abstraction.



<h2 id=infrastructure>Infrastructure</h2>

<p>This specification depends on the Infra Standard. [[!INFRA]]

<p>This specification uses terminology from the ABNF, Encoding, HTML, HTTP, IDL, MIME Sniffing,
Streams, and URL Standards.
[[!ABNF]]
[[!ENCODING]]
[[!HTML]]
[[!HTTP]]
[[!WEBIDL]]
[[!MIMESNIFF]]
[[!STREAMS]]
[[!URL]]

<p><dfn>ABNF</dfn> means ABNF as augmented by HTTP (in particular the addition of <code>#</code>)
and RFC 7405. [[!RFC7405]]

<hr>

<p><dfn id=credentials export>Credentials</dfn> are HTTP cookies, TLS client certificates, and <a
lt="authentication entry">authentication entries</a> (for HTTP authentication). [[!COOKIES]]
[[!TLS]] [[!HTTP-AUTH]]

<hr>

<p>A <dfn>fetch params</dfn> is a <a for=/>struct</a> used as a bookkeeping detail by the
<a for=/>fetch</a> algorithm. It has the following <a for=struct>items</a>:

<dl>
 <dt><dfn for="fetch params">request</dfn>
 <dd>A <a for=/>request</a>.

 <dt><dfn for="fetch params">process request body</dfn> (default null)
 <dt><dfn for="fetch params">process request end-of-body</dfn> (default null)
 <dt><dfn for="fetch params">process response</dfn> (default null)
 <dt><dfn for="fetch params">process response end-of-body</dfn> (default null)
 <dt><dfn for="fetch params">process response done</dfn> (default null)
 <dd>Null or an algorithm.

 <dt><dfn for="fetch params">task destination</dfn> (default null)
 <dd>Null, a <a for=/>global object</a>, or a <a for=/>parallel queue</a>.

 <dt><dfn for="fetch params">cross-origin isolated capability</dfn> (default false)
 <dd>A boolean.

 <dt><dfn for="fetch params">timing info</dfn>
 <dd>A <a for=/>fetch timing info</a>.
</dl>

<p>A <dfn export>fetch timing info</dfn> is a <a for=/>struct</a> used to maintain timing
information needed by <cite>Resource Timing</cite> and <cite>Navigation Timing</cite>. It has the
following <a for=struct>items</a>: [[RESOURCE-TIMING]] [[NAVIGATION-TIMING]]

<dl>
 <dt><dfn export for="fetch timing info">start time</dfn> (default 0)
 <dt><dfn export for="fetch timing info">redirect start time</dfn> (default 0)
 <dt><dfn export for="fetch timing info">redirect end time</dfn> (default 0)
 <dt><dfn export for="fetch timing info">post-redirect start time</dfn> (default 0)
 <dt><dfn export for="fetch timing info">final service worker start time</dfn> (default 0)
 <dt><dfn export for="fetch timing info">final network-request start time</dfn> (default 0)
 <dt><dfn export for="fetch timing info">final network-response start time</dfn> (default 0)
 <dt><dfn export for="fetch timing info">end time</dfn> (default 0)
 <dd>A {{DOMHighResTimeStamp}}.

 <dt><dfn export for="fetch timing info">encoded body size</dfn> (default 0)
 <dt><dfn export for="fetch timing info">decoded body size</dfn> (default 0)
 <dd>A number.

 <dt><dfn export for="fetch timing info">final connection timing info</dfn> (default null)
 <dd>Null or a <a for=/>connection timing info</a>.
</dl>

<p>To <dfn>update timing info from stored response</dfn>, given a
<a for=/>connection timing info</a> <var>timingInfo</var> and a <a for=/>response</a>
<var>response</var>, perform the following steps:

<ol>
 <li><p>Let <var>storedTimingInfo</var> be <var>response</var>'s <a for=response>timing info</a>.

 <li><p>If <var>storedTimingInfo</var> is null, then return.

 <li><p>Set <var>timingInfo</var>'s <a for="fetch timing info">encoded body size</a> to
 <var>storedTimingInfo</var>'s <a for="fetch timing info">encoded body size</a>.

 <li><p>Set <var>timingInfo</var>'s <a for="fetch timing info">decoded body size</a> to
 <var>storedTimingInfo</var>'s <a for="fetch timing info">decoded body size</a>.
</ol>

<p>To <dfn>queue a fetch task</dfn>, given an algorithm <var>algorithm</var>, a
<a for=/>global object</a> or a <a for=/>parallel queue</a> <var>taskDestination</var>, run these
steps:

<ol>
 <li><p>If <var>taskDestination</var> is a <a for=/>parallel queue</a>, then
 <a lt="enqueue steps" for="parallel queue">enqueue</a> <var>algorithm</var> to
 <var>taskDestination</var>.

 <li><p>Otherwise, <a>queue a global task</a> on the <a>networking task source</a> with
 <var>taskDestination</var> and <var>algorithm</var>.
</ol>

<hr>

<p>To <dfn>serialize an integer</dfn>, represent it as a string of the shortest possible decimal
number.

<p class=XXX>This will be replaced by a more descriptive algorithm in Infra. See
<a href="https://github.com/whatwg/infra/issues/201">infra/201</a>.


<h3 id=url>URL</h3>

<p>A <dfn export>local scheme</dfn> is a <a for=url>scheme</a> that is "<code>about</code>",
"<code>blob</code>", or "<code>data</code>".

<p>A <a for=/>URL</a> <dfn export>is local</dfn> if its <a for=url>scheme</a> is a
<a>local scheme</a>.

<p class=note>This definition is also used by <cite>Referrer Policy</cite>. [[REFERRER]]

<p>An <dfn export id=http-scheme>HTTP(S) scheme</dfn> is a <a for=url>scheme</a> that is
"<code>http</code>" or "<code>https</code>".

<p>A <dfn export>fetch scheme</dfn> is a <a for=url>scheme</a> that is "<code>about</code>",
"<code>blob</code>", "<code>data</code>", "<code>file</code>", or an <a>HTTP(S) scheme</a>.

<p class="note no-backref"><a>HTTP(S) scheme</a> and <a>fetch scheme</a> are also used by
<cite>HTML</cite>. [[HTML]]


<h3 id=http>HTTP</h3>

<p>While <a lt=fetch for=/>fetching</a> encompasses more than just HTTP, it
borrows a number of concepts from HTTP and applies these to resources obtained via other
means (e.g., <code>data</code> URLs).

<p>An <dfn export>HTTP tab or space</dfn> is U+0009 TAB or U+0020 SPACE.

<p><dfn export>HTTP whitespace</dfn> is U+000A LF, U+000D CR, or an <a>HTTP tab or space</a>.

<p class="note no-backref"><a>HTTP whitespace</a> is only useful for specific constructs that are
reused outside the context of HTTP headers (e.g., <a for=/>MIME types</a>). For HTTP header values,
using <a>HTTP tab or space</a> is preferred, and outside that context <a>ASCII whitespace</a> is
preferred. Unlike <a>ASCII whitespace</a> this excludes U+000C FF.

<p>An <dfn export>HTTP newline byte</dfn> is 0x0A (LF) or 0x0D (CR).

<p>An <dfn export>HTTP tab or space byte</dfn> is 0x09 (HT) or 0x20 (SP).

<p>An <dfn export>HTTP whitespace byte</dfn> is an <a>HTTP newline byte</a> or
<a>HTTP tab or space byte</a>.

<p>To
<dfn export lt="collect an HTTP quoted string|collecting an HTTP quoted string">collect an HTTP quoted string</dfn>
from a <a for=/>string</a> <var>input</var>, given a <a>position variable</a> <var>position</var>
and optionally an <var>extract-value flag</var>, run these steps:

<ol>
 <li><p>Let <var>positionStart</var> be <var>position</var>.

 <li><p>Let <var>value</var> be the empty string.

 <li><p>Assert: the <a>code point</a> at <var>position</var> within <var>input</var> is U+0022 (").

 <li><p>Advance <var>position</var> by 1.

 <li>
  <p>While true:

  <ol>
   <li><p>Append the result of <a>collecting a sequence of code points</a> that are not U+0022 (")
   or U+005C (\) from <var>input</var>, given <var>position</var>, to <var>value</var>.

   <li><p>If <var>position</var> is past the end of <var>input</var>, then
   <a for=iteration>break</a>.

   <li><p>Let <var>quoteOrBackslash</var> be the <a>code point</a> at <var>position</var> within
   <var>input</var>.

   <li><p>Advance <var>position</var> by 1.

   <li>
    <p>If <var>quoteOrBackslash</var> is U+005C (\), then:

    <ol>
     <li><p>If <var>position</var> is past the end of <var>input</var>, then append U+005C (\) to
     <var>value</var> and <a for=iteration>break</a>.

     <li><p>Append the <a>code point</a> at <var>position</var> within <var>input</var> to
     <var>value</var>.

     <li><p>Advance <var>position</var> by 1.
    </ol>

   <li>
    <p>Otherwise:

    <ol>
     <li><p>Assert: <var>quoteOrBackslash</var> is U+0022 (").

     <li><p><a for=iteration>Break</a>.
    </ol>
  </ol>

 <li><p>If the <var>extract-value flag</var> is set, then return <var>value</var>.

 <li><p>Return the <a for=/>code points</a> from <var>positionStart</var> to <var>position</var>,
 inclusive, within <var>input</var>.
</ol>

<div class=example id=example-http-quoted-string>
 <table>
  <tr>
   <th>Input
   <th>Output
   <th>Output with the <var>extract-value flag</var> set
   <th>Final <a>position variable</a> value
  <tr>
   <td>"<code><mark>"\</mark></code>"
   <td>"<code>"\</code>"
   <td>"<code>\</code>"
   <td>2
  <tr>
   <td>"<code><mark>"Hello"</mark> World</code>"
   <td>"<code>"Hello"</code>"
   <td>"<code>Hello</code>"
   <td>7
  <tr>
   <td>"<code><mark>"Hello \\ World\""</mark></code>"
   <td>"<code>"Hello \\ World\""</code>"
   <td>"<code>Hello \ World"</code>"
   <td>18
 </table>
 <p class=tablenote><small>The <a>position variable</a> always starts at 0 in these examples.</small>
</div>


<h4 id=methods>Methods</h4>

<p>A <dfn export id=concept-method>method</dfn> is a byte sequence that matches the
<a spec=http>method</a> token production.

<p id=simple-method>A <dfn export>CORS-safelisted method</dfn> is a
<a for=/>method</a> that is `<code>GET</code>`,
`<code>HEAD</code>`, or `<code>POST</code>`.

<p>A <dfn export>forbidden method</dfn> is a <a for=/>method</a> that is a
<a>byte-case-insensitive</a> match for `<code>CONNECT</code>`,
`<code>TRACE</code>`, or `<code>TRACK</code>`.
[[HTTPVERBSEC1]], [[HTTPVERBSEC2]], [[HTTPVERBSEC3]]

<p>To <dfn export for=method id=concept-method-normalize>normalize</dfn> a
<a for=/>method</a>, if it is a <a>byte-case-insensitive</a>
match for `<code>DELETE</code>`, `<code>GET</code>`,
`<code>HEAD</code>`, `<code>OPTIONS</code>`, `<code>POST</code>`, or
`<code>PUT</code>`, <a>byte-uppercase</a> it.

<p class="note no-backref"><a lt=normalize for=method>Normalization</a> is
done for backwards compatibility and consistency across APIs as
<a for=/>methods</a> are actually "case-sensitive".

<p id=example-normalization class=example>Using `<code>patch</code>` is highly likely to result in a
`<code>405 Method Not Allowed</code>`. `<code>PATCH</code>` is much more likely to
succeed.

<p class="note no-backref">There are no restrictions on <a for=/>methods</a>.
`<code>CHICKEN</code>` is perfectly acceptable (and not a misspelling of
`<code>CHECKIN</code>`). Other than those that are
<a lt=normalize for=method>normalized</a> there are no casing restrictions either.
`<code>Egg</code>` or `<code>eGg</code>` would be fine, though uppercase is encouraged
for consistency.


<h4 id=terminology-headers>Headers</h4>

<p>A <dfn export id=concept-header-list>header list</dfn> is a <a for=/>list</a> of zero or more
<a for=/>headers</a>. It is initially the empty list.

<p class="note no-backref">A <a for=/>header list</a> is essentially a
specialized multimap: an ordered list of key-value pairs with potentially duplicate keys.

<p>To
<dfn export for="header list" id=concept-header-list-get-structured-header>get a structured field value</dfn>
given a <var>name</var> and a <var>type</var> from a <a for=/>header list</a> <var>list</var>, run
these steps:

<ol>
 <li><p>Assert: <var>type</var> is one of "<code>dictionary</code>", "<code>list</code>", or
 "<code>item</code>".

 <li><p>Let <var>value</var> be the result of <a for="header list">getting</a> <var>name</var> from
 <var>list</var>.

 <li><p>If <var>value</var> is null, then return null.

 <li><p>Let <var>result</var> be the result of <a>parsing structured fields</a> with
 <var ignore>input_string</var> set to <var>value</var> and <var ignore>header_type</var> set to
 <var>type</var>.

 <li><p>If parsing failed, then return null.

 <li><p>Return <var>result</var>.
</ol>

<p class="note"><a>Get a structured field value</a> intentionally does not distinguish between a
<a for=/>header</a> not being present and its <a for=header>value</a> failing to parse as a
<a>structured field value</a>. This ensures uniform processing across the web platform.

<p>To
<dfn export for="header list" id=concept-header-list-set-structured-header>set a structured field value</dfn>
<a for=header>name</a>/<a>structured field value</a> <var>name</var>/<var>structuredValue</var>
pair in a <a for=/>header list</a> <var>list</var>, run these steps:

<ol>
 <li><p>Let <var>serializedValue</var> be the result of executing the
 <a>serializing structured fields</a> algorithm on <var>structuredValue</var>.

 <li><p><a for="header list">Set</a> <var>name</var>/<var>serializedValue</var> in <var>list</var>.
</ol>

<p class=note><a>Structured field values</a> are defined as objects which HTTP can (eventually)
serialize in interesting and efficient ways. For the moment, Fetch only supports <a for=/>header</a>
<a for=header>values</a> as <a for=/>byte sequences</a>, which means that these objects can be set
in <a for=/>header lists</a> only via serialization, and they can be obtained from
<a for=/>header lists</a> only by parsing. In the future the fact that they are objects might be
preserved end-to-end. [[!RFC8941]]

<hr>

<p>A <a for=/>header list</a> <var>list</var>
<dfn export for="header list" lt="contains|does not contain">contains</dfn> a <a for=header>name</a>
<var>name</var> if <var>list</var> <a for=list>contains</a> a <a for=/>header</a> whose
<a for=header>name</a> is a <a>byte-case-insensitive</a> match for <var>name</var>.

<p>To <dfn export for="header list" id=concept-header-list-get>get</dfn> a <a for=header>name</a>
<var>name</var> from a <a for=/>header list</a> <var>list</var>, run these steps:

<ol>
 <li><p>If <var>list</var> <a for="header list">does not contain</a> <var>name</var>, then return
 null.

 <li><p>Return the <a lt=value for=header>values</a> of all <a for=/>headers</a> in <var>list</var>
 whose <a for=header>name</a> is a <a>byte-case-insensitive</a> match for <var>name</var>, separated
 from each other by 0x2C 0x20, in order.
</ol>

<p>To
<dfn export for="header list" lt="get, decode, and split|getting, decoding, and splitting" id=concept-header-list-get-decode-split>get, decode, and split</dfn>
a <a for=header>name</a> <var>name</var> from <a for=/>header list</a> <var>list</var>, run these
steps:

<ol>
 <li><p>Let <var>initialValue</var> be the result of <a for="header list">getting</a>
 <var>name</var> from <var>list</var>.

 <li><p>If <var>initialValue</var> is null, then return null.

 <li><p>Let <var>input</var> be the result of <a>isomorphic decoding</a> <var>initialValue</var>.

 <li><p>Let <var>position</var> be a <a for=string>position variable</a> for <var>input</var>,
 initially pointing at the start of <var>input</var>.

 <li><p>Let <var>values</var> be a <a for=/>list</a> of <a for=/>strings</a>, initially empty.

 <li><p>Let <var>value</var> be the empty string.

 <li>
  <p>While <var>position</var> is not past the end of <var>input</var>:

  <ol>
   <li>
    <p>Append the result of <a>collecting a sequence of code points</a> that are not U+0022 (") or
    U+002C (,) from <var>input</var>, given <var>position</var>, to <var>value</var>.

    <p class=note>The result might be the empty string.

   <li>
    <p>If <var>position</var> is not past the end of <var>input</var>, then:

    <ol>
     <li>
      <p>If the <a for=/>code point</a> at <var>position</var> within <var>input</var> is
      U+0022 ("), then:

      <ol>
       <li><p>Append the result of <a>collecting an HTTP quoted string</a> from <var>input</var>,
       given <var>position</var>, to <var>value</var>.

       <li>If <var>position</var> is not past the end of <var>input</var>, then
       <a for=iteration>continue</a>.
      </ol>

     <li>
      <p>Otherwise:

      <ol>
       <li><p>Assert: the <a for=/>code point</a> at <var>position</var> within <var>input</var> is
       U+002C (,).

       <li><p>Advance <var>position</var> by 1.
      </ol>
    </ol>

   <li><p>Remove all <a>HTTP tab or space</a> from the start and end of <var>value</var>.

   <li><p><a for=list>Append</a> <var>value</var> to <var>values</var>.

   <li><p>Set <var>value</var> to the empty string.
  </ol>

 <li><p>Return <var>values</var>.
</ol>

<div class=example id=example-header-list-get-decode-split>
 <p>This is how <a>get, decode, and split</a> functions in practice with `<code>A</code>` as the
 <var>name</var> argument:

 <table>
  <tr>
   <th>Headers (as on the network)
   <th>Output
  <tr>
   <td>
    <pre><code class=lang-http>
A: nosniff,
</code></pre>
   <td rowspan=2>« "<code>nosniff</code>", "" »
  <tr>
   <td>
    <pre><code class=lang-http>
A: nosniff
B: sniff
A:
</code></pre>
  <tr>
   <td>
    <pre><code class=lang-http>A: text/html;", x/x</code></pre>
   <td rowspan=2>« "<code>text/html;", x/x</code>" »
  <tr>
   <td>
    <pre><code class=lang-http>
A: text/html;"
A: x/x
</code></pre>
  <tr>
   <td>
    <pre><code class=lang-http>
A: x/x;test="hi",y/y
</code></pre>
   <td rowspan=2>« "<code>x/x;test="hi"</code>", "<code>y/y</code>" »
  <tr>
   <td>
    <pre><code class=lang-http>
A: x/x;test="hi"
C: **bingo**
A: y/y
</code></pre>
  <tr>
   <td>
    <pre><code class=lang-http>
A: x / x,,,1
</code></pre>
   <td rowspan=2>« "<code>x / x</code>", "", "", "<code>1</code>" »
  <tr>
   <td>
    <pre><code class=lang-http>
A: x / x
A: ,
A: 1
</code></pre>
  <tr>
   <td>
    <pre><code class=lang-http>
A: "1,2", 3
</code></pre>
   <td rowspan=2>« "<code>"1,2"</code>", "<code>3</code>" »
  <tr>
   <td>
    <pre><code class=lang-http>
A: "1,2"
D: 4
A: 3
</code></pre>
 </table>
</div>

<p>To <dfn export for="header list" id=concept-header-list-append>append</dfn> a
<a for=header>name</a>/<a for=header>value</a> <var>name</var>/<var>value</var> pair to a
<a for=/>header list</a> <var>list</var>, run these steps:

<ol>
 <li>
  <p>If <var>list</var> <a for="header list">contains</a> <var>name</var>, then set <var>name</var>
  to the first such <a for=/>header</a>'s <a for=header>name</a>.

  <p class="note no-backref">This reuses the casing of the <a for=header>name</a> of the
  <a for=/>header</a> already in <var>list</var>, if any. If there are multiple matched
  <a for=/>headers</a> their <a for=header>names</a> will all be identical.

 <li><p><a for=list>Append</a> a new <a for=/>header</a> whose <a for=header>name</a> is
 <var>name</var> and <a for=header>value</a> is <var>value</var> to <var>list</var>.
</ol>

<p>To <dfn export for="header list" id=concept-header-list-delete>delete</dfn> a
<a for=header>name</a> <var>name</var> from a <a for=/>header list</a> <var>list</var>,
<a for=list>remove</a> all <a for=/>headers</a> whose <a for=header>name</a> is a
<a>byte-case-insensitive</a> match for <var>name</var> from <var>list</var>.

<p>To <dfn export for="header list" id=concept-header-list-set>set</dfn> a
<a for=header>name</a>/<a for=header>value</a> <var>name</var>/<var>value</var> pair in a
<a for=/>header list</a> <var>list</var>, run these steps:

<ol>
 <li><p>If <var>list</var> <a for="header list">contains</a> <var>name</var>, then set the
 <a for=header>value</a> of the first such <a for=/>header</a> to <var>value</var> and
 <a for=list>remove</a> the others.

 <li><p>Otherwise, <a for=list>append</a> a new <a for=/>header</a> whose <a for=header>name</a> is
 <var>name</var> and <a for=header>value</a> is <var>value</var> to <var>list</var>.
</ol>

<p>To <dfn export for="header list" id=concept-header-list-combine>combine</dfn> a
<a for=header>name</a>/<a for=header>value</a> <var>name</var>/<var>value</var> pair in a
<a for=/>header list</a> <var>list</var>, run these steps:

<ol>
 <li><p>If <var>list</var> <a for="header list">contains</a> <var>name</var>, then set the
 <a for=header>value</a> of the first such <a for=/>header</a> to its <a for=header>value</a>,
 followed by 0x2C 0x20, followed by <var>value</var>.

 <li><p>Otherwise, <a for=list>append</a> a new <a for=/>header</a> whose <a for=header>name</a> is
 <var>name</var> and <a for=header>value</a> is <var>value</var> to <var>list</var>.
</ol>

<p class="note no-backref"><a for="header list">Combine</a> is used by {{XMLHttpRequest}} and the
<a lt="establish a WebSocket connection">WebSocket protocol handshake</a>.

<p>To <dfn>convert header names to a sorted-lowercase set</dfn>, given a <a for=/>list</a> of
<a lt=name for=header>names</a> <var>headerNames</var>, run these steps:

<ol>
 <li><p>Let <var>headerNamesSet</var> be a new <a for/>ordered set</a>.

 <li><p><a for=list>For each</a> <var>name</var> of <var>headerNames</var>, <a for=set>append</a>
 the result of <a lt=byte-lowercased>byte-lowercasing</a> <var>name</var> to
 <var>headerNamesSet</var>.

 <li><p>Return the result of <a for=set>sorting</a> <var>headerNamesSet</var> in ascending order
 with <a>byte less than</a>.
</ol>

<p>To
<dfn export for="header list" id=concept-header-list-sort-and-combine>sort and combine</dfn>
a <a for=/>header list</a> <var>list</var>, run these steps:

<ol>
 <li><p>Let <var>headers</var> be an empty <a for=/>list</a> of
 <a for=header>name</a>-<a for=header>value</a> pairs with the key being the <a for=header>name</a>
 and value the <a for=header>value</a>.

 <li><p>Let <var>names</var> be the result of
 <a>convert header names to a sorted-lowercase set</a> with all the <a lt=name for=header>names</a>
 of the <a for=/>headers</a> in <var>list</var>.

 <li>
  <p><a for=list>For each</a> <var>name</var> in <var>names</var>:

  <ol>
   <li><p>Let <var>value</var> be the result of <a for="header list">getting</a> <var>name</var>
   from <var>list</var>.

   <li><p>Assert: <var>value</var> is not null.

   <li><p><a for=list>Append</a> <var>name</var>-<var>value</var> to <var>headers</var>.
  </ol>

 <li><p>Return <var>headers</var>.
</ol>

<hr>

<p>A <dfn export id=concept-header>header</dfn> consists of a
<dfn export for=header id=concept-header-name>name</dfn> and
<dfn export for=header id=concept-header-value>value</dfn>.

<p>A <a for=header>name</a> is a <a>byte sequence</a> that matches the <a spec=http>field-name</a>
token production.

<p>A <a for=header>value</a> is a <a>byte sequence</a> that matches the following conditions:

<ul class=brief>
 <li><p>Has no leading or trailing <a>HTTP tab or space bytes</a>.
 <li><p>Contains no 0x00 (NUL) or <a>HTTP newline bytes</a>.
</ul>

<p class=note>The definition of <a for=header>value</a> is not defined in terms of an HTTP token
production as
<a href=https://github.com/httpwg/http11bis/issues/19 title="fix field-value ABNF">it is broken</a>.

<p>To <dfn export for=header/value id=concept-header-value-normalize>normalize</dfn> a
<var>potentialValue</var>, remove any leading and trailing <a>HTTP whitespace bytes</a> from
<var>potentialValue</var>.

<hr>

<p id=simple-header>To determine whether a <a for=/>header</a> <var>header</var> is a
<dfn export>CORS-safelisted request-header</dfn>, run these steps:

<ol>
 <li><p>Let <var>value</var> be <var>header</var>'s <a for=header>value</a>.

 <li>
  <p><a>Byte-lowercase</a> <var>header</var>'s <a for=header>name</a> and switch on the result:

  <dl class=switch>
   <dt>`<code>accept</code>`
   <dd>
    <p>If <var>value</var> contains a <a>CORS-unsafe request-header byte</a>, then return false.

   <dt>`<code>accept-language</code>`
   <dt>`<code>content-language</code>`
   <dd><p>If <var>value</var> contains a byte that is not in the range 0x30 (0) to 0x39 (9),
   inclusive, is not in the range 0x41 (A) to 0x5A (Z), inclusive, is not in the range 0x61 (a) to
   0x7A (z), inclusive, and is not 0x20 (SP), 0x2A (*), 0x2C (,), 0x2D (-), 0x2E (.), 0x3B (;), or
   0x3D (=), then return false.
   <!-- Maybe give Infra "byte-alphanumeric"? -->

   <dt>`<code>content-type</code>`
   <dd>
    <ol>
     <li><p>If <var>value</var> contains a <a>CORS-unsafe request-header byte</a>, then return
     false.

     <li><p>Let <var>mimeType</var> be the result of <a lt="parse a MIME type">parsing</a>
     <var>value</var>.

     <li><p>If <var>mimeType</var> is failure, then return false.

     <li><p>If <var>mimeType</var>'s <a for="MIME type">essence</a> is not
     "<code>application/x-www-form-urlencoded</code>", "<code>multipart/form-data</code>", or
     "<code>text/plain</code>", then return false.
    </ol>

    <p class=warning>This intentionally does not use <a>extract a MIME type</a> as that algorithm is
    rather forgiving and servers are not expected to implement it.

    <div class="example no-backref" id=example-cors-safelisted-request-header-content-type>
     <p>If <a>extract a MIME type</a> were used the following request would not result in a CORS
     preflight and a naïve parser on the server might treat the request body as JSON:

     <pre><code class=lang-javascript>
fetch("https://victim.example/naïve-endpoint", {
  method: "POST",
  headers: [
    ["Content-Type", "application/json"],
    ["Content-Type", "text/plain"]
  ],
  credentials: "include",
  body: JSON.stringify(exerciseForTheReader)
});
</code></pre>
    </div>

   <dt>Otherwise
   <dd><p>Return false.
  </dl>

 <li><p>If <var>value</var>'s <a for="byte sequence">length</a> is greater than 128, then return
 false.

 <li><p>Return true.
</ol>

<p class="note">There are limited exceptions to the `<code>Content-Type</code>` header safelist, as
documented in <a href=#cors-protocol-exceptions>CORS protocol exceptions</a>.

<p>A <dfn>CORS-unsafe request-header byte</dfn> is a byte <var>byte</var> for which one of the
following is true:

<ul class=brief>
 <li><p><var>byte</var> is less than 0x20 and is not 0x09 HT
 <li><p><var>byte</var> is 0x22 ("), 0x28 (left parenthesis), 0x29 (right parenthesis), 0x3A (:),
 0x3C (&lt;), 0x3E (>), 0x3F (?), 0x40 (@), 0x5B ([), 0x5C (\), 0x5D (]), 0x7B ({), 0x7D (}), or
 0x7F DEL.
 <!-- Delimiters from https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6 except for ,/;=
      and including DEL -->
</ul>

<p>The <dfn noexport>CORS-unsafe request-header names</dfn>, given a <a for=/>header list</a>
<var>headers</var>, are determined as follows:

<ol>
 <li><p>Let <var>unsafeNames</var> be a new <a for=/>list</a>.

 <li><p>Let <var>potentiallyUnsafeNames</var> be a new <a for=/>list</a>.

 <li><p>Let <var>safelistValueSize</var> be 0.

 <li>
  <p><a for=list>For each</a> <var>header</var> of <var>headers</var>:

  <ol>
   <li><p>If <var>header</var> is not a <a>CORS-safelisted request-header</a>, then
   <a for=list>append</a> <var>header</var>'s <a for=header>name</a> to <var>unsafeNames</var>.

   <li><p>Otherwise, <a for=list>append</a> <var>header</var>'s <a for=header>name</a> to
   <var>potentiallyUnsafeNames</var> and increase <var>safelistValueSize</var> by
   <var>header</var>'s <a for=header>value</a>'s <a for="byte sequence">length</a>.
  </ol>

 <li><p>If <var>safelistValueSize</var> is greater than 1024, then <a for=list>for each</a>
 <var>name</var> of <var>potentiallyUnsafeNames</var>, <a for=list>append</a> <var>name</var> to
 <var>unsafeNames</var>.

 <li><p>Return the result of <a>convert header names to a sorted-lowercase set</a> with
 <var>unsafeNames</var>.
</ol>

<p>A <dfn export>CORS non-wildcard request-header name</dfn> is a <a>byte-case-insensitive</a> match
for `<code>Authorization</code>`.

<p>A <dfn export>privileged no-CORS request-header name</dfn> is a <a for=/>header</a>
<a for=header>name</a> that is a <a>byte-case-insensitive</a> match for one of

<ul class=brief>
 <li>`<code>Range</code>`.
</ul>

<div class="note no-backref">
 <p>These are headers that can be set by privileged APIs, and will be preserved if their associated
 request object is copied, but will be removed if the request is modified by unprivilaged APIs.

 <p>`<code>Range</code>` headers are commonly used by <a lt="download the hyperlink">downloads</a>
 and <a lt="resource fetch algorithm">media fetches</a>, although neither of these currently specify
 how. <a href=https://github.com/whatwg/html/pull/2814>html/2914</a> aims to solve this.

 <p>A helper is provided to <a for=request>add a range header</a> to a particular request.
</div>

<p>A <dfn export>CORS-safelisted response-header name</dfn>, given a
<a for=response>CORS-exposed header-name list</a> <var>list</var>, is a <a for=/>header</a>
<a for=header>name</a> that is a <a>byte-case-insensitive</a> match for one of

<ul class=brief>
 <li>`<code>Cache-Control</code>`
 <li>`<code>Content-Language</code>`
 <li>`<code>Content-Length</code>`
 <li>`<code>Content-Type</code>`
 <li>`<code>Expires</code>`
 <li>`<code>Last-Modified</code>`
 <li>`<code>Pragma</code>`
 <li>Any <a for=header>value</a> in <var>list</var> that is not a
 <a>forbidden response-header name</a>.
</ul>

<p>A <dfn noexport>no-CORS-safelisted request-header name</dfn> is a <a for=/>header</a>
<a for=header>name</a> that is a <a>byte-case-insensitive</a> match for one of

<ul class=brief>
 <li>`<code>Accept</code>`
 <li>`<code>Accept-Language</code>`
 <li>`<code>Content-Language</code>`
 <li>`<code>Content-Type</code>`
</ul>

<p>To determine whether a <a for/>header</a> <var>header</var> is a
<dfn noexport>no-CORS-safelisted request-header</dfn>, run these steps:

<ol>
 <li><p>If <var>header</var>'s <a for=header>name</a> is not a
 <a>no-CORS-safelisted request-header name</a>, then return false.

 <li><p>Return whether <var>header</var> is a <a>CORS-safelisted request-header</a>.
</ol>

<p>A <dfn export>forbidden header name</dfn> is a <a for=/>header</a> <a for=header>name</a> that
is a <a>byte-case-insensitive</a> match for one of

<ul class=brief>
 <li>`<code>Accept-Charset</code>`
 <li>`<code>Accept-Encoding</code>`
 <li>`<a http-header><code>Access-Control-Request-Headers</code></a>`
 <li>`<a http-header><code>Access-Control-Request-Method</code></a>`
 <li>`<code>Connection</code>`
 <li>`<code>Content-Length</code>`
 <li>`<code>Cookie</code>`
 <li>`<code>Cookie2</code>`
 <li>`<code>Date</code>`
 <li>`<code>DNT</code>`
 <li>`<code>Expect</code>`
 <li>`<code>Host</code>`
 <li>`<code>Keep-Alive</code>`
 <li>`<a http-header><code>Origin</code></a>`
 <li>`<code>Referer</code>`
 <li>`<code>TE</code>`
 <li>`<code>Trailer</code>`
 <li>`<code>Transfer-Encoding</code>`
 <li>`<code>Upgrade</code>`
 <li>`<code>Via</code>`
</ul>

<p>or a <a for=/>header</a> <a for=header>name</a> that
starts with a <a>byte-case-insensitive</a> match for `<code>Proxy-</code>` or `<code>Sec-</code>`
(including being a <a>byte-case-insensitive</a> match for just `<code>Proxy-</code>` or
`<code>Sec-</code>`).

<p class=note>These are forbidden so the user agent remains in full control over them.
<a for=header>Names</a> starting with `<code>Sec-</code>` are
reserved to allow new <a for=/>headers</a> to be minted that are safe
from APIs using <a for=/>fetch</a> that allow control over
<a for=/>headers</a> by developers, such as
{{XMLHttpRequest}}.
[[XHR]]

<p>A <dfn export>forbidden response-header name</dfn> is a <a for=/>header</a>
<a for=header>name</a> that is a <a>byte-case-insensitive</a> match for one of:

<ul class=brief>
 <li>`<code>Set-Cookie</code>`
 <li>`<code>Set-Cookie2</code>`
</ul>

<p>A <dfn export>request-body-header name</dfn> is a <a for=/>header</a> <a for=header>name</a> that
is a <a>byte-case-insensitive</a> match for one of:

<ul class=brief>
 <li>`<code>Content-Encoding</code>`
 <li>`<code>Content-Language</code>`
 <li>`<code>Content-Location</code>`
 <li>`<code>Content-Type</code>`
</ul>

<hr>

<p>To <dfn export lt="extract header values|extracting header values">extract header values</dfn>
given a <a for=/>header</a> <var>header</var>, run these steps:

<ol>
 <li><p>If parsing <var>header</var>'s <a for=header>value</a>, per the <a>ABNF</a> for
 <var>header</var>'s <a for=header>name</a>, fails, then return failure.

 <li><p>Return one or more <a for=header>values</a> resulting from parsing <var>header</var>'s
 <a for=header>value</a>, per the <a>ABNF</a> for <var>header</var>'s <a for=header>name</a>.
</ol>

<p>To
<dfn export lt="extract header list values|extracting header list values">extract header list values</dfn>
given a <a for=header>name</a> <var>name</var> and a <a for=/>header list</a> <var>list</var>,
run these steps:

<ol>
 <li><p>If <var>list</var> <a for="header list">does not contain</a> <var>name</var>, then return
 null.

 <li>
  <p>If the <a>ABNF</a> for <var>name</var> allows a single <a for=/>header</a> and <var>list</var>
  <a for="header list">contains</a> more than one, then return failure.

  <p class="note no-backref">If different error handling is needed, extract the desired
  <a for=/>header</a> first.

 <li><p>Let <var>values</var> be an empty <a for=/>list</a>.

 <li>
  <p>For each <a for=/>header</a> <var>header</var> <var>list</var>
  <a for="header list">contains</a> whose <a for=header>name</a> is <var>name</var>:

  <ol>
   <li><p>Let <var>extract</var> be the result of <a>extracting header values</a> from
   <var>header</var>.

   <li><p>If <var>extract</var> is failure, then return failure.

   <li><p>Append each <a for=header>value</a> in <var>extract</var>, in order, to <var>values</var>.
  </ol>

 <li><p>Return <var>values</var>.
</ol>

<hr>

<p>A <dfn id=default-user-agent-value export>default `<code>User-Agent</code>` value</dfn> is a
user-agent-defined <a for=header>value</a> for the
`<code>User-Agent</code>` <a for=/>header</a>.


<h4 id=statuses>Statuses</h4>

<p>A <dfn export id=concept-status>status</dfn> is an integer in the range 0 to 999, inclusive.

<p class=XXX>Various edge cases in mapping HTTP/1's <code>status-code</code> to this concept are
worked on in <a href=https://github.com/whatwg/fetch/issues/1156>issue #1156</a>.

<p>A <dfn export>null body status</dfn> is a <a for=/>status</a> that is 101, 204, 205, or 304.

<p>An <dfn export>ok status</dfn> is a <a for=/>status</a> in the range 200 to 299, inclusive.

<p>A <dfn export>redirect status</dfn> is a <a for=/>status</a> that is 301, 302, 303, 307, or 308.


<h4 id=bodies>Bodies</h4>

<p>A <dfn export id=concept-body>body</dfn> consists of:

<ul>
 <li><p>A <dfn export for=body id=concept-body-stream>stream</dfn> (a {{ReadableStream}} object).

 <li><p>A <dfn export for=body id=concept-body-source>source</dfn> (null, a
 <a for=/>byte sequence</a>, a {{Blob}} object, or a {{FormData}} object), initially null.

 <li><p>A <dfn export for=body id=concept-body-total-bytes>length</dfn> (null or an integer),
 initially null.
</ul>

<p>To <dfn export for=body id=concept-body-clone>clone</dfn> a
<a for=/>body</a> <var>body</var>, run these steps:

<ol>
 <li><p>Let « <var>out1</var>, <var>out2</var> » be the result of <a for=ReadableStream>teeing</a>
 <var>body</var>'s <a for=body>stream</a>.

 <li><p>Set <var>body</var>'s <a for=body>stream</a> to <var>out1</var>.

 <li><p>Return a <a for=/>body</a> whose
 <a for=body>stream</a> is <var>out2</var> and other members are copied from
 <var>body</var>.
</ol>

<hr>

<p>To <dfn export for=body>incrementally read</dfn> a <a for=/>body</a> <var>body</var>, given an
algorithm <var>processBodyChunk</var>, an algorithm <var>processEndOfBody</var>, an algorithm
<var>processBodyError</var>, and an optional null, <a for=/>parallel queue</a>, or
<a for=/>global object</a> <var>taskDestination</var> (default null), run these steps.
<var>processBodyChunk</var> must be an algorithm accepting a <a for=/>byte sequence</a>.
<var>processEndOfBody</var> must be an algorithm accepting no arguments. <var>processBodyError</var>
must be an algorithm accepting an exception.

<ol>
 <li><p>If <var>taskDestination</var> is null, then set <var>taskDestination</var> to the result of
 <a>starting a new parallel queue</a>.

 <li>
  <p>Let <var>reader</var> be the result of <a for=ReadableStream>getting a reader</a> for
  <var>body</var>'s <a for=body>stream</a>.

  <p class=note>This operation will not throw an exception.

 <li><p>Perform the <a>incrementally-read loop</a> given <var>reader</var>,
 <var>taskDestination</var>, <var>processBodyChunk</var>, <var>processEndOfBody</var>, and
 <var>processBodyError</var>.
</ol>

<p>To perform the <dfn>incrementally-read loop</dfn>, given a {{ReadableStreamDefaultReader}} object
<var>reader</var>, <a for=/>parallel queue</a> or <a for=/>global object</a>
<var>taskDestination</var>, algorithm <var>processBodyChunk</var>, algorithm
<var>processEndOfBody</var>, and algorithm <var>processBodyError</var>:

<ol>
 <li>
  <p>Let <var>readRequest</var> be the following <a>read request</a>:

  <dl>
   <dt><a for="read request">chunk steps</a>, given <var>chunk</var>
   <dd>
    <ol>
     <li><p>Let <var>continueAlgorithm</var> be null.

     <li><p>If <var>chunk</var> is not a {{Uint8Array}} object, then set
     <var>continueAlgorithm</var> to this step: run <var>processBodyError</var> given a
     {{TypeError}}.

     <li>
      <p>Otherwise:

      <ol>
       <li>
        <p>Let <var>bytes</var> be a <a lt="get a copy of the buffer source">copy of</a>
        <var>chunk</var>.

        <p class=note>Implementations are strongly encouraged to use an implementation strategy that
        avoids this copy where possible.

       <li>
        <p>Set <var>continueAlgorithm</var> to these steps:

        <ol>
         <li><p>Run <var>processBodyChunk</var> given <var>bytes</var>.

         <li><p>Perform the <a>incrementally-read loop</a> given <var>reader</var>,
         <var>taskDestination</var>, <var>processBodyChunk</var>, <var>processEndOfBody</var>, and
         <var>processBodyError</var>.
        </ol>
      </ol>

     <li><p><a>Queue a fetch task</a> given <var>continueAlgorithm</var> and
     <var>taskDestination</var>.
    </ol>

   <dt><a for="read request">close steps</a>
   <dd><ol><li><p><a>Queue a fetch task</a> given <var>processEndOfBody</var> and
   <var>taskDestination</var>.</ol>

   <dt><a for="read request">error steps</a>, given <var>e</var>
   <dd><ol><li><p><a>Queue a fetch task</a> to run <var>processBodyError</var> given <var>e</var>,
   with <var>taskDestination</var>.</ol>
  </dl>

 <li><p><a for=ReadableStreamDefaultReader>Read a chunk</a> from <var>reader</var> given
 <var>readRequest</var>.
</ol>

<p>To <dfn export for=body>fully read</dfn> a <a for=/>body</a> <var>body</var>, given an algorithm
<var>processBody</var>, an algorithm <var>processBodyError</var>, and an optional null,
<a for=/>parallel queue</a>, or <a for=/>global object</a> <var>taskDestination</var> (default
null), run these steps. <var>processBody</var> must be an algorithm accepting a
<a for=/>byte sequence</a>. <var>processBodyError</var> must be an algorithm accepting no arguments.

<ol>
 <li><p>If <var>taskDestination</var> is null, then set <var>taskDestination</var> to the result of
 <a>starting a new parallel queue</a>.

 <li><p>Let <var>promise</var> be the result of <a>fully reading body as promise</a> given
 <var>body</var>.

 <li><p>Let <var>fulfilledSteps</var> given a <a>byte sequence</a> <var>bytes</var> be to
 <a>queue a fetch task</a> to run <var>processBody</var> given <var>bytes</var>, with
 <var>taskDestination</var>.

 <li><p>Let <var>rejectedSteps</var> be to <a>queue a fetch task</a> to run
 <var>processBodyError</var>, with <var>taskDestination</var>.

 <li><p><a for=promise>React</a> to <var>promise</var> with <var>fulfilledSteps</var> and
 <var>rejectedSteps</var>.
</ol>

<p>To <dfn export lt="fully reading body as promise">fully read body as promise</dfn>, given a
<a for=/>body</a> <var>body</var>, run these steps:

<ol>
 <li><p>Let <var>reader</var> be the result of <a for=ReadableStream>getting a reader</a> for
 <var>body</var>'s <a for=body>stream</a>. If that threw an exception, then return
 <a>a promise rejected with</a> that exception.

 <li><p>Return the result of <a for=ReadableStreamDefaultReader>reading all bytes</a> from
 <var>reader</var>.
</ol>

<hr>

<p>To <dfn export>handle content codings</dfn> given <var>codings</var> and <var>bytes</var>, run
these steps:

<ol>
 <li><p>If <var>codings</var> are not supported, then return <var>bytes</var>.

 <li><p>Return the result of decoding <var>bytes</var> with <var>codings</var> as explained in HTTP,
 if decoding does not result in an error, and failure otherwise. [[!HTTP]] [[!HTTP-SEMANTICS]]
</ol>
<!-- XXX https://github.com/whatwg/fetch/issues/716
         https://github.com/httpwg/http-core/issues/58 -->


<h4 id=requests>Requests</h4>

<p>The input to <a for=/>fetch</a> is a
<dfn export id=concept-request>request</dfn>.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-method>method</dfn> (a
<a for=/>method</a>). Unless stated otherwise it is
`<code>GET</code>`.

<p class="note no-backref">This can be updated during redirects to `<code>GET</code>` as
described in <a>HTTP fetch</a>.

<p>A <a for=/>request</a> has an associated <dfn export for=request id=concept-request-url>URL</dfn>
(a <a for=/>URL</a>).

<p class="note no-backref">Implementations are encouraged to make this a pointer to the first
<a for=/>URL</a> in <a for=/>request</a>'s <a for=request>URL list</a>. It is provided as a distinct
field solely for the convenience of other standards hooking into Fetch.

<p>A <a for=/>request</a> has an associated
<dfn export>local-URLs-only flag</dfn>. Unless stated otherwise it is
unset.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-header-list>header list</dfn> (a
<a for=/>header list</a>). Unless stated otherwise it is empty.

<p>A <a for=/>request</a> has an associated
<dfn id=unsafe-request-flag export for=request>unsafe-request flag</dfn>. Unless stated otherwise it
is unset.

<p class="note no-backref">The <a>unsafe-request flag</a> is set by APIs such as
<a method><code>fetch()</code></a>  and {{XMLHttpRequest}} to ensure a <a>CORS-preflight fetch</a>
is done based on the supplied <a for=request>method</a> and <a for=request>header list</a>. It does
not free an API from outlawing <a>forbidden methods</a> and <a>forbidden header names</a>.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-body>body</dfn> (null, a <a for=/>byte sequence</a>, or a
<a for=/>body</a>). Unless stated otherwise it is null.

<p class="note no-backref">A <a for=/>byte sequence</a> will be <a for=BodyInit>safely extracted</a>
into a <a for=/>body</a> early on in <a for=/>fetch</a>. As part of <a>HTTP fetch</a> it is possible
for this field to be set to null due to certain redirects.

<hr>

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-client>client</dfn> (null or an
<a>environment settings object</a>).

<p>A <a for=/>request</a> has an associated
<dfn id=concept-request-reserved-client export for=request>reserved client</dfn>
(null, an <a for=/>environment</a>, or an
<a>environment settings object</a>). Unless stated otherwise it is null.

<p class="note no-backref">This is only used by <a>navigation requests</a> and worker
requests, but not service worker requests. It references an
<a for=/>environment</a> for a <a>navigation request</a> and an
<a>environment settings object</a> for a worker request.

<p>A <a for=/>request</a> has an associated
<dfn id=concept-request-replaces-client-id export for=request>replaces client id</dfn>
(a string). Unless stated otherwise it is the empty string.

<p class="note no-backref">This is only used by <a>navigation requests</a>. It is the
<a for="environment">id</a> of the
<a for="environment">target browsing context</a>'s
<a>active document</a>'s
<a>environment settings object</a>.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-window>window</dfn>
("<code>no-window</code>", "<code>client</code>", or an
<a>environment settings object</a> whose
<a for="environment settings object">global object</a> is a
{{Window}} object). Unless stated otherwise it is
"<code>client</code>".

<p class="note no-backref">The "<code>client</code>" value is changed to "<code>no-window</code>" or
<a for=/>request</a>'s <a for=request>client</a> during
<a lt=fetch for=/>fetching</a>. It provides a convenient way for standards to not have to
explicitly set <a for=/>request</a>'s
<a for=request>window</a>.

<p id=keep-alive-flag>A <a for=/>request</a> has an associated boolean
<dfn for=request export id=request-keepalive-flag>keepalive</dfn>. Unless stated otherwise it is
false.

<p class="note no-backref">This can be used to allow the request to outlive the
<a>environment settings object</a>, e.g.,
<code>navigator.sendBeacon</code> and the HTML <code>img</code> element set this flag. Requests with
this flag set are subject to additional processing requirements.

<p>A <a for=/>request</a> has an associated <dfn for=request export>service-workers mode</dfn>, that
is "<code>all</code>" or "<code>none</code>". Unless stated otherwise it is "<code>all</code>".

<div class=note>
 <p>This determines which service workers will receive a {{fetch!!event}} event for this fetch.

 <dl>
  <dt>"<code>all</code>"
  <dd>Relevant service workers will get a {{fetch!!event}} event for this fetch.

  <dt>"<code>none</code>"
  <dd>No service workers will get events for this fetch.
 </dl>
</div>

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-initiator>initiator</dfn>, which is
the empty string,
"<code>download</code>",
"<code>imageset</code>",
"<code>manifest</code>",
"<code>prefetch</code>",
"<code>prerender</code>", or
"<code>xslt</code>". Unless stated otherwise it is the empty string.

<p class="note no-backref">A <a for=/>request</a>'s
<a for=request>initiator</a> is not particularly granular for
the time being as other specifications do not require it to be. It is primarily a
specification device to assist defining CSP and Mixed Content. It is not exposed to
JavaScript. [[!CSP]] [[!MIX]]

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-destination>destination</dfn>, which is
the empty string,
"<code>audio</code>",
"<code>audioworklet</code>",
"<code>document</code>",
"<code>embed</code>",
"<code>font</code>",
"<code>frame</code>",
"<code>iframe</code>",
"<code>image</code>",
"<code>manifest</code>",
"<code>object</code>",
"<code>paintworklet</code>",
"<code>report</code>",
"<code>script</code>",
"<code>serviceworker</code>",
"<code>sharedworker</code>",
"<code>style</code>",
"<code>track</code>",
"<code>video</code>",
"<code>worker</code>", or
"<code>xslt</code>". Unless stated otherwise it is the empty string.

<!-- Dependencies:
     * CSP: https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request
     * Mixed Content
     * Preload: https://w3c.github.io/preload/#processing
     * HTML -->

<p>A <a for=/>request</a>'s <a for=request>destination</a> is
<dfn export for=request/destination>script-like</dfn> if it is "<code>audioworklet</code>",
"<code>paintworklet</code>", "<code>script</code>", "<code>serviceworker</code>",
"<code>sharedworker</code>", or "<code>worker</code>".

<p class=warning>Algorithms that use <a for=request/destination>script-like</a> should also consider
"<code>xslt</code>" as that too can cause script execution. It is not included in the list as it is
not always relevant and might require different behavior.

<div class=note>
 <p>The following table illustrates the relationship between a <a for=/>request</a>'s
 <a for=request>initiator</a>, <a for=request>destination</a>, CSP directives, and features. It is
 not exhaustive with respect to features. Features need to have the relevant values defined in their
 respective standards.

 <table>
  <tbody><tr>
   <th><a lt=initiator for=request>Initiator</a>
   <th><a lt=destination for=request>Destination</a>
   <th>CSP directive
   <th>Features
  <tr>
   <td rowspan=19>""
   <td>"<code>report</code>"
   <td rowspan=2>&mdash;
   <td>CSP, NEL reports.
  <tr>
   <td>"<code>document</code>"
   <td>HTML's navigate algorithm (top-level only).
  <tr>
   <td>"<code>frame</code>"
   <td><code>child-src</code>
   <td>HTML's <code>&lt;frame></code>
  <tr>
   <td>"<code>iframe</code>"
   <td><code>child-src</code>
   <td>HTML's <code>&lt;iframe></code>
  <tr>
   <td>""
   <td><code>connect-src</code>
   <td><code>navigator.sendBeacon()</code>, {{EventSource}},
   HTML's <code>&lt;a ping=""></code> and <code>&lt;area ping=""></code>,
   <a method><code>fetch()</code></a>, {{XMLHttpRequest}}, {{WebSocket}}, Cache API
  <tr>
   <td>"<code>object</code>"
   <td><code>object-src</code>
   <td>HTML's <code>&lt;object></code>
  <tr>
   <td>"<code>embed</code>"
   <td><code>object-src</code>
   <td>HTML's <code>&lt;embed></code>
  <tr>
   <td>"<code>audio</code>"
   <td><code>media-src</code>
   <td>HTML's <code>&lt;audio></code>
  <tr>
   <td>"<code>font</code>"
   <td><code>font-src</code>
   <td>CSS' <code>@font-face</code>
  <tr>
   <td>"<code>image</code>"
   <td><code>img-src</code>
   <td>HTML's <code>&lt;img src></code>, <code>/favicon.ico</code> resource,
   SVG's <code>&lt;image></code>, CSS' <code>background-image</code>, CSS'
   <code>cursor</code>, CSS' <code>list-style-image</code>, …
  <tr>
   <td>"<code>audioworklet</code>"
   <td><code>script-src</code>
   <td><code>audioWorklet.addModule()</code>
  <tr>
   <td>"<code>paintworklet</code>"
   <td><code>script-src</code>
   <td><code>CSS.paintWorklet.addModule()</code>
  <tr>
   <td>"<code>script</code>"
   <td><code>script-src</code>
   <td>HTML's <code>&lt;script></code>, <code>importScripts()</code>
  <tr>
   <td>"<code>serviceworker</code>"
   <td><code>child-src</code>, <code>script-src</code>, <code>worker-src</code>
   <td><code>navigator.serviceWorker.register()</code>
  <tr>
   <td>"<code>sharedworker</code>"
   <td><code>child-src</code>, <code>script-src</code>, <code>worker-src</code>
   <td><code>SharedWorker</code>
  <tr>
   <td>"<code>worker</code>"
   <td><code>child-src</code>, <code>script-src</code>, <code>worker-src</code>
   <td><code>Worker</code>
  <tr>
   <td>"<code>style</code>"
   <td><code>style-src</code>
   <td>HTML's <code>&lt;link rel=stylesheet></code>, CSS' <code>@import</code>
  <tr>
   <td>"<code>track</code>"
   <td><code>media-src</code>
   <td>HTML's <code>&lt;track></code>
  <tr>
   <td>"<code>video</code>"
   <td><code>media-src</code>
   <td>HTML's <code>&lt;video></code> element
  <tr>
   <td>"<code>download</code>"
   <td>""
   <td>&mdash;
   <td>HTML's <code>download=""</code>, "Save Link As…" UI
  <tr>
   <td>"<code>imageset</code>"
   <td>"<code>image</code>"
   <td><code>img-src</code>
   <td>HTML's <code>&lt;img srcset></code> and <code>&lt;picture></code>
  <tr>
   <td>"<code>manifest</code>"
   <td>"<code>manifest</code>"
   <td><code>manifest-src</code>
   <td>HTML's <code>&lt;link rel=manifest></code>
  <tr>
   <td>"<code>prefetch</code>"
   <td rowspan=2>""
   <td rowspan=2><code>prefetch-src</code>
   <td>HTML's <code>&lt;link rel=prefetch></code>
  <tr>
   <td>"<code>prerender</code>"
   <td>HTML's <code>&lt;link rel=prerender></code>
  <tr>
   <td>"<code>xslt</code>"
   <td>"<code>xslt</code>"
   <td><code>script-src</code>
   <td><code>&lt;?xml-stylesheet></code>
 </table>

 <p>CSP's <code>form-action</code> needs to be a hook directly in HTML's navigate or form
 submission algorithm.

 <p>CSP will also need to check <a for=/>request</a>'s <a for=request>client</a>'s
 <a for="environment settings object">global object</a>'s
 <a for=Window>browsing context</a>'s <a>ancestor browsing contexts</a> for various CSP
 directives.
</div>

<hr>

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-priority>priority</dfn> (null or a
user-agent-defined object). Unless otherwise stated it is null.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-origin>origin</dfn>, which is
"<code>client</code>" or an <a for=/>origin</a>. Unless stated otherwise it is
"<code>client</code>".

<p class="note no-backref">"<code>client</code>" is changed to an <a for=/>origin</a> during
<a lt=fetch for=/>fetching</a>. It provides a convenient way for standards to not have to set
<a for=/>request</a>'s <a for=request>origin</a>.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-policy-container>policy container</dfn>, which is
"<code>client</code>" or a <a for=/>policy container</a>. Unless stated otherwise it is
"<code>client</code>".

<p class=note>"<code>client</code>" is changed to a <a for=/>policy container</a> during
<a lt=fetch for=/>fetching</a>. It provides a convenient way for standards to not have to set
<a for=/>request</a>'s <a for=request>policy container</a>.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-referrer>referrer</dfn>, which is
"<code>no-referrer</code>", "<code>client</code>", or a <a for=/>URL</a>. Unless stated otherwise it
is "<code>client</code>".

<p class="note no-backref">"<code>client</code>" is changed to "<code>no-referrer</code>" or a
<a for=/>URL</a> during <a lt=fetch for=/>fetching</a>. It provides a convenient way for standards
to not have to set <a for=/>request</a>'s <a for=request>referrer</a>.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-referrer-policy>referrer policy</dfn>, which is a
<a for=/>referrer policy</a>. Unless stated otherwise it is the empty string. [[!REFERRER]]

<p class="note no-backref">This can be used to override the referrer policy to be used for this
<a for=/>request</a>.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-mode>mode</dfn>, which is
"<code>same-origin</code>", "<code>cors</code>", "<code>no-cors</code>",
"<code>navigate</code>", or "<code>websocket</code>". Unless stated otherwise, it is
"<code>no-cors</code>".

<div class="note no-backref">
 <dl>
  <dt>"<code>same-origin</code>"
  <dd>Used to ensure requests are made to same-origin URLs. <a for=/>Fetch</a> will return a
  <a>network error</a> if the request is not made to a same-origin URL.

  <dt>"<code>cors</code>"
  <dd>For requests whose <a for=request>response tainting</a> gets set to "<code>cors</code>", makes
  the request a <a>CORS request</a> — in which case, fetch will return a <a>network error</a> if the
  requested resource does not understand the <a>CORS protocol</a>, or if the requested resource is
  one that intentionally does not participate in the <a>CORS protocol</a>.

  <dt>"<code>no-cors</code>"
  <dd>Restricts requests to using <a>CORS-safelisted methods</a> and
  <a>CORS-safelisted request-headers</a>. Upon success, fetch will return an
  <a>opaque filtered response</a>.

  <dt>"<code>navigate</code>"
  <dd>This is a special mode used only when <a>navigating</a> between documents.

  <dt>"<code>websocket</code>"
  <dd>This is a special mode used only when <a lt="establish a WebSocket connection">establishing
  a WebSocket connection</a>.
 </dl>

 <p>Even though the default <a for=/>request</a> <a for=request>mode</a> is "<code>no-cors</code>",
 standards are highly discouraged from using it for new features. It is rather unsafe.
</div>

<p>A <a for=/>request</a> has an associated
<dfn id=use-cors-preflight-flag export for=request>use-CORS-preflight flag</dfn>. Unless stated
otherwise, it is unset.

<p class="note no-backref">The <a>use-CORS-preflight flag</a> being set is one of several conditions
that results in a <a>CORS-preflight request</a>. The <a>use-CORS-preflight flag</a> is set if either
one or more event listeners are registered on an {{XMLHttpRequestUpload}} object or if a
{{ReadableStream}} object is used in a request.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-credentials-mode>credentials mode</dfn>,
which is "<code>omit</code>", "<code>same-origin</code>", or
"<code>include</code>". Unless stated otherwise, it is "<code>same-origin</code>".

<div class="note no-backref">
 <dl>
  <dt>"<code>omit</code>"
  <dd>Excludes credentials from this request, and causes any credentials sent back in the response
  to be ignored.

  <dt>"<code>same-origin</code>"
  <dd>Include credentials with requests made to same-origin URLs, and use any credentials sent back
  in responses from same-origin URLs.

  <dt>"<code>include</code>"
  <dd>Always includes credentials with this request, and always use any credentials sent back in the
  response.
 </dl>

 <p><a for=/>Request</a>'s <a for=request>credentials mode</a> controls the flow of
 <a for=/>credentials</a> during a <a for=/>fetch</a>. When <a for=/>request</a>'s
 <a for=request>mode</a> is "<code>navigate</code>", its <a for=request>credentials mode</a> is
 assumed to be "<code>include</code>" and <a for=/>fetch</a> does not currently account for other
 values. If <cite>HTML</cite> changes here, this standard will need corresponding changes.
</div>

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-use-url-credentials-flag>use-URL-credentials flag</dfn>.
Unless stated otherwise, it is unset.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-cache-mode>cache mode</dfn>, which is
"<code>default</code>", "<code>no-store</code>", "<code>reload</code>",
"<code>no-cache</code>", "<code>force-cache</code>", or
"<code>only-if-cached</code>". Unless stated otherwise, it is "<code>default</code>".

<div class="note no-backref">
 <dl>
  <dt>"<code>default</code>"
  <dd><a for=/>Fetch</a> will inspect the HTTP cache on the way to the network. If the HTTP cache
  contains a matching <a>fresh response</a> it will be returned. If the HTTP cache contains a
  matching <a>stale-while-revalidate response</a> it will be returned, and a conditional network
  fetch will be made to update the entry in the HTTP cache. If the HTTP cache contains a matching
  <a>stale response</a>, a conditional network fetch will be returned to update the entry in
  the HTTP cache. Otherwise, a non-conditional network fetch will be returned to update the entry
  in the HTTP cache. [[!HTTP]] [[!HTTP-SEMANTICS]] [[!HTTP-COND]] [[!HTTP-CACHING]] [[!HTTP-AUTH]]
  [[!STALE-WHILE-REVALIDATE]]

  <dt>"<code>no-store</code>"
  <dd>Fetch behaves as if there is no HTTP cache at all.

  <dt>"<code>reload</code>"
  <dd>Fetch behaves as if there is no HTTP cache on the way to the network. Ergo, it creates a
  normal request and updates the HTTP cache with the response.

  <dt>"<code>no-cache</code>"
  <dd>Fetch creates a conditional request if there is a response in the HTTP cache and a normal
  request otherwise. It then updates the HTTP cache with the response.

  <dt>"<code>force-cache</code>"
  <dd>Fetch uses any response in the HTTP cache matching the request, not paying attention to
  staleness. If there was no response, it creates a normal request and updates the HTTP cache with
  the response.

  <dt>"<code>only-if-cached</code>"
  <dd>Fetch uses any response in the HTTP cache matching the request, not paying attention to
  staleness. If there was no response, it returns a network error. (Can only be used when
  <a for=/>request</a>'s <a for=request>mode</a> is
  "<code>same-origin</code>". Any cached redirects will be followed assuming
  <a for=/>request</a>'s
  <a for=request>redirect mode</a> is "<code>follow</code>" and the
  redirects do not violate <a for=/>request</a>'s
  <a for=request>mode</a>.)
 </dl>

 <p>If <a for=request>header list</a> <a for="header list">contains</a>
 `<code>If-Modified-Since</code>`,
 `<code>If-None-Match</code>`,
 `<code>If-Unmodified-Since</code>`,
 `<code>If-Match</code>`, or
 `<code>If-Range</code>`,
 <a for=/>fetch</a> will set
 <a for=request>cache mode</a> to "<code>no-store</code>" if it is
 "<code>default</code>".
</div>

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-redirect-mode>redirect mode</dfn>, which is
"<code>follow</code>", "<code>error</code>", or "<code>manual</code>".
Unless stated otherwise, it is "<code>follow</code>".

<div class="note no-backref">
 <dl>
  <dt>"<code>follow</code>"
  <dd>Follow all redirects incurred when fetching a resource.

  <dt>"<code>error</code>"
  <dd>Return a <a>network error</a> when a request is met with a redirect.

  <dt>"<code>manual</code>"
  <dd>Retrieves an <a>opaque-redirect filtered response</a> when a request is met with a redirect,
  to allow a service worker to replay the redirect offline. The response is otherwise
  indistinguishable from a <a>network error</a>, to not violate
  <a>atomic HTTP redirect handling</a>.
 </dl>
</div>

<p>A <a for=/>request</a> has associated
<dfn export for=request id=concept-request-integrity-metadata>integrity metadata</dfn>
(a string). Unless stated otherwise, it is the empty string.

<p>A <a for=/>request</a> has associated
<dfn export for=request id=concept-request-nonce-metadata>cryptographic nonce metadata</dfn>
(a string). Unless stated otherwise, it is the empty string.

<p>A <a for=/>request</a> has associated
<dfn export for=request id=concept-request-parser-metadata>parser metadata</dfn>
which is the empty string, "<code>parser-inserted</code>", or
"<code>not-parser-inserted</code>". Unless otherwise stated, it is the empty string.

<p class="note no-backref">A <a for=/>request</a>'s <a for=request>cryptographic nonce metadata</a>
and <a for=request>parser metadata</a> are generally populated from attributes and flags on the HTML
element responsible for creating a <a for=/>request</a>. They are used by various algorithms in
<cite>Content Security Policy</cite> to determine whether requests or responses are to be blocked in
a given context. [[!CSP]]

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-reload-navigation-flag>reload-navigation flag</dfn>.
Unless stated otherwise, it is unset.

<p class=note>This flag is for exclusive use by HTML's navigate algorithm. [[!HTML]]

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-history-navigation-flag>history-navigation flag</dfn>.
Unless stated otherwise, it is unset.

<p class=note>This flag is for exclusive use by HTML's navigate algorithm. [[!HTML]]

<p>A <a for=/>request</a> has an associated boolean <dfn export for=request>user-activation</dfn>.
Unless stated otherwise, it is false.

<p class=note>This is for exclusive use by HTML's navigate algorithm. [[!HTML]]

<hr>

<p>A <a for=/>request</a> has an associated
<dfn for=request id=concept-request-tainted-origin>tainted origin flag</dfn>. Unless stated
otherwise, it is unset.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-url-list>URL list</dfn> (a <a for=/>list</a> of one or
more <a for=/>URLs</a>). Unless stated otherwise, it is a list containing a copy of
<a for=/>request</a>'s <a for=request>URL</a>.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-current-url>current URL</dfn>. It is a pointer to the
last <a for=/>URL</a> in <a for=/>request</a>'s <a for=request>URL list</a>.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-redirect-count>redirect count</dfn>.
Unless stated otherwise, it is zero.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-response-tainting>response tainting</dfn>,
which is "<code>basic</code>", "<code>cors</code>", or "<code>opaque</code>".
Unless stated otherwise, it is "<code>basic</code>".

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=no-cache-prevent-cache-control>prevent no-cache cache-control header modification flag</dfn>.
Unless stated otherwise, it is unset.

<p>A <a for=/>request</a> has an associated <dfn export for=request id=done-flag>done flag</dfn>.
Unless stated otherwise, it is unset.

<p>A <a for=/>request</a> has an associated
<dfn export for=request id=timing-allow-failed>timing allow failed flag</dfn>. Unless stated
otherwise, it is unset.

<p class="note no-backref">A <a for=/>request</a>'s <a for=request>tainted origin flag</a>,
<a for=request>URL list</a>, <a for=request>current URL</a>, <a for=request>redirect count</a>,
<a for=request>response tainting</a>, <a for=request>done flag</a>, and
<a for=request>timing allow failed flag</a> are used as bookkeeping details by the
<a for=/>fetch</a> algorithm.

<hr>

<p>A <dfn export>subresource request</dfn> is a <a for=/>request</a>
whose <a for=request>destination</a> is "<code>audio</code>", "<code>audioworklet</code>",
"<code>font</code>", "<code>image</code>", "<code>manifest</code>", "<code>paintworklet</code>",
"<code>script</code>", "<code>style</code>", "<code>track</code>", "<code>video</code>",
"<code>xslt</code>", or the empty string.

<p>A <dfn export>non-subresource request</dfn> is a <a for=/>request</a>
whose <a for=request>destination</a> is "<code>document</code>", "<code>embed</code>",
"<code>frame</code>", "<code>iframe</code>", "<code>object</code>", "<code>report</code>",
"<code>serviceworker</code>", "<code>sharedworker</code>", or "<code>worker</code>".

<p>A <dfn export>navigation request</dfn> is a <a for=/>request</a> whose
<a for=request>destination</a> is
"<code>document</code>", "<code>embed</code>", "<code>frame</code>", "<code>iframe</code>",
or "<code>object</code>".

<p class=note>See <a for=/>handle fetch</a> for usage of these terms.
[[!SW]]

<hr>

<p><dfn>Serializing a request origin</dfn>, given a <a for=/>request</a> <var>request</var>, is to
run these steps:

<ol>
 <li><p>If <var>request</var>'s <a for=request>tainted origin flag</a> is set, then return
 "<code>null</code>".

 <li><p>Return <var>request</var>'s <a for=request>origin</a>,
 <a lt="ASCII serialization of an origin">serialized</a>.
</ol>

<p><dfn>Byte-serializing a request origin</dfn>, given a <a for=/>request</a> <var>request</var>,
is to return the result of <a>serializing a request origin</a> with <var>request</var>,
<a>isomorphic encoded</a>.

<hr>

<p>To <dfn export for=request id=concept-request-clone>clone</dfn> a
<a for=/>request</a> <var>request</var>, run these steps:

<ol>
 <li><p>Let <var>newRequest</var> be a copy of <var>request</var>, except for its
 <a for=request>body</a>.

 <li><p>If <var>request</var>'s <a for=request>body</a> is non-null, set <var>newRequest</var>'s
 <a for=request>body</a> to the result of <a lt=clone for=body>cloning</a> <var>request</var>'s
 <a for=request>body</a>.

 <li><p>Return <var>newRequest</var>.
</ol>

<hr>

<p>To <dfn export for=request id=concept-request-add-range-header>add a range header</dfn> to a
<a for=/>request</a> <var>request</var>, with an integer <var>first</var>, and an optional integer
<var>last</var>, run these steps:

<ol>
 <li><p>Let <var>rangeValue</var> be `<code>bytes </code>`.

 <li><p><a lt="serialize an integer">Serialize</a> and <a>isomorphic encode</a> <var>first</var>,
 and append the result to <var>rangeValue</var>.

 <li><p>Append 0x2D (-) to <var>rangeValue</var>.

 <li><p>If <var>last</var> is given, then <a lt="serialize an integer">serialize</a> and
 <a>isomorphic encode</a> it, and append the result to <var>rangeValue</var>.

 <li><p><a for="header list">Append</a> `<code>Range</code>`/<var>rangeValue</var> to
 <var>request</var>'s <a for=request>header list</a>.
</ol>

<p class=note>A range header denotes an inclusive byte range. There a range header where
<var>first</var> is 0 and <var>last</var> is 500, is a range of 501 bytes.

<p class=note>Features that combine multiple responses into one logical resource are historically a
source of security bugs. Please seek security review for features that deal with partial responses.

<hr>

<p>To <dfn export>serialize a response URL for reporting</dfn>, given a <a for=/>response</a>
<var>response</var>, run these steps:

<ol>
 <li><p>Assert: <var>response</var>'s <a for=response>URL list</a> <a for=list>is not empty</a>.

 <li>
  <p>Let <var>url</var> be a copy of <var>response</var>'s <a for=response>URL list</a>'s first
  element.

  <p class="note">This is not <var>response</var>'s <a for=response>URL</a> in order to avoid
  leaking information about redirect targets (see
  <a href="https://w3c.github.io/webappsec-csp/#security-violation-reports">similar considerations for CSP reporting</a>
  too). [[CSP]]

 <li><p><a>Set the username</a> given <var>url</var> and the empty string.

 <li><p><a>Set the password</a> given <var>url</var> and the empty string.

 <li><p>Return the <a lt="URL serializer">serialization</a> of <var>url</var> with
 <a for="URL serializer"><i>exclude fragment</i></a> set to true.
</ol>


<h4 id=responses>Responses</h4>

<p>The result of <a for=/>fetch</a> is a
<dfn export id=concept-response>response</dfn>. A <a for=/>response</a>
evolves over time. That is, not all its fields are available straight away.

<p>A <a for=/>response</a> has an associated
<dfn export for=response id=concept-response-type>type</dfn> which is
"<code>basic</code>",
"<code>cors</code>",
"<code>default</code>",
"<code>error</code>",
"<code>opaque</code>", or
"<code>opaqueredirect</code>".
Unless stated otherwise, it is "<code>default</code>".

<p>A <a for=/>response</a> can have an associated
<dfn export for=response id=concept-response-aborted>aborted flag</dfn>, which is initially unset.

<p class="note">This indicates that the request was intentionally aborted by the developer or
end-user.

<p>A <a for=/>response</a> has an associated
<dfn export for=response id=concept-response-url>URL</dfn>. It is a pointer to the last
<a for=/>URL</a> in <a for=/>response</a>'s <a for=response>URL list</a> and null if
<a for=/>response</a>'s <a for=response>URL list</a> <a for=list>is empty</a>.

<p>A <a for=/>response</a> has an associated
<dfn export for=response id=concept-response-url-list>URL list</dfn> (a <a for=/>list</a> of zero or
more <a for=/>URLs</a>). Unless stated otherwise, it is the empty list.

<p class="note no-backref">Except for the last <a for=/>URL</a>, if any, a <a for=/>response</a>'s
<a for=response>URL list</a> is not exposed to script as that would violate
<a>atomic HTTP redirect handling</a>.

<p>A <a for=/>response</a> has an associated
<dfn export for=response id=concept-response-status>status</dfn>, which is a <a for=/>status</a>.
Unless stated otherwise it is 200.

<p>A <a for=/>response</a> has an associated
<dfn export for=response id=concept-response-status-message>status message</dfn>. Unless stated
otherwise it is the empty byte sequence.

<p class=note>Responses over an HTTP/2 connection will always have the empty byte sequence as status
message as HTTP/2 does not support them.

<p>A <a for=/>response</a> has an associated
<dfn export for=response id=concept-response-header-list>header list</dfn> (a
<a for=/>header list</a>). Unless stated otherwise it is empty.

<p>A <a for=/>response</a> has an associated
<dfn export for=response id=concept-response-body>body</dfn> (null or a
<a for=/>body</a>). Unless stated otherwise it is null.

<p class=note>The <a for=body>source</a> and <a for=body>length</a> concepts of a network's
<a for=/>response</a>'s <a for=response>body</a> are always null.

<p>A <a for=/>response</a> has an associated
<dfn export for=response id=concept-response-cache-state>cache state</dfn> (the empty string,
"<code>local</code>", or "<code>validated</code>"). Unlesss stated otherwise, it is the empty
string.

<p class=note>This is intended for usage by <cite>Service Workers</cite> and
<cite>Resource Timing</cite>.  [[SW]] [[RESOURCE-TIMING]]
<!-- If we ever expand the utility of this we need to carefully consider whether filtered responses
     need to mask it, whether the cache API needs to store it, etc. -->

<p>A <a for=/>response</a> has an associated
<dfn export for=response id=concept-response-cors-exposed-header-name-list>CORS-exposed header-name list</dfn>
(a list of zero or more <a for=/>header</a>
<a lt=name for=header>names</a>). The list is empty unless otherwise specified.

<p class="note no-backref">A <a for=/>response</a> will typically get its
<a for=response>CORS-exposed header-name list</a> set by <a>extracting header values</a> from the
`<a http-header><code>Access-Control-Expose-Headers</code></a>` header. This list is used by a
<a>CORS filtered response</a> to determine which headers to expose.

<p>A <a for=/>response</a> has an associated
<dfn for=response id=concept-response-range-requested-flag>range-requested flag</dfn>, which is
initially unset.

<p class=note>This is used to ensure to prevent a partial response from an earlier ranged request
being provided to an API that didn't make a range request. See the flag's usage for a detailed
description of the attack.

<p>A <a for=/>response</a> has an associated
<dfn for=response id=concept-response-timing-allow-passed>timing allow passed flag</dfn>, which is
initially unset.

<p class=note>This is used so that the caller to a fetch can determine if sensitive timing data is
allowed on the resource fetched by looking at the flag of the response returned. Because the flag on
the response of a redirect has to be set if it was set for previous responses in the redirect chain,
this is also tracked internally using the request's <a for=request>timing allow failed flag</a>.

<p>A <a for=/>response</a> has an associated
<dfn for=response id=concept-response-timing-info>timing info</dfn> (null or a
<a for=/>fetch timing info</a>), which is initially null.

<p>A <a for=/>response</a> has an associated
<dfn export for=response>service worker timing info</dfn> (null or a
<a for=/>service worker timing info</a>), which is initially null.

<hr>

<p>A <a for=/>response</a> whose
<a for=response>type</a> is "<code>error</code>" and <a for=response>aborted flag</a> is set is
known as an <dfn export id=concept-aborted-network-error>aborted network error</dfn>.

<p>A <a for=/>response</a> whose
<a for=response>type</a> is "<code>error</code>" is known as a
<dfn export id=concept-network-error>network error</dfn>.

<p>A <a>network error</a> is a <a for=/>response</a> whose
<a for=response>status</a> is always 0,
<a for=response>status message</a> is always the empty byte sequence,
<a for=response>header list</a> is always empty, and
<a for=response>body</a> is always null.

<hr>

<p>A <dfn export id=concept-filtered-response>filtered response</dfn> is a limited view on a
<a for=/>response</a> that is not a
<a>network error</a>. This
<a for=/>response</a> is referred to as the
<a>filtered response</a>'s associated
<dfn export id=concept-internal-response for="filtered response">internal response</dfn>.

<p class="note no-backref">The <a for=/>fetch</a> algorithm returns such a view to ensure APIs do
not accidentally leak information. If the information needs to be exposed for legacy reasons, e.g.,
to feed image data to a decoder, the associated <a for="filtered response">internal response</a> can
be used, which is only "accessible" to internal specification algorithms and is never a
<a>filtered response</a> itself.

<p>A <dfn export id=concept-filtered-response-basic>basic filtered response</dfn> is a
<a>filtered response</a> whose
<a for=response>type</a> is "<code>basic</code>" and
<a for=response>header list</a> excludes any
<a for=/>headers</a> in
<a for="filtered response">internal response</a>'s
<a for=response>header list</a> whose
<a for=header>name</a> is a
<a>forbidden response-header name</a>.

<p>A <dfn export id=concept-filtered-response-cors>CORS filtered response</dfn> is a
<a>filtered response</a> whose
<a for=response>type</a> is "<code>cors</code>" and
<a for=response>header list</a> excludes any
<a for=/>headers</a> in
<a for="filtered response">internal response</a>'s
<a for=response>header list</a> whose
<a for=header>name</a> is <em>not</em> a
<a>CORS-safelisted response-header name</a>, given
<a for="filtered response">internal response</a>'s
<a for=response>CORS-exposed header-name list</a>.

<p>An <dfn export id=concept-filtered-response-opaque>opaque filtered response</dfn> is a
<a>filtered response</a> whose
<a for=response>type</a> is "<code>opaque</code>",
<a for=response>URL list</a> is the empty list,
<a for=response>status</a> is 0,
<a for=response>status message</a> is the empty byte sequence,
<a for=response>header list</a> is empty, and
<a for=response>body</a> is null.

<p>An
<dfn export id=concept-filtered-response-opaque-redirect>opaque-redirect filtered response</dfn>
is a <a>filtered response</a> whose
<a for=response>type</a> is "<code>opaqueredirect</code>",
<a for=response>status</a> is 0,
<a for=response>status message</a> is the empty byte sequence,
<a for=response>header list</a> is empty, and
<a for=response>body</a> is null.

<div class="note no-backref">
 <p>Exposing the <a for=response>URL list</a> for
 <a lt="opaque-redirect filtered response">opaque-redirect filtered responses</a> is harmless since
 no redirects are followed.

 <p>In other words, an <a>opaque filtered response</a> and an
 <a>opaque-redirect filtered response</a> are nearly indistinguishable from a <a>network error</a>.
 When introducing new APIs, do not use the <a for="filtered response">internal response</a> for
 internal specification algorithms as that will leak information.

 <p>This also means that JavaScript APIs, such as
 <a attribute for=Response lt=ok><code>response.ok</code></a>, will return rather useless results.
</div>

<p>To <dfn export for=response id=concept-response-clone>clone</dfn> a
<a for=/>response</a> <var>response</var>, run these steps:

<ol>
 <li><p>If <var>response</var> is a <a>filtered response</a>, then return a new identical
 <a>filtered response</a> whose <a for="filtered response">internal response</a> is a
 <a for=response>clone</a> of <var>response</var>'s
 <a for="filtered response">internal response</a>.

 <li><p>Let <var>newResponse</var> be a copy of <var>response</var>, except for its
 <a for=response>body</a>.

 <li><p>If <var>response</var>'s <a for=response>body</a> is non-null, then set
 <var>newResponse</var>'s <a for=response>body</a> to the result of <a lt=clone for=body>cloning</a>
 <var>response</var>'s <a for=response>body</a>.

 <li><p>Return <var>newResponse</var>.
</ol>

<p>A <dfn id=concept-fresh-response>fresh response</dfn> is a <a for=/>response</a> whose
<a href=https://datatracker.ietf.org/doc/html/rfc7234#section-4.2.3>current age</a> is within its
<a href=https://datatracker.ietf.org/doc/html/rfc7234#section-4.2.1>freshness lifetime</a>.

<p>A <dfn id=concept-stale-while-revalidate-response>stale-while-revalidate response</dfn> is a
<a for=/>response</a> that is not a <a>fresh response</a> and whose
<a href=https://datatracker.ietf.org/doc/html/rfc7234#section-4.2.3>current age</a> is within the
<a href=https://datatracker.ietf.org/doc/html/rfc5861#section-3>stale-while-revalidate lifetime</a>.

<p>A <dfn export id=concept-stale-response>stale response</dfn> is a <a for=/>response</a> that is
not a <a>fresh response</a> or a <a>stale-while-revalidate response</a>.

<hr>

<p>The <dfn export for=response id=concept-response-location-url>location URL</dfn> of a
<a for=/>response</a> <var>response</var>, given null or an <a for=/>ASCII string</a>
<var>requestFragment</var>, is the value returned by the following steps. They return null, failure,
or a <a for=/>URL</a>.

<ol>
 <li><p>If <var>response</var>'s <a for=response>status</a> is not a <a>redirect status</a>, then
 return null.

 <li><p>Let <var>location</var> be the result of <a>extracting header list values</a> given
 `<code>Location</code>` and <var>response</var>'s <a for=response>header list</a>.
 <!-- https://github.com/whatwg/fetch/issues/814#issuecomment-431366126 -->

 <li>
  <p>If <var>location</var> is a <a for=header>value</a>, then set <var>location</var> to the result
  of <a lt="url parser">parsing</a> <var>location</var> with <var>response</var>'s
  <a for=response>URL</a>.

  <p class=note>If <var>response</var> was constructed through the {{Response}} constructor,
  <var>response</var>'s <a for=response>URL</a> will be null, meaning that <var>location</var> will
  only parse successfully if it is an <a>absolute-URL-with-fragment string</a>.

 <li>
  <p>If <var>location</var> is a <a for=/>URL</a> whose <a for=url>fragment</a> is null, then set
  <var>location</var>'s <a for=url>fragment</a> to <var>requestFragment</var>.

  <p class=note>This ensures that synthetic (indeed, all) responses follow the processing model for
  redirects defined by HTTP. [[HTTP-SEMANTICS]]

 <li><p>Return <var>location</var>.
</ol>

<p class=note>The <a for=response>location URL</a> algorithm is exclusively used for redirect
handling in this standard and in <cite>HTML</cite>'s navigate algorithm which handles redirects
manually. [[!HTML]]


<h4 id=miscellaneous>Miscellaneous</h4>

<p>A <dfn export id=concept-potential-destination>potential destination</dfn> is
"<code>fetch</code>" or a <a for=request>destination</a> which is not the empty string.

<p>To <dfn export for=destination id=concept-potential-destination-translate>translate</dfn> a
<a for=/>potential destination</a> <var>potentialDestination</var>, run these steps:

<ol>
 <li><p>If <var>potentialDestination</var> is "<code>fetch</code>", then return the empty string.

 <li><p>Assert: <var>potentialDestination</var> is a <a for=request>destination</a>.

 <li><p>Return <var>potentialDestination</var>.
</ol>


<h3 id=authentication-entries>Authentication entries</h3>

<p>An <dfn export>authentication entry</dfn> and a <dfn export>proxy-authentication entry</dfn> are
tuples of username, password, and realm, used for HTTP authentication and HTTP proxy authentication,
and associated with one or more <a for=/>requests</a>.
<p>User agents should allow both to be cleared together with HTTP cookies and similar tracking
functionality.
<!-- fingerprinting -->

<p>Further details are defined by HTTP. [[!HTTP]] [[!HTTP-SEMANTICS]] [[!HTTP-COND]] [[!HTTP-CACHING]] [[!HTTP-AUTH]]


<h3 id=fetch-groups>Fetch groups</h3>

<p>Each <a>environment settings object</a> has an associated
<dfn export id=concept-fetch-group for=fetch>fetch group</dfn>.

<p>A <a for=fetch>fetch group</a> holds an ordered list of
<dfn lt="fetch record" export for="fetch group" id=concept-fetch-record>fetch records</dfn>.

<p>A <a for="fetch group">fetch record</a> has an associated
<dfn export for="fetch record" id=concept-fetch-record-request>request</dfn> (a
<a for=/>request</a>).

<p>A <a for="fetch group">fetch record</a> has an associated
<dfn export for="fetch record" id=concept-fetch-record-fetch>fetch</dfn> (a
<a for=/>fetch</a> algorithm or null).

<hr>

<p>When a <a for=fetch>fetch group</a> is
<dfn export for="fetch group" id=concept-fetch-group-terminate>terminated</dfn>, for each associated
<a for="fetch group">fetch record</a> whose <a for="fetch record">request</a>'s <a>done flag</a> is
unset or <a for=request>keepalive</a> is false, <a lt=terminated for=fetch>terminate</a> the
<a for="fetch group">fetch record</a>'s <a for="fetch record">fetch</a>.


<h3 id=resolving-domains>Resolving domains</h3>

<p tracking-vector>To <dfn>resolve a domain</dfn>, given a <a for=/>network partition key</a>
<var>key</var> and a <a for=/>domain</a> <var>domain</var>:

<ol>
 <li><p>If <var>domain</var> is a <a for=/>host</a> whose <a for=host>public suffix</a> is
 "<code>localhost</code>", then return « <code>::1</code>, <code>127.0.0.1</code> ».

 <li><p>Perform an <a>implementation-defined</a> operation to turn <var>domain</var> into a
 <a for=/>set</a> of one or more <a for=/>IP addresses</a>. If this operation succeeds, return the
 <a for=/>set</a> of <a for=/>IP addresses</a>.

 <li><p>Return failure.
</ol>

<p>The results of <a>resolve a domain</a> may be cached. If they are cached, <var>key</var> should
be used as part of the cache key.

<div class=note>
 <p>Typically this operation would involve DNS and as such caching can happen on DNS servers without
 <var>key</var> being taken into account. Depending on the implementation it might also not be
 possible to take <var>key</var> into account locally. [[RFC1035]]

 <p>The order of the <a for=/>IP addresses</a> <a>resolve a domain</a> can return return can differ
 between invocations.

 <p>The particulars (apart from the cache key) are not tied down as they are not pertinent to the
 system the Fetch Standard establishes. Other documents ought not to build on this primitive without
 having a considered discussion with the Fetch Standard community first.
</div>

<p>To <dfn>resolve an origin</dfn>, given a <a for=/>network partition key</a> <var>key</var> and an
<a for=/>origin</a> <var>origin</var>:
<!-- Should we assert the scheme here to be an HTTP(S) scheme or a WebRTC scheme? -->

<ol>
 <li><p>If <var>origin</var>'s <a for=origin>host</a> is an <a for=/>IP address</a>, then return
 « <var>origin</var>'s <a for=origin>host</a> ».

 <li><p>If the user agent is configured to use a proxy that resolves domains on its own, then return
 « <var>origin</var>'s <a for=origin>host</a> ».

 <li><p>Return the result of running <a>resolve a domain</a> given <var>key</var> and
 <var>origin</var>'s <a for=origin>host</a>.
</ol>

<p class=note>The same caveat applies. Do not build on this without having a considered discussion
with the Fetch Standard community first.


<h3 id=connections>Connections</h3>

<p>A user agent has an associated <dfn export id=concept-connection-pool>connection pool</dfn>. A
<a>connection pool</a> is an <a for=/>ordered set</a> of zero or more
<dfn lt=connection export id=concept-connection>connections</dfn>. Each <a>connection</a> is
identified by an associated <dfn for=connection>key</dfn> (a <a>network partition key</a>),
<dfn for=connection>origin</dfn> (an <a for=/>origin</a>), and <dfn for=connection>credentials</dfn>
(a boolean).

<p>Each <a>connection</a> has an associated
<dfn for=connection id=concept-connection-timing-info>timing info</dfn> (a
<a for=/>connection timing info</a>).

<p>A <dfn export>connection timing info</dfn> is a <a for=/>struct</a> used to maintain timing
information pertaining to the process of obtaining a connection. It has the following
<a for=struct>items</a>:

<dl>
 <dt><dfn export for="connection timing info">domain lookup start time</dfn> (default 0)
 <dt><dfn export for="connection timing info">domain lookup end time</dfn> (default 0)
 <dt><dfn export for="connection timing info">connection start time</dfn> (default 0)
 <dt><dfn export for="connection timing info">connection end time</dfn> (default 0)
 <dt><dfn export for="connection timing info">secure connection start time</dfn> (default 0)
 <dd>A {{DOMHighResTimeStamp}}.

 <dt><dfn export for="connection timing info">ALPN negotiated protocol</dfn> (default the empty
 <a for=/>byte sequence</a>)
 <dd>A <a for=/>byte sequence</a>.
</dl>

<p>To <dfn>clamp and coarsen connection timing info</dfn>, given a
<a for=/>connection timing info</a> <var>timingInfo</var>, a {{DOMHighResTimeStamp}}
<var>defaultStartTime</var>, and a boolean <var>crossOriginIsolatedCapability</var>, run these
steps:

<ol>
 <li><p>If <var>timingInfo</var>'s <a for="connection timing info">connection start time</a> is
 less than <var>defaultStartTime</var>, then return a new <a for=/>connection timing info</a> whose
 <a for="connection timing info">domain lookup start time</a> is <var>defaultStartTime</var>,
 <a for="connection timing info">domain lookup end time</a> is <var>defaultStartTime</var>,
 <a for="connection timing info">connection start time</a> is <var>defaultStartTime</var>,
 <a for="connection timing info">connection end time</a> is <var>defaultStartTime</var>,
 <a for="connection timing info">secure connection start time</a> is <var>defaultStartTime</var>,
 and <a for="connection timing info">ALPN negotiated protocol</a> is <var>timingInfo</var>'s
 <a for="connection timing info">ALPN negotiated protocol</a>.

 <li><p>Return a new <a for=/>connection timing info</a> whose
 <a for="connection timing info">domain lookup start time</a> is the result of <a>coarsen time</a>
 given <var>timingInfo</var>'s <a for="connection timing info">domain lookup start time</a> and
 <var>crossOriginIsolatedCapability</var>,
 <a for="connection timing info">domain lookup end time</a> is the result of <a>coarsen time</a>
 given <var>timingInfo</var>'s <a for="connection timing info">domain lookup end time</a> and
 <var>crossOriginIsolatedCapability</var>, <a for="connection timing info">connection start time</a>
 is the result of <a>coarsen time</a> given <var>timingInfo</var>'s
 <a for="connection timing info">connection start time</a> and
 <var>crossOriginIsolatedCapability</var>, <a for="connection timing info">connection end time</a>
 is the result of <a>coarsen time</a> given <var>timingInfo</var>'s
 <a for="connection timing info">connection end time</a> and
 <var>crossOriginIsolatedCapability</var>,
 <a for="connection timing info">secure connection start time</a> is the result of
 <a>coarsen time</a> given <var>timingInfo</var>'s
 <a for="connection timing info">connection end time</a> and
 <var>crossOriginIsolatedCapability</var>, and
 <a for="connection timing info">ALPN negotiated protocol</a> is <var>timingInfo</var>'s
 <a for="connection timing info">ALPN negotiated protocol</a>.
</ol>

<hr>

<p>To <dfn export id=concept-connection-obtain>obtain a connection</dfn>, given a
<a>network partition key</a> <var>key</var>, <a for=/>origin</a> <var>origin</var>, boolean
<var>credentials</var>, an optional boolean <var>forceNew</var> (default false), an optional boolean
<dfn export for="obtain a connection"><var>http3Only</var></dfn> (default false), and an optional
boolean <dfn export for="obtain a connection"><var>dedicated</var></dfn> (default false), run these
steps:
<!-- http3Only and dedicated have been added for WebTransport -->

<ol>
 <li>
  <p>If <var>forceNew</var> is false or <var>dedicated</var> is false, then:

  <ol>
   <li><p>Let <var>connections</var> be a set of <a>connections</a> in the user agent's
   <a>connection pool</a> whose <a for=connection>key</a> is <var>key</var>,
   <a for=connection>origin</a> is <var>origin</var>, and <a for=connection>credentials</a> is
   <var>credentials</var>.

   <li><p>If <var>connections</var> is not empty and <var>http3Only</var> is false, then return
   one of <var>connections</var>.

   <li><p>If there is an HTTP/3 <a>connection</a> in <var>connections</var>, then return that
   <a>connection</a>.
  </ol>

 <li><p>Let <var>timingInfo</var> be a new <a for=/>connection timing info</a>.

 <li><p>Set <var>timingInfo</var>'s <a for="connection timing info">domain lookup start time</a> to
 the <a for=/>unsafe shared current time</a>.

 <li><p>Let <var>hosts</var> be the result of running <a>resolve an origin</a> given <var>key</var>
 and <var>origin</var>.

 <li><p>If <var>hosts</var> is failure, then return failure.

 <li><p>Set <var>timingInfo</var>'s <a for="connection timing info">domain lookup end time</a> to
 the <a for=/>unsafe shared current time</a>.

 <li>
  <p>Let <var>connection</var> be the result of running this step: run <a>create a connection</a>
  given <var>key</var>, <var>origin</var>, <var>credentials</var>, an <a>implementation-defined</a>
  <a for=/>host</a> from <var>hosts</var>, <var>timingInfo</var>, and <var>http3Only</var> an
  <a>implementation-defined</a> number of times, <a>in parallel</a> from each other, and wait for at
  least 1 to return a value. In an <a>implementation-defined</a> manner, select a value to return
  from the returned values and return it. Any other returned values that are <a>connections</a> may
  be closed.

  <p class=note>Essentially this allows an implementation to pick one or more
  <a for=/>IP addresses</a> from the return value of <a>resolve a domain</a> (assuming no proxy) and
  race them against each other, favor <a for=/>IPv6 addresses</a>, retry in case of a timeout, etc.

 <li><p>If <var>connection</var> is failure, then return failure.

 <li><p>If <var>dedicated</var> is false, then <a for=set>append</a> <var>connection</var> to the
 user agent's <a>connection pool</a>.

 <li><p>Return <var>connection</var>.
</ol>

<p class=note>This is intentionally a little vague as there are a lot of nuances to connection
management that are best left to the discretion of implementers. Describing this helps explain the
<code>&lt;link rel=preconnect></code> feature and clearly stipulates that <a>connections</a> are
keyed on <a for=/>credentials</a>. The latter clarifies that, e.g., TLS session identifiers are not
reused across <a>connections</a> whose <a for=connection>credentials</a> are false with
<a>connections</a> whose <a for=connection>credentials</a> are true.

<hr>

<p>To <dfn>create a connection</dfn>, given a <a for=/>network partition key</a> <var>key</var>,
<a for=/>origin</a> <var>origin</var>, boolean <var>credentials</var>, <a for=/>host</a>
<var>host</var>, <a for=/>connection timing info</a> <var>timingInfo</var>, and boolean
<var>http3Only</var>, run these steps:

<ol>
 <li><p>Set <var>timingInfo</var>'s <a for="connection timing info">connection start time</a> to the
 <a for=/>unsafe shared current time</a>.

 <li>
  <p>Let <var>connection</var> be a new <a for=/>connection</a> whose <a for=connection>key</a> is
  <var>key</var>, <a for=connection>origin</a> is <var>origin</var>,
  <a for=connection>credentials</a> is <var>credentials</var>, and <a for=connection>timing info</a>
  is <var>timingInfo</var>. <a for=/>Record connection timing info</a> given <var>connection</var>
  and use <var>connection</var> to establish an HTTP connection to <var>host</var>, taking
  <var>origin</var> into account. [[!HTTP]] [[!HTTP-SEMANTICS]] [[!HTTP-COND]] [[!HTTP-CACHING]]
  [[!HTTP-AUTH]] [[!TLS]]

  <p>If <var>http3Only</var> is true, then establish an HTTP/3 connection. [[!HTTP3]]

  <p>When establishing an HTTP/3 connection, include SETTINGS_ENABLE_WEBTRANSPORT with a value of 1
  and H3_DATAGRAM with a value of 1 in the initial SETTINGS frame. [[!WEBTRANSPORT-HTTP3]]
  [[!HTTP3-DATAGRAM]]

  <p>If <var>credentials</var> is false, then do <em>not</em> send a TLS client certificate.

  <p>If establishing a connection does not succeed (e.g., a TCP or TLS error), then return failure.

 <li>
  <p>Set <var>timingInfo</var>'s <a for="connection timing info">ALPN negotiated protocol</a> to
  <var>connection</var>'s ALPN Protocol ID, with the following caveats: [[RFC7301]]

  <ul>
   <li><p>When a proxy is configured, if a tunnel connection is established then this must be the
   ALPN Protocol ID of the tunneled protocol, otherwise it must be the ALPN Protocol ID of the first
   hop to the proxy.

   <li>
    <p>In case the user agent is using an experimental, non-registered protocol, the user agent must
    use the used ALPN Protocol ID, if any. If ALPN was not used for protocol negotiations, the user
    agent may use another descriptive string.

    <p class=note><var>timingInfo</var>'s
    <a for="connection timing info">ALPN negotiated protocol</a> is intended to identify the network
    protocol in use regardless of how it was actually negotiated; that is, even if ALPN is not used
    to negotiate the network protocol, this is the ALPN Protocol IDs that indicates the protocol in
    use.
  </ul>

  <p class=note>IANA maintains a
  <a href="https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids">list of ALPN Protocol IDs</a>.

 <li><p>Return <var>connection</var>.
</ol>

<hr>

<p>To <dfn>record connection timing info</dfn> given a <a for=/>connection</a>
<var>connection</var>, let <var>timingInfo</var> be <var>connection</var>'s
<a for=connection>timing info</a> and observe these requirements:

<ul>
 <li>
  <p><var>timingInfo</var>'s <a for="connection timing info">connection end time</a> should be the
  <a for=/>unsafe shared current time</a> immediately after establishing the connection to the
  server or proxy, as follows:

  <ul>
   <li><p>The returned time must include the time interval to establish the transport connection, as
   well as other time intervals such as SOCKS authentication. It must include the time interval to
   complete enough of the TLS handshake to request the resource.

   <li><p>If the user agent used TLS False Start for this connection, this interval must not include
   the time needed to receive the server's Finished message. [[RFC7918]]

   <li><p>If the user agent sends the request with early data without waiting for the full handshare
   to complete, this interval must not include the time needed to receive the server's ServerHello
   message. [[RFC8470]]

   <li><p>If the user agent waits for full handshake completion to send the request, this interval
   includes the full TLS handshake even if other requests were sent using early data on
   <var>connection</var>.
  </ul>

  <p class=example id=example-connection-end-time>Suppose the user agent establishes an HTTP/2
  connection over TLS 1.3 to send a <code>GET</code> request and a <code>POST</code> request. It
  sends the ClientHello at time <var>t1</var> and then sends the <code>GET</code> request with early
  data. The <code>POST</code> request is not safe ([[HTTP-SEMANTICS]], section 4.2.1), so the user
  agent waits to complete the handshake at time <var>t2</var> before sending it. Although both
  requests used the same connection, the <code>GET</code> request reports a connection end time of
  <var>t1</var>, while the <code>POST</code> request reports <var>t2</var>.

 <li><p>If a secure transport is used, <var>timingInfo</var>'s
 <a for="connection timing info">secure connection start time</a> should be the result of calling
 <a for=/>unsafe shared current time</a> immmediately before starting the handshake process to
 secure <var>connection</var>. [[!TLS]]
</ul>

<p class=note>The <a for=/>clamp and coarsen connection timing info</a> algorithm ensures that
details of reused connections are not exposed and time values are coarsened.


<h3 id=network-partition-keys>Network partition keys</h3>

<p>A <dfn>network partition key</dfn> is a tuple consisting of a <a for=/>site</a> and null or
an <a>implementation-defined</a> value.

<p>To
<dfn export lt="determine the network partition key|determining the network partition key">determine the network partition key</dfn>,
given an <a for=/>environment settings object</a> <var>settings</var>, run these steps:

<ol>
 <li><p>Let <var>topLevelOrigin</var> be <var>settings</var>'s
 <a for="environment">top-level origin</a>.

 <li><p>If <var>topLevelOrigin</var> is null, then set <var>topLevelOrigin</var> to
 <var>settings</var>'s <a for="environment">top-level creation URL</a>'s <a for=url>origin</a>.

 <li><p>Assert: <var>topLevelOrigin</var> is an <a for=/>origin</a>.

 <li><p>Let <var>topLevelSite</var> be the result of <a lt="obtain a site">obtaining a site</a>,
 given <var>topLevelOrigin</var>.

 <li>
  <p>Let <var>secondKey</var> be null or an <a>implementation-defined</a> value.

  <p class=XXX>The second key is intentionally a little vague as the finer points are still
  evolving. See <a href=https://github.com/whatwg/fetch/issues/1035>issue #1035</a>.

 <li><p>Return (<var>topLevelSite</var>, <var>secondKey</var>).
</ol>

<p>To
<dfn for=request lt="determine the network partition key|determining the network partition key">determine the network partition key</dfn>,
given <var>request</var>, run these steps:

<ol>
 <li><p>If <var>request</var>'s <a for=request>reserved client</a> is non-null, then return the
 result of <a for=/>determining the network partition key</a> given <var>request</var>'s
 <a for=request>reserved client</a>.

 <li><p>If <var>request</var>'s <a for=request>client</a> is non-null, then return the
 result of <a for=/>determining the network partition key</a> given <var>request</var>'s
 <a for=request>client</a>.

 <li><p>Return null.
</ol>


<h3 id=http-cache-partitions>HTTP cache partitions</h3>

<p>To
<dfn lt="determine the HTTP cache partition|determining the HTTP cache partition">determine the HTTP cache partition</dfn>,
given <var>request</var>, run these steps:

<ol>
 <li><p>Let <var>key</var> be the result of <a for=request>determining the network partition key</a>
 given <var>request</var>.

 <li><p>If <var>key</var> is null, then return null.

 <li><p>Return the unique HTTP cache associated with <var>key</var>. [[!HTTP-CACHING]]
</ol>


<h3 id=port-blocking>Port blocking</h3>

<p class=note>New protocols can avoid the need for blocking ports by negotiating the protocol
through TLS using ALPN. The protocol cannot be spoofed through HTTP requests in that case.
[[RFC7301]]

<p>To determine whether fetching a <a for=/>request</a> <var>request</var>
<dfn export lt="block bad port">should be blocked due to a bad port</dfn>,
run these steps:

<ol>
 <li><p>Let <var>url</var> be <var>request</var>'s <a for=request>current URL</a>.

 <li><p>If <var>url</var>'s <a for=url>scheme</a> is an <a>HTTP(S) scheme</a> and <var>url</var>'s
 <a for=url>port</a> is a <a>bad port</a>, then return <b>blocked</b>.

 <li><p>Return <b>allowed</b>.
</ol>

<p>A <a for=url>port</a> is a
<dfn export>bad port</dfn> if it is listed in the first column of the following table.

<table>
 <tbody><tr><th>Port<th>Typical service
 <tr><td>1<td>tcpmux
 <tr><td>7<td>echo
 <tr><td>9<td>discard
 <tr><td>11<td>systat
 <tr><td>13<td>daytime
 <tr><td>15<td>netstat
 <tr><td>17<td>qotd
 <tr><td>19<td>chargen
 <tr><td>20<td>ftp-data
 <tr><td>21<td>ftp
 <tr><td>22<td>ssh
 <tr><td>23<td>telnet
 <tr><td>25<td>smtp
 <tr><td>37<td>time
 <tr><td>42<td>name
 <tr><td>43<td>nicname
 <tr><td>53<td>domain
 <tr><td>69<td>tftp
 <tr><td>77<td>—
 <tr><td>79<td>finger
 <tr><td>87<td>—
 <tr><td>95<td>supdup
 <tr><td>101<td>hostname
 <tr><td>102<td>iso-tsap
 <tr><td>103<td>gppitnp
 <tr><td>104<td>acr-nema
 <tr><td>109<td>pop2
 <tr><td>110<td>pop3
 <tr><td>111<td>sunrpc
 <tr><td>113<td>auth
 <tr><td>115<td>sftp
 <tr><td>117<td>uucp-path
 <tr><td>119<td>nntp
 <tr><td>123<td>ntp
 <tr><td>135<td>epmap
 <tr><td>137<td>netbios-ns
 <tr><td>139<td>netbios-ssn
 <tr><td>143<td>imap
 <tr><td>161<td>snmp
 <tr><td>179<td>bgp
 <tr><td>389<td>ldap
 <tr><td>427<td>svrloc
 <tr><td>465<td>submissions
 <tr><td>512<td>exec
 <tr><td>513<td>login
 <tr><td>514<td>shell
 <tr><td>515<td>printer
 <tr><td>526<td>tempo
 <tr><td>530<td>courier
 <tr><td>531<td>chat
 <tr><td>532<td>netnews
 <tr><td>540<td>uucp
 <tr><td>548<td>afp
 <tr><td>554<td>rtsp
 <tr><td>556<td>remotefs
 <tr><td>563<td>nntps
 <tr><td>587<td>submission
 <tr><td>601<td>syslog-conn
 <tr><td>636<td>ldaps
 <tr><td>989<td>ftps-data
 <tr><td>990<td>ftps
 <tr><td>993<td>imaps
 <tr><td>995<td>pop3s
 <tr><td>1719<td>h323gatestat
 <tr><td>1720<td>h323hostcall
 <tr><td>1723<td>pptp
 <tr><td>2049<td>nfs
 <tr><td>3659<td>apple-sasl
 <tr><td>4045<td>npp
 <tr><td>5060<td>sip
 <tr><td>5061<td>sips
 <tr><td>6000<td>x11
 <tr><td>6566<td>sane-port
 <tr><td>6665<td>ircu
 <tr><td>6666<td>ircu
 <tr><td>6667<td>ircu
 <tr><td>6668<td>ircu
 <tr><td>6669<td>ircu
 <tr><td>6697<td>ircs-u
 <tr><td>10080<td>amanda
</table>
<!-- Service names per
     https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt -->


<h3 dfn export lt="should response to request be blocked due to mime type" id=should-response-to-request-be-blocked-due-to-mime-type?>Should
<var>response</var> to <var>request</var> be blocked due to its MIME type?</h3>

<p>Run these steps:

<ol>
 <li><p>Let <var>mimeType</var> be the result of <a for="header list">extracting a MIME type</a>
 from <var>response</var>'s <a for=response>header list</a>.

 <li><p>If <var>mimeType</var> is failure, then return <b>allowed</b>.

 <li><p>Let <var>destination</var> be <var>request</var>'s <a for=request>destination</a>.

 <li>
  <p>If <var>destination</var> is <a for=request/destination>script-like</a> and one of the
  following is true, then return <b>blocked</b>:

  <ul class=brief>
   <li><var>mimeType</var>'s <a for="MIME type">essence</a> starts with "<code>audio/</code>",
   "<code>image/</code>", or "<code>video/</code>".
   <li><var>mimeType</var>'s <a for="MIME type">essence</a> is "<code>text/csv</code>".
  </ul>

 <li><p>Return <b>allowed</b>.
</ol>



<h2 id=http-extensions>HTTP extensions</h2>

<h3 id=origin-header>`<code>Origin</code>` header</h3>

<p>The `<dfn export http-header id=http-origin><code>Origin</code></dfn>`
request <a for=/>header</a> indicates where a
<a for=/>fetch</a> originates from.

<p class="note no-backref">The `<a http-header><code>Origin</code></a>` header is a version of the
`<code>Referer</code>` [sic] header that does not reveal a <a for=url>path</a>. It is used for all
<a lt="HTTP fetch">HTTP fetches</a> whose <a for=/>request</a>'s
<a for=request>response tainting</a> is "<code>cors</code>", as well as those where
<a for=/>request</a>'s <a for=request>method</a> is neither `<code>GET</code>` nor
`<code>HEAD</code>`. Due to compatibility constraints it is not included in all
<a lt=fetch for=/>fetches</a>.
<!-- Ian Hickson told me Adam Barth researched that -->

<p>Its <a for=header>value</a> <a>ABNF</a>:

<pre><code class=lang-abnf>
Origin                           = origin-or-null

origin-or-null                   = origin / %s"null" ; case-sensitive
origin                           = <a for=url>scheme</a> "://" <a for=url>host</a> [ ":" <a for=url>port</a> ]
</code></pre>

<p class=note>This supplants the definition in <cite>The Web Origin Concept</cite>. [[ORIGIN]]

<hr>

<p>To <dfn id=append-a-request-origin-header>append a request `<code>Origin</code>` header</dfn>,
given a <a for=/>request</a> <var>request</var>, run these steps:

<ol>
 <li><p>Let <var>serializedOrigin</var> be the result of <a>byte-serializing a request origin</a>
 with <var>request</var>.

 <li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>cors</code>" or
 <var>request</var>'s <a for=request>mode</a> is "<code>websocket</code>", then
 <a for="header list">append</a> `<code>Origin</code>`/<var>serializedOrigin</var> to
 <var>request</var>'s <a for=request>header list</a>.

 <li>
  <p>Otherwise, if <var>request</var>'s <a for=request>method</a> is neither `<code>GET</code>` nor
  `<code>HEAD</code>`, then:

  <ol>
   <li>
    <p>Switch on <var>request</var>'s <a for=request>referrer policy</a>:

    <dl class=switch>
     <dt>"<code>no-referrer</code>"
     <dd><p>Set <var>serializedOrigin</var> to `<code>null</code>`.

     <dt>"<code>no-referrer-when-downgrade</code>"
     <dt>"<code>strict-origin</code>"
     <dt>"<code>strict-origin-when-cross-origin</code>"
     <dd><p>If <var>request</var>'s <a for=request>origin</a> is a <a>tuple origin</a>, its
     <var>scheme</var> is "<code>https</code>", and <var>request</var>'s
     <a for=request>current URL</a>'s <var>scheme</var> is not "<code>https</code>", then set
     <var>serializedOrigin</var> to `<code>null</code>`.

     <dt>"<code>same-origin</code>"
     <dd><p>If <var>request</var>'s <a for=request>origin</a> is not <a>same origin</a> with
     <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>, then set
     <var>serializedOrigin</var> to `<code>null</code>`.

     <dt>Otherwise
     <dd>Do nothing.
    </dl>

   <li><p><a for="header list">Append</a> `<code>Origin</code>`/<var>serializedOrigin</var> to
   <var>request</var>'s <a for=request>header list</a>.
  </ol>
</ol>

<p class=note>A <a for=/>request</a>'s <a for=request>referrer policy</a> is taken into account for
all fetches where the fetcher did not explicitly opt into sharing their <a for=/>origin</a> with the
server, e.g., via using the <a>CORS protocol</a>.


<h3 id=http-cors-protocol>CORS protocol</h3>

<p>To allow sharing responses cross-origin and allow for more versatile
<a lt=fetch for=/>fetches</a> than possible with HTML's
<{form}> element, the <dfn export>CORS protocol</dfn> exists. It
is layered on top of HTTP and allows responses to declare they can be shared with other
<a for=/>origins</a>.

<p class=note>It needs to be an opt-in mechanism to prevent leaking data from responses behind a
firewall (intranets). Additionally, for <a for=/>requests</a> including
<a for=/>credentials</a> it needs to be opt-in to prevent leaking potentially-sensitive data.

<p>This section explains the <a>CORS protocol</a> as it pertains to server developers.
Requirements for user agents are part of the <a for=/>fetch</a> algorithm,
except for the <a href=#http-new-header-syntax>new HTTP header syntax</a>.


<h4 id=general>General</h4>

<p>The <a>CORS protocol</a> consists of a set of headers that indicates whether a response can
be shared cross-origin.

<p>For <a for=/>requests</a> that are more involved than what is possible with HTML's <{form}>
element, a <a>CORS-preflight request</a> is performed, to ensure <a for=/>request</a>'s
<a for=request>current URL</a> supports the <a>CORS protocol</a>.


<h4 id=http-requests>HTTP requests</h4>

<p>A <dfn export>CORS request</dfn> is an HTTP request that includes an
`<a http-header><code>Origin</code></a>` header. It cannot be reliably identified as participating in
the <a>CORS protocol</a> as the `<a http-header><code>Origin</code></a>` header is also included for
all <a for=/>requests</a> whose <a for=request>method</a> is neither `<code>GET</code>` nor
`<code>HEAD</code>`.

<p>A <dfn id=cors-preflight-request export>CORS-preflight request</dfn> is a <a>CORS request</a> that checks to see
if the <a>CORS protocol</a> is understood. It uses `<code>OPTIONS</code>` as
<a for=/>method</a> and includes these
<a for=/>headers</a>:

<dl>
 <dt>`<dfn export http-header id=http-access-control-request-method><code>Access-Control-Request-Method</code></dfn>`
 <dd><p>Indicates which <a for=/>method</a> a future
 <a>CORS request</a> to the same resource might use.

 <dt>`<dfn export http-header id=http-access-control-request-headers><code>Access-Control-Request-Headers</code></dfn>`
 <dd><p>Indicates which <a for=/>headers</a> a future
 <a>CORS request</a> to the same resource might use.
</dl>


<h4 id=http-responses>HTTP responses</h4>

<p>An HTTP response to a <a>CORS request</a> can include the following
<a for=/>headers</a>:

<dl>
 <dt>`<dfn export http-header id=http-access-control-allow-origin><code>Access-Control-Allow-Origin</code></dfn>`
 <dd><p>Indicates whether the response can be shared, via returning the literal
 <a for=header>value</a> of the
 `<a http-header><code>Origin</code></a>` request <a for=/>header</a>
 (which can be `<code>null</code>`) or `<code>*</code>` in a response.

 <dt>`<dfn export http-header id=http-access-control-allow-credentials><code>Access-Control-Allow-Credentials</code></dfn>`
 <dd>
  <p>Indicates whether the response can be shared when <a for=/>request</a>'s
  <a for=request>credentials mode</a> is
  "<code>include</code>".

  <p class=note>For a <a>CORS-preflight request</a>, <a for=/>request</a>'s
  <a for=request>credentials mode</a> is always "<code>same-origin</code>", i.e., it excludes
  credentials, but for any subsequent <a>CORS requests</a> it might not be. Support therefore needs
  to be indicated as part of the HTTP response to the <a>CORS-preflight request</a> as well.
</dl>

<p>An HTTP response to a <a>CORS-preflight request</a> can include the following
<a for=/>headers</a>:

<dl>
 <dt>`<dfn export http-header id=http-access-control-allow-methods><code>Access-Control-Allow-Methods</code></dfn>`
 <dd>
  <p>Indicates which <a for=/>methods</a> are supported by the <a for=/>response</a>'s
  <a for=response>URL</a> for the purposes of the <a>CORS protocol</a>.

  <p class=note>The `<code>Allow</code>` <a for=/>header</a> is
  not relevant for the purposes of the <a>CORS protocol</a>.

 <dt>`<dfn export http-header id=http-access-control-allow-headers><code>Access-Control-Allow-Headers</code></dfn>`
 <dd><p>Indicates which <a for=/>headers</a> are supported by the <a for=/>response</a>'s
 <a for=response>URL</a> for the purposes of the <a>CORS protocol</a>.

 <dt>`<dfn export http-header id=http-access-control-max-age><code>Access-Control-Max-Age</code></dfn>`
 <dd><p>Indicates the number of seconds (5 by default) the information provided by the
 `<a http-header><code>Access-Control-Allow-Methods</code></a>` and
 `<a http-header><code>Access-Control-Allow-Headers</code></a>` <a for=/>headers</a> can be cached.
</dl>

<p>An HTTP response to a <a>CORS request</a> that is not a
<a>CORS-preflight request</a> can also include the following
<a for=/>header</a>:

<dl>
 <dt>`<dfn export http-header id=http-access-control-expose-headers><code>Access-Control-Expose-Headers</code></dfn>`
 <dd><p>Indicates which <a for=/>headers</a> can be exposed as part
 of the response by listing their <a lt=name for=header>names</a>.
</dl>

<hr>

<p>In case a server does not wish to participate in the <a>CORS protocol</a>, its HTTP response to
the <a lt="CORS request">CORS</a> or <a>CORS-preflight request</a> must not include any of the above
<a for=/>headers</a>. The server is encouraged to use the 403 <a for=/>status</a> in such HTTP
responses.


<h4 id=http-new-header-syntax>HTTP new-header syntax</h4>

<p><a>ABNF</a> for the <a lt=value for=header>values</a> of the
<a for=/>headers</a> used by the <a>CORS protocol</a>:

<pre><code class=lang-abnf>
Access-Control-Request-Method    = <a spec=http>method</a>
Access-Control-Request-Headers   = 1#<a spec=http>field-name</a>

wildcard                         = "*"
Access-Control-Allow-Origin      = origin-or-null / wildcard
Access-Control-Allow-Credentials = %s"true" ; case-sensitive
Access-Control-Expose-Headers    = #<a spec=http>field-name</a>
Access-Control-Max-Age           = <a spec=http-caching>delta-seconds</a>
Access-Control-Allow-Methods     = #<a spec=http>method</a>
Access-Control-Allow-Headers     = #<a spec=http>field-name</a>
</code></pre>

<p class=note>For `<code>Access-Control-Expose-Headers</code>`,
`<code>Access-Control-Allow-Methods</code>`, and `<code>Access-Control-Allow-Headers</code>`
response <a for=/>headers</a> the <a for=header>value</a> `<code>*</code>` counts as a wildcard for
<a for=/>requests</a> without <a for=/>credentials</a>. For such <a for=/>requests</a> there is no
way to solely match a <a for=/>header</a> <a for=header>name</a> or <a for=/>method</a> that is
`<code>*</code>`.


<h4 id=cors-protocol-and-credentials>CORS protocol and credentials</h4>

<!-- non-normative -->

<p>When <a for=/>request</a>'s
<a for=request>credentials mode</a> is "<code>include</code>" it
has an impact on the functioning of the <a>CORS protocol</a> other than including
<a for=/>credentials</a> in the <a for=/>fetch</a>.

<div id=example-xhr-credentials class=example>
 <p>In the old days, {{XMLHttpRequest}} could be used to set
 <a for=/>request</a>'s
 <a for=request>credentials mode</a> to "<code>include</code>":

 <pre><code class=lang-javascript>
var client = new XMLHttpRequest()
client.open("GET", "./")
client.withCredentials = true
/* … */
</code></pre>

 <p>Nowadays, <code>fetch("./", { credentials:"include" }).then(/* … */)</code>
 suffices.
</div>

<p>A <a for=/>request</a>'s
<a for=request>credentials mode</a> is not necessarily observable
on the server; only when <a for=/>credentials</a> exist for a
<a for=/>request</a> can it be observed by virtue of the
<a for=/>credentials</a> being included. Note that even so, a <a>CORS-preflight request</a>
never includes <a for=/>credentials</a>.

<p>The server developer therefore needs to decide whether or not responses "tainted" with
<a for=/>credentials</a> can be shared. And also needs to decide if
<a for=/>requests</a> necessitating a <a>CORS-preflight request</a> can
include <a for=/>credentials</a>. Generally speaking, both sharing responses and allowing requests
with <a for=/>credentials</a> is rather unsafe, and extreme care has to be taken to avoid the
<a href=https://en.wikipedia.org/wiki/Confused_deputy_problem>confused deputy problem</a>.
<!-- Turn into a reference? Meh. -->

<p>To share responses with <a for=/>credentials</a>, the
`<a http-header><code>Access-Control-Allow-Origin</code></a>` and
`<a http-header><code>Access-Control-Allow-Credentials</code></a>` <a for=/>headers</a> are
important. The following table serves to illustrate the various legal and illegal combinations for a
request to <code>https://rabbit.invalid/</code>:

<table>
 <tbody><tr>
  <th>Request's credentials mode
  <th>`<a http-header><code>Access-Control-Allow-Origin</code></a>`
  <th>`<a http-header><code>Access-Control-Allow-Credentials</code></a>`
  <th>Shared?
  <th>Notes
 <tr>
  <td>"<code>omit</code>"
  <td>`<code>*</code>`
  <td>Omitted
  <td>✅
  <td>—
 <tr>
  <td>"<code>omit</code>"
  <td>`<code>*</code>`
  <td>`<code>true</code>`
  <td>✅
  <td>If credentials mode is not "<code>include</code>", then
  `<a http-header><code>Access-Control-Allow-Credentials</code></a>` is ignored.
 <tr>
  <td>"<code>omit</code>"
  <td>`<code>https://rabbit.invalid/`</code>
  <td>Omitted
  <td>❌
  <td>A <a lt="serialization of an origin">serialized</a> origin has no trailing slash.
 <tr>
  <td>"<code>omit</code>"
  <td>`<code>https://rabbit.invalid`</code>
  <td>Omitted
  <td>✅
  <td>—
 <tr>
  <td>"<code>include</code>"
  <td>`<code>*</code>`
  <td>`<code>true</code>`
  <td>❌
  <td>If credentials mode is "<code>include</code>", then
  `<a http-header><code>Access-Control-Allow-Origin</code></a>` cannot be
  `<code>*</code>`.
 <tr>
  <td>"<code>include</code>"
  <td>`<code>https://rabbit.invalid`</code>
  <td>`<code>true</code>`
  <td>✅
  <td>—
 <tr>
  <td>"<code>include</code>"
  <td>`<code>https://rabbit.invalid`</code>
  <td>`<code>True</code>`
  <td>❌
  <td>`<code>true</code>` is (byte) case-sensitive.
</table>

<p>Similarly, `<a http-header><code>Access-Control-Expose-Headers</code></a>`,
`<a http-header><code>Access-Control-Allow-Methods</code></a>`, and
`<a http-header><code>Access-Control-Allow-Headers</code></a>` response headers can only use
`<code>*</code>` as value when <a for=/>request</a>'s <a for=request>credentials mode</a> is not
"<code>include</code>".


<h4 id=cors-protocol-examples>Examples</h4>

<div id=example-simple-cors class=example>
 <p>A script at <code>https://foo.invalid/</code> wants to fetch some data from
 <code>https://bar.invalid/</code>. (Neither <a for=/>credentials</a> nor response header access is
 important.)

 <pre id=unicorn><code class=lang-javascript>
var url = "https://bar.invalid/api?key=730d67a37d7f3d802e96396d00280768773813fbe726d116944d814422fc1a45&amp;data=about:unicorn";
fetch(url).then(success, failure)
</code></pre>

 <p>This will use the <a>CORS protocol</a>, though this is entirely transparent to the
 developer from <code>foo.invalid</code>. As part of the <a>CORS protocol</a>, the user agent
 will include the `<a http-header><code>Origin</code></a>` header in the request:

 <pre><code class=lang-http>
Origin: https://foo.invalid
</code></pre>

 <p>Upon receiving a response from <code>bar.invalid</code>, the user agent will verify the
 `<a http-header><code>Access-Control-Allow-Origin</code></a>` response header. If its value is
 either `<code>https://foo.invalid</code>` or `<code>*</code>`, the user agent will invoke the
 <code>success</code> callback. If it has any other value, or is missing, the user agent will invoke
 the <code>failure</code> callback.
</div>

<div id=example-cors-with-response-header class=example>
 <p>The developer of <code>foo.invalid</code> is back, and now wants to fetch some data from
 <code>bar.invalid</code> while also accessing a response header.

 <pre><code class=lang-javascript>
fetch(url).then(response => {
  var hsts = response.headers.get("strict-transport-security"),
      csp = response.headers.get("content-security-policy")
  log(hsts, csp)
})
</code></pre>

 <p><code>bar.invalid</code> provides a correct
 `<a http-header><code>Access-Control-Allow-Origin</code></a>` response header per the earlier
 example. The values of <code>hsts</code> and <code>csp</code> will depend on the
 `<a http-header><code>Access-Control-Expose-Headers</code></a>` response header. For example, if
 the response included the following headers

 <pre><code class=lang-http>
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Access-Control-Expose-Headers: Content-Security-Policy
</code></pre>

 <p>then <code>hsts</code> would be null and <code>csp</code> would be
 "<code>default-src 'self'</code>", even though the response did include both headers. This is
 because <code>bar.invalid</code> needs to explicitly share each header by listing their names in
 the `<a http-header><code>Access-Control-Expose-Headers</code></a>` response header.

 <p>Alternatively, if <code>bar.invalid</code> wanted to share all its response headers, for
 requests that do not include <a for=/>credentials</a>, it could use `<code>*</code>` as value for
 the `<a http-header><code>Access-Control-Expose-Headers</code></a>` response header. If the request
 would have included <a for=/>credentials</a>, the response header names would have to be listed
 explicitly and `<code>*</code>` could not be used.
</div>

<div id=example-cors-with-credentials class=example>
 <p>The developer of <code>foo.invalid</code> returns, now fetching some data from
 <code>bar.invalid</code> while including <a for=/>credentials</a>. This time around the
 <a>CORS protocol</a> is no longer transparent to the developer as <a for=/>credentials</a>
 require an explicit opt-in:

 <pre><code class=lang-javascript>
fetch(url, { credentials:"include" }).then(success, failure)
</code></pre>

 <p>This also makes any `<code>Set-Cookie</code>` response headers <code>bar.invalid</code>
 includes fully functional (they are ignored otherwise).

 <p>The user agent will make sure to include any relevant <a for=/>credentials</a> in the request.
 It will also put stricter requirements on the response. Not only will <code>bar.invalid</code> need
 to list `<code>https://foo.invalid</code>` as value for the
 `<a http-header><code>Access-Control-Allow-Origin</code></a>` header (`<code>*</code>` is not
 allowed when <a for=/>credentials</a> are involved), the
 `<a http-header><code>Access-Control-Allow-Credentials</code></a>` header has to be present too:

 <pre><code class=lang-http>
Access-Control-Allow-Origin: https://foo.invalid
Access-Control-Allow-Credentials: true
</code></pre>

 <p>If the response does not include those two headers with those values, the <code>failure</code>
 callback will be invoked. However, any `<code>Set-Cookie</code>` response headers will be
 respected.
</div>


<h4 id=cors-protocol-exceptions>CORS protocol exceptions</h4>

<p>Specifications have allowed limited exceptions to the CORS safelist for non-safelisted
`<code>Content-Type</code>` header values. These exceptions are made for requests that can be
triggered by web content but whose headers and bodies can be only minimally controlled by the web
content. Therefore, servers should expect cross-origin web content to be allowed to trigger
non-preflighted requests with the following non-safelisted `<code>Content-Type</code>` header
values:

<ul class=brief>
 <li>`<code>application/csp-report</code>` [[CSP]]
 <li>`<code>application/expect-ct-report+json</code>` [[EXPECT-CT]]
 <li>`<code>application/xss-auditor-report</code>`
 <li>`<code>application/ocsp-request</code>` [[OCSP]]
</ul>

<p>Specifications should avoid introducing new exceptions and should only do so with careful
consideration for the security consequences. New exceptions can be proposed by
<a href=https://github.com/whatwg/fetch/issues/new>filing an issue</a>.


<h3 id=content-length-header>`<code>Content-Length</code>` header</h3>

<p>The `<code>Content-Length</code>` header is largely defined in HTTP. Its processing model is
defined here as the model defined in HTTP is not compatible with web content. [[HTTP]]

<p>To <dfn export for="header list" lt="extract a length|extracting a length">extract a length</dfn>
from a <a for=/>header list</a> <var>headers</var>, run these steps:

<ol>
 <li><p>Let <var>values</var> be the result of
 <a for="header list">getting, decoding, and splitting</a> `<code>Content-Length</code>` from
 <var>headers</var>.

 <li><p>If <var>values</var> is null, then return null.

 <li><p>Let <var>candidateValue</var> be null.

 <li>
  <p><a for=list>For each</a> <var>value</var> of <var>values</var>:

  <ol>
   <li><p>If <var>candidateValue</var> is null, then set <var>candidateValue</var> to
   <var>value</var>.

   <li><p>Otherwise, if <var>value</var> is not <var>candidateValue</var>, return failure.
  </ol>

 <li><p>If <var>candidateValue</var> is the empty string or has a <a for=/>code point</a> that is
 not an <a for=/>ASCII digit</a>, then return null.

 <li><p>Return <var>candidateValue</var>, interpreted as decimal number.
</ol>


<h3 id=content-type-header>`<code>Content-Type</code>` header</h3>

<p>The `<code>Content-Type</code>` header is largely defined in HTTP. Its processing model is
defined here as the model defined in HTTP is not compatible with web content. [[HTTP]]

<p>To
<dfn export for="header list" lt="extract a MIME type|extracting a MIME type" id=concept-header-extract-mime-type>extract a MIME type</dfn>
from a <a for=/>header list</a> <var>headers</var>, run these steps:

<ol>
 <li><p>Let <var>charset</var> be null.

 <li><p>Let <var>essence</var> be null.

 <li><p>Let <var>mimeType</var> be null.

 <li><p>Let <var>values</var> be the result of
 <a for="header list">getting, decoding, and splitting</a> `<code>Content-Type</code>` from
 <var>headers</var>.

 <li><p>If <var>values</var> is null, then return failure.

 <li>
  <p><a for=list>For each</a> <var>value</var> of <var>values</var>:

  <ol>
   <li><p>Let <var>temporaryMimeType</var> be the result of <a lt="parse a MIME type">parsing</a>
   <var>value</var>.

   <li><p>If <var>temporaryMimeType</var> is failure or its <a for="MIME type">essence</a> is
   "<code>*/*</code>", then <a for=iteration>continue</a>.

   <li><p>Set <var>mimeType</var> to <var>temporaryMimeType</var>.

   <li>
    <p>If <var>mimeType</var>'s <a for="MIME type">essence</a> is not <var>essence</var>, then:

    <ol>
     <li><p>Set <var>charset</var> to null.

     <li><p>If <var>mimeType</var>'s <a for="MIME type">parameters</a>["<code>charset</code>"]
     <a for=map>exists</a>, then set <var>charset</var> to <var>mimeType</var>'s
     <a for="MIME type">parameters</a>["<code>charset</code>"].

     <li><p>Set <var>essence</var> to <var>mimeType</var>'s <a for="MIME type">essence</a>.
    </ol>

   <li><p>Otherwise, if <var>mimeType</var>'s
   <a for="MIME type">parameters</a>["<code>charset</code>"] does not <a for=map>exist</a>, and
   <var>charset</var> is non-null, set <var>mimeType</var>'s
   <a for="MIME type">parameters</a>["<code>charset</code>"] to <var>charset</var>.
  </ol>

 <li><p>If <var>mimeType</var> is null, then return failure.

 <li><p>Return <var>mimeType</var>.
</ol>

<p class=warning>When <a>extract a MIME type</a> returns failure or a <a for=/>MIME type</a> whose
<a for="MIME type">essence</a> is incorrect for a given format, treat this as a fatal error.
Existing web platform features have not always followed this pattern, which has been a major source
of security vulnerabilities in those features over the years. In contrast, a
<a for=/>MIME type</a>'s <a for="MIME type">parameters</a> can typically be safely ignored.

<div class=example id=example-extract-a-mime-type>
 <p>This is how <a>extract a MIME type</a> functions in practice:

 <table>
  <tr>
   <th>Headers (as on the network)
   <th>Output (<a lt="serialize a MIME type">serialized</a>)
  <tr>
   <td>
    <pre><code class=lang-http>
Content-Type: text/plain;charset=gbk, text/html
</code></pre>
   <td><code>text/html</code>
  <tr>
   <td>
    <pre><code class=lang-http>
Content-Type: text/html;charset=gbk;a=b, text/html;x=y
</code></pre>
   <td rowspan=2><code>text/html;x=y;charset=gbk</code>
  <tr>
   <td>
    <pre><code class=lang-http>
Content-Type: text/html;charset=gbk;a=b
Content-Type: text/html;x=y
</code></pre>
  <tr>
   <td>
    <pre><code class=lang-http>
Content-Type: text/html;charset=gbk
Content-Type: x/x
Content-Type: text/html;x=y
</code></pre>
   <td><code>text/html;x=y</code>
  <tr>
   <td>
    <pre><code class=lang-http>
Content-Type: text/html
Content-Type: cannot-parse
</code></pre>
   <td rowspan=3><code>text/html</code>
  <tr>
   <td>
    <pre><code class=lang-http>
Content-Type: text/html
Content-Type: */*
</code></pre>
  <tr>
   <td>
    <pre><code class=lang-http>
Content-Type: text/html
Content-Type:
</code></pre>
 </table>
</div>


<h3 id=x-content-type-options-header>`<code>X-Content-Type-Options</code>` header</h3>

<p>The
`<dfn export http-header id=http-x-content-type-options><code>X-Content-Type-Options</code></dfn>`
response <a for=/>header</a> can be used to require checking of a <a for=/>response</a>'s
`<code>Content-Type</code>` <a for=/>header</a> against the <a for=request>destination</a> of a
<a for=/>request</a>.

<p>To <dfn export>determine nosniff</dfn>, given a <a for=/>header list</a> <var>list</var>, run
these steps:

<ol>
 <li><p>Let <var>values</var> be the result of
 <a for="header list">getting, decoding, and splitting</a>
 `<a http-header><code>X-Content-Type-Options</code></a>` from <var>list</var>.

 <li><p>If <var>values</var> is null, then return false.

 <li><p>If <var>values</var>[0] is an <a>ASCII case-insensitive</a> match for
 "<code>nosniff</code>", then return true.

 <li><p>Return false.
</ol>

<p>Web developers and conformance checkers must use the following <a for=header>value</a>
<a>ABNF</a> for `<a http-header><code>X-Content-Type-Options</code></a>`:

<pre><code class=lang-abnf>
X-Content-Type-Options           = "nosniff" ; case-insensitive
</code></pre>


<h4 lt="should response to request be blocked due to nosniff" dfn id=should-response-to-request-be-blocked-due-to-nosniff?>Should
<var>response</var> to <var>request</var> be blocked due to nosniff?</h4>

<p>Run these steps:

<ol>
 <li><p>If <a>determine nosniff</a> with <var>response</var>'s <a for=response>header list</a> is
 false, then return <b>allowed</b>.

 <li><p>Let <var>mimeType</var> be the result of <a for="header list">extracting a MIME type</a>
 from <var>response</var>'s <a for=response>header list</a>.

 <li><p>Let <var>destination</var> be <var>request</var>'s <a for=request>destination</a>.

 <li><p>If <var>destination</var> is <a for=request/destination>script-like</a> and
 <var>mimeType</var> is failure or is not a <a>JavaScript MIME type</a>, then return <b>blocked</b>.

 <li><p>If <var>destination</var> is "<code>style</code>" and <var>mimeType</var> is failure or its
 <a for="MIME type">essence</a> is not "<code>text/css</code>", then return <b>blocked</b>.

 <li><p>Return <b>allowed</b>.
</ol>

<p class="note no-backref">Only <a for=/>request</a> <a for=request>destinations</a> that are
<a for=request/destination>script-like</a> or "<code>style</code>" are considered as any exploits
pertain to them. Also, considering "<code>image</code>" was not compatible with deployed content.


<h3 id=corb>CORB</h3>

<p class="note">Cross-origin read blocking, better known as CORB, is an algorithm which identifies
dubious cross-origin resource fetches (e.g., fetches that would fail anyway like attempts to render
JSON inside an <code>img</code> element) and blocks them before they reach a web page. CORB reduces
the risk of leaking sensitive data by keeping it further from cross-origin web pages.

<p>A <dfn>CORB-protected MIME type</dfn> is an <a>HTML MIME type</a>, a <a>JSON MIME type</a>, or an
<a>XML MIME type</a> excluding <code>image/svg+xml</code>.

<p class="note no-backref">Even without CORB, accessing the content of cross-origin resources with
<a>CORB-protected MIME types</a> is either managed by the <a>CORS protocol</a> (e.g., in case of
{{XMLHttpRequest}}), not observable (e.g., in case of pings or CSP reports which ignore the
response), or would result in an error (e.g., when failing to decode an HTML document embedded in an
<code>img</code> element as an image). This means that CORB can block
<a>CORB-protected MIME types</a> resources without being disruptive to web pages.

<p>To perform a <dfn noexport>CORB check</dfn>, given a <var>request</var> and <var>response</var>,
run these steps:</p>

<ol>
 <li>
  <p>If <var>request</var>'s <a for=request>initiator</a> is "<code>download</code>", then return
  <b>allowed</b>.

  <p class=XXX>If we recast downloading as navigation this step can be removed.

 <li><p>If <var>request</var>'s <a for=request>current URL</a>'s <a for=url>scheme</a> is not an
 <a>HTTP(S) scheme</a>, then return <b>allowed</b>.

 <li><p>Let <var>mimeType</var> be the result of <a for="header list">extracting a MIME type</a>
 from <var>response</var>'s <a for=response>header list</a>.

 <li><p>If <var>mimeType</var> is failure, then return <b>allowed</b>.

 <li><p>If <var>response</var>'s <a for=response>status</a> is 206 and <var>mimeType</var> is a
 <a>CORB-protected MIME type</a>, then return <b>blocked</b>.

 <li>
  <p>If <a>determine nosniff</a> with <var>response</var>'s <a for=response>header list</a> is true
  and <var>mimeType</var> is a <a>CORB-protected MIME type</a> or its <a for="MIME type">essence</a>
  is "<code>text/plain</code>", then return <b>blocked</b>.

  <p class="note no-backref">CORB only protects <code>text/plain</code> responses with a
  `<code>X-Content-Type-Options: nosniff</code>` header. Unfortunately, protecting such responses
  without that header when their <a for=response>status</a> is 206 would break too many existing
  video responses that have a <code>text/plain</code> <a for=/>MIME type</a>.

 <!-- TODO: MIME type confirmation sniffing -->
 <!-- TODO: JSON security prefix sniffing -->

 <li><p>Return <b>allowed</b>.
</ol>


<h3 id=cross-origin-resource-policy-header>`<code>Cross-Origin-Resource-Policy</code>` header</h3>

<p>The
`<dfn export http-header id=http-cross-origin-resource-policy><code>Cross-Origin-Resource-Policy</code></dfn>`
response <a for=/>header</a> can be used to require checking a <a for=/>request</a>'s
<a for=request>current URL</a>'s <a for=url>origin</a> against a <a for=/>request</a>'s
<a for=request>origin</a> when <a for=/>request</a>'s <a for=request>mode</a> is
"<code>no-cors</code>".

<p>Its <a for=header>value</a> <a>ABNF</a>:

<pre><code class=lang-abnf>
Cross-Origin-Resource-Policy     = %s"same-origin" / %s"same-site" / %s"cross-origin" ; case-sensitive
</code></pre>

<p>To perform a <dfn export>cross-origin resource policy check</dfn>, given an <a for=url>origin</a>
<var>origin</var>, an <a for=/>environment settings object</a> <var>settingsObject</var>, a string
<var>destination</var>, a <a for=/>response</a> <var>response</var>, and an optional boolean
<var>forNavigation</var>, run these steps:

<ol>
 <li><p>Set <var>forNavigation</var> to false if it is not given.

 <li><p>Let <var>embedderPolicy</var> be <var>settingsObject</var>'s
 <a for="environment settings object">policy container</a>'s
 <a for="policy container">embedder policy</a>.

 <li>
  <p>If the <a>cross-origin resource policy internal check</a> with <var>origin</var>,
  "<code><a for="embedder policy value">unsafe-none</a></code>", <var>response</var>, and
  <var>forNavigation</var> returns <b>blocked</b>, then return <b>blocked</b>.

  <p class="note">This step is needed because we don't want to report violations not related to
  Cross-Origin Embedder Policy below.

 <li><p>If the <a>cross-origin resource policy internal check</a> with <var>origin</var>,
 <var>embedderPolicy</var>'s <a for="embedder policy">report only value</a>, <var>response</var>,
 and <var>forNavigation</var> returns <b>blocked</b>, then
 <a>queue a cross-origin embedder policy CORP violation report</a> with <var>response</var>,
 <var>settingsObject</var>, <var>destination</var>, and true.

 <li><p>If the <a>cross-origin resource policy internal check</a> with <var>origin</var>,
 <var>embedderPolicy</var>'s <a for="embedder policy">value</a>, <var>response</var>, and
 <var>forNavigation</var> returns <b>allowed</b>, then return <b>allowed</b>.

 <li><p><a>Queue a cross-origin embedder policy CORP violation report</a> with <var>response</var>,
 <var>settingsObject</var>, <var>destination</var>, and false.

 <li><p>Return <b>blocked</b>.
</ol>

<p class="note no-backref">Only HTML's navigate algorithm uses this check with
<var>forNavigation</var> set to true, and it's always for nested navigations. Otherwise,
<var>response</var> is either the <a for="filtered response">internal response</a> of an
<a>opaque filtered response</a> or a <a for=/>response</a> which will be the
<a for="filtered response">internal response</a> of an <a>opaque filtered response</a>. [[HTML]]

<p>To perform a <dfn>cross-origin resource policy internal check</dfn>, given an
<a for=url>origin</a> <var>origin</var>, an <a for=/>embedder policy value</a>
<var>embedderPolicyValue</var>, a <a for=/>response</a> <var>response</var>, and a boolean
<var>forNavigation</var>, run these steps:

<ol>
 <li><p>If <var>forNavigation</var> is true and <var>embedderPolicyValue</var> is
 "<code><a for="embedder policy value">unsafe-none</a></code>", then return <b>allowed</b>.

 <li>
  <p>Let <var>policy</var> be the result of <a for="header list">getting</a>
  `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` from <var>response</var>'s
  <a for=response>header list</a>.

  <p class=note>This means that `<code>Cross-Origin-Resource-Policy: same-site, same-origin</code>`
  ends up as <b>allowed</b> below as it will never match anything, as long as
  <var>embedderPolicyValue</var> is "<code><a for="embedder policy value">unsafe-none</a></code>".
  Two or more `<a http-header><code>Cross-Origin-Resource-Policy</code></a>` headers will have the
  same effect.

 <li><p>If <var>policy</var> is neither `<code>same-origin</code>`, `<code>same-site</code>`, nor
 `<code>cross-origin</code>`, then set <var>policy</var> to null.

 <li><p>If <var>policy</var> is null and <var>embedderPolicyValue</var> is
 "<code><a for="embedder policy value">require-corp</a></code>", then set <var>policy</var> to
 `<code>same-origin</code>`.

 <li>
  <p>Switch on <var>policy</var>:

  <dl class=switch>
   <dt>null
   <dt>`<code>cross-origin</code>`
   <dd><p>Return <b>allowed</b>.

   <dt>`<code>same-origin</code>`
   <dd>
    <p>If <var>origin</var> is <a>same origin</a> with <var>response</var>'s <a for=response>URL</a>'s
    <a for=url>origin</a>, then return <b>allowed</b>.

    <p>Otherwise, return <b>blocked</b>.

   <dt>`<code>same-site</code>`
   <dd>
    <p>If all of the following are true

    <ul class=brief>
     <li><p><var>origin</var> is <a>schemelessly same site</a> with <var>response</var>'s
     <a for=response>URL</a>'s <a for=url>origin</a>

     <li><p><var>origin</var>'s <a for=url>scheme</a> is "<code>https</code>" or
     <var>response</var>'s <a for=response>URL</a>'s <a for=url>scheme</a> is not
     "<code>https</code>"
    </ul>

    <p>then return <b>allowed</b>.

    <p>Otherwise, return <b>blocked</b>.

    <p class=note>`<code>Cross-Origin-Resource-Policy: same-site</code>` does not consider a
    response delivered via a secure transport to match a non-secure requesting origin,
    even if their hosts are otherwise same site. Securely-transported responses will only
    match a securely-transported initiator.
  </dl>
</ol>

<p>To <dfn>queue a cross-origin embedder policy CORP violation report</dfn>, given a
<a for=/>response</a> <var>response</var>, an <a for=/>environment settings object</a>
<var>settingsObject</var>, a string <var>destination</var>, and a boolean <var>reportOnly</var>,
run these steps:

<ol>
 <li><p>Let <var>endpoint</var> be <var>settingsObject</var>'s
 <a for="environment settings object">policy container</a>'s
 <a for="policy container">embedder policy</a>'s
 <a for="embedder policy">report only reporting endpoint</a> if <var>reportOnly</var> is true and
 <var>settingsObject</var>'s <a for="environment settings object">policy container</a>'s
 <a for="policy container">embedder policy</a>'s
 <a for="embedder policy">reporting endpoint</a> otherwise.

 <li><p>Let <var>serializedURL</var> be the result of
 <a lt="serialize a response URL for reporting">serializing a response URL for reporting</a> with
 <var>response</var>.

 <li><p>Let <var>disposition</var> be "<code>reporting</code>" if <var>reportOnly</var> is true;
 otherwise "<code>enforce</code>".

 <li>
  <p>Let <var>body</var> be a new object containing the following properties:

  <table>
   <thead>
    <th>key
    <th>value
   </thead>
   <tbody>
    <tr>
     <td>"<code>type</code>"
     <td>"<code>corp</code>"
    </tr>
    <tr>
     <td>"<code>blockedURL</code>"
     <td><var>serializedURL</var>
    </tr>
    <tr>
     <td>"<code>destination</code>"
     <td><var>destination</var>
    </tr>
    <tr>
     <td>"<code>disposition</code>"
     <td><var>disposition</var>
    </tr>
   </tbody>
  </table>

 <li><p><a for="reporting">Queue</a> <var>body</var> as the <a>"<code>coep</code>" report type</a> for
 <var>endpoint</var> on <var>settingsObject</var>. [[!REPORTING]]
</ol>



<h2 id=fetching>Fetching</h2>

<p class=note>The algorithm below defines <a lt=fetch for=/>fetching</a>. In broad strokes, it takes
a <a for=/>request</a> and one or more algorithms to run at various points during the operation. A
<a for=/>response</a> is passed to the last two algorithms listed below. The first two algorithms
can be used to capture uploads.

<p>To <dfn export id=concept-fetch>fetch</dfn>, given a <a for=/>request</a> <var>request</var>, an
optional algorithm
<dfn export for=fetch id=process-request-body><var>processRequestBody</var></dfn>, an optional
algorithm
<dfn export for=fetch id=process-request-end-of-body oldids=process-request-end-of-file><var>processRequestEndOfBody</var></dfn>,
an optional algorithm <dfn export for=fetch id=process-response><var>processResponse</var></dfn>,
an optional algorithm
<dfn export for=fetch id=process-response-end-of-body oldids=process-response-end-of-file><var>processResponseEndOfBody</var></dfn>,
an optional algorithm <dfn export for=fetch><var>processResponseDone</var></dfn>, and an optional
boolean <dfn export for=fetch><var>useParallelQueue</var></dfn> (default false), run the steps
below. If given, <var>processRequestBody</var> must be an algorithm accepting an integer
representing the number of bytes transmitted. If given, <var>processRequestEndOfBody</var> must be
an algorithm accepting no arguments. If given, <var>processResponse</var> must be an algorithm
accepting a <a for=/>response</a>. If given, <var>processResponseEndOfBody</var> must be an
algorithm accepting a <a for=/>response</a> and null, failure, or a <a for=/>byte sequence</a>. If
given, <var>processResponseDone</var> must be an algorithm accepting a <a for=/>response</a>.

<p>An ongoing <a for=/>fetch</a> can be
<dfn export for=fetch id=concept-fetch-terminate>terminated</dfn> with flag <var>aborted</var>,
which is unset unless otherwise specified.

<p>The user agent may be asked to
<dfn export for=fetch id=concept-fetch-suspend>suspend</dfn> the ongoing fetch.
The user agent may either accept or ignore the suspension request. The suspended fetch can be
<dfn export for=fetch id=concept-fetch-resume>resumed</dfn>. The user agent should
ignore the suspension request if the ongoing fetch is updating the response in the HTTP cache for
the request.

<p class="note no-backref">The user agent does not update the entry in the HTTP cache for a
<a for=/>request</a> if request's cache mode is "no-store" or a
`<code>Cache-Control: no-store</code>` header appears in the response.
[[!HTTP-CACHING]]

<ol>
 <li><p>Let <var>taskDestination</var> be null.

 <li><p>Let <var>crossOriginIsolatedCapability</var> be false.

 <li>
  <p>If <var>request</var>'s <a for=request>client</a> is non-null, then:

  <ol>
   <li><p>Set <var>taskDestination</var> to <var>request</var>'s <a for=request>client</a>'s
   <a for="environment settings object">global object</a>.

   <li><p>Set <var>crossOriginIsolatedCapability</var> to <var>request</var>'s
   <a for=request>client</a>'s
   <a for="environment settings object">cross-origin isolated capability</a>.
  </ol>

 <li><p>If <var>useParallelQueue</var> is true, then set <var>taskDestination</var> to the result of
 <a>starting a new parallel queue</a>.

 <!-- It would be nice to assert that taskDestination is non-null here, but it's not clear if this
      works for all callers. Fetch itself calls main fetch while taskDestination is null. Anyone
      wanting to do a ping without request body might do so as well, but if you do have a request
      body you definitely need this as otherwise transmit-request-body loop breaks down. -->

 <li><p>Let <var>timingInfo</var> be a new <a for=/>fetch timing info</a> whose
 <a for="fetch timing info">start time</a> and
 <a for="fetch timing info">post-redirect start time</a> are the
 <a for=/>coarsened shared current time</a> given <var>crossOriginIsolatedCapability</var>.

 <li><p>Let <var>fetchParams</var> be a new <a for=/>fetch params</a> whose
 <a for="fetch params">request</a> is <var>request</var>,
 <a for="fetch params">timing info</a> is <var>timingInfo</var>,
 <a for="fetch params">process request body</a> is <var>processRequestBody</var>,
 <a for="fetch params">process request end-of-body</a> is <var>processRequestEndOfBody</var>,
 <a for="fetch params">process response</a> is <var>processResponse</var>,
 <a for="fetch params">process response end-of-body</a> is <var>processResponseEndOfBody</var>,
 <a for="fetch params">process response done</a> is <var>processResponseDone</var>,
 <a for="fetch params">task destination</a> is <var>taskDestination</var>, and
 <a for="fetch params">cross-origin isolated capability</a> is
 <var>crossOriginIsolatedCapability</var>.

 <li><p>If <var>request</var>'s <a for=request>body</a> is a <a for=/>byte sequence</a>, then set
 <var>request</var>'s <a for=request>body</a> to the first return value of
 <a for=BodyInit>safely extracting</a> <var>request</var>'s <a for=request>body</a>.

 <li><p>If <var>request</var>'s <a for=request>window</a> is "<code>client</code>", then set
 <var>request</var>'s <a for=request>window</a> to <var>request</var>'s <a for=request>client</a>,
 if <var>request</var>'s <a for=request>client</a>'s
 <a for="environment settings object">global object</a> is a {{Window}} object; otherwise
 "<code>no-window</code>".

 <li><p>If <var>request</var>'s <a for=request>origin</a> is "<code>client</code>", then set
 <var>request</var>'s <a for=request>origin</a> to  <var>request</var>'s <a for=request>client</a>'s
 <a for="environment settings object">origin</a>.

 <li>
  <p>If <var>request</var>'s <a for=request>policy container</a> is "<code>client</code>", then:

  <ol>
   <li><p>If <var>request</var>'s <a for=request>client</a> is non-null, then set
   <var>request</var>'s <a for=request>policy container</a> to a
   <a lt="clone a policy container">clone</a> of <var>request</var>'s <a for=request>client</a>'s
   <a for="environment settings object">policy container</a>. [[!HTML]]

   <li><p>Otherwise, set <var>request</var>'s <a for=request>policy container</a> to a new
   <a for=/>policy container</a>.
  </ol>

 <li>
  <p>If <var>request</var>'s <a for=request>header list</a>
  <a for="header list">does not contain</a> `<code>Accept</code>`, then:

  <ol>
   <li><p>Let <var>value</var> be `<code>*/*</code>`.

   <li>
    <p>A user agent should set <var>value</var> to the first matching statement, if any, switching
    on <var>request</var>'s <a for=request>destination</a>:
    <!-- https://github.com/whatwg/fetch/issues/43#issuecomment-97909717 -->

    <dl class=switch>
     <dt>"<code>document</code>"
     <dt>"<code>frame</code>"
     <dt>"<code>iframe</code>"
     <dd>`<code>text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</code>`

     <dt>"<code>image</code>"
     <dd>`<code>image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5</code>`

     <dt>"<code>style</code>"
     <dd>`<code>text/css,*/*;q=0.1</code>`
    </dl>

   <li><p><a for="header list">Append</a> `<code>Accept</code>`/<var>value</var> to
   <var>request</var>'s <a for=request>header list</a>.
  </ol>

 <li><p>If <var>request</var>'s <a for=request>header list</a>
 <a for="header list">does not contain</a> `<code>Accept-Language</code>`, then user agents should
 <a for="header list">append</a> `<code>Accept-Language</code>`/an appropriate
 <a for=header>value</a> to <var>request</var>'s <a for=request>header list</a>.

 <li>
  <p>If <var>request</var>'s <a for=request>priority</a> is null, then use <var>request</var>'s
  <a for=request>initiator</a> and <a for=request>destination</a> appropriately in setting
  <var>request</var>'s <a for=request>priority</a> to a user-agent-defined object.

  <p class=note>The user-agent-defined object could encompass stream weight and dependency for
  HTTP/2, and equivalent information used to prioritize dispatch and processing of HTTP/1 fetches.

 <li>
  <p>If <var>request</var> is a <a>subresource request</a>, then:

  <ol>
   <li><p>Let <var>record</var> be a new <a for="fetch group">fetch record</a> consisting of
   <var>request</var> and this instance of the <a for=/>fetch</a> algorithm.

   <li><p>Append <var>record</var> to <var>request</var>'s <a for=request>client</a>'s
   <a for=fetch>fetch group</a> list of <a for="fetch group">fetch records</a>.
  </ol>

 <li><p>Run <a>main fetch</a> given <var>fetchParams</var>.
</ol>


<h3 id=main-fetch>Main fetch</h3>

<p>To <dfn id=concept-main-fetch>main fetch</dfn>, given a <a for=/>fetch params</a>
<var>fetchParams</var> and an optional boolean <var>recursive</var> (default false), run these
steps:

<ol>
 <li><p>Let <var>request</var> be <var>fetchParams</var>'s <a for="fetch params">request</a>.

 <li><p>Let <var>response</var> be null.

 <li><p>If <var>request</var>'s <a>local-URLs-only flag</a> is set and <var>request</var>'s
 <a for=request>current URL</a> is not <a lt="is local">local</a>, then set <var>response</var> to a
 <a>network error</a>.

 <li><p>Run <a>report Content Security Policy violations for <var>request</var></a>.

 <li><p><a>Upgrade <var>request</var> to a potentially trustworthy URL, if appropriate</a>.

 <li><p>If <a lt="block bad port">should <var>request</var> be blocked due to a bad port</a>,
 <a lt="should fetching request be blocked as mixed content?">should fetching <var>request</var> be blocked as mixed content</a>, or
 <a lt="should request be blocked by Content Security Policy?">should <var>request</var> be blocked by Content Security Policy</a>
 returns <b>blocked</b>, then set <var>response</var> to a <a>network error</a>.

 <li><p>If <var>request</var>'s <a for=request>referrer policy</a> is the empty string, then set
 <var>request</var>'s <a for=request>referrer policy</a> to <var>request</var>'s
 <a for=request>policy container</a>'s <a for="policy container">referrer policy</a>.

 <li>
  <p>If <var>request</var>'s <a for=request>referrer</a> is not "<code>no-referrer</code>", then set
  <var>request</var>'s <a for=request>referrer</a> to the result of invoking
  <a>determine <var>request</var>'s referrer</a>. [[!REFERRER]]

  <p class=note>As stated in <cite>Referrer Policy</cite>, user agents can provide the end user with
  options to override <var>request</var>'s <a for=request>referrer</a> to "<code>no-referrer</code>"
  or have it expose less sensitive information.

 <li>
  <p>Set <var>request</var>'s <a for=request>current URL</a>'s <a for=url>scheme</a> to
  "<code>https</code>" if all of the following conditions are true:

  <ul class=brief>
   <li><var>request</var>'s <a for=request>current URL</a>'s <a for=url>scheme</a> is
   "<code>http</code>"
   <li><var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a> is a
   <a for=/>domain</a>
   <li>Matching <var>request</var>'s <a for=request>current URL</a>'s <a for=url>host</a> per
   <a href=https://datatracker.ietf.org/doc/html/rfc6797#section-8.2>Known HSTS Host Domain Name Matching</a>
   results in either a superdomain match with an asserted <code>includeSubDomains</code> directive
   or a congruent match (with or without an asserted <code>includeSubDomains</code> directive).
   [[!HSTS]]
  </ul>
  <!-- Per Mike West HSTS happens "probably after" Referrer -->

 <li><p>If <var>recursive</var> is false, then run the remaining steps <a>in parallel</a>.

 <li>
  <p>If <var>response</var> is null, then set <var>response</var> to the result of running the steps
  corresponding to the first matching statement:

  <dl class=switch>
   <dt><var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a> is
   <a>same origin</a> with <var>request</var>'s <a for=request>origin</a>, and <var>request</var>'s
   <a for=request>response tainting</a> is "<code>basic</code>"
   <dt><var>request</var>'s <a for=request>current URL</a>'s <a for=url>scheme</a> is
   "<code>data</code>"
   <dt><var>request</var>'s <a for=request>mode</a> is
   "<code>navigate</code>" or "<code>websocket</code>"

   <dd>
    <ol>
     <li><p>Set <var>request</var>'s
     <a for=request>response tainting</a> to "<code>basic</code>".

     <li><p>Return the result of running <a>scheme fetch</a> given <var>fetchParams</var>.
    </ol>

    <p class="note no-backref">HTML assigns any documents and workers created from <a for=/>URLs</a>
    whose <a for=url>scheme</a> is "<code>data</code>" a unique <a>opaque origin</a>. Service
    workers can only be created from <a for=/>URLs</a> whose <a for=url>scheme</a> is an
    <a>HTTP(S) scheme</a>.
    [[!HTML]] [[!SW]]

   <dt><var>request</var>'s <a for=request>mode</a> is
   "<code>same-origin</code>"

   <dd><p>Return a <a>network error</a>.

   <dt><var>request</var>'s <a for=request>mode</a> is
   "<code>no-cors</code>"
   <dd>
    <ol>
     <li><p>If <var>request</var>'s <a for=request>redirect mode</a> is not "<code>follow</code>",
     then return a <a>network error</a>.

     <li><p>Set <var>request</var>'s
     <a for=request>response tainting</a> to
     "<code>opaque</code>".

     <li><p>Let <var>noCorsResponse</var> be the result of running <a>scheme fetch</a> given
     <var>fetchParams</var>.
     <!-- file URLs end up here as they are not same-origin typically. -->

     <li><p>If <var>noCorsResponse</var> is a <a>filtered response</a> or the <a>CORB check</a> with
     <var>request</var> and <var>noCorsResponse</var> returns <b>allowed</b>, then return
     <var>noCorsResponse</var>.

     <li>
      <p>Return a new <a for=/>response</a> whose <a for=response>status</a> is
      <var>noCorsResponse</var>'s <a for=response>status</a>.

      <p class="warning">This is only an effective defense against side channel attacks if
      <var>noCorsResponse</var> is kept isolated from the process that initiated the request.
    </ol>

   <dt><var>request</var>'s <a for=request>current URL</a>'s <a for=url>scheme</a> is not an
   <a>HTTP(S) scheme</a>

   <dd><p>Return a <a>network error</a>.

   <dt><var>request</var>'s <a>use-CORS-preflight flag</a> is set
   <dt><var>request</var>'s <a>unsafe-request flag</a> is set and either <var>request</var>'s
   <a for=request>method</a> is not a <a>CORS-safelisted method</a> or
   <a>CORS-unsafe request-header names</a> with <var>request</var>'s <a for=request>header list</a>
   <a for=list>is not empty</a>
   <dd>
    <ol>
     <li><p>Set <var>request</var>'s
     <a for=request>response tainting</a> to
     "<code>cors</code>".

     <li><p>Let <var>corsWithPreflightResponse</var> be the result of running <a>HTTP fetch</a>
     given <var>fetchParams</var> and true.

     <li><p>If <var>corsWithPreflightResponse</var> is a <a>network error</a>, then
     <a>clear cache entries</a> using <var>request</var>.

     <li><p>Return <var>corsWithPreflightResponse</var>.
    </ol>

   <dt>Otherwise
   <dd>
    <ol>
     <li><p>Set <var>request</var>'s
     <a for=request>response tainting</a> to
     "<code>cors</code>".

     <li><p>Return the result of running <a>HTTP fetch</a> given <var>fetchParams</var>.
    </ol>
  </dl>

 <li><p>If <var>recursive</var> is true, then return <var>response</var>.

 <li>
  <p>If <var>response</var> is not a <a>network error</a> and <var>response</var> is not a
  <a>filtered response</a>, then:

  <ol>
   <li>
    <p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>cors</code>", then:

    <ol>
     <li><p>Let <var>headerNames</var> be the result of <a>extracting header list values</a> given
     `<a http-header><code>Access-Control-Expose-Headers</code></a>` and <var>response</var>'s
     <a for=response>header list</a>.

     <li><p>If <var>request</var>'s <a for=request>credentials mode</a> is not
     "<code>include</code>" and <var>headerNames</var> contains `<code>*</code>`, then set
     <var>response</var>'s <a for=response>CORS-exposed header-name list</a> to all unique
     <a for=/>header</a> <a lt=name for=header>names</a> in <var>response</var>'s
     <a for=response>header list</a>.

     <li>
      <p>Otherwise, if <var>headerNames</var> is not null or failure, then set <var>response</var>'s
      <a for=response>CORS-exposed header-name list</a> to <var>headerNames</var>.

      <p class="note">One of the <var>headerNames</var> can still be `<code>*</code>` at this point,
      but will only match a <a for=/>header</a> whose <a for=header>name</a> is `<code>*</code>`.
    </ol>

   <li>
    <p>Set <var>response</var> to the following <a>filtered response</a> with <var>response</var> as
    its <a for="filtered response">internal response</a>, depending on <var>request</var>'s
    <a for=request>response tainting</a>:

    <dl class="switch compact">
     <dt>"<code>basic</code>"
     <dd><a>basic filtered response</a>
     <dt>"<code>cors</code>"
     <dd><a>CORS filtered response</a>
     <dt>"<code>opaque</code>"
     <dd><a>opaque filtered response</a>
    </dl>
  </ol>

 <li><p>Let <var>internalResponse</var> be <var>response</var>, if <var>response</var> is a
 <a>network error</a>, and <var>response</var>'s <a for="filtered response">internal response</a>
 otherwise.

 <li>
  <p>If <var>internalResponse</var>'s <a for=response>URL list</a> <a for=list>is empty</a>, then
  set it to a <a for=list>clone</a> of <var>request</var>'s <a for=request>URL list</a>.

  <p class=note>A <a for=/>response</a>'s <a for=response>URL list</a> can be empty (for example,
  when the response represents an <code>about</code> URL).
 <!-- If you are ever tempted to move this around, carefully consider responses from about URLs,
      blob URLs, service workers, HTTP cache, HTTP network, etc. -->

 <li><p>If <var>request</var>'s <a for=request>timing allow failed flag</a> is unset, then set
 <var>internalResponse</var>'s <a for=response>timing allow passed flag</a>.

 <li>
  <p>If <var>response</var> is not a <a>network error</a> and any of the following returns
  <b>blocked</b>

  <ul class=brief>
   <li><p><a lt="should response to request be blocked as mixed content?">should <var>internalResponse</var> to <var>request</var> be blocked as mixed content</a>

   <li><p><a lt="Should response to request be blocked by Content Security Policy?">should <var>internalResponse</var> to <var>request</var> be blocked by Content Security Policy</a>

   <li><p><a lt="should response to request be blocked due to mime type">should <var>internalResponse</var> to <var>request</var> be blocked due to its MIME type</a>

   <li><p><a lt="should response to request be blocked due to nosniff">should <var>internalResponse</var> to <var>request</var> be blocked due to nosniff</a>
  </ul>

  <p>then set <var>response</var> and <var>internalResponse</var> to a <a>network error</a>.

 <li>
  <p>If <var>response</var>'s <a for=response>type</a> is "<code>opaque</code>",
  <var>internalResponse</var>'s <a for=response>status</a> is 206, <var>internalResponse</var>'s
  <a for=response>range-requested flag</a> is set, and <var>request</var>'s
  <a for=request>header list</a> does not <a for="header list">contain</a> `<code>Range</code>`,
  then set <var>response</var> and <var>internalResponse</var> to a <a>network error</a>.

  <div class=note>
   <p>Traditionally, APIs accept a ranged response even if a range was not requested. This prevents
   a partial response from an earlier ranged request being provided to an API that did not make a
   range request.

   <details>
    <summary>Further details</summary>

    <p>The above steps prevent the following attack:

    <p>A media element is used to request a range of a cross-origin HTML resource. Although this is
    invalid media, a reference to a clone of the response can be retained in a service worker. This
    can later be used as the response to a script element's fetch. If the partial response is valid
    JavaScript (even though the whole resource is not), executing it would leak private data.
   </details>
  </div>

 <li>
  <p>If <var>response</var> is not a <a>network error</a> and
  either <var>request</var>'s <a for=request>method</a> is
  `<code>HEAD</code>` or `<code>CONNECT</code>`, or <var>internalResponse</var>'s
  <a for=response>status</a> is a <a>null body status</a>,
  set <var>internalResponse</var>'s <a for=response>body</a> to
  null and disregard any enqueuing toward it (if any).

  <p class=note>This standardizes the error handling for servers that violate HTTP.

 <li>
  <p>If <var>request</var>'s <a for=request>integrity metadata</a> is not the empty string, then:

  <ol>
   <li><p>Let <var>processBodyError</var> be this step: run <a>fetch finale</a> given
   <var>fetchParams</var> and a <a>network error</a>.


   <li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>opaque</code>",
   <var>response</var> is a <a>network error</a>, or <var>response</var>'s <a for=response>body</a>
   is null, then run <var>processBodyError</var> and abort these steps.

   <li>
    <p>Let <var>processBody</var> given <var>bytes</var> be these steps:

    <ol>
     <li><p>If <var>bytes</var> do not <a lt="Do bytes match metadataList?">match</a>
     <var>request</var>'s <a for=request>integrity metadata</a>, then run
     <var>processBodyError</var> and abort these steps. [[!SRI]]

     <li><p>Set <var>response</var>'s <a for=response>body</a> to the first return value of
     <a for=BodyInit>safely extracting</a> <var>bytes</var>.

     <li><p>Run <a>fetch finale</a> given <var>fetchParams</var> and <var>response</var>.
    </ol>

   <li><p><a for=body>Fully read</a> <var>response</var>'s <a for=response>body</a> given
   <var>processBody</var> and <var>processBodyError</var>.
  </ol>

 <li><p>Otherwise, run <a>fetch finale</a> given <var>fetchParams</var> and <var>response</var>.
</ol>

<hr>

<p>The <dfn>fetch finale</dfn>, given a <a for=/>fetch params</a> <var>fetchParams</var> and a
<a for=/>response</a> <var>response</var>, run these steps:

<ol>
 <li><p>If <var>fetchParams</var>'s <a for="fetch params">process response</a> is non-null, then
 <a>queue a fetch task</a> to run <var>fetchParams</var>'s
 <a for="fetch params">process response</a> given <var>response</var>, with <var>fetchParams</var>'s
 <a for="fetch params">task destination</a>.

 <li>
  <p>If <var>fetchParams</var>'s <a for="fetch params">process response end-of-body</a> is non-null,
  then:

  <ol>
   <li><p>Let <var>processBody</var> given <var>nullOrBytes</var> be this step: run
   <var>fetchParams</var>'s <a for="fetch params">process response end-of-body</a> given
   <var>response</var> and <var>nullOrBytes</var>.

   <li><p>Let <var>processBodyError</var> be this step: run <var>fetchParams</var>'s
   <a for="fetch params">process response end-of-body</a> given <var>response</var> and failure.

   <li><p>If <var>response</var>'s <a for=response>body</a> is null, then <a>queue a fetch task</a>
   to run <var>processBody</var> given null, with <var>fetchParams</var>'s
   <a for="fetch params">task destination</a>.

   <li><p>Otherwise, <a for=body>fully read</a> <var>response</var>'s <a for=response>body</a> given
   <var>processBody</var>, <var>processBodyError</var>, and <var>fetchParams</var>'s
   <a for="fetch params">task destination</a>.
  </ol>
</ol>

<p>To <dfn>finalize response</dfn> given a <a for=/>fetch params</a> <var>fetchParams</var> and a
<a for=/>response</a> <var>response</var>, run these steps:

<ol>
 <li><p>Set <var>fetchParams</var>'s <a for="fetch params">request</a>'s
 <a for=request>done flag</a>.

 <li><p>If <var>fetchParams</var>'s <a for="fetch params">process response done</a> is not null,
 then <a>queue a fetch task</a> to run <var>fetchParams</var>'s
 <a for="fetch params">process response done</a> given <var>response</var>,
 with <var>fetchParams</var>'s <a for="fetch params">task destination</a>.
</ol>

<p>To <dfn export>finalize and report timing</dfn> given a <a for=/>response</a>
<var>response</var>, a <a for=/>global object</a> <var>global</var>, and a <a for=/>string</a>
<var>initiatorType</var> (default "<code>other</code>"), run these steps:

<ol>
 <li><p>If <var>response</var>'s <a for=response>URL list</a> is null or
 <a for=list lt="is empty">empty</a>, then return.

 <li><p>Let <var>originalURL</var> be <var>response</var>'s <a for=response>URL list</a>[0].

 <li><p>Let <var>timingInfo</var> be <var>response</var>'s <a for=response>timing info</a>.

 <li><p>Let <var>cacheState</var> be <var>response</var>'s <a for=response>cache state</a>.

 <li><p>If <var>timingInfo</var> is null, then return.

 <li>
  <p>If <var>response</var>'s <a for=response>timing allow passed flag</a> is not set, then:

  <ol>
   <li><p>Set <var>timingInfo</var> to a new <a for=/>fetch timing info</a> whose
   <a for="fetch timing info">start time</a> and
   <a for="fetch timing info">post-redirect start time</a> are <var>timingInfo</var>'s
   <a for="fetch timing info">start time</a>.

   <li><p>Set <var>cacheState</var> to the empty string.
  </ol>

 <li><p>Set <var>timingInfo</var>'s <a for="fetch timing info">end time</a> to the
 <a for=/>coarsened shared current time</a> given <var>global</var>'s
 <a>relevant settings object</a>'s
 <a for="environment settings object">cross-origin isolated capability</a>.

 <li><p>Set <var>response</var>'s <a for="response">timing info</a> to <var>timingInfo</var>.

 <li><p><a for=/>Mark resource timing</a> for <var>timingInfo</var>, <var>originalURL</var>,
 <var>initiatorType</var>, <var>global</var>, and <var>cacheState</var>.
</ol>


<h3 id=scheme-fetch oldids=basic-fetch>Scheme fetch</h3>

<p>To <dfn id=concept-scheme-fetch oldids=concept-basic-fetch>scheme fetch</dfn>, given a
<a for=/>fetch params</a> <var>fetchParams</var>: let <var>request</var> be <var>fetchParams</var>'s
<a for="fetch params">request</a>, switch on <var>request</var>'s <a for=request>current URL</a>'s
<a for=url>scheme</a>, and run the associated steps:

<dl class=switch>
 <dt>"<code>about</code>"
 <dd>
  <p>If <var>request</var>'s <a for=request>current URL</a>'s <a>cannot-be-a-base-URL</a> is true
  and <a for=url>path</a> contains a single string "<code>blank</code>", then return a new
  <a for=/>response</a> whose <a for=response>status message</a> is `<code>OK</code>`,
  <a for=response>header list</a> consist of a single <a for=/>header</a> whose
  <a for=header>name</a> is `<code>Content-Type</code>` and <a for=header>value</a> is
  `<code>text/html;charset=utf-8</code>`, and <a for=response>body</a> is the empty byte sequence.

  <p>Otherwise, return a <a>network error</a>.

  <p class="note no-backref"><a for=/>URLs</a> such as "<code>about:config</code>" are handled
  during <a lt=navigate>navigation</a> and result in a <a>network error</a> in the context of
  <a lt=fetch for=/>fetching</a>.

 <dt>"<code>blob</code>"
 <dd>
  <ol>
   <li>
    <p>Run these steps, but <a>abort when</a> the ongoing fetch is <a for=fetch>terminated</a>:

    <ol>
     <li><p>Let <var>blob</var> be <var>request</var>'s <a for=request>current URL</a>'s
     <a for=url>blob URL entry</a>'s <a for="blob URL entry">object</a>.

     <li>
      <p>If <var>request</var>'s <a for=request>method</a> is not `<code>GET</code>` or
      <var>blob</var> is not a {{Blob}} object, then return a <a>network error</a>. [[!FILEAPI]]

      <p class=note>The `<code>GET</code>` <a for=/>method</a> restriction serves no useful purpose
      other than being interoperable.

     <li><p>Let <var>response</var> be a new <a for=/>response</a> whose
     <a for=response>status message</a> is `<code>OK</code>`.

     <li><p><a for="header list">Append</a>
     `<code>Content-Length</code>`/<var>blob</var>'s
     {{Blob/size}} attribute value to
     <var>response</var>'s
     <a for=response>header list</a>.

     <li><p><a for="header list">Append</a>
     `<code>Content-Type</code>`/<var>blob</var>'s
     {{Blob/type}} attribute value to
     <var>response</var>'s
     <a for=response>header list</a>.

     <li><p>Set <var>response</var>'s <a for=response>body</a> to
     the result of performing the <a spec=fileapi>read operation</a> on
     <var>blob</var>.

     <!-- This takes care of setting length, transmitted, and error flag as well -->

     <li><p>Return <var>response</var>.
    </ol>

   <li>
    <p><a>If aborted</a>, then:

    <ol>
     <li><p>Let <var>aborted</var> be the termination's aborted flag.

     <li><p>If <var>aborted</var> is set, then return an <a>aborted network error</a>.

     <li><p>Return a <a>network error</a>.
    </ol>
  </ol>

 <dt>"<code>data</code>"
 <dd>
  <ol>
   <li><p>Let <var>dataURLStruct</var> be the result of running the
   <a><code>data:</code> URL processor</a> on <var>request</var>'s <a for=request>current URL</a>.

   <li><p>If <var>dataURLStruct</var> is failure, then return a <a>network error</a>.

   <li><p>Return a <a for=/>response</a> whose <a for=response>status message</a> is
   `<code>OK</code>`, <a for=response>header list</a> consist of a single <a for=/>header</a> whose
   <a for=header>name</a> is `<code>Content-Type</code>` and <a for=header>value</a> is
   <var>dataURLStruct</var>'s <a for="data: URL struct">MIME type</a>,
   <a lt="serialize a MIME type to bytes">serialized</a>, and <a for=response>body</a> is
   <var>dataURLStruct</var>'s <a for="data: URL struct">body</a>.
  </ol>

 <dt>"<code>file</code>"
 <dd>
  <p>For now, unfortunate as it is, <code>file</code> <a for=/>URLs</a> are left as an exercise for
  the reader.

  <p>When in doubt, return a <a>network error</a>.

 <dt><a>HTTP(S) scheme</a>
 <dd>
  <p>Return the result of running <a>HTTP fetch</a> given <var>fetchParams</var>.

 <dt>Otherwise
 <dd><p>Return a <a>network error</a>.
</dl>


<h3 id=http-fetch>HTTP fetch</h3>

<p>To <dfn export id=concept-http-fetch>HTTP fetch</dfn>, given a <a for=/>fetch params</a>
<var>fetchParams</var> and an optional boolean <var>makeCORSPreflight</var> (default false), run
these steps:
<!-- This is exported for service workers, but that specification only mentions it in passing. -->

<ol>
 <li><p>Let <var>request</var> be <var>fetchParams</var>'s <a for="fetch params">request</a>.

 <li><p>Let <var>response</var> be null.

 <li><p>Let <var>actualResponse</var> be null.

 <li><p>Let <var>timingInfo</var> be <var>fetchParams</var>'s <a for="fetch params">timing info</a>.

 <li>
  <p>If <var>request</var>'s <a>service-workers mode</a> is "<code>all</code>", then:

  <ol>
   <li><p>Let <var>requestForServiceWorker</var> be a <a for=request>clone</a> of
   <var>request</var>.

   <li>
    <p>If <var>requestForServiceWorker</var>'s <a for=/>body</a> is non-null, then:

    <ol>
     <li>
      <p>Let <var>transformAlgorithm</var> given <var>chunk</var> be these steps:

      <ol>
       <li><p>If the ongoing fetch is <a for=fetch>terminated</a>, then abort these steps.

       <li><p>If <var>chunk</var> is not a {{Uint8Array}} object, then
       <a lt=terminated for=fetch>terminate</a> the ongoing fetch.

       <li><p>Otherwise, <a for=ReadableStream>enqueue</a> <var>chunk</var>. The user agent may
       split the chunk into <a>implementation-defined</a> practical sizes and
       <a for=ReadableStream>enqueue</a> each of them. The user agent also may concatenate the
       chunks into an <a>implementation-defined</a> practical size and
       <a for=ReadableStream>enqueue</a> it.
      </ol>

     <li><p>Let <var>transformStream</var> be the result of <a for=TransformStream>setting up</a> a
     {{TransformStream}} with <var>transformAlgorithm</var>.

     <li><p>Let <var>transformedStream</var> be the result of <var>requestForServiceWorker</var>'s
     <a for=/>body</a>'s <a for=body>stream</a> <a for=ReadableStream>piped through</a>
     <var>transformStream</var>.

     <li><p>Set <var>requestForServiceWorker</var>'s <a for=/>body</a>'s <a for=body>stream</a> to
     <var>transformedStream</var>.
    </ol>

   <li><p>Let <var>serviceWorkerStartTime</var> be the <a for=/>coarsened shared current time</a>
   given <var>fetchParams</var>'s <a for="fetch params">cross-origin isolated capability</a>.

   <li><p>Set <var>response</var> to the result of invoking <a for=/>handle fetch</a> for
   <var>requestForServiceWorker</var>. [[!HTML]] [[!SW]]

   <li>
    <p>If <var>response</var> is not null, then:

    <ol>
     <li><p>Set <var>fetchParams</var>'s <a for="fetch params">timing info</a>'s
     <a for="fetch timing info">final service worker start time</a> to
     <var>serviceWorkerStartTime</var>.

     <li><p><a for=/>Update timing info from stored response</a> given <var>fetchParams</var>'s
     <a for="fetch params">timing info</a> and <var>response</var>.

     <li>If <var>request</var>'s <a for=request>body</a> is non-null, then
     <a for=ReadableStream>cancel</a> <var>request</var>'s <a for=request>body</a> with undefined.

     <li><p>Set <var>actualResponse</var> to <var>response</var>, if <var>response</var> is not a
     <a>filtered response</a>, and to <var>response</var>'s
     <a for="filtered response">internal response</a> otherwise.

     <li>
      <p>If one of the following is true

      <ul class=brief>
       <li><p><var>response</var>'s <a for=response>type</a> is "<code>error</code>"

       <li><p><var>request</var>'s <a for=request>mode</a> is "<code>same-origin</code>" and
       <var>response</var>'s <a for=response>type</a> is "<code>cors</code>"

       <li><p><var>request</var>'s <a for=request>mode</a> is not "<code>no-cors</code>" and
       <var>response</var>'s <a for=response>type</a> is "<code>opaque</code>"

       <li><var>request</var>'s <a for=request>redirect mode</a> is not "<code>manual</code>" and
       <var>response</var>'s <a for=response>type</a> is "<code>opaqueredirect</code>"

       <li><var>request</var>'s <a for=request>redirect mode</a> is not "<code>follow</code>" and
       <var>response</var>'s <a for=response>URL list</a> has more than one item.
      </ul>

      <p>then return a <a>network error</a>.
    </ol>
  </ol>

 <li>
  <p>If <var>response</var> is null, then:

  <ol>
   <li>
    <p>If <var>makeCORSPreflight</var> is true and one of these conditions is true:

    <ul class=brief>
     <li><p>There is no <a>method cache entry match</a> for <var>request</var>'s
     <a for=request>method</a> using <var>request</var>, and either <var>request</var>'s
     <a for=request>method</a> is not a <a>CORS-safelisted method</a> or <var>request</var>'s
     <a>use-CORS-preflight flag</a> is set.

     <li>There is at least one <a for=list>item</a> in the <a>CORS-unsafe request-header names</a>
     with <var>request</var>'s <a for=request>header list</a> for which there is no
     <a>header-name cache entry match</a> using <var>request</var>.
    </ul>

    <p>Then:

    <ol>
     <li><p>Let <var>preflightResponse</var> be the result of running <a>CORS-preflight fetch</a>
     given <var>request</var>.

     <li><p>If <var>preflightResponse</var> is a <a>network error</a>, then return
     <var>preflightResponse</var>.
    </ol>

    <p class="note no-backref">This step checks the
    <a>CORS-preflight cache</a> and if there is no suitable entry it
    performs a <a>CORS-preflight fetch</a> which, if successful, populates the cache. The
    purpose of the <a>CORS-preflight fetch</a> is to ensure the
    <a lt=fetch for=/>fetched</a> resource is familiar with the
    <a>CORS protocol</a>. The cache is there to minimize the number of
    <a lt="CORS-preflight fetch">CORS-preflight fetches</a>.

   <li>
    <p>If <var>request</var>'s <a for=request>redirect mode</a> is "<code>follow</code>", then set
    <var>request</var>'s <a>service-workers mode</a> to "<code>none</code>".

    <p class="note no-backref">Redirects coming from the network (as opposed to from a service
    worker) are not to be exposed to a service worker.

   <li><p>Set <var>response</var> and <var>actualResponse</var> to the result of running
   <a>HTTP-network-or-cache fetch</a> given <var>fetchParams</var>.

   <li>
    <p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>cors</code>" and a
    <a>CORS check</a> for <var>request</var> and <var>response</var> returns failure, then return a
    <a>network error</a>.

    <p class="note no-backref">As the <a>CORS check</a> is not to be applied to
    <a for=/>responses</a> whose <a for=response>status</a> is 304 or 407, or <a for=/>responses</a>
    from a service worker for that matter, it is applied here.

   <li><p>If the <a>TAO check</a> for <var>request</var> and <var>response</var> returns failure,
   then set <var>request</var>'s <a for=request>timing allow failed flag</a>.
  </ol>

 <li>
  <p>If either <var>request</var>'s <a for=request>response tainting</a> or <var>response</var>'s
  <a for=response>type</a> is "<code>opaque</code>", and the
  <a>cross-origin resource policy check</a> with <var>request</var>'s <a for=request>origin</a>,
  <var>request</var>'s <a for=request>client</a>, <var>request</var>'s
  <a for=request>destination</a>, and <var>actualResponse</var> returns <b>blocked</b>, then return
  a <a>network error</a>.

  <p class=note>The <a>cross-origin resource policy check</a> runs for responses coming from the
  network and responses coming from the service worker. This is different from the
  <a>CORS check</a>, as <var>request</var>'s <a for=request>client</a> and the service worker can
  have different embedder policies.

 <li>
  <p>If <var>actualResponse</var>'s <a for=response>status</a> is a <a>redirect status</a>, then:

  <ol>
   <li>
    <p>If <var>actualResponse</var>'s <a for=response>status</a> is not 303, <var>request</var>'s
    <a for=request>body</a> is not null, and the <a>connection</a> uses HTTP/2, then user agents
    may, and are even encouraged to, transmit an <code>RST_STREAM</code> frame.

    <p class=note>303 is excluded as certain communities ascribe special status to it.

   <li>
    <p>Switch on <var>request</var>'s
    <a for=request>redirect mode</a>:

    <dl class=switch>
     <dt>"<code>error</code>"
     <dd><p>Set <var>response</var> to a <a>network error</a>.

     <dt>"<code>manual</code>"
     <dd><p>Set <var>response</var> to an <a>opaque-redirect filtered response</a> whose
     <a for="filtered response">internal response</a> is <var>actualResponse</var>.

     <dt>"<code>follow</code>"
     <dd><p>Set <var>response</var> to the result of running <a>HTTP-redirect fetch</a> given
     <var>fetchParams</var> and <var>response</var>.
    </dl>
    <!-- not resetting actualResponse since it's no longer used anyway -->
  </ol>

 <li>
  <p>Set <var>response</var>'s <a for=response>timing info</a> to <var>timingInfo</var>.

  <p class=note>Attaching the timing info to a response is what makes it exposed to the web as a
  Resource Timing entry later. This step is done here, as resource-timing entries are available only
  for HTTP fetches, including ones that are handled by service-workers or HTTP cache, and not for,
  e.g., <code>data:</code>, <code>blob:</code> URL fetches, and are only available after all the
  relevant security checks have succeeded.

 <li><p>Return <var>response</var>. <span class="note no-backref">Typically
 <var>actualResponse</var>'s <a for=response>body</a>'s
 <a for=body>stream</a> is still being enqueued to after returning.</span>
</ol>


<h3 id=http-redirect-fetch>HTTP-redirect fetch</h3>

<p>To <dfn export id=concept-http-redirect-fetch>HTTP-redirect fetch</dfn>, given a
<a for=/>fetch params</a> <var>fetchParams</var> and a <a for=/>response</a> <var>response</var>,
run these steps:

<ol>
 <li><p>Let <var>request</var> be <var>fetchParams</var>'s <a for="fetch params">request</a>.

 <li><p>Let <var>actualResponse</var> be <var>response</var>, if <var>response</var> is not a
 <a>filtered response</a>, and <var>response</var>'s
 <a for="filtered response">internal response</a> otherwise.

 <li><p>Let <var>locationURL</var> be <var>actualResponse</var>'s <a for=response>location URL</a>
 given <var>request</var>'s <a for=request>current URL</a>'s <a for=url>fragment</a>.

 <li><p>If <var>locationURL</var> is null, then return <var>response</var>.

 <li><p>If <var>locationURL</var> is failure, then return a <a>network error</a>.

 <li><p>If <var>locationURL</var>'s <a for=url>scheme</a> is not an <a>HTTP(S) scheme</a>, then
 return a <a>network error</a>.

 <li><p>If <var>request</var>'s <a for=request>redirect count</a> is
 twenty, return a <a>network error</a>.

 <li><p>Increase <var>request</var>'s
 <a for=request>redirect count</a> by one.

 <li><p>If <var>request</var>'s <a for=request>mode</a> is "<code>cors</code>",
 <var>locationURL</var> <a>includes credentials</a>, and <var>request</var>'s
 <a for=request>origin</a> is not <a>same origin</a> with <var>locationURL</var>'s
 <a for=url>origin</a>, then return a <a>network error</a>.

 <li>
  <p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>cors</code>" and
  <var>locationURL</var> <a>includes credentials</a>, then return a <a>network error</a>.

  <p class=note>This catches a cross-origin resource redirecting to a same-origin URL.

 <li><p>If <var>actualResponse</var>'s <a for=response>status</a> is not 303, <var>request</var>'s
 <a for=request>body</a> is non-null, and <var>request</var>'s <a for=request>body</a>'s
 <a for=body>source</a> is null, then return a <a>network error</a>.

 <li><p>If <var>locationURL</var>'s <a for=url>origin</a> is not <a>same origin</a> with
 <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a> and
 <var>request</var>'s <a for=request>origin</a> is not <a>same origin</a> with <var>request</var>'s
 <a for=request>current URL</a>'s <a for=url>origin</a>, then set <var>request</var>'s
 <a for=request>tainted origin flag</a>.

 <li>
  <p>If one of the following is true

  <ul class=brief>
   <li><p><var>actualResponse</var>'s <a for=response>status</a> is 301 or 302 and
   <var>request</var>'s <a for=request>method</a> is `<code>POST</code>`
   <li><p><var>actualResponse</var>'s <a for=response>status</a> is 303 and <var>request</var>'s
   <a for=request>method</a> is not `<code>GET</code>` or `<code>HEAD</code>`
  </ul>

  <p>then:

  <ol>
   <li><p>Set <var>request</var>'s <a for=request>method</a> to `<code>GET</code>` and
   <var>request</var>'s <a for=request>body</a> to null.

   <li><p><a for="list">For each</a> <var>headerName</var> of <a>request-body-header name</a>,
   <a for="header list">delete</a> <var>headerName</var> from <var>request</var>'s
   <a for=request>header list</a>.
  </ol>

 <li>
  <p>If <var>request</var>'s <a for=request>body</a> is non-null, then set <var>request</var>'s
  <a for=request>body</a> to the first return value of <a for=BodyInit>safely extracting</a>
  <var>request</var>'s <a for=request>body</a>'s <a for=body>source</a>.

  <p class="note no-backref"><var>request</var>'s <a for=request>body</a>'s <a for=body>source</a>'s
  nullity has already been checked.

 <li><p>Let <var>timingInfo</var> be <var>fetchParams</var>'s <a for="fetch params">timing info</a>.

 <li><p>Set <var>timingInfo</var>'s <a for="fetch timing info">redirect end time</a> and
 <a for="fetch timing info">post-redirect start time</a> to the
 <a for=/>coarsened shared current time</a> given <var>fetchParams</var>'s
 <a for="fetch params">cross-origin isolated capability</a>.

 <li><p>If <var>timingInfo</var>'s <a for="fetch timing info">redirect start time</a> is 0, then set
 <var>timingInfo</var>'s <a for="fetch timing info">redirect start time</a> to
 <var>timingInfo</var>'s <a for="fetch timing info">start time</a>.

 <li><p><a for=list>Append</a> <var>locationURL</var> to <var>request</var>'s
 <a for=request>URL list</a>.

 <li><p>Invoke <a>set <var>request</var>'s referrer policy on redirect</a> on <var>request</var> and
 <var>actualResponse</var>. [[!REFERRER]]

 <li>
  <p>Return the result of running <a>main fetch</a> given <var>fetchParams</var> and true.

  <p class=note>This has to invoke <a>main fetch</a> to get <var>request</var>'s
  <a for=request>response tainting</a> correct.
</ol>


<h3 id=navigate-redirect-fetch>Navigate-redirect fetch</h3>

<p class=note>This algorithm is used by <cite>HTML</cite>'s navigate algorithm. It is expected to be
invoked while <a>in parallel</a>. [[!HTML]]

<p>To <dfn export id=concept-navigate-redirect-fetch>navigate-redirect fetch</dfn>, given a
<a for=/>request</a> <var>request</var> and <a for=/>response</a> <var>response</var>, run these
steps. They return a <a for=/>response</a>.

<ol>
 <li><p>Assert: <var>request</var>'s <a for=request>redirect mode</a> is "<code>manual</code>".

 <li><p>Let <var>fetchParams</var> be a new <a for=/>fetch params</a> whose
 <a for="fetch params">request</a> is <var>request</var>.

 <li><p>Return the result of running <a>HTTP-redirect fetch</a> given <var>fetchParams</var> and
 <var>response</var>.
</ol>


<h3 id=http-network-or-cache-fetch>HTTP-network-or-cache fetch</h3>

<p>To <dfn id=concept-http-network-or-cache-fetch>HTTP-network-or-cache fetch</dfn>, given a
<a for=/>fetch params</a> <var>fetchParams</var>, an optional boolean
<var>isAuthenticationFetch</var> (default false), and an optional boolean
<var>isNewConnectionFetch</var> (default false), run these steps:

<p class=note>Some implementations might support caching of partial content, as per
<cite>HTTP Range Requests</cite>. However, this is not widely supported by browser caches.
[[HTTP-RANGE]]

<ol>
 <li><p>Let <var>request</var> be <var>fetchParams</var>'s <a for="fetch params">request</a>.

 <li><p>Let <var>httpFetchParams</var> be null.

 <li><p>Let <var>httpRequest</var> be null.

 <li><p>Let <var>response</var> be null.

 <li><p>Let <var>storedResponse</var> be null.

 <li><p>Let <var>httpCache</var> be null.

 <li><p>Let the <var>revalidatingFlag</var> be unset.

 <li>
  <p>Run these steps, but <a>abort when</a> the ongoing fetch is <a for=fetch>terminated</a>:

  <ol>
   <li><p>If <var>request</var>'s <a for=request>window</a> is "<code>no-window</code>" and
   <var>request</var>'s <a for=request>redirect mode</a> is "<code>error</code>", then set
   <var>httpFetchParams</var> to <var>fetchParams</var> and <var>httpRequest</var> to
   <var>request</var>.

   <li>
    <p>Otherwise:

    <ol>
     <li>
      <p>Set <var>httpRequest</var> to a <a for=request>clone</a> of <var>request</var>.

      <p class=note>Implementations are encouraged to avoid teeing <var>request</var>'s
      <a for=request>body</a>'s <a for=body>stream</a> when <var>request</var>'s
      <a for=request>body</a>'s <a for=body>source</a> is null as only a single body is needed in
      that case. E.g., when <var>request</var>'s <a for=request>body</a>'s <a for=body>source</a>
      is null, redirects and authentication will end up failing the fetch.

     <li><p>Set <var>httpFetchParams</var> to a copy of <var>fetchParams</var>.

     <li><p>Set <var>httpFetchParams</var>'s <a for="fetch params">request</a> to
     <var>httpRequest</var>.
    </ol>

   <li>
    <p>Let <var>includeCredentials</var> be true if one of

    <ul class=brief>
     <li><var>request</var>'s <a for=request>credentials mode</a> is
     "<code>include</code>"
     <li><var>request</var>'s  <a for=request>credentials mode</a> is
     "<code>same-origin</code>" and <var>request</var>'s
     <a for=request>response tainting</a> is "<code>basic</code>"
    </ul>

    <p>is true; otherwise false.

   <li><p>Let <var>contentLength</var> be <var>httpRequest</var>'s <a for=request>body</a>'s
   <a for=body>length</a>, if <var>httpRequest</var>'s <a for=request>body</a> is non-null;
   otherwise null.

   <li><p>Let <var>contentLengthHeaderValue</var> be null.

   <li><p>If <var>httpRequest</var>'s <a for=request>body</a> is null and <var>httpRequest</var>'s
   <a for=request>method</a> is `<code>POST</code>` or `<code>PUT</code>`, then set
   <var>contentLengthHeaderValue</var> to `<code>0</code>`.
   <!-- https://chromium.googlesource.com/chromium/src/+/master/net/http/http_network_transaction.cc#982 -->

   <li><p>If <var>contentLength</var> is non-null, then set  <var>contentLengthHeaderValue</var> to
   <var>contentLength</var>, <a lt="serialize an integer">serialized</a> and
   <a>isomorphic encoded</a>.

   <li><p>If <var>contentLengthHeaderValue</var> is non-null, then <a for="header list">append</a>
   `<code>Content-Length</code>`/<var>contentLengthHeaderValue</var> to <var>httpRequest</var>'s
   <a for=request>header list</a>.

   <li>
    <p>If <var>contentLength</var> is non-null and <var>httpRequest</var>'s
    <a for=request>keepalive</a> is true, then:

    <ol>
     <li><p>Let <var>inflightKeepaliveBytes</var> be 0.

     <li><p>Let <var>group</var> be <var>httpRequest</var>'s <a for=request>client</a>'s
     <a>fetch group</a>.

     <li><p>Let <var>inflightRecords</var> be the set of <a for="fetch group">fetch records</a> in
     <var>group</var> whose <a for="fetch record">request</a>'s <a for=request>keepalive</a> is true
     and <a>done flag</a> is unset.

     <li>
      <p><a for=set>For each</a> <var>fetchRecord</var> in <var>inflightRecords</var>:

      <ol>
       <li><p>Let <var>inflightRequest</var> be <var>fetchRecord</var>'s
       <a for="fetch record">request</a>.

       <li><p>Increment <var>inflightKeepaliveBytes</var> by <var>inflightRequest</var>'s
       <a for=request>body</a>'s <a for=body>length</a>.
      </ol>

     <li><p>If the sum of <var>contentLength</var> and <var>inflightKeepaliveBytes</var> is greater
     than 64 kibibytes, then return a <a>network error</a>.
    </ol>

    <p class="note no-backref">The above limit ensures that requests that are allowed to outlive the
    <a>environment settings object</a> and contain a body, have a bounded size and are not allowed
    to stay alive indefinitely.

   <li><p>If <var>httpRequest</var>'s <a for=request>referrer</a> is a <a for=/>URL</a>, then
   <a for="header list">append</a> `<code>Referer</code>`/<var>httpRequest</var>'s
   <a for=request>referrer</a>, <a lt="URL serializer">serialized</a> and <a>isomorphic encoded</a>,
   to <var>httpRequest</var>'s <a for=request>header list</a>.

   <li><p><a>Append a request `<code>Origin</code>` header</a> for <var>httpRequest</var>.

   <li><p><a abstract-op lt="append the Fetch metadata headers for a request">Append the Fetch metadata headers for <var>httpRequest</var></a>.
   [[!FETCH-METADATA]]

   <li><p>If <var>httpRequest</var>'s <a for=request>header list</a>
   <a for="header list">does not contain</a> `<code>User-Agent</code>`, then user agents should
   <a for="header list">append</a>
   `<code>User-Agent</code>`/<a>default `<code>User-Agent</code>` value</a>
   to <var>httpRequest</var>'s <a for=request>header list</a>.

   <li><p>If <var>httpRequest</var>'s <a for=request>cache mode</a> is "<code>default</code>" and
   <var>httpRequest</var>'s <a for=request>header list</a> <a for="header list">contains</a>
   `<code>If-Modified-Since</code>`,
   `<code>If-None-Match</code>`,
   `<code>If-Unmodified-Since</code>`,
   `<code>If-Match</code>`, or
   `<code>If-Range</code>`, then set <var>httpRequest</var>'s
   <a for=request>cache mode</a> to "<code>no-store</code>".

   <li><p>If <var>httpRequest</var>'s <a for=request>cache mode</a> is "<code>no-cache</code>",
   <var>httpRequest</var>'s <a for=request>prevent no-cache cache-control header modification flag</a>
   is unset, and <var>httpRequest</var>'s <a for=request>header list</a>
   <a for="header list">does not contain</a> `<code>Cache-Control</code>`, then
   <a for="header list">append</a> `<code>Cache-Control</code>`/`<code>max-age=0</code>` to
   <var>httpRequest</var>'s <a for=request>header list</a>.

   <li>
    <p>If <var>httpRequest</var>'s <a for=request>cache mode</a> is "<code>no-store</code>" or
    "<code>reload</code>", then:

    <ol>
     <li><p>If <var>httpRequest</var>'s <a for=request>header list</a>
     <a for="header list">does not contain</a> `<code>Pragma</code>`, then
     <a for="header list">append</a> `<code>Pragma</code>`/`<code>no-cache</code>` to
     <var>httpRequest</var>'s <a for=request>header list</a>.

     <li><p>If <var>httpRequest</var>'s <a for=request>header list</a>
     <a for="header list">does not contain</a> `<code>Cache-Control</code>`, then
     <a for="header list">append</a> `<code>Cache-Control</code>`/`<code>no-cache</code>` to
     <var>httpRequest</var>'s <a for=request>header list</a>.
     <!-- Technically this only applies to HTTP/1.1 and up -->
    </ol>

   <li>
    <p>If <var>httpRequest</var>'s <a for=request>header list</a> <a for="header list">contains</a>
    `<code>Range</code>`, then <a for="header list">append</a>
    `<code>Accept-Encoding</code>`/`<code>identity</code>` to <var>httpRequest</var>'s
    <a for=request>header list</a>.

    <div class="note no-backref">
     <p>This avoids a failure when <a lt="handle content codings">handling content codings</a> with
     a part of an encoded <a for=/>response</a>.

     <p>Additionally,
     <a href="https://jakearchibald.github.io/accept-encoding-range-test/">many servers</a>
     mistakenly ignore `<code>Range</code>` headers if a non-identity encoding is accepted.
    </div>

   <li>
    <p>Modify <var>httpRequest</var>'s <a for=request>header list</a> per HTTP. Do not
    <a for="header list">append</a> a given <a>header</a> if <var>httpRequest</var>'s
    <a for=request>header list</a> <a for="header list">contains</a> that <a>header</a>'s
    <a for=header>name</a>.

    <p class="note no-backref">It would be great if we could make this more normative
    somehow. At this point <a for=/>headers</a> such as
    `<code>Accept-Encoding</code>`,
    `<code>Connection</code>`,
    `<code>DNT</code>`, and
    `<code>Host</code>`,
    are to be <a for="header list">appended</a> if necessary.

    <p>`<code>Accept</code>`,
    `<code>Accept-Charset</code>`, and
    `<code>Accept-Language</code>` must not be included at this point.

    <p class="note no-backref">`<code>Accept</code>` and `<code>Accept-Language</code>` are already
    included (unless <a method><code>fetch()</code></a> is used, which does not include the latter
    by default), and `<code>Accept-Charset</code>` is a waste of bytes. See
    <a>HTTP header layer division</a> for more details.

   <li>
    <p>If <var>includeCredentials</var> is true, then:

    <ol>
     <li>
      <p>If the user agent is not configured to block cookies for <var>httpRequest</var> (see
      <a href=https://datatracker.ietf.org/doc/html/rfc6265#section-7>section 7</a> of
      [[!COOKIES]]), then:

      <ol>
       <li><p>Let <var>cookies</var> be the result of running the "cookie-string" algorithm (see
       <a href=https://datatracker.ietf.org/doc/html/rfc6265#section-5.4>section 5.4</a> of
       [[!COOKIES]]) with the user agent's cookie store and <var>httpRequest</var>'s
       <a for=request>current URL</a>.

       <li>If <var>cookies</var> is not the empty string, append
       `<code>Cookie</code>`/<var>cookies</var> to <var>httpRequest</var>'s
       <a for=request>header list</a>.
      </ol>

     <li>
      <p>If <var>httpRequest</var>'s <a for=request>header list</a>
      <a for="header list">does not contain</a> `<code>Authorization</code>`, then:

      <!-- https://wiki.whatwg.org/wiki/HTTP_Authentication -->
      <ol>
       <li><p>Let <var>authorizationValue</var> be null.

       <li><p>If there's an <a>authentication entry</a> for <var>httpRequest</var> and either
       <var>httpRequest</var>'s <a for=request>use-URL-credentials flag</a> is unset or
       <var>httpRequest</var>'s <a for=request>current URL</a> does not <a>include credentials</a>,
       then set <var>authorizationValue</var> to <a>authentication entry</a>.
       <!-- need to define the cache concept -->

       <li><p>Otherwise, if <var>httpRequest</var>'s <a for=request>current URL</a> does
       <a>include credentials</a> and <var>isAuthenticationFetch</var> is true, set
       <var>authorizationValue</var> to <var>httpRequest</var>'s <a for=request>current URL</a>,
       <span class=XXX>converted to an `<code>Authorization</code>` value</span>.

       <li><p>If <var>authorizationValue</var> is non-null, then <a for="header list">append</a>
       `<code>Authorization</code>`/<var>authorizationValue</var> to <var>httpRequest</var>'s
       <a for=request>header list</a>.
      </ol>
    </ol>

   <li>
    <p>If there's a <a>proxy-authentication entry</a>, use it as appropriate.

    <p class="note no-backref">This intentionally does not depend on
    <var>httpRequest</var>'s
    <a for=request>credentials mode</a>.

   <li><p>Set <var>httpCache</var> to the result of <a>determining the HTTP cache partition</a>,
   given <var>httpRequest</var>.

   <li><p>If <var>httpCache</var> is null, then set <var>httpRequest</var>'s
   <a for=request>cache mode</a> to "<code>no-store</code>".

   <li>
    <p>If <var>httpRequest</var>'s <a for=request>cache mode</a> is neither "<code>no-store</code>"
    nor "<code>reload</code>", then:

    <ol>
     <li>
      <p>Let <var>timingInfo</var> be <var>fetchParams</var>'s <a for="fetch params">timing info</a>.

      <p>Set <var>storedResponse</var> to the result of selecting a response from the
      <var>httpCache</var>, possibly needing validation, as per the
      "<a href=https://datatracker.ietf.org/doc/html/rfc7234#section-4>Constructing Responses from Caches</a>"
      chapter of <cite>HTTP Caching</cite> [[!HTTP-CACHING]], if any.

      <p class=note>As mandated by HTTP, this still takes the `<code>Vary</code>`
      <a for=/>header</a> into account.

     <li>
      <p>If <var>storedResponse</var> is non-null, then:

      <!-- cache hit -->
      <ol>
       <li>
        <p>If <a for=request>cache mode</a> is "<code>default</code>", <var>storedResponse</var>
        is a <a>stale-while-revalidate response</a>, and <var>httpRequest</var>'s
        <a for=request>client</a> is non-null, then:

        <ol>
         <li><p>Set <var>response</var> to <var>storedResponse</var>.

         <li><p>Set <var>response</var>'s <a for=response>cache state</a> to "<code>local</code>".

         <li><p>Let <var>revalidateRequest</var> be a <a for=request>clone</a> of
         <var>request</var>.

         <li><p>Set <var>revalidateRequest</var>'s <a for=request>cache mode</a> set to
         "<code>no-cache</code>".

         <li><p>Set <var>revalidateRequest</var>'s
         <a for=request>prevent no-cache cache-control header modification flag</a>.

         <li><p>Set <var>revalidateRequest</var>'s <a for=request>service-workers mode</a> set to
         "<code>none</code>".

         <li>
          <p><a>In parallel</a>, run <a>main fetch</a> given a new <a for=/>fetch params</a> whose
          <a for="fetch params">request</a> is <var>revalidateRequest</var>.

          <p class=note>This fetch is only meant to update the state of <var>httpCache</var>
          and the response will be unused until another cache access. The stale response will be used
          as the response to current request. This fetch is issued in the context of a client so if
          it goes away the request will be terminated.
        </ol>

       <li>
        <p>Otherwise:

        <ol>
         <li><p>If <var>storedResponse</var> is a <a>stale response</a>, then set the
         <var>revalidatingFlag</var>.

         <li>
          <p>If the <var>revalidatingFlag</var> is set and <var>httpRequest</var>'s
          <a for=request>cache mode</a> is neither "<code>force-cache</code>" nor
          "<code>only-if-cached</code>", then:

          <ol>
           <li><p>If <var>storedResponse</var>'s <a for=response>header list</a>
           <a for="header list">contains</a> `<code>ETag</code>`, then
           <a for="header list">append</a> `<code>If-None-Match</code>` with its value to
           <var>httpRequest</var>'s <a for=request>header list</a>.

           <li><p>If <var>storedResponse</var>'s <a for=response>header list</a>
           <a for="header list">contains</a> `<code>Last-Modified</code>`, then
           <a for="header list">append</a> `<code>If-Modified-Since</code>` with its value to
           <var>httpRequest</var>'s <a for=request>header list</a>.
          </ol>

          <p class=note>See also the
          "<a href=https://datatracker.ietf.org/doc/html/rfc7234#section-4.3.4>Sending a Validation Request</a>"
          chapter of <cite>HTTP Caching</cite> [[!HTTP-CACHING]].

         <li><p>Otherwise, set <var>response</var> to <var>storedResponse</var> and set
         <var>response</var>'s <a for=response>cache state</a> to "<code>local</code>".
        </ol>
      </ol>
    </ol>
  </ol>

 <li>
  <p><a>If aborted</a>, then:

  <ol>
   <li><p>Let <var>aborted</var> be the termination's aborted flag.

   <li><p>If <var>aborted</var> is set, then return an <a>aborted network error</a>.

   <li><p>Return a <a>network error</a>.
  </ol>

 <!-- If response is still null, we require a forwarded request. -->
 <li>
  <p>If <var>response</var> is null, then:

  <ol>
   <li><p>If <var>httpRequest</var>'s <a for=request>cache mode</a> is
   "<code>only-if-cached</code>", then return a <a>network error</a>.

   <li><p>Let <var>forwardResponse</var> be the result of running <a>HTTP-network fetch</a> given
   <var>httpFetchParams</var>, <var>includeCredentials</var>, and <var>isNewConnectionFetch</var>.

   <li><p>If <var>httpRequest</var>'s <a for=request>method</a> is
   <a href=https://datatracker.ietf.org/doc/html/rfc7231#section-4.2.1>unsafe</a> and
   <var>forwardResponse</var>'s <a for=response>status</a> is in the range 200 to 399, inclusive,
   invalidate appropriate stored responses in <var>httpCache</var>, as per the
   "<a href=https://datatracker.ietf.org/doc/html/rfc7234#section-4.4>Invalidation</a>" chapter of
   <cite>HTTP Caching</cite>, and set <var>storedResponse</var> to null. [[!HTTP-CACHING]]

   <li>
    <p>If the <var>revalidatingFlag</var> is set and <var>forwardResponse</var>'s
    <a for=response>status</a> is 304, then:

    <ol>
     <li>
      <p>Update <var>storedResponse</var>'s <a for=response>header list</a> using
      <var>forwardResponse</var>'s <a for=response>header list</a>, as per the
      "<a href=https://datatracker.ietf.org/doc/html/rfc7234#section-4.3.4>Freshening Stored Responses upon Validation</a>"
      chapter of <cite>HTTP Caching</cite>. [[!HTTP-CACHING]]

      <p class="note">This updates the stored response in cache as well.

     <li><p>Set <var>response</var> to <var>storedResponse</var>.

     <li><p>Set <var>response</var>'s <a for=response>cache state</a> to "<code>validated</code>".

     <li><p><a for=/>Update timing info from stored response</a> given <var>fetchParams</var>'s
     <a for="fetch params">timing info</a> and <var>response</var>.
    </ol>

   <li>
    <p>If <var>response</var> is null, then:

    <ol>
     <li><p>Set <var>response</var> to <var>forwardResponse</var>.

     <li>
      <p>Store <var>httpRequest</var> and <var>forwardResponse</var> in <var>httpCache</var>, as per
      the "<a href=https://datatracker.ietf.org/doc/html/rfc7234#section-3>Storing Responses in Caches</a>"
      chapter of <cite>HTTP Caching</cite>. [[!HTTP-CACHING]]

      <p class=note>If <var>forwardResponse</var> is a <a>network error</a>, this effectively caches
      the network error, which is sometimes known as "negative caching".

      <p class=note>The associated <a for=response>timing info</a> is stored in the cache
      alongside the response.
    </ol>
  </ol>

 <li><p>Set <var>response</var>'s <a for=response>URL list</a> to a <a for=list>clone</a> of
 <var>httpRequest</var>'s <a for=request>URL list</a>.

 <li><p>If <var>httpRequest</var>'s <a for=request>header list</a> <a for="header list">contains</a>
 `<code>Range</code>`, then set <var>response</var>'s <a for=response>range-requested flag</a>.

 <li>
  <p>If <var>response</var>'s <a for=response>status</a> is 401, <var>httpRequest</var>'s
  <a for=request>response tainting</a> is not "<code>cors</code>", <var>includeCredentials</var> is
  true, and <var>request</var>'s <a for=request>window</a> is an <a>environment settings object</a>,
  then:

  <ol>
   <li class=XXX><p>Needs testing: multiple `<code>WWW-Authenticate</code>` headers, missing,
   parsing issues.

   <li>
    <p>If <var>request</var>'s <a for=request>body</a> is non-null, then:

    <ol>
     <li><p>If <var>request</var>'s <a for=request>body</a>'s <a for=body>source</a> is null,
     then return a <a>network error</a>.

     <li><p>Set <var>request</var>'s <a for=request>body</a> to the first return value of
     <a for=BodyInit>safely extracting</a> <var>request</var>'s <a for=request>body</a>'s
     <a for=body>source</a>.
    </ol>

   <li>
    <p>If <var>request</var>'s <a for=request>use-URL-credentials flag</a> is unset or
    <var>isAuthenticationFetch</var> is true, then:

    <ol>
     <li>
      <p>If the ongoing fetch is <a for=fetch>terminated</a>, then:

      <ol>
       <li><p>Let <var>aborted</var> be the termination's aborted flag.

       <li><p>If <var>aborted</var> is set, then return an <a>aborted network error</a>.

       <li><p>Return a <a>network error</a>.
      </ol>

     <li><p>Let <var>username</var> and <var>password</var> be the result of prompting the end user
     for a username and password, respectively, in <var>request</var>'s
     <a for=request>window</a>.

     <li><p><a>Set the username</a> given <var>request</var>'s <a for=request>current URL</a> and
     <var>username</var>.

     <li><p><a>Set the password</a> given <var>request</var>'s <a for=request>current URL</a> and
     <var>password</var>.
    </ol>

   <li><p>Set <var>response</var> to the result of running <a>HTTP-network-or-cache fetch</a> given
   <var>fetchParams</var> and true.
  </ol>

 <li>
  <p>If <var>response</var>'s <a for=response>status</a> is 407, then:

  <ol>
   <li><p>If <var>request</var>'s <a for=request>window</a> is
   "<code>no-window</code>", then return a <a>network error</a>.

   <li class=XXX><p>Needs testing: multiple `<code>Proxy-Authenticate</code>` headers, missing,
   parsing issues.

   <li>
    <p>If the ongoing fetch is <a for=fetch>terminated</a>, then:

    <ol>
     <li><p>Let <var>aborted</var> be the termination's aborted flag.

     <li><p>If <var>aborted</var> is set, then return an <a>aborted network error</a>.

     <li><p>Return a <a>network error</a>.
    </ol>

   <li>
    <p>Prompt the end user as appropriate in <var>request</var>'s
    <a for=request>window</a> and store the result as a
    <a>proxy-authentication entry</a>. [[!HTTP-AUTH]]

    <p class=note>Remaining details surrounding proxy authentication are defined by HTTP.

   <li><p>Set <var>response</var> to the result of running <a>HTTP-network-or-cache fetch</a> given
   <var>fetchParams</var>.
  </ol>

 <li>
  <p>If all of the following are true

  <ul class=brief>
   <li><p><var>response</var>'s <a for=response>status</a> is 421

   <li><p><var>isNewConnectionFetch</var> is false

   <li><p><var>request</var>'s <a for=request>body</a> is null, or <var>request</var>'s
   <a for=request>body</a> is non-null and <var>request</var>'s <a for=request>body</a>'s
   <a for=body>source</a> is non-null
  </ul>

  <p>then:

  <ol>
   <li>
    <p>If the ongoing fetch is <a for=fetch>terminated</a>, then:

    <ol>
     <li><p>Let <var>aborted</var> be the termination's aborted flag.

     <li><p>If <var>aborted</var> is set, then return an <a>aborted network error</a>.

     <li><p>Return a <a>network error</a>.
    </ol>

   <li><p>Set <var>response</var> to the result of running <a>HTTP-network-or-cache fetch</a> given
   <var>fetchParams</var>, <var>isAuthenticationFetch</var>, and true.
  </ol>

 <li><p>If <var>isAuthenticationFetch</var> is true, then create an <a>authentication entry</a> for
 <var>request</var> and the given realm.

 <li><p>Return <var>response</var>. <span class="note no-backref">Typically
 <var>response</var>'s <a for=response>body</a>'s
 <a for=body>stream</a> is still being enqueued to after returning.</span>
</ol>


<h3 id=http-network-fetch>HTTP-network fetch</h3>

<p>To <dfn id=concept-http-network-fetch>HTTP-network fetch</dfn>, given a <a for=/>fetch params</a>
<var>fetchParams</var>, an optional boolean <var>includeCredentials</var> (default false), and an
optional boolean <var>forceNewConnection</var> (default false), run these steps:

<ol>
 <li><p>Let <var>request</var> be <var>fetchParams</var>'s <a for="fetch params">request</a>.

 <li><p>Let <var>response</var> be null.

 <li><p>Let <var>timingInfo</var> be <var>fetchParams</var>'s <a for="fetch params">timing info</a>.

 <li><p>Let <var>httpCache</var> be the result of <a>determining the HTTP cache partition</a>, given
 <var>httpRequest</var>.

 <li><p>If <var>httpCache</var> is null, then set <var>request</var>'s <a for=request>cache mode</a>
 to "<code>no-store</code>".

 <li><p>Let <var>networkPartitionKey</var> be the result of
 <a for=request>determining the network partition key</a> given <var>request</var>.

 <li>
  <p>Switch on <var>request</var>'s <a for=request>mode</a>:

  <dl>
   <dt>"<code>websocket</code>"
   <dd><p>Let <var>connection</var> be the result of
   <a lt="obtain a WebSocket connection">obtaining a WebSocket connection</a>, given
   <var>request</var>'s <a for=request>current URL</a>.

   <dt>Otherwise
   <dd><p>Let <var>connection</var> be the result of
   <a lt="obtain a connection">obtaining a connection</a>, given <var>networkPartitionKey</var>,
   <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>,
   <var>includeCredentials</var>, and <var>forceNewConnection</var>.
  </dl>

 <li>
  <p>Run these steps, but <a>abort when</a> the ongoing fetch is <a for=fetch>terminated</a>:

  <ol>
   <li><p>If <var>connection</var> is failure, then return a <a>network error</a>.

   <li><p>Set <var>timingInfo</var>'s <a for="fetch timing info">final connection timing info</a> to
   the result of calling <a>clamp and coarsen connection timing info</a> with
   <var>connection</var>'s <a for=connection>timing info</a>, <var>timingInfo</var>'s
   <a for="fetch timing info">post-redirect start time</a>, and <var>fetchParams</var>'s
   <a for="fetch params">cross-origin isolated capability</a>.

   <li><p>If <var>connection</var> is not an HTTP/2 connection, <var>request</var>'s
   <a for=request>body</a> is non-null, and <var>request</var>'s <a for=request>body</a>'s
   <a for=body>source</a> is null, then <a for="header list">append</a>
   `<code>Transfer-Encoding</code>`/`<code>chunked</code>` to <var>request</var>'s
   <a for=request>header list</a>.

   <li>Set <var>timingInfo</var>'s <a for="fetch timing info">final network-request start time</a>
   to the <a for=/>coarsened shared current time</a> given <var>fetchParams</var>'s
   <a for="fetch params">cross-origin isolated capability</a>.

   <li>
    <p>Set <var>response</var> to the result of making an HTTP request over <var>connection</var>
    using <var>request</var> with the following caveats:

    <ul>
     <li><p>Follow the relevant requirements from HTTP. [[!HTTP]] [[!HTTP-SEMANTICS]] [[!HTTP-COND]] [[!HTTP-CACHING]] [[!HTTP-AUTH]]

     <li>
      <p>If <var>request</var>'s <a for=request>body</a> is non-null, and <var>request</var>'s
      <a for=request>body</a>'s <a for=body>source</a> is null, then the user agent may have a
      buffer of up to 64 kibibytes and store a part of <var>request</var>'s <a for=request>body</a>
      in that buffer. If the user agent reads from <var>request</var>'s <a for=request>body</a>
      beyond that buffer's size and the user agent needs to resend <var>request</var>, then instead
      return a <a>network error</a>.

      <div class=note>
       <p>The resending is needed when the connection is timed out, for example.

       <p>The buffer is not needed when <var>request</var>'s <a for=request>body</a>'s
       <a for=body>source</a> is non-null, because <var>request</var>'s <a for=request>body</a> can
       be recreated from it.

       <p>When <var>request</var>'s <a for=request>body</a>'s <a for=body>source</a> is null, it
       means <a for=request>body</a> is created from a {{ReadableStream}} object, which means
       <a for=request>body</a> cannot be recreated and that is why the buffer is needed.
      </div>

     <li><p>Set <var>timingInfo</var>'s
     <a for="fetch timing info">final network-response start time</a> to the
     <a for=/>coarsened shared current time</a> given <var>fetchParams</var>'s
     <a for="fetch params">cross-origin isolated capability</a>, immediately after the user agent's
     HTTP parser receives the first byte of the response (e.g., frame header bytes for HTTP/2 or
     response status line for HTTP/1.x).

     <li><p>Wait until all the <a for=/>headers</a> are transmitted.

     <li>
      <p>Any <a for=/>responses</a> whose <a for=response>status</a> is in the range 100 to 199,
      inclusive, and is not 101, are to be ignored, except for the purposes of setting
      <var>timingInfo</var>'s <a for="fetch timing info">final network-response start time</a> above.

      <p class="note no-backref">These kind of <a for=/>responses</a> are eventually followed by a
      "final" <a for=/>response</a>.
    </ul>

    <p class=note>The exact layering between Fetch and HTTP still needs to be sorted through and
    therefore <var>response</var> represents both a <a for=/>response</a> and
    an HTTP response here.

    <p>If <var>request</var>'s <a for=request>header list</a> contains
    `<code>Transfer-Encoding</code>`/`<code>chunked</code>` and <var>response</var> is transferred
    via HTTP/1.0 or older, then return a <a>network error</a>.

    <p>If the HTTP request results in a TLS client certificate dialog, then:

    <ol>
     <li><p>If <var>request</var>'s <a for=request>window</a>
     is an <a>environment settings object</a>, make the dialog
     available in <var>request</var>'s
     <a for=request>window</a>.

     <li><p>Otherwise, return a <a>network error</a>.
    </ol>

    <p>To transmit <var>request</var>'s <a for=request>body</a> <var>body</var>, run these steps:

    <ol>
     <li><p>If <var>body</var> is null and <var>fetchParams</var>'s
     <a for="fetch params">process request end-of-body</a> is non-null, then
     <a>queue a fetch task</a> given <var>fetchParams</var>'s
     <a for="fetch params">process request end-of-body</a> and <var>fetchParams</var>'s
     <a for="fetch params">task destination</a>.

     <li>
      <p>Otherwise, if <var>body</var> is non-null:

      <ol>
       <li>
        <p>Let <var>processBodyChunk</var> given <var>bytes</var> be these steps:

        <ol>
         <li><p>If the ongoing fetch is <a for=fetch>terminated</a>, then abort these steps.

         <li><p>Run this step <a>in parallel</a>: transmit <var>bytes</var>.

         <li><p>If <var>fetchParams</var>'s <a for="fetch params">process request body</a> is
         non-null, then run <var>fetchParams</var>'s <a for="fetch params">process request body</a>
         given <var>bytes</var>'s <a for="byte sequence">length</a>.
        </ol>

       <li>
        <p>Let <var>processEndOfBody</var> be these steps:

        <ol>
         <li><p>If the ongoing fetch is <a for=fetch>terminated</a>, then abort these steps.

         <li><p>If <var>fetchParams</var>'s <a for="fetch params">process request end-of-body</a> is
         non-null, then run <var>fetchParams</var>'s
         <a for="fetch params">process request end-of-body</a>.
        </ol>

       <li>
        <p>Let <var>processBodyError</var> given <var>e</var> be these steps:

        <ol>
         <li><p>If the ongoing fetch is <a for=fetch>terminated</a>, then abort these steps.

         <li><p>If <var>e</var> is an "<code><a exception>AbortError</a></code>" {{DOMException}},
         then <a lt=terminated for=fetch>terminate</a> the ongoing fetch with the aborted flag set.

         <li><p>Otherwise, <a lt=terminated for=fetch>terminate</a> the ongoing fetch.
        </ol>

       <li><p><a for=body>Incrementally read</a> <var>request</var>'s <a for=request>body</a> given
       <var>processBodyChunk</var>, <var>processEndOfBody</var>, <var>processBodyError</var>, and
       <var>fetchParams</var>'s <a for="fetch params">task destination</a>.
       <!-- This obtains a reader in parallel, but it's mostly fine since we already proxied the
            input stream as part of the Request constructor. -->
      </ol>
    </ol>
    <!-- In implementations to date this always happens before a response is processed. -->
  </ol>

 <li>
  <p><a>If aborted</a>, then:

  <ol>
   <li><p>Let <var>aborted</var> be the termination's aborted flag.

   <li><p>If <var>connection</var> uses HTTP/2, then transmit an <code>RST_STREAM</code> frame.

   <li><p>If <var>aborted</var> is set, then return an <a>aborted network error</a>.

   <li><p>Return a <a>network error</a>.
  </ol>

 <li><p>Let <var>pullAlgorithm</var> be an action that <a lt=resumed for=fetch>resumes</a> the
 ongoing fetch if it is <a lt=suspend for=fetch>suspended</a>.

 <li><p>Let <var>cancelAlgorithm</var> be an action that <a lt=terminated for=fetch>terminates</a>
 the ongoing fetch with the aborted flag set.

 <li><p>Let <var>highWaterMark</var> be a non-negative, non-NaN number, chosen by the user agent.

 <li><p>Let <var>sizeAlgorithm</var> be an algorithm that accepts a <a>chunk</a> object and returns
 a non-negative, non-NaN, non-infinite number, chosen by the user agent.

 <li><p>Let <var>stream</var> be a <a>new</a> {{ReadableStream}}.

 <li><p><a for=ReadableStream>Set up</a> <var>stream</var> with
 <a for="ReadableStream/set up"><var>pullAlgorithm</var></a> set to <var>pullAlgorithm</var>,
 <a for="ReadableStream/set up"><var>cancelAlgorithm</var></a> set to <var>cancelAlgorithm</var>,
 <a for="ReadableStream/set up"><var>highWaterMark</var></a> set to <var>highWaterMark</var>, and
 <a for="ReadableStream/set up"><var>sizeAlgorithm</var></a> set to <var>sizeAlgorithm</var>.

 <li>
  <p>Run these steps, but <a>abort when</a> the ongoing fetch is <a for=fetch>terminated</a>:

  <ol>
   <li><p>Set <var>response</var>'s <a for=response>body</a> to a new
   <a for=/>body</a> whose <a for=body>stream</a> is
   <var>stream</var>.

   <li><p>If <var>response</var> is not a <a>network error</a> and <var>request</var>'s
   <a for=request>cache mode</a> is not "<code>no-store</code>", then update <var>response</var> in
   <var>httpCache</var> for <var>request</var>.

   <li>
    <p>If <var>includeCredentials</var> is true and the user agent is not configured to block
    cookies for <var>request</var> (see
    <a href=https://datatracker.ietf.org/doc/html/rfc6265#section-7>section 7</a> of [[!COOKIES]]),
    then run the "set-cookie-string" parsing algorithm (see
    <a href=https://datatracker.ietf.org/doc/html/rfc6265#section-5.2>section 5.2</a> of
    [[!COOKIES]]) on the <a for=header>value</a> of each <var>header</var> whose
    <a for=header>name</a> is a <a>byte-case-insensitive</a> match for `<code>Set-Cookie</code>` in
    <var>response</var>'s <a for=response>header list</a>, if any, and <var>request</var>'s
    <a for=request>current URL</a>.

    <p class=note>This is a fingerprinting vector.
  </ol>

 <li>
  <p><a>If aborted</a>, then:

  <ol>
   <li><p>Let <var>aborted</var> be the termination's aborted flag.

   <li><p>If <var>aborted</var> is set, then set <var>response</var>'s
   <a for=response>aborted flag</a>.

   <li><p>Return <var>response</var>.
  </ol>

 <li>
  <p>Run these steps <a>in parallel</a>:

  <ol>
   <li>
    <p>Run these steps, but <a>abort when</a> the ongoing fetch is <a for=fetch>terminated</a>:

    <ol>
     <li>
      <p>While true:

      <ol>
       <li>
        <p>If one or more bytes have been transmitted from <var>response</var>'s message body, then:

        <ol>
         <li><p>Let <var>bytes</var> be the transmitted bytes.

         <li><p>Let <var>codings</var> be the result of <a>extracting header list values</a> given
         `<code>Content-Encoding</code>` and <var>response</var>'s <a for=response>header list</a>.

         <li><p>Increase <var>timingInfo</var>'s <a for="fetch timing info">encoded body size</a>
         by <var>bytes</var>'s <a for="byte sequence">length</a>.

         <li>
          <p>Set <var>bytes</var> to the result of <a lt="handle content codings">handling content
          codings</a> given <var>codings</var> and <var>bytes</var>.

          <p class="note no-backref">This makes the `<code>Content-Length</code>` <a for=/>header</a>
          unreliable to the extent that it was reliable to begin with.

         <li><p>Increase <var>timingInfo</var>'s <a for="fetch timing info">decoded body size</a> by
         <var>bytes</var>'s <a for="byte sequence">length</a>.

         <li><p>If <var>bytes</var> is failure, then <a lt=terminated for=fetch>terminate</a> the
         ongoing fetch.

         <li><p><a for=ReadableStream>Enqueue</a> a {{Uint8Array}} wrapping an {{ArrayBuffer}}
         containing <var>bytes</var> into <var>stream</var>.

         <li><p>If <var>stream</var> is <a for=ReadableStream>errored</a>, then
         <a lt=terminated for=fetch>terminate</a> the ongoing fetch.

         <li><p>If <var>stream</var> doesn't <a for=ReadableStream>need more data</a> ask the user
         agent to <a for=fetch>suspend</a> the ongoing fetch.
        </ol>

       <li><p>Otherwise, if the bytes transmission for <var>response</var>'s message body is done
       normally and <var>stream</var> is <a for=ReadableStream>readable</a>, then
       <a for=ReadableStream>close</a> <var>stream</var>, <a for=/>finalize response</a> for
       <var>fetchParams</var> and <var>response</var>, and abort these in-parallel steps.
      </ol>
    </ol>

   <li>
    <p><a>If aborted</a>, then:

    <ol>
     <li><a for=/>Finalize response</a> for <var>fetchParams</var> and <var>response</var>.

     <li><p>Let <var>aborted</var> be the termination's aborted flag.

     <li>
      <p>If <var>aborted</var> is set, then:

      <ol>
       <li><p>Set <var>response</var>'s <a for=response>aborted flag</a>.

       <li><p>If <var>stream</var> is <a for=ReadableStream>readable</a>,
       <a for=ReadableStream>error</a> <var>stream</var> with an
       "<code><a exception>AbortError</a></code>" {{DOMException}}.
      </ol>

     <li><p>Otherwise, if <var>stream</var> is <a for=ReadableStream>readable</a>,
     <a for=ReadableStream>error</a> <var>stream</var> with a {{TypeError}}.

     <li><p>If <var>connection</var> uses HTTP/2, then transmit an <code>RST_STREAM</code> frame.

     <li>
      <p>Otherwise, the user agent should close <var>connection</var> unless it would be bad for
      performance to do so.

      <p class=note>For instance, the user agent could keep the connection open if it knows there's
      only a few bytes of transfer remaining on a reusable connection. In this case it could be
      worse to close the connection and go through the handshake process again for the next fetch.
    </ol>
  </ol>

  <p class="note no-backref">These are run <a>in parallel</a> as at this point it is unclear whether
  <var>response</var>'s <a for=response>body</a> is relevant (<var>response</var> might be a
  redirect).

 <li><p>Return <var>response</var>. <span class="note no-backref">Typically <var>response</var>'s
 <a for=response>body</a>'s <a for=body>stream</a> is still being enqueued to after
 returning.</span>
</ol>


<h3 id=cors-preflight-fetch>CORS-preflight fetch</h3>

<p class="note no-backref">This is effectively the user agent implementation of the check to see if
the <a>CORS protocol</a> is understood. The so-called <a>CORS-preflight request</a>. If
successful it populates the <a>CORS-preflight cache</a> to minimize the
number of these <a lt="CORS-preflight fetch">fetches</a>.

<p>To <dfn id=cors-preflight-fetch-0>CORS-preflight fetch</dfn>, given a <a for=/>request</a>
<var>request</var>, run these steps:

<ol>
 <li>
  <p>Let <var>preflight</var> be a new <a for=/>request</a> whose
  <a for=request>method</a> is `<code>OPTIONS</code>`,
  <a for=request>URL</a> is <var>request</var>'s <a for=request>current URL</a>,
  <a for=request>initiator</a> is <var>request</var>'s <a for=request>initiator</a>,
  <a for=request>destination</a> is <var>request</var>'s <a for=request>destination</a>,
  <a for=request>origin</a> is <var>request</var>'s <a for=request>origin</a>,
  <a for=request>referrer</a> is <var>request</var>'s <a for=request>referrer</a>,
  <a for=request>referrer policy</a> is <var>request</var>'s <a for=request>referrer policy</a>,
  <a for=request>mode</a> is "<code>cors</code>",
  <a for=request>tainted origin flag</a> is <var>request</var>'s
  <a for=request>tainted origin flag</a>, and
  <a for=request>response tainting</a> is "<code>cors</code>".

  <p class="note no-backref">The <a for=request>service-workers mode</a> of <var>preflight</var>
  does not matter as this algorithm uses <a>HTTP-network-or-cache fetch</a> rather than
  <a>HTTP fetch</a>.

 <li><p><a for="header list">Append</a> `<code>Accept</code>`/`<code>*/*</code>` to
 <var>preflight</var>'s <a for=request>header list</a>.

 <li><p><a for="header list">Append</a>
 `<a http-header><code>Access-Control-Request-Method</code></a>`/<var>request</var>'s
 <a for=request>method</a> to <var>preflight</var>'s <a for=request>header list</a>.

 <li><p>Let <var>headers</var> be the <a>CORS-unsafe request-header names</a> with
 <var>request</var>'s <a for=request>header list</a>.

 <li>
  <p>If <var>headers</var> <a for=list>is not empty</a>, then:

  <ol>
   <li><p>Let <var>value</var> be the items in <var>headers</var> separated from each other by
   `<code>,</code>`.

   <li><p><a for="header list">Append</a>
   `<a http-header><code>Access-Control-Request-Headers</code></a>`/<var>value</var> to
   <var>preflight</var>'s <a for=request>header list</a>.
  </ol>

  <p class=note>This intentionally does not use <a for="header list">combine</a>, as 0x20 following
  0x2C is not the way this was implemented, for better or worse.

 <li><p>Let <var>response</var> be the result of running <a>HTTP-network-or-cache fetch</a> given
 a new <a for=/>fetch params</a> whose <a for="fetch params">request</a> is <var>preflight</var>.

 <li>
  <p>If a <a>CORS check</a> for <var>request</var> and <var>response</var> returns success and
  <var>response</var>'s <a for=response>status</a> is an <a>ok status</a>, then:
  <!-- CORS said 200 here but nobody implemented that:
       https://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0078.html -->

  <p class="note no-backref">The <a>CORS check</a> is done on <var>request</var> rather than
  <var>preflight</var> to ensure the correct <a for=request>credentials mode</a> is used.

  <ol>
   <li><p>Let <var>methods</var> be the result of <a>extracting header list values</a> given
   `<a http-header><code>Access-Control-Allow-Methods</code></a>` and <var>response</var>'s
   <a for=response>header list</a>.

   <li><p>Let <var>headerNames</var> be the result of <a>extracting header list values</a> given
   `<a http-header><code>Access-Control-Allow-Headers</code></a>` and <var>response</var>'s
   <a for=response>header list</a>.

   <li><p>If either <var>methods</var> or <var>headerNames</var> is failure,
   return a <a>network error</a>.

   <li>
    <p>If <var>methods</var> is null and <var>request</var>'s <a>use-CORS-preflight flag</a>
    is set, then set <var>methods</var> to a new list containing <var>request</var>'s
    <a for=request>method</a>.

    <p class="note no-backref">This ensures that a <a>CORS-preflight fetch</a> that
    happened due to <var>request</var>'s <a>use-CORS-preflight flag</a> being set is
    <a lt="CORS-preflight cache">cached</a>.

   <li><p>If <var>request</var>'s <a for=request>method</a> is not in <var>methods</var>,
   <var>request</var>'s <a for=request>method</a> is not a <a>CORS-safelisted method</a>, and
   <var>request</var>'s <a for=request>credentials mode</a> is "<code>include</code>" or
   <var>methods</var> does not contain `<code>*</code>`, then return a <a>network error</a>.

   <li><p>If one of <var>request</var>'s <a for=request>header list</a>'s
   <a lt=name for=header>names</a> is a <a>CORS non-wildcard request-header name</a> and is not a
   <a>byte-case-insensitive</a> match for an <a for=list>item</a> in <var>headerNames</var>, then
   return a <a>network error</a>.

   <li><p><a for=list>For each</a> <var>unsafeName</var> in the
   <a>CORS-unsafe request-header names</a> with <var>request</var>'s
   <a for=request>header list</a>, if <var>unsafeName</var> is not a <a>byte-case-insensitive</a>
   match for an <a for=list>item</a> in <var>headerNames</var> and <var>request</var>'s
   <a for=request>credentials mode</a> is "<code>include</code>" or <var>headerNames</var> does not
   contain `<code>*</code>`, return a <a>network error</a>.

   <li><p>Let <var>max-age</var> be the result of <a>extracting header list values</a> given
   `<a http-header><code>Access-Control-Max-Age</code></a>` and <var>response</var>'s
   <a for=response>header list</a>.

   <li><p>If <var>max-age</var> is failure or null, then set <var>max-age</var> to 5.

   <li><p>If <var>max-age</var> is greater than an imposed limit on
   <a for="cache entry">max-age</a>, then set <var>max-age</var> to the imposed limit.

   <li><p>If the user agent does not provide for a <a lt="CORS-preflight cache">cache</a>, then
   return <var>response</var>.

   <li><p>For each <var>method</var> in <var>methods</var> for which there is a
   <a>method cache entry match</a> using <var>request</var>, set matching entry's
   <a for="cache entry">max-age</a> to <var>max-age</var>.

   <li><p>For each <var>method</var> in <var>methods</var> for which there is no
   <a>method cache entry match</a> using <var>request</var>, <a>create a new cache entry</a> with
   <var>request</var>, <var>max-age</var>, <var>method</var>, and null.

   <li><p>For each <var>headerName</var> in <var>headerNames</var> for which there is a
   <a>header-name cache entry match</a> using <var>request</var>, set matching entry's
   <a for="cache entry">max-age</a> to <var>max-age</var>.

   <li><p>For each <var>headerName</var> in <var>headerNames</var> for which there is no
   <a>header-name cache entry match</a> using <var>request</var>, <a>create a new cache entry</a>
   with <var>request</var>, <var>max-age</var>, null, and <var>headerName</var>.

   <li><p>Return <var>response</var>.
  </ol>

 <li><p>Otherwise, return a <a>network error</a>.
</ol>


<h3 id=cors-preflight-cache>CORS-preflight cache</h3>

<p>A user agent has an associated <a>CORS-preflight cache</a>. A
<dfn id=concept-cache>CORS-preflight cache</dfn> is a <a for=/>list</a> of <a>cache entries</a>.

<p>A <dfn>cache entry</dfn> consists of:

<ul class=brief>
 <li><dfn id=concept-cache-key for="cache entry">key</dfn> (a <a for=/>network partition key</a>)
 <li><dfn id=concept-cache-origin for="cache entry">byte-serialized origin</dfn> (a
 <a for=/>byte sequence</a>)
 <li><dfn id=concept-cache-url for="cache entry">URL</dfn> (a <a for=/>URL</a>)
 <li><dfn id=concept-cache-max-age for="cache entry">max-age</dfn> (a number of seconds)
 <li><dfn id=concept-cache-credentials for="cache entry">credentials</dfn> (a boolean)
 <li><dfn id=concept-cache-method for="cache entry">method</dfn> (null, `<code>*</code>`, or a
 <a for=/>method</a>)
 <li><dfn id=concept-cache-header-name for="cache entry">header name</dfn> (null, `<code>*</code>`,
 or a <a for=/>header</a> <a for=header>name</a>)
</ul>

<p><a>Cache entries</a> must be removed after the seconds specified in their
<a for="cache entry">max-age</a> field have passed since storing the entry. <a>Cache entries</a> may
be removed before that moment arrives.

<p>To <dfn id=concept-cache-create-entry>create a new cache entry</dfn>, given <var>request</var>,
<var>max-age</var>, <var>method</var>, and <var>headerName</var>, run these steps:

<ol>
 <li>
  <p>Let <var>entry</var> be a <a>cache entry</a>, initialized as follows:

  <dl>
   <dt><a for="cache entry">key</a>
   <dd><p>The result of <a for=request>determining the network partition key</a> given
   <var>request</var>

   <dt><a for="cache entry">byte-serialized origin</a>
   <dd><p>The result of <a>byte-serializing a request origin</a> with <var>request</var>

   <dt><a for="cache entry">URL</a>
   <dd><p><var>request</var>'s <a for=request>current URL</a>

   <dt><a for="cache entry">max-age</a>
   <dd><p><var>max-age</var>

   <dt><a for="cache entry">credentials</a>
   <dd><p>True if <var>request</var>'s <a for=request>credentials mode</a> is
   "<code>include</code>", and false otherwise

   <dt><a for="cache entry">method</a>
   <dd><p><var>method</var>

   <dt><a for="cache entry">header name</a>
   <dd><p><var>headerName</var>
  </dl>

 <li><p><a for=list>Append</a> <var>entry</var> to the user agent's <a>CORS-preflight cache</a>.
</ol>

<p>To <dfn id=concept-cache-clear>clear cache entries</dfn>, given a <var>request</var>,
<a for=list>remove</a> any <a>cache entries</a> in the user agent's <a>CORS-preflight cache</a>
whose <a for="cache entry">key</a> is the result of
<a for=request>determining the network partition key</a> given <var>request</var>,
<a for="cache entry">byte-serialized origin</a> is the result of
<a>byte-serializing a request origin</a> with <var>request</var>, and <a for="cache entry">URL</a>
is <var>request</var>'s <a for=request>current URL</a>.

<p>There is a <dfn id=concept-cache-match>cache entry match</dfn> for a <a>cache entry</a>
<var>entry</var> with <var>request</var> if <var>entry</var>'s <a for="cache entry">key</a> is the
result of <a for=request>determining the network partition key</a> given <var>request</var>,
<var>entry</var>'s <a for="cache entry">byte-serialized origin</a> is the result of
<a>byte-serializing a request origin</a> with <var>request</var>, <var>entry</var>'s
<a for="cache entry">URL</a> is <var>request</var>'s <a for=request>current URL</a>, and one of

<ul class=brief>
 <li><var>entry</var>'s <a for="cache entry">credentials</a> is true
 <li><var>entry</var>'s <a for="cache entry">credentials</a> is false and <var>request</var>'s
 <a for=request>credentials mode</a> is not "<code>include</code>".
</ul>

<p>is true.

<p>There is a <dfn id=concept-cache-match-method>method cache entry match</dfn> for
<var>method</var> using <var>request</var> when there is a <a>cache entry</a> in the user agent's
<a>CORS-preflight cache</a> for which there is a <a>cache entry match</a> with <var>request</var>
and its <a for="cache entry">method</a> is <var>method</var> or `<code>*</code>`.

<p>There is a <dfn id=concept-cache-match-header>header-name cache entry match</dfn> for
<var>headerName</var> using <var>request</var> when there is a <a>cache entry</a> in the user
agent's <a>CORS-preflight cache</a> for which there is a <a>cache entry match</a> with
<var>request</var> and one of

<ul class=brief>
 <li>its <a for="cache entry">header name</a> is a <a>byte-case-insensitive</a> match for
 <var>headerName</var>
 <li>its <a for="cache entry">header name</a> is `<code>*</code>` and <var>headerName</var> is not
 a <a>CORS non-wildcard request-header name</a>
</ul>

<p>is true.


<h3 id=cors-check>CORS check</h3>

<p>To perform a <dfn id=concept-cors-check>CORS check</dfn> for a <var>request</var> and
<var>response</var>, run these steps:

<ol>
 <li><p>Let <var>origin</var> be the result of <a for="header list">getting</a>
 `<a http-header><code>Access-Control-Allow-Origin</code></a>` from <var>response</var>'s
 <a for=response>header list</a>.

 <li>
  <p>If <var>origin</var> is null, then return failure.

  <p class=note>Null is not `<code>null</code>`.

 <li><p>If <var>request</var>'s <a for=request>credentials mode</a> is not "<code>include</code>"
 and <var>origin</var> is `<code>*</code>`, then return success.

 <li><p>If the result of <a>byte-serializing a request origin</a> with <var>request</var> is not
 <var>origin</var>, then return failure.

 <li><p>If <var>request</var>'s <a for=request>credentials mode</a> is not "<code>include</code>",
 then return success.

 <li><p>Let <var>credentials</var> be the result of <a for="header list">getting</a>
 `<a http-header><code>Access-Control-Allow-Credentials</code></a>` from <var>response</var>'s
 <a for=response>header list</a>.

 <li><p>If <var>credentials</var> is `<code>true</code>`, then return success.

 <li><p>Return failure.
</ol>


<h3 id=tao-check>TAO check</h3>

<p>To perform a <dfn id=concept-tao-check>TAO check</dfn> for a <var>request</var> and
<var>response</var>, run these steps:

<ol>
 <li><p>If <var>request</var>'s <a for=request>timing allow failed flag</a> is set, then return
 failure.

 <li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>basic</code>", then
 return success.

 <li><p>Let <var>values</var> be the result of
 <a for="header list">getting, decoding, and splitting</a> `<code>Timing-Allow-Origin</code>` from
 <var>response</var>'s <a for=response>header list</a>.

 <li><p>If <var>values</var> <a for=list>contains</a> "<code>*</code>", then return success.

 <li><p>If <var>values</var> <a for=list>contains</a> the result of
 <a>serializing a request origin</a> with <var>request</var>, then return success.

 <li><p>Return failure.
</ol>



<h2 id=fetch-api>Fetch API</h2>

<p class=no-backref>The <a method><code>fetch()</code></a> method is relatively low-level API for
<a lt=fetch for=/>fetching</a> resources. It covers slightly more ground than {{XMLHttpRequest}},
although it is currently lacking when it comes to request progression (not response progression).

<div id=fetch-blob-example class="example no-backref">
 <p>The <a method><code>fetch()</code></a> method makes it quite straightforward to
 <a for=/>fetch</a> a resource and extract its contents as a {{Blob}}:

 <pre><code class=lang-javascript>
fetch("/music/pk/altes-kamuffel.flac")
  .then(res => res.blob()).then(playBlob)
</code></pre>

 <p>If you just care to log a particular response header:

 <pre><code class=lang-javascript>
fetch("/", {method:"HEAD"})
  .then(res => log(res.headers.get("strict-transport-security")))
</code></pre>

 <p>If you want to check a particular response header and then process the response of a
 cross-origin resource:

 <pre><code class=lang-javascript>
fetch("https://pk.example/berlin-calling.json", {mode:"cors"})
  .then(res => {
    if(res.headers.get("content-type") &amp;&amp;
       res.headers.get("content-type").toLowerCase().indexOf("application/json") >= 0) {
      return res.json()
    } else {
      throw new TypeError()
    }
  }).then(processJSON)
</code></pre>

 <p>If you want to work with URL query parameters:

 <pre><code class=lang-javascript>
var url = new URL("https://geo.example.org/api"),
    params = {lat:35.696233, long:139.570431}
Object.keys(params).forEach(key => url.searchParams.append(key, params[key]))
fetch(url).then(/* … */)
</code></pre>

 <p>If you want to receive the body data progressively:

 <pre><code class=lang-javascript>
function consume(reader) {
  var total = 0
  return pump()
  function pump() {
    return reader.read().then(({done, value}) => {
      if (done) {
        return
      }
      total += value.byteLength
      log(`received ${value.byteLength} bytes (${total} bytes in total)`)
      return pump()
    })
  }
}

fetch("/music/pk/altes-kamuffel.flac")
  .then(res => consume(res.body.getReader()))
  .then(() => log("consumed the entire body without keeping the whole thing in memory!"))
  .catch(e => log("something went wrong: " + e))
</code></pre>
</div>


<h3 id=headers-class>Headers class</h3>

<pre class=idl>
typedef (sequence&lt;sequence&lt;ByteString>> or record&lt;ByteString, ByteString>) HeadersInit;

[Exposed=(Window,Worker)]
interface Headers {
  constructor(optional HeadersInit init);

  undefined append(ByteString name, ByteString value);
  undefined delete(ByteString name);
  ByteString? get(ByteString name);
  boolean has(ByteString name);
  undefined set(ByteString name, ByteString value);
  iterable&lt;ByteString, ByteString>;
};
</pre>

<p class=note>Unlike a <a for=/>header list</a>, a {{Headers}} object cannot represent more than one
`<code>Set-Cookie</code>` <a for=/>header</a>. In a way this is problematic as unlike all other
headers `<code>Set-Cookie</code>` headers cannot be combined, but since `<code>Set-Cookie</code>`
headers are not exposed to client-side JavaScript this is deemed an acceptable compromise.
Implementations could choose the more efficient {{Headers}} object representation even for a
<a for=/>header list</a>, as long as they also support an associated data structure for
`<code>Set-Cookie</code>` headers.

<p>A {{Headers}} object has an associated
<dfn export for=Headers id=concept-headers-header-list>header list</dfn> (a
<a for=/>header list</a>), which is initially empty. <span class=note>This
can be a pointer to the <a for=/>header list</a> of something else, e.g.,
of a <a for=/>request</a> as demonstrated by {{Request}}
objects.</span>

<p>A {{Headers}} object also has an associated
<dfn export for=Headers id=concept-headers-guard>guard</dfn>, which is a <dfn>headers guard</dfn>. A
<a for=/>headers guard</a> is "<code>immutable</code>", "<code>request</code>",
"<code>request-no-cors</code>", "<code>response</code>" or "<code>none</code>".

<hr>

<dl class=domintro>
 <dt><code><var>headers</var> = new <a constructor lt="Headers()">Headers</a>([<var>init</var>])</code>
 <dd>
  <p>Creates a new {{Headers}} object. <var>init</var> can be used to fill its internal header list,
  as per the example below.

  <div class=example id=example-headers-class>
   <pre><code class=lang-javascript>
const meta = { "Content-Type": "text/xml", "Breaking-Bad": "&lt;3" };
new Headers(meta);

// The above is equivalent to
const meta2 = [
  [ "Content-Type", "text/xml" ],
  [ "Breaking-Bad", "&lt;3" ]
];
new Headers(meta2);
</code></pre>
  </div>

 <dt><code><var>headers</var> . <a method for=Headers lt=append()>append</a>(<var>name</var>, <var>value</var>)</code>
 <dd><p>Appends a header to <var>headers</var>.

 <dt><code><var>headers</var> . <a method for=Headers lt=delete()>delete</a>(<var>name</var>)</code>
 <dd><p>Removes a header from <var>headers</var>.

 <dt><code><var>headers</var> . <a method for=Headers lt=get()>get</a>(<var>name</var>)</code>
 <dd><p>Returns as a string the values of all headers whose name is <var>name</var>, separated by a
 comma and a space.

 <dt><code><var>headers</var> . <a method for=Headers lt=has()>has</a>(<var>name</var>)</code>
 <dd><p>Returns whether there is a header whose name is <var>name</var>.

 <dt><code><var>headers</var> . <a method for=Headers lt=set()>set</a>(<var>name</var>, <var>value</var>)</code>
 <dd><p>Replaces the value of the first header whose name is <var>name</var> with <var>value</var>
 and removes any remaining headers whose name is <var>name</var>.

 <dt><code>for(const [<var>name</var>, <var>value</var>] of <var>headers</var>)</code>
 <dd><p><var>headers</var> can be iterated over.
</dl>

<hr>

<p>To <dfn export for=Headers id=concept-headers-append>append</dfn> a
<a for=header>name</a>/<a for=header>value</a>
<var>name</var>/<var>value</var> pair to a
{{Headers}} object (<var>headers</var>), run these steps:

<ol>
 <li><p><a lt=normalize for=header/value>Normalize</a> <var>value</var>.

 <li><p>If <var>name</var> is not a <a for=header>name</a> or <var>value</var> is not a
 <a for=header>value</a>, then <a>throw</a> a {{TypeError}}.

 <li><p>If <var>headers</var>'s <a for=Headers>guard</a> is "<code>immutable</code>", then
 <a>throw</a> a {{TypeError}}.

 <li><p>Otherwise, if <var>headers</var>'s <a for=Headers>guard</a> is "<code>request</code>" and
 <var>name</var> is a <a>forbidden header name</a>, return.

 <li>
  <p>Otherwise, if <var>headers</var>'s <a for=Headers>guard</a> is "<code>request-no-cors</code>":

  <ol>
   <li><p>Let <var>temporaryValue</var> be the result of <a for="header list">getting</a>
   <var>name</var> from <var>headers</var>'s <a for=Headers>header list</a>.

   <li><p>If <var>temporaryValue</var> is null, then set <var>temporaryValue</var> to
   <var>value</var>.

   <li><p>Otherwise, set <var>temporaryValue</var> to <var>temporaryValue</var>, followed by
   0x2C 0x20, followed by <var>value</var>.

   <li><p>If <var>name</var>/<var>temporaryValue</var> is not a
   <a>no-CORS-safelisted request-header</a>, then return.
  </ol>

 <li><p>Otherwise, if <var>headers</var>'s <a for=Headers>guard</a> is "<code>response</code>" and
 <var>name</var> is a <a>forbidden response-header name</a>, return.

 <li><p><a for="header list">Append</a> <var>name</var>/<var>value</var> to <var>headers</var>'s
 <a for=Headers>header list</a>.

 <li><p>If <var>headers</var>'s <a for=Headers>guard</a> is "<code>request-no-cors</code>", then
 <a for=Headers>remove privileged no-CORS request headers</a> from <var>headers</var>.
</ol>

<p>To <dfn export for=Headers id=concept-headers-fill>fill</dfn> a {{Headers}} object
<var>headers</var> with a given object <var>object</var>, run these steps:

<ol>
 <li>
  <p>If <var>object</var> is a <a>sequence</a>, then <a for=list>for each</a> <var>header</var> in
  <var>object</var>:

  <ol>
   <li><p>If <var>header</var> does not contain exactly two items, then <a>throw</a> a
   {{TypeError}}.

   <li><p><a lt=append for=Headers>Append</a> <var>header</var>'s first item/<var>header</var>'s
   second item to <var>headers</var>.
  </ol>

 <li><p>Otherwise, <var>object</var> is a <a for=/>record</a>, then <a for=map>for each</a>
 <var>key</var> → <var>value</var> in <var>object</var>, <a lt=append for=Headers>append</a>
 <var>key</var>/<var>value</var> to <var>headers</var>.
</ol>

<p>To
<dfn for=Headers id=concept-headers-remove-privileged-no-cors-request-headers>remove privileged no-CORS request headers</dfn>
from a {{Headers}} object (<var>headers</var>), run these steps:

<ol>
 <li><p><a for="list">For each</a> <var>headerName</var> of
 <a>privileged no-CORS request-header names</a>:

 <ol>
  <li><p><a for="header list">Delete</a> <var>headerName</var> from <var>headers</var>'s
  <a for=Headers>header list</a>.
 </ol>
</ol>

<p class=note>This is called when headers are modified by unprivileged code.

<p>The
<dfn id=dom-headers export for=Headers constructor lt="Headers(init)"><code>new Headers(<var>init</var>)</code></dfn>
constructor steps are:

<ol>
 <li><p>Set <a>this</a>'s <a for=Headers>guard</a> to "<code>none</code>".

 <li><p>If <var>init</var> is given, then <a for=Headers>fill</a> <a>this</a> with <var>init</var>.
</ol>

<p>The <dfn export for=Headers method><code>append(<var>name</var>, <var>value</var>)</code></dfn>
method steps are to <a for=Headers>append</a> <var>name</var>/<var>value</var> to <a>this</a>.

<p>The <dfn export for=Headers method><code>delete(<var>name</var>)</code></dfn> method steps are:

<ol>
 <li><p>If <var>name</var> is not a <a for=header>name</a>, then <a>throw</a> a {{TypeError}}.

 <li><p>If <a>this</a>'s <a for=Headers>guard</a> is "<code>immutable</code>", then <a>throw</a> a
 {{TypeError}}.

 <li><p>Otherwise, if <a>this</a>'s <a for=Headers>guard</a> is "<code>request</code>" and
 <var>name</var> is a <a>forbidden header name</a>, return.

 <li><p>Otherwise, if <a>this</a>'s <a for=Headers>guard</a> is "<code>request-no-cors</code>",
 <var>name</var> is not a <a>no-CORS-safelisted request-header name</a>, and <var>name</var> is not
 a <a>privileged no-CORS request-header name</a>, return.

 <li><p>Otherwise, if <a>this</a>'s <a for=Headers>guard</a> is "<code>response</code>" and
 <var>name</var> is a <a>forbidden response-header name</a>, return.

 <li><p>If <a>this</a>'s <a for=Headers>header list</a> does not <a for="header list">contain</a>
 <var>name</var>, then return.

 <li><p><a for="header list">Delete</a> <var>name</var> from <a>this</a>'s
 <a for=Headers>header list</a>.

 <li><p>If <a>this</a>'s <a for=Headers>guard</a> is "<code>request-no-cors</code>", then
 <a for=Headers>remove privileged no-CORS request headers</a> from <a>this</a>.
</ol>

<p>The <dfn export for=Headers method><code>get(<var>name</var>)</code></dfn> method steps are:

<ol>
 <li><p>If <var>name</var> is not a <a for=header>name</a>, then <a>throw</a> a {{TypeError}}.

 <li><p>Return the result of <a for="header list">getting</a> <var>name</var> from <a>this</a>'s
 <a for=Headers>header list</a>.
</ol>

<p>The <dfn export for=Headers method><code>has(<var>name</var>)</code></dfn> method steps are:

<ol>
 <li><p>If <var>name</var> is not a <a for=header>name</a>, then <a>throw</a> a {{TypeError}}.

 <li><p>Return true if <a>this</a>'s <a for=Headers>header list</a>
 <a for="header list">contains</a> <var>name</var>; otherwise false.
</ol>

<p>The <dfn export for=Headers method><code>set(<var>name</var>, <var>value</var>)</code></dfn>
method steps are:

<ol>
 <li><p><a lt=normalize for=header/value>Normalize</a> <var>value</var>.

 <li><p>If <var>name</var> is not a <a for=header>name</a> or <var>value</var> is not a
 <a for=header>value</a>, then <a>throw</a> a {{TypeError}}.

 <li><p>If <a>this</a>'s <a for=Headers>guard</a> is "<code>immutable</code>", then <a>throw</a> a
 {{TypeError}}.

 <li><p>Otherwise, if <a>this</a>'s <a for=Headers>guard</a> is "<code>request</code>" and
 <var>name</var> is a <a>forbidden header name</a>, return.

 <li><p>Otherwise, if <a>this</a>'s <a for=Headers>guard</a> is "<code>request-no-cors</code>" and
 <var>name</var>/<var>value</var> is not a <a>no-CORS-safelisted request-header</a>, return.

 <li><p>Otherwise, if <a>this</a>'s <a for=Headers>guard</a> is "<code>response</code>" and
 <var>name</var> is a <a>forbidden response-header name</a>, return.

 <li><p><a for="header list">Set</a> <var>name</var>/<var>value</var> in <a>this</a>'s
 <a for=Headers>header list</a>.

 <li><p>If <a>this</a>'s <a for=Headers>guard</a> is "<code>request-no-cors</code>", then
 <a for=Headers>remove privileged no-CORS request headers</a> from <a>this</a>.
</ol>

<p>The <a>value pairs to iterate over</a> are the return value of running
<a for="header list">sort and combine</a> with <a>this</a>'s <a for=Headers>header list</a>.


<h3 id=bodyinit-unions>BodyInit unions</h3>

<pre class=idl>
typedef (Blob or BufferSource or FormData or URLSearchParams or USVString) XMLHttpRequestBodyInit;

typedef (ReadableStream or XMLHttpRequestBodyInit) BodyInit;</pre>

<p>To <dfn for=BodyInit export>safely extract</dfn> a <a for=/>body</a> and a
`<code>Content-Type</code>` <a for=header>value</a> from a <a for=/>byte sequence</a> or
{{BodyInit}} object <var>object</var>, run these steps:

<ol>
 <li>
  <p>If <var>object</var> is a {{ReadableStream}} object, then:

  <ol>
   <li><p>Assert: <var>object</var> is neither <a for=ReadableStream>disturbed</a> nor
   <a for=ReadableStream>locked</a>.
  </ol>

 <li><p>Return the results of <a for=BodyInit>extracting</a> <var>object</var>.
</ol>

<p class="note no-backref">The <a for=BodyInit>safely extract</a> operation is a subset of the
<a for=BodyInit>extract</a> operation that is guaranteed to not throw an exception.

<p>To <dfn id=concept-bodyinit-extract for=BodyInit export>extract</dfn> a <a for=/>body</a> and a
`<code>Content-Type</code>` <a for=header>value</a> from a <a for=/>byte sequence</a> or
{{BodyInit}} object <var>object</var>, with an optional boolean
<dfn id=keepalive for=BodyInit/extract export><var>keepalive</var></dfn> (default false), run these
steps:

<ol>
 <li><p>Let <var>stream</var> be <var>object</var> if <var>object</var> is a {{ReadableStream}}
 object. Otherwise, let <var>stream</var> be a <a>new</a> {{ReadableStream}}, and
 <a for=ReadableStream>set up</a> <var>stream</var>.

 <li><p>Let <var>action</var> be null.

 <li><p>Let <var>source</var> be null.

 <li><p>Let <var>length</var> be null.

 <li><p>Let <var>Content-Type</var> be null.

 <li>
  <p>Switch on <var>object</var>:

  <dl class=switch>
   <dt>{{Blob}}
   <dd>
    <p>Set <var>action</var> to this step: read <var>object</var>.

    <p>Set <var>source</var> to <var>object</var>.

    <p>Set <var>length</var> to <var>object</var>'s {{Blob/size}}.

    <p>If <var>object</var>'s {{Blob/type}}
    attribute is not the empty byte sequence, set <var>Content-Type</var> to its value.
    <!-- Blob reading is not defined and blobs don't have an internal data model to poke at -->

   <dt><a for=/>byte sequence</a>
   <dd><p>Set <var>source</var> to <var>object</var>.

   <dt>{{BufferSource}}
   <dd><p>Set <var>source</var> to a <a lt="get a copy of the buffer source">copy of the bytes</a>
   held by <var>object</var>.

   <dt>{{FormData}}
   <dd>
    <p>Set <var>action</var> to this step: run the
    <a><code>multipart/form-data</code> encoding algorithm</a>, with <var>object</var>'s
    <a for=FormData>entry list</a> and <a>UTF-8</a>.

    <p>Set <var>source</var> to <var>object</var>.

    <p>Set <var>length</var> to <span class=XXX>unclear, see
    <a href="https://github.com/whatwg/html/issues/6424">html/6424</a> for improving this</span>.

    <p>Set <var>Content-Type</var> to `<code>multipart/form-data; boundary=</code>`, followed by the
    <a><code>multipart/form-data</code> boundary string</a> generated by the
    <a><code>multipart/form-data</code> encoding algorithm</a>.

   <dt>{{URLSearchParams}}
   <dd>
    <p>Set <var>source</var> to the result of running the
    <a lt="urlencoded serializer"><code>application/x-www-form-urlencoded</code> serializer</a> with
    <var>object</var>'s <a for=URLSearchParams>list</a>.

    <p>Set <var>Content-Type</var> to
    `<code>application/x-www-form-urlencoded;charset=UTF-8</code>`.

   <dt><a for=/>scalar value string</a>
   <dd>
    <p>Set <var>source</var> to the <a>UTF-8 encoding</a> of <var>object</var>.

    <p>Set <var>Content-Type</var> to `<code>text/plain;charset=UTF-8</code>`.

   <dt>{{ReadableStream}}
   <dd>
    <p>If <var>keepalive</var> is true, then <a>throw</a> a {{TypeError}}.

    <p>If <var>object</var> is <a for=ReadableStream>disturbed</a> or
    <a for=ReadableStream>locked</a>, then <a>throw</a> a {{TypeError}}.
  </dl>

 <li><p>If <var>source</var> is a <a for=/>byte sequence</a>, then set <var>action</var> to a step
 that returns <var>source</var> and <var>length</var> to <var>source</var>'s
 <a for="byte sequence">length</a>.

 <li>
  <p>If <var>action</var> is non-null, then run these steps in <a>in parallel</a>:

  <ol>
   <li>
    <p>Run <var>action</var>.

    <p>Whenever one or more bytes are available and <var>stream</var> is not
    <a for=ReadableStream>errored</a>, <a for=ReadableStream>enqueue</a> a {{Uint8Array}} wrapping
    an {{ArrayBuffer}} containing the available bytes into <var>stream</var>.

    <p>When running <var>action</var> is done, <a for=ReadableStream>close</a> <var>stream</var>.
  </ol>

 <li><p>Let <var>body</var> be a <a for=/>body</a> whose <a for=body>stream</a> is
 <var>stream</var>, <a for=body>source</a> is <var>source</var>, and <a for=body>length</a> is
 <var>length</var>.

 <li><p>Return <var>body</var> and <var>Content-Type</var>.
</ol>


<h3 id=body-mixin>Body mixin</h3>

<pre class=idl>
interface mixin Body {
  readonly attribute ReadableStream? body;
  readonly attribute boolean bodyUsed;
  [NewObject] Promise&lt;ArrayBuffer> arrayBuffer();
  [NewObject] Promise&lt;Blob> blob();
  [NewObject] Promise&lt;FormData> formData();
  [NewObject] Promise&lt;any> json();
  [NewObject] Promise&lt;USVString> text();
};</pre>

<p class=note>Formats you would not want a network layer to be dependent upon, such as
HTML, will likely not be exposed here. Rather, an HTML parser API might accept a stream in
due course.
<!-- https://lists.w3.org/Archives/Public/public-whatwg-archive/2014Jun/thread.html#msg72 -->

<p>Objects including the {{Body}} interface mixin need to define an associated
<dfn id=concept-body-mime-type for=Body>MIME type</dfn> algorithm which takes no arguments and
returns failure or a <a for=/>MIME type</a>.

<p>Objects including the {{Body}} interface mixin have an associated
<dfn id=concept-body-body for=Body>body</dfn> (null or a <a for=/>body</a>).

<p>An object including the {{Body}} interface mixin is said to be
<dfn export for=Body>unusable</dfn> if its <a for=Body>body</a> is non-null and its
<a for=Body>body</a>'s <a for=body>stream</a> is <a for=ReadableStream>disturbed</a> or
<a for=ReadableStream>locked</a>.

<hr>

<dl class=domintro>
 <dt><code><var>requestOrResponse</var> . <a attribute for=Body>body</a></code>
 <dd><p>Returns <var>requestOrResponse</var>'s body as {{ReadableStream}}.

 <dt><code><var>requestOrResponse</var> . <a attribute for=Body>bodyUsed</a></code>
 <dd><p>Returns whether <var>requestOrResponse</var>'s body has been read from.

 <dt><code><var>requestOrResponse</var> . <a method for=Body>arrayBuffer</a>()</code>
 <dd><p>Returns a promise fulfilled with <var>requestOrResponse</var>'s body as {{ArrayBuffer}}.

 <dt><code><var>requestOrResponse</var> . <a method for=Body>blob</a>()</code>
 <dd><p>Returns a promise fulfilled with <var>requestOrResponse</var>'s body as {{Blob}}.

 <dt><code><var>requestOrResponse</var> . <a method for=Body>formData</a>()</code>
 <dd><p>Returns a promise fulfilled with <var>requestOrResponse</var>'s body as {{FormData}}.

 <dt><code><var>requestOrResponse</var> . <a method for=Body>json</a>()</code>
 <dd><p>Returns a promise fulfilled with <var>requestOrResponse</var>'s body parsed as JSON.

 <dt><code><var>requestOrResponse</var> . <a method for=Body>text</a>()</code>
 <dd><p>Returns a promise fulfilled with <var>requestOrResponse</var>'s body as string.
</dl>

<hr>

<p>The <dfn attribute for=Body><code>body</code></dfn> getter steps are to return null if
<a>this</a>'s <a for=Body>body</a> is null; otherwise <a>this</a>'s <a for=Body>body</a>'s
<a for=body>stream</a>.

<p>The <dfn attribute for=Body><code>bodyUsed</code></dfn> getter steps are to return true if
<a>this</a>'s <a for=Body>body</a> is non-null and <a>this</a>'s <a for=Body>body</a>'s
<a for=body>stream</a> is <a for=ReadableStream>disturbed</a>; otherwise false.

<p>The <dfn id=concept-body-package-data for=Body>package data</dfn> algorithm, given
<var>bytes</var>, <var>type</var>, and a <var>mimeType</var>, switches on <var>type</var>, and runs
the associated steps:

<dl class=switch>
 <dt><i>ArrayBuffer</i>
 <dd>
  <p>Return a new {{ArrayBuffer}} whose contents are <var>bytes</var>.

  <p class=note>Allocating an {{ArrayBuffer}} can throw a {{RangeError}}.

 <dt><i>Blob</i>
 <dd><p>Return a {{Blob}} whose contents are <var>bytes</var> and {{Blob/type}} attribute is
 <var>mimeType</var>.

 <dt><i>FormData</i>
 <dd>
  <p>If <var>mimeType</var>'s <a for="MIME type">essence</a> is "<code>multipart/form-data</code>",
  then:

  <ol>
   <li>
    <p>Parse <var>bytes</var>, using the value of the `<code>boundary</code>` parameter from
    <var>mimeType</var>, per the rules set forth in
    <cite>Returning Values from Forms: multipart/form-data</cite>. [[!RFC7578]]</p>

    <p>Each part whose `<code>Content-Disposition</code>` header contains a `<code>filename</code>`
    parameter must be parsed into an <a for=FormData>entry</a> whose value is a {{File}} object
    whose contents are the contents of the part. The {{File/name}} attribute of the {{File}} object
    must have the value of the `<code>filename</code>` parameter of the part. The {{Blob/type}}
    attribute of the {{File}} object must have the value of the `<code>Content-Type</code>` header
    of the part if the part has such header, and `<code>text/plain</code>` (the default defined by
    [[!RFC7578]] section 4.4) otherwise.</p>

    <p>Each part whose `<code>Content-Disposition</code>` header does not contain a
    `<code>filename</code>` parameter must be parsed into an <a for=FormData>entry</a> whose value
    is the <a lt="UTF-8 decode without BOM">UTF-8 decoded without BOM</a> content of the part.
    <span class=note>This is done regardless of the presence or the value of a
    `<code>Content-Type</code>` header and regardless of the presence or the value of a
    `<code>charset</code>` parameter.</span></p>

    <p class=note>A part whose `<code>Content-Disposition</code>` header contains a
    `<code>name</code>` parameter whose value is `<code>_charset_</code>` is parsed like any other
    part. It does not change the encoding.</p>
   </li>

   <li><p>If that fails for some reason, then <a>throw</a> a {{TypeError}}.

   <li><p>Return a new {{FormData}} object, appending each <a for=FormData>entry</a>, resulting from
   the parsing operation, to <a for=FormData>entries</a>.
  </ol>

  <p class=XXX>The above is a rough approximation of what is needed for
  `<code>multipart/form-data</code>`, a more detailed parsing specification is to be
  written. Volunteers welcome.

  <p>Otherwise, if <var>mimeType</var>'s <a for="MIME type">essence</a> is
  "<code>application/x-www-form-urlencoded</code>", then:

  <ol>
   <li><p>Let <var>entries</var> be the result of
   <a lt="urlencoded parser">parsing</a> <var>bytes</var>.

   <li><p>If <var>entries</var> is failure, then <a>throw</a> a {{TypeError}}.

   <li><p>Return a new {{FormData}} object whose
   <a spec=xhr>entries</a> are <var>entries</var>.
  </ol>

  <p>Otherwise, <a>throw</a> a {{TypeError}}.

 <dt><i>JSON</i>
 <dd><p>Return the result of running <a>parse JSON from bytes</a> on <var>bytes</var>.

 <dt><i>text</i>
 <dd><p>Return the result of running <a>UTF-8 decode</a> on
 <var>bytes</var>.
</dl>

<p>The <dfn id=concept-body-consume-body for=Body>consume body</dfn> algorithm, given an
<var>object</var> and <var>type</var>, runs these steps:

<ol>
 <li><p>If <var>object</var> is <a for=Body>unusable</a>, then return <a>a promise rejected with</a>
 a {{TypeError}}.

 <li><p>Let <var>promise</var> be <a>a promise resolved with</a> an empty
 <a for=/>byte sequence</a>.

 <li><p>If <var>object</var>'s <a for=Body>body</a> is non-null, then set <var>promise</var> to the
 result of <a>fully reading body as promise</a> given <var>object</var>'s <a for=Body>body</a>.

 <li><p>Let <var>steps</var> be to return the result of <a>package data</a> with the first argument
 given, <var>type</var>, and <var>object</var>'s <a for=Body>MIME type</a>.

 <li><p>Return the result of <a>upon fulfillment</a> of <var>promise</var> given <var>steps</var>.
</ol>

<p>The <dfn method for=Body><code>arrayBuffer()</code></dfn> method steps are to return the result
of running <a for=Body>consume body</a> with <a>this</a> and <i>ArrayBuffer</i>.

<p>The <dfn method for=Body><code>blob()</code></dfn> method steps are to return the result of
running <a for=Body>consume body</a> with <a>this</a> and <i>Blob</i>.

<p>The <dfn method for=Body><code>formData()</code></dfn> method steps are to return the result of
running <a for=Body>consume body</a> with <a>this</a> and <i>FormData</i>.

<p>The <dfn method for=Body><code>json()</code></dfn> method steps are to return the result of
running <a for=Body>consume body</a> with <a>this</a> and <i>JSON</i>.

<p>The <dfn method for=Body><code>text()</code></dfn> method steps are to return the result of
running <a for=Body>consume body</a> with <a>this</a> and <i>text</i>.


<h3 id=request-class>Request class</h3>

<!-- No client member, see
  https://github.com/w3c/ServiceWorker/issues/318
  https://github.com/w3c/ServiceWorker/issues/575 -->

<pre class=idl>
typedef (Request or USVString) RequestInfo;

[Exposed=(Window,Worker)]
interface Request {
  constructor(RequestInfo input, optional RequestInit init = {});

  readonly attribute ByteString method;
  readonly attribute USVString url;
  [SameObject] readonly attribute Headers headers;

  readonly attribute RequestDestination destination;
  readonly attribute USVString referrer;
  readonly attribute ReferrerPolicy referrerPolicy;
  readonly attribute RequestMode mode;
  readonly attribute RequestCredentials credentials;
  readonly attribute RequestCache cache;
  readonly attribute RequestRedirect redirect;
  readonly attribute DOMString integrity;
  readonly attribute boolean keepalive;
  readonly attribute boolean isReloadNavigation;
  readonly attribute boolean isHistoryNavigation;
  readonly attribute AbortSignal signal;

  [NewObject] Request clone();
};
Request includes Body;

dictionary RequestInit {
  ByteString method;
  HeadersInit headers;
  BodyInit? body;
  USVString referrer;
  ReferrerPolicy referrerPolicy;
  RequestMode mode;
  RequestCredentials credentials;
  RequestCache cache;
  RequestRedirect redirect;
  DOMString integrity;
  boolean keepalive;
  AbortSignal? signal;
  any window; // can only be set to null
};

enum RequestDestination { "", "audio", "audioworklet", "document", "embed", "font", "frame", "iframe", "image", "manifest", "object", "paintworklet", "report", "script", "sharedworker", "style",  "track", "video", "worker", "xslt" };
enum RequestMode { "navigate", "same-origin", "no-cors", "cors" };
enum RequestCredentials { "omit", "same-origin", "include" };
enum RequestCache { "default", "no-store", "reload", "no-cache", "force-cache", "only-if-cached" };
enum RequestRedirect { "follow", "error", "manual" };
</pre>

<p class="note no-backref">"<code>serviceworker</code>" is omitted from
<a enum><code>RequestDestination</code></a> as it cannot be observed from JavaScript. Implementations
will still need to support it as a
<a for=request>destination</a>. "<code>websocket</code>" is
omitted from <a enum><code>RequestMode</code></a> as it cannot be used nor observed from JavaScript.

<p>A {{Request}} object has an associated
<dfn id=concept-request-request for=Request export>request</dfn> (a <a for=/>request</a>).

<p>A {{Request}} object also has an associated <dfn for=Request export>headers</dfn> (null or a
{{Headers}} object), initially null.

<p>A {{Request}} object has an associated <dfn for=Request>signal</dfn> (null or an {{AbortSignal}}
object), initially null.

<p>A {{Request}} object's <a for=Body>MIME type</a> is to return the result of
<a for="header list">extracting a MIME type</a> from its <a for=Request>request</a>'s
<a for=request>header list</a>.

<p>A {{Request}} object's <a for=Body>body</a> is its
<a for=Request>request</a>'s
<a for=request>body</a>.

<hr>

<dl class=domintro>
 <dt><code><var>request</var> = new <a constructor lt="Request()">Request</a>(<var>input</var> [,
 <var>init</var>])</code>
 <dd>
  <p>Returns a new <var>request</var> whose {{Request/url}} property is <var>input</var> if
  <var>input</var> is a string, and <var>input</var>'s {{Request/url}} if <var>input</var> is a
  {{Request}} object.

  <p>The <var>init</var> argument is an object whose properties can be set as follows:</p>

  <dl>
   <dt>{{RequestInit/method}}
   <dd>A string to set <var>request</var>'s {{Request/method}}.

   <dt>{{RequestInit/headers}}
   <dd>A {{Headers}} object, an object literal, or an array of two-item arrays to set
   <var>request</var>'s {{Request/headers}}.

   <dt>{{RequestInit/body}}
   <dd>A {{BodyInit}} object or null to set <var>request</var>'s <a for=request>body</a>.

   <dt>{{RequestInit/referrer}}
   <dd>A string whose value is a same-origin URL, "<code>about:client</code>", or the empty string,
   to set <var>request</var>'s <a>referrer</a>.

   <dt>{{RequestInit/referrerPolicy}}
   <dd>A <a for=/>referrer policy</a> to set <var>request</var>'s {{Request/referrerPolicy}}.

   <dt>{{RequestInit/mode}}
   <dd>A string to indicate whether the request will use CORS, or will be restricted to same-origin
   URLs. Sets <var>request</var>'s {{Request/mode}}. If <var>input</var> is a string, it defaults to
   "<code>cors</code>".

   <dt>{{RequestInit/credentials}}
   <dd>A string indicating whether credentials will be sent with the request always, never, or only
   when sent to a same-origin URL — as well as whether any credentials sent back in the response
   will be used always, never, or only when received from a same-origin URL. Sets
   <var>request</var>'s {{Request/credentials}}. If <var>input</var> is a string, it defaults to
   "<code>same-origin</code>".

   <dt>{{RequestInit/cache}}
   <dd>A string indicating how the request will interact with the browser's cache to set
   <var>request</var>'s {{Request/cache}}.

   <dt>{{RequestInit/redirect}}
   <dd>A string indicating whether <var>request</var> follows redirects, results in an error upon
   encountering a redirect, or returns the redirect (in an opaque fashion). Sets
   <var>request</var>'s {{Request/redirect}}.

   <dt>{{RequestInit/integrity}}
   <dd>A cryptographic hash of the resource to be fetched by <var>request</var>. Sets
   <var>request</var>'s {{Request/integrity}}.

   <dt>{{RequestInit/keepalive}}
   <dd>A boolean to set <var>request</var>'s {{Request/keepalive}}.

   <dt>{{RequestInit/signal}}
   <dd>An {{AbortSignal}} to set <var>request</var>'s {{Request/signal}}.

   <dt>{{RequestInit/window}}
   <dd>Can only be null. Used to disassociate <var>request</var> from any {{Window}}.
  </dl>

 <dt><code><var>request</var> . <a attribute for=Request>method</a></code>
 <dd>Returns <var>request</var>'s HTTP method, which is "<code>GET</code>" by default.

 <dt><code><var>request</var> . <a attribute for=Request>url</a></code>
 <dd>Returns the URL of <var>request</var> as a string.

 <dt><code><var>request</var> . <a attribute for=Request>headers</a></code>
 <dd>Returns a {{Headers}} object consisting of the headers associated with <var>request</var>.
 Note that headers added in the network layer by the user agent will not be accounted for in this
 object, e.g., the "<code>Host</code>" header.

 <dt><code><var>request</var> . <a attribute for=Request>destination</a></code>
 <dd>Returns the kind of resource requested by <var>request</var>, e.g., "<code>document</code>" or
 "<code>script</code>".

 <dt><code><var>request</var> . <a attribute for=Request>referrer</a></code>
 <dd>Returns the referrer of <var>request</var>. Its value can be a same-origin URL if
 explicitly set in <var>init</var>, the empty string to indicate no referrer, and
 "<code>about:client</code>" when defaulting to the global's default. This is used during
 fetching to determine the value of the `<code>Referer</code>` header of the request being made.

 <dt><code><var>request</var> . <a attribute for=Request>referrerPolicy</a></code>
 <dd>Returns the referrer policy associated with <var>request</var>. This is used during
 fetching to compute the value of the <var>request</var>'s referrer.

 <dt><code><var>request</var> . <a attribute for=Request>mode</a></code>
 <dd>Returns the <a>mode</a> associated with <var>request</var>, which is a string indicating
 whether the request will use CORS, or will be restricted to same-origin URLs.

 <dt><code><var>request</var> . <a attribute for=Request>credentials</a></code>
 <dd>Returns the <a>credentials mode</a> associated with <var>request</var>, which is a string
 indicating whether credentials will be sent with the request always, never, or only when sent to a
 same-origin URL.

 <dt><code><var>request</var> . <a attribute for=Request>cache</a></code>
 <dd>Returns the <a>cache mode</a> associated with <var>request</var>, which is a string indicating
 how the request will interact with the browser's cache when fetching.

 <dt><code><var>request</var> . <a attribute for=Request>redirect</a></code>
 <dd>Returns the <a>redirect mode</a> associated with <var>request</var>, which is a string
 indicating how redirects for the request will be handled during fetching. A <a for=/>request</a>
 will follow redirects by default.

 <dt><code><var>request</var> . <a attribute for=Request>integrity</a></code>
 <dd>Returns <var>request</var>'s subresource integrity metadata, which is a cryptographic hash of
 the resource being fetched. Its value consists of multiple hashes separated by whitespace. [[SRI]]

 <dt><code><var>request</var> . <a attribute for=Request>keepalive</a></code>
 <dd>Returns a boolean indicating whether or not <var>request</var> can outlive the global in which
 it was created.

 <dt><code><var>request</var> . <a attribute for=Request>isReloadNavigation</a></code>
 <dd>Returns a boolean indicating whether or not <var>request</var> is for a reload navigation.

 <dt><code><var>request</var> . <a attribute for=Request>isHistoryNavigation</a></code>
 <dd>Returns a boolean indicating whether or not <var>request</var> is for a history
 navigation (a.k.a. back-foward navigation).

 <dt><code><var>request</var> . <a attribute for=Request>signal</a></code>
 <dd>Returns the signal associated with <var>request</var>, which is an
 {{AbortSignal}} object indicating whether or not <var>request</var> has been aborted, and its abort
 event handler.

 <dt><code><var>request</var> . <a method for=Request>clone</a>()</code>
 <dd><p>Returns a clone of <var>request</var>.
</dl>

<hr>

<p>To <dfn export for=Request lt=create|creating>create</dfn> a {{Request}} object, given a
<a for=/>request</a> <var>request</var>, <a for=/>headers guard</a> <var>guard</var>, and Realm
<var>realm</var>, run these steps:

<ol>
 <li><p>Let <var>requestObject</var> be a <a for=/>new</a> {{Request}} object with <var>realm</var>.

 <li><p>Set <var>requestObject</var>'s <a for=Request>request</a> to <var>request</var>.

 <li><p>Set <var>requestObject</var>'s <a for=Request>headers</a> to a <a for=/>new</a> {{Headers}}
 object with <var>realm</var>, whose <a for=Headers>headers list</a> is <var>request</var>'s
 <a for=request>headers list</a> and <a for=Headers>guard</a> is <var>guard</var>.

 <li><p>Set <var>requestObject</var>'s <a for=Request>signal</a> to a <a for=/>new</a>
 {{AbortSignal}} object with <var>realm</var>.

 <li><p>Return <var>request</var>.
</ol>

<hr>

<p>The
<dfn constructor for=Request id=dom-request lt="Request(input, init)"><code>new Request(<var>input</var>, <var>init</var>)</code></dfn>
constructor steps are:

<ol>
 <li><p>Let <var>request</var> be null.

 <li><p>Let <var>fallbackMode</var> be null.

 <li><p>Let <var>baseURL</var> be <a>this</a>'s <a>relevant settings object</a>'s
 <a for="environment settings object">API base URL</a>.

 <li><p>Let <var>signal</var> be null.

 <li>
  <p>If <var>input</var> is a string, then:

  <ol>
   <li><p>Let <var>parsedURL</var> be the result of
   <a lt="url parser">parsing</a> <var>input</var> with
   <var>baseURL</var>.

   <li><p>If <var>parsedURL</var> is failure, then <a>throw</a> a {{TypeError}}.

   <li><p>If <var>parsedURL</var> <a lt="include credential">includes credentials</a>, then
   <a>throw</a> a {{TypeError}}.

   <li><p>Set <var>request</var> to a new <a for=/>request</a> whose <a for=request>URL</a> is
   <var>parsedURL</var>.

   <li><p>Set <var>fallbackMode</var> to "<code>cors</code>".
  </ol>

 <li>
  <p>Otherwise:

  <ol>
   <li><p>Assert: <var>input</var> is a {{Request}} object.

   <li><p>Set <var>request</var> to <var>input</var>'s
   <a for=Request>request</a>.

   <li><p>Set <var>signal</var> to <var>input</var>'s <a for=Request>signal</a>.
  </ol>

 <li><p>Let <var>origin</var> be <a>this</a>'s <a>relevant settings object</a>'s
 <a for="environment settings object">origin</a>.

 <li><p>Let <var>window</var> be "<code>client</code>".

 <li><p>If <var>request</var>'s <a for=request>window</a> is
 an <a>environment settings object</a> and its
 <a for="environment settings object">origin</a> is <a>same origin</a> with
 <var>origin</var>, then set <var>window</var> to <var>request</var>'s
 <a for=request>window</a>.

 <li><p>If <var>init</var>["{{RequestInit/window}}"] <a for=map>exists</a> and is non-null, then
 <a>throw</a> a {{TypeError}}.

 <li><p>If <var>init</var>["{{RequestInit/window}}"] <a for=map>exists</a>, then set
 <var>window</var> to "<code>no-window</code>".

 <li>
  <p>Set <var>request</var> to a new <a for=/>request</a> with the following properties:

  <dl>
   <dt><a for=request>URL</a>
   <dd><var>request</var>'s <a for=request>current URL</a>.

   <dt><a for=request>method</a>
   <dd><var>request</var>'s <a for=request>method</a>.

   <dt><a for=request>header list</a>
   <dd>A copy of <var>request</var>'s <a for=request>header list</a>.

   <dt><a>unsafe-request flag</a>
   <dd>Set.

   <dt><a for=request>client</a>
   <dd><a>This</a>'s <a>relevant settings object</a>.

   <dt><a for=request>window</a>
   <dd><var>window</var>.

   <dt><a for=request>priority</a>
   <dd><var>request</var>'s <a for=request>priority</a>.

   <dt><a for=request>origin</a>
   <dd>"<code>client</code>".

   <dt><a for=request>referrer</a>
   <dd><var>request</var>'s <a for=request>referrer</a>.

   <dt><a for=request>referrer policy</a>
   <dd><var>request</var>'s <a for=request>referrer policy</a>.

   <dt><a for=request>mode</a>
   <dd><var>request</var>'s <a for=request>mode</a>.

   <dt><a for=request>credentials mode</a>
   <dd><var>request</var>'s <a for=request>credentials mode</a>.

   <dt><a for=request>cache mode</a>
   <dd><var>request</var>'s <a for=request>cache mode</a>.

   <dt><a for=request>redirect mode</a>
   <dd><var>request</var>'s <a for=request>redirect mode</a>.

   <dt><a for=request>integrity metadata</a>
   <dd><var>request</var>'s <a for=request>integrity metadata</a>.

   <dt><a for=request>keepalive</a>
   <dd><var>request</var>'s <a for=request>keepalive</a>.

   <dt><a for=request>reload-navigation flag</a>
   <dd><var>request</var>'s <a for=request>reload-navigation flag</a>.

   <dt><a for=request>history-navigation flag</a>
   <dd><var>request</var>'s <a for=request>history-navigation flag</a>.
  </dl>

 <li>
  <p>If <var>init</var> <a for=map>is not empty</a>, then:

  <ol>
   <li><p>If <var>request</var>'s <a for=request>mode</a> is
   "<code>navigate</code>", then set it to "<code>same-origin</code>".
   <!-- This works because we have reset request's client too. -->

   <li><p>Unset <var>request</var>'s <a for=request>reload-navigation flag</a>.

   <li><p>Unset <var>request</var>'s <a for=request>history-navigation flag</a>.

   <li><p>Set <var>request</var>'s <a for=request>referrer</a> to
   "<code>client</code>"

   <li><p>Set <var>request</var>'s <a for=request>referrer policy</a> to the empty string.
  </ol>

  <p class=note>This is done to ensure that when a service worker "redirects" a request, e.g., from
  an image in a cross-origin style sheet, and makes modifications, it no longer appears to come from
  the original source (i.e., the cross-origin style sheet), but instead from the service worker that
  "redirected" the request. This is important as the original source might not even be able to
  generate the same kind of requests as the service worker. Services that trust the original source
  could therefore be exploited were this not done, although that is somewhat farfetched.

 <li>
  <p>If <var>init</var>["{{RequestInit/referrer}}"] <a for=map>exists</a>, then:

  <ol>
   <li><p>Let <var>referrer</var> be <var>init</var>["{{RequestInit/referrer}}"].

   <li><p>If <var>referrer</var> is the empty string, then set <var>request</var>'s
   <a for=request>referrer</a> to "<code>no-referrer</code>".

   <li>
    <p>Otherwise:

    <ol>
     <li><p>Let <var>parsedReferrer</var> be the result of <a lt="URL parser">parsing</a>
     <var>referrer</var> with <var>baseURL</var>.

     <li><p>If <var>parsedReferrer</var> is failure, then <a>throw</a> a {{TypeError}}.

     <li>
      <p>If one of the following is true

      <ul class=brief>
       <li><p><var>parsedReferrer</var>'s <a>cannot-be-a-base-URL</a> is true, <a for=url>scheme</a>
       is "<code>about</code>", and <a for=url>path</a> contains a single string
       "<code>client</code>"

       <li><p><var>parsedReferrer</var>'s <a for=url>origin</a> is not <a>same origin</a> with
       <var>origin</var>
      </ul>

      <p>then set <var>request</var>'s <a for=request>referrer</a> to "<code>client</code>".
      <!-- This can happen when you create a fresh request with values from an older request.
           Throwing would be rather hostile as preventing it requires implementing the same-origin
           check in developer space. -->

     <li><p>Otherwise, set <var>request</var>'s <a for=request>referrer</a> to
     <var>parsedReferrer</var>.
    </ol>
  </ol>

 <li><p>If <var>init</var>["{{RequestInit/referrerPolicy}}"] <a for=map>exists</a>, then set
 <var>request</var>'s <a for=request>referrer policy</a> to it.

 <li><p>Let <var>mode</var> be <var>init</var>["{{RequestInit/mode}}"] if it <a for=map>exists</a>,
 and <var>fallbackMode</var> otherwise.

 <li><p>If <var>mode</var> is "<code>navigate</code>", then <a>throw</a> a {{TypeError}}.

 <li><p>If <var>mode</var> is non-null, set <var>request</var>'s
 <a for=request>mode</a> to <var>mode</var>.

 <li><p>If <var>init</var>["{{RequestInit/credentials}}"] <a for=map>exists</a>, then set
 <var>request</var>'s <a for=request>credentials mode</a> to it.

 <li><p>If <var>init</var>["{{RequestInit/cache}}"] <a for=map>exists</a>, then set
 <var>request</var>'s <a for=request>cache mode</a> to it.

 <li><p>If <var>request</var>'s <a for=request>cache mode</a> is "<code>only-if-cached</code>" and
 <var>request</var>'s <a for=request>mode</a> is <em>not</em> "<code>same-origin</code>", then
 <a>throw</a> a {{TypeError}}.

 <li><p>If <var>init</var>["{{RequestInit/redirect}}"] <a for=map>exists</a>, then set
 <var>request</var>'s <a for=request>redirect mode</a> to it.

 <li><p>If <var>init</var>["{{RequestInit/integrity}}"] <a for=map>exists</a>, then set
 <var>request</var>'s <a for=request>integrity metadata</a> to it.

 <li><p>If <var>init</var>["{{RequestInit/keepalive}}"] <a for=map>exists</a>, then set
 <var>request</var>'s <a for=request>keepalive</a> to it.

 <li>
  <p>If <var>init</var>["{{RequestInit/method}}"] <a for=map>exists</a>, then:

  <ol>
   <li><p>Let <var>method</var> be <var>init</var>["{{RequestInit/method}}"].

   <li><p>If <var>method</var> is not a <a for=/>method</a> or <var>method</var> is a
   <a>forbidden method</a>, then <a>throw</a> a {{TypeError}}.

   <li><p><a lt=normalize for=method>Normalize</a> <var>method</var>.

   <li><p>Set <var>request</var>'s <a for=request>method</a> to <var>method</var>.
  </ol>

 <li><p>If <var>init</var>["{{RequestInit/signal}}"] <a for=map>exists</a>, then set
 <var>signal</var> to it.

 <li><p>Set <a>this</a>'s <a for=Request>request</a> to <var>request</var>.

 <li><p>Set <a>this</a>'s <a for=Request>signal</a> to a <a for=/>new</a> {{AbortSignal}} object
 with <a>this</a>'s <a>relevant Realm</a>.

 <li><p>If <var>signal</var> is not null, then make <a>this</a>'s <a for=Request>signal</a>
 <a for=AbortSignal>follow</a> <var>signal</var>.

 <li><p>Set <a>this</a>'s <a for=Request>headers</a> to a <a for=/>new</a> {{Headers}} object with
 <a>this</a>'s <a>relevant Realm</a>, whose <a for=Headers>header list</a> is <var>request</var>'s
 <a for=request>header list</a> and <a for=Headers>guard</a> is "<code>request</code>".

 <li>
  <p>If <a>this</a>'s <a for=Request>request</a>'s <a for=request>mode</a> is
  "<code>no-cors</code>", then:

  <ol>
   <li><p>If <a>this</a>'s <a for=Request>request</a>'s <a for=request>method</a> is not a
   <a>CORS-safelisted method</a>, then <a>throw</a> a {{TypeError}}.
   <!-- This will throw in cases where APIs have created no-cors requests with a non-safe method and
   the developer has called new Request(fetchEvent.request) or fetch(fetchEvent.request) within a
   service worker fetch event. This shouldn't happen, as APIs shouldn't create no-cors requests with
   a non-safe method -->

   <li><p>Set <a>this</a>'s <a for=Request>headers</a>'s <a for=Headers>guard</a> to
   "<code>request-no-cors</code>".
  </ol>
 </li>

 <li>
  <p>If <var>init</var> <a for=map>is not empty</a>, then:

  <p class=note>The headers are sanitized as they might contain headers that are not allowed by this
  mode. Otherwise, they were previously sanitized or are unmodified since they were set by a
  privileged API.

  <ol>
   <li><p>Let <var>headers</var> be a copy of <a>this</a>'s <a for=Request>headers</a> and its
   associated <a for=Headers>header list</a>.

   <li><p>If <var>init</var>["{{RequestInit/headers}}"] <a for=map>exists</a>, then set
   <var>headers</var> to <var>init</var>["{{RequestInit/headers}}"].

   <li><p>Empty <a>this</a>'s <a for=Request>headers</a>'s <a for=Headers>header list</a>.

   <li><p>If <var>headers</var> is a {{Headers}} object, then <a for=list>for each</a>
   <var>header</var> in its <a for=Headers>header list</a>, <a for=Headers>append</a>
   <var>header</var>'s <a for=header>name</a>/<var>header</var>'s <a for=header>value</a> to
   <a>this</a>'s <a for=Request>headers</a>.

   <li><p>Otherwise, <a for=Headers>fill</a> <a>this</a>'s <a for=Request>headers</a> with
   <var>headers</var>.
  </ol>
 </li>

 <li><p>Let <var>inputBody</var> be <var>input</var>'s <a for=Request>request</a>'s
 <a for=request>body</a> if <var>input</var> is a {{Request}} object; otherwise null.

 <li><p>If either <var>init</var>["{{RequestInit/body}}"] <a for=map>exists</a> and is non-null or
 <var>inputBody</var> is non-null, and <var>request</var>'s <a for=request>method</a> is
 `<code>GET</code>` or `<code>HEAD</code>`, then <a>throw</a> a {{TypeError}}.

 <li><p>Let <var>initBody</var> be null.

 <li>
  <p>If <var>init</var>["{{RequestInit/body}}"] <a for=map>exists</a> and is non-null, then:

  <ol>
   <li><p>Let <var>Content-Type</var> be null.

   <li><p>Set <var>initBody</var> and <var>Content-Type</var> to the result of
   <a for=BodyInit>extracting</a> <var>init</var>["{{RequestInit/body}}"], with
   <a for=BodyInit/extract><var>keepalive</var></a> set to <var>request</var>'s
   <a for=request>keepalive</a>.

   <li><p>If <var>Content-Type</var> is non-null and <a>this</a>'s <a for=Request>headers</a>'s
   <a for=Headers>header list</a> <a for="header list">does not contain</a>
   `<code>Content-Type</code>`, then <a for=Headers>append</a>
   `<code>Content-Type</code>`/<var>Content-Type</var> to <a>this</a>'s <a for=Request>headers</a>.
  </ol>

 <li><p>Let <var>inputOrInitBody</var> be <var>initBody</var> if it is non-null; otherwise
 <var>inputBody</var>.

 <li>
  <p>If <var>inputOrInitBody</var> is non-null and <var>inputOrInitBody</var>'s
  <a for=body>source</a> is null, then:

  <ol>
   <li><p>If <a>this</a>'s <a for=Request>request</a>'s <a for=request>mode</a> is neither
   "<code>same-origin</code>" nor "<code>cors</code>", then throw a {{TypeError}}.

   <li><p>Set <a>this</a>'s <a for=Request>request</a>'s
   <a for=request>use-CORS-preflight flag</a>.
  </ol>

 <li><p>Let <var>finalBody</var> be <var>inputOrInitBody</var>.

 <li>
  <p>If <var>initBody</var> is null and <var>inputBody</var> is non-null, then:

  <ol>
   <li><p>If <var>input</var> is <a for=Body>unusable</a>, then <a>throw</a> a {{TypeError}}.

   <!-- Any steps after this must not throw. -->

   <li><p>Set <var>finalBody</var> to the result of <a for=ReadableStream>creating a proxy</a> for
   <var>inputBody</var>.
  </ol>

 <li><p>Set <a>this</a>'s <a for=Request>request</a>'s <a for=request>body</a> to
 <var>finalBody</var>.
</ol>

<p>The <dfn attribute for=Request><code>method</code></dfn> getter steps are to return <a>this</a>'s
<a for=Request>request</a>'s <a for=request>method</a>.

<p>The <dfn attribute for=Request><code>url</code></dfn> getter steps are to return <a>this</a>'s
<a for=Request>request</a>'s <a for=request>URL</a>, <a lt="URL serializer">serialized</a>.

<p>The <dfn attribute for=Request><code>headers</code></dfn> getter steps are to return
<a>this</a>'s <a for=Request>headers</a>.

<p>The <dfn attribute for=Request><code>destination</code></dfn> getter are to return <a>this</a>'s
<a for=Request>request</a>'s <a for=request>destination</a>.

<p>The <dfn attribute for=Request><code>referrer</code></dfn> getter steps are:

<ol>
 <li><p>If <a>this</a>'s <a for=Request>request</a>'s <a for=request>referrer</a> is
 "<code>no-referrer</code>", then return the empty string.

 <li><p>If <a>this</a>'s <a for=Request>request</a>'s <a for=request>referrer</a> is
 "<code>client</code>", then return "<code>about:client</code>".

 <li><p>Return <a>this</a>'s <a for=Request>request</a>'s <a for=request>referrer</a>,
 <a lt="URL serializer">serialized</a>.
</ol>

<p>The <dfn attribute for=Request><code>referrerPolicy</code></dfn> getter steps are to return
<a>this</a>'s <a for=Request>request</a>'s <a for=request>referrer policy</a>.

<p>The <dfn attribute for=Request><code>mode</code></dfn> getter steps are to return <a>this</a>'s
<a for=Request>request</a>'s <a for=request>mode</a>.

<p>The <dfn attribute for=Request><code>credentials</code></dfn> getter steps are to return
<a>this</a>'s <a for=Request>request</a>'s <a for=request>credentials mode</a>.

<p>The <dfn attribute for=Request><code>cache</code></dfn> getter steps are to return <a>this</a>'s
<a for=Request>request</a>'s <a for=request>cache mode</a>.

<p>The <dfn attribute for=Request><code>redirect</code></dfn> getter steps are to return
<a>this</a>'s <a for=Request>request</a>'s <a for=request>redirect mode</a>.

<p>The <dfn attribute for=Request><code>integrity</code></dfn> getter steps are to return
<a>this</a>'s <a for=Request>request</a>'s <a for=request>integrity metadata</a>.

<p>The <dfn attribute for=Request><code>keepalive</code></dfn> getter steps are to return
<a>this</a>'s <a for=Request>request</a>'s <a for=request>keepalive</a>.

<p>The <dfn attribute for=Request><code>isReloadNavigation</code></dfn> getter steps are to return
true if <a>this</a>'s <a for=Request>request</a>'s <a for=request>reload-navigation flag</a> is set;
otherwise false.

<p>The <dfn attribute for=Request><code>isHistoryNavigation</code></dfn> getter steps are to return
true if <a>this</a>'s <a for=Request>request</a>'s <a for=request>history-navigation flag</a> is
set; otherwise false.

<p>The <dfn attribute for=Request><code>signal</code></dfn> getter steps are to return <a>this</a>'s
<a for="Request">signal</a>.

<hr>

<p>The <dfn method for=Request><code>clone()</code></dfn> method steps are:

<ol>
 <li><p>If <a>this</a> is <a for=Body>unusable</a>, then <a>throw</a> a {{TypeError}}.

 <li><p>Let <var>clonedRequest</var> be the result of <a lt=clone for=request>cloning</a>
 <a>this</a>'s <a for=Request>request</a>.

 <li><p>Let <var>clonedRequestObject</var> be the result of <a for=Request>creating</a> a
 {{Request}} object, given <var>clonedRequest</var>, <a>this</a>'s
 <a for=Request>headers</a>'s <a for=Headers>guard</a>, and <a>this</a>'s <a>relevant Realm</a>.

 <li><p>Make <var>clonedRequestObject</var>'s <a for=Request>signal</a>
 <a for=AbortSignal>follow</a> <a>this</a>'s <a for=Request>signal</a>.

 <li><p>Return <var>clonedRequestObject</var>.
</ol>


<h3 id=response-class>Response class</h3>

<pre class=idl>[Exposed=(Window,Worker)]
interface Response {
  constructor(optional BodyInit? body = null, optional ResponseInit init = {});

  [NewObject] static Response error();
  [NewObject] static Response redirect(USVString url, optional unsigned short status = 302);

  readonly attribute ResponseType type;

  readonly attribute USVString url;
  readonly attribute boolean redirected;
  readonly attribute unsigned short status;
  readonly attribute boolean ok;
  readonly attribute ByteString statusText;
  [SameObject] readonly attribute Headers headers;

  [NewObject] Response clone();
};
Response includes Body;

dictionary ResponseInit {
  unsigned short status = 200;
  ByteString statusText = "";
  HeadersInit headers;
};

enum ResponseType { "basic", "cors", "default", "error", "opaque", "opaqueredirect" };
</pre>

<p>A {{Response}} object has an associated
<dfn id=concept-response-response for=Response export>response</dfn> (a
<a for=/>response</a>).

<p>A {{Response}} object also has an associated <dfn for=Response export>headers</dfn> (null or a
{{Headers}} object), initially null.

<p>A {{Response}} object's <a for=Body>MIME type</a> is to return the result of
<a for="header list">extracting a MIME type</a> from its <a for=Response>response</a>'s
<a for=response>header list</a>.

<p>A {{Response}} object's <a for=Body>body</a> is its
<a for=Response>response</a>'s <a for=response>body</a>.

<hr>

<dl class=domintro>
 <dt><code><var>response</var> = new <a constructor lt="Response(body, init)">Response</a>(<var>body</var> = null [, <var>init</var>])</code>
 <dd><p>Creates a {{Response}} whose body is <var>body</var>, and status, status message, and
 headers are provided by <var>init</var>.

 <dt><code><var>response</var> = <a idl>Response</a> . <a method for=Response lt=error()>error</a>()</code>
 <dd><p>Creates network error {{Response}}.

 <dt><code><var>response</var> = <a idl>Response</a> . <a method for=Response lt=redirect()>redirect</a>(<var>url</var>, <var>status</var> = 302)</code>
 <dd><p>Creates a redirect {{Response}} that redirects to <var>url</var> with status
 <var>status</var>.

 <dt><code><var>response</var> . <a attribute for=Response>type</a></code>
 <dd><p>Returns <var>response</var>'s type, e.g., "<code>cors</code>".

 <dt><code><var>response</var> . <a attribute for=Response>url</a></code>
 <dd><p>Returns <var>response</var>'s URL, if it has one; otherwise the empty string.

 <dt><code><var>response</var> . <a attribute for=Response>redirected</a></code>
 <dd><p>Returns whether <var>response</var> was obtained through a redirect.

 <dt><code><var>response</var> . <a attribute for=Response>status</a></code>
 <dd><p>Returns <var>response</var>'s status.

 <dt><code><var>response</var> . <a attribute for=Response>ok</a></code>
 <dd><p>Returns whether <var>response</var>'s status is an <a for=/>ok status</a>.

 <dt><code><var>response</var> . <a attribute for=Response>statusText</a></code>
 <dd><p>Returns <var>response</var>'s status message.

 <dt><code><var>response</var> . <a attribute for=Response>headers</a></code>
 <dd><p>Returns <var>response</var>'s headers as {{Headers}}.

 <dt><code><var>response</var> . <a method for=Response>clone</a>()</code>
 <dd><p>Returns a clone of <var>response</var>.
</dl>

<hr>

<p>To <dfn export for=Response lt=create|creating>create</dfn> a {{Response}} object, given a
<a for=/>response</a> <var>response</var>, <a for=/>headers guard</a> <var>guard</var>, and Realm
<var>realm</var>, run these steps:

<ol>
 <li><p>Let <var>responseObject</var> be a <a for=/>new</a> {{Response}} object with
 <var>realm</var>.

 <li><p>Set <var>responseObject</var>'s <a for=Response>response</a> to <var>response</var>.

 <li><p>Set <var>responseObject</var>'s <a for=Response>headers</a> to a <a for=/>new</a>
 {{Headers}} object with <var>realm</var>, whose <a for=Headers>headers list</a> is
 <var>response</var>'s <a for=response>headers list</a> and <a for=Headers>guard</a> is
 <var>guard</var>.

 <li><p>Return <var>responseObject</var>.
</ol>

<hr>

<p>The
<dfn constructor for=Response id=dom-response lt="Response(body, init)"><code>new Response(<var>body</var>, <var>init</var>)</code></dfn>
constructor steps are:

<ol>
 <li><p>If <var>init</var>["{{ResponseInit/status}}"] is not in the range 200 to 599, inclusive,
 then <a>throw</a> a {{RangeError}}.

 <li><p>If <var>init</var>["{{ResponseInit/statusText}}"] does not match the
 <a spec=http>reason-phrase</a> token production, then <a>throw</a> a {{TypeError}}.

 <li><p>Set <a>this</a>'s <a for=Response>response</a> to a new <a for=/>response</a>.

 <li><p>Set <a>this</a>'s <a for=Response>headers</a> to a <a for=/>new</a> {{Headers}} object with
 <a>this</a>'s <a>relevant Realm</a>, whose <a for=Headers>header list</a> is <a>this</a>'s
 <a for=Response>response</a>'s <a for=response>header list</a> and <a for=Headers>guard</a> is
 "<code>response</code>".

 <li><p>Set <a>this</a>'s <a for=Response>response</a>'s <a for=response>status</a> to
 <var>init</var>["{{ResponseInit/status}}"].

 <li><p>Set <a>this</a>'s <a for=Response>response</a>'s <a for=response>status message</a> to
 <var>init</var>["{{ResponseInit/statusText}}"].

 <li><p>If <var>init</var>["{{ResponseInit/headers}}"] <a for=map>exists</a>, then
 <a for=Headers>fill</a> <a>this</a>'s <a for=Response>headers</a> with
 <var>init</var>["{{ResponseInit/headers}}"].

 <li>
  <p>If <var>body</var> is non-null, then:

  <ol>
   <li>
    <p>If <var>init</var>["{{ResponseInit/status}}"] is a <a>null body status</a>, then <a>throw</a>
    a {{TypeError}}.

    <p class="note no-backref">101 is included in <a>null body status</a> due to its use elsewhere.
    It does not affect this step.

   <li><p>Let <var>Content-Type</var> be null.

   <li><p>Set <a>this</a>'s <a for=Response>response</a>'s <a for=response>body</a> and
   <var>Content-Type</var> to the result of <a for=BodyInit>extracting</a> <var>body</var>.

   <li><p>If <var>Content-Type</var> is non-null and <a>this</a>'s <a for=Response>response</a>'s
   <a for=response>header list</a> <a for="header list">does not contain</a>
   `<code>Content-Type</code>`, then <a for="header list">append</a>
   `<code>Content-Type</code>`/<var>Content-Type</var> to <a>this</a>'s
   <a for=Response>response</a>'s <a for=response>header list</a>.
  </ol>
</ol>

<p>The static <dfn method for=Response><code>error()</code></dfn> method steps are to return the
result of <a for=Response>creating</a> a {{Response}} object, given a new <a>network error</a>,
"<code>immutable</code>", and <a>this</a>'s <a>relevant Realm</a>.

<p>The static
<dfn method for=Response><code>redirect(<var>url</var>, <var>status</var>)</code></dfn> method steps
are:

<ol>
 <li><p>Let <var>parsedURL</var> be the result of <a lt="URL parser">parsing</a> <var>url</var> with
 <a>current settings object</a>'s <a for="environment settings object">API base URL</a>.

 <li><p>If <var>parsedURL</var> is failure, then <a>throw</a> a {{TypeError}}.

 <li><p>If <var>status</var> is not a <a>redirect status</a>, then <a>throw</a> a {{RangeError}}.

 <li><p>Let <var>responseObject</var> be the result of <a for=Response>creating</a> a {{Response}}
 object, given a new <a for=/>response</a>, "<code>immutable</code>", and <a>this</a>'s
 <a>relevant Realm</a>.

 <li><p>Set <var>responseObject</var>'s <a for=Response>response</a>'s <a for=response>status</a> to
 <var>status</var>.

 <li><p>Let <var>value</var> be <var>parsedURL</var>, <a lt="URL serializer">serialized</a> and
 <a>isomorphic encoded</a>.

 <li><p><a for="header list">Append</a> `<code>Location</code>`/<var>value</var> to
 <var>responseObject</var>'s <a for=Response>response</a>'s <a for=response>header list</a>.

 <li><p>Return <var>responseObject</var>.
</ol>

<p>The <dfn attribute for=Response><code>type</code></dfn> getter steps are to return <a>this</a>'s
<a for=Response>response</a>'s <a for=response>type</a>.

<p>The <dfn attribute for=Response><code>url</code></dfn> getter steps are to return
the empty string if <a>this</a>'s <a for=Response>response</a>'s <a for=response>URL</a> is null;
otherwise <a>this</a>'s <a for=Response>response</a>'s <a for=response>URL</a>,
<a lt="URL serializer">serialized</a> with <a for="URL serializer"><i>exclude fragment</i></a> set
to true.

<p>The <dfn attribute for=Response><code>redirected</code></dfn> getter steps are to return true if
<a>this</a>'s <a for=Response>response</a>'s <a for=response>URL list</a> has more than one item;
otherwise false.

<p class=note>To filter out <a for=/>responses</a> that are the result of a
redirect, do this directly through the API, e.g., <code>fetch(url, { redirect:"error" })</code>.
This way a potentially unsafe <a for=/>response</a> cannot accidentally leak.

<p>The <dfn attribute for=Response><code>status</code></dfn> getter steps are to return
<a>this</a>'s <a for=Response>response</a>'s <a for=response>status</a>.

<p>The <dfn attribute for=Response><code>ok</code></dfn> getter steps are to return true if
<a>this</a>'s <a for=Response>response</a>'s <a for=response>status</a> is an <a>ok status</a>;
otherwise false.

<p>The <dfn attribute for=Response><code>statusText</code></dfn> getter steps are to return
<a>this</a>'s <a for=Response>response</a>'s <a for=response>status message</a>.

<p>The <dfn attribute for=Response><code>headers</code></dfn> getter steps are to return
<a>this</a>'s <a for=Response>headers</a>.

<hr>

<p>The <dfn method for=Response><code>clone()</code></dfn> method steps are:

<ol>
 <li><p>If <a>this</a> is <a for=Body>unusable</a>, then <a>throw</a> a {{TypeError}}.

 <li><p>Let <var>clonedResponse</var> be the result of <a lt=clone for=response>cloning</a>
 <a>this</a>'s <a for=Response>response</a>.

 <li><p>Return the result of <a for=Response>creating</a> a {{Response}} object, given
 <var>clonedResponse</var>, <a>this</a>'s <a for=Response>headers</a>'s <a for=Headers>guard</a>,
 and <a>this</a>'s <a>relevant Realm</a>.
</ol>


<h3 id=fetch-method>Fetch method</h3>

<pre class=idl>
partial interface mixin WindowOrWorkerGlobalScope {
  [NewObject] Promise&lt;Response> fetch(RequestInfo input, optional RequestInit init = {});
};
</pre>

<p>The
<dfn id=dom-global-fetch method for=WindowOrWorkerGlobalScope><code>fetch(<var>input</var>, <var>init</var>)</code></dfn>
method steps are:

<ol>
 <li><p>Let <var>p</var> be a new promise.

 <li><p>Let <var>requestObject</var> be the result of invoking the initial value of {{Request}} as
 constructor with <var>input</var> and <var>init</var> as arguments. If this throws an exception,
 <a for=/>reject</a> <var>p</var> with it and return <var>p</var>.

 <li><p>Let <var>request</var> be <var>requestObject</var>'s <a for=Request>request</a>.

 <li>
  <p>If <var>requestObject</var>'s <a for=Request>signal</a>'s <a for=AbortSignal>aborted flag</a>
  is set, then:

  <ol>
   <li><p><a>Abort fetch</a> with <var>p</var>, <var>request</var>, and null.

   <li><p>Return <var>p</var>.
  </ol>

 <li>Let <var>globalObject</var> be  <var>request</var>'s <a for=request>client</a>'s
 <a for="environment settings object">global object</a>.

 <li>If <var>globalObject</var> is a {{ServiceWorkerGlobalScope}} object,
 then set <var>request</var>'s <a>service-workers mode</a> to "<code>none</code>".

 <li><p>Let <var>responseObject</var> be null.

 <li><p>Let <var>relevantRealm</var> be <a>this</a>'s <a>relevant Realm</a>.

 <li>
  <p>Let <var>locallyAborted</var> be false.

  <p class=note>This lets us reject promises with predictable timing, when the request to abort
  comes from the same thread as the call to fetch.

 <li>
  <p><a for=AbortSignal lt=add>Add the following abort steps</a> to <var>requestObject</var>'s
  <a for=Request>signal</a>:

  <ol>
   <li><p>Set <var>locallyAborted</var> to true.

   <li><p><a>Abort fetch</a> with <var>p</var>, <var>request</var>, and <var>responseObject</var>.

   <li><p><a lt=terminated for=fetch>Terminate</a> the ongoing fetch with the aborted flag set.
  </ol>

 <li><p>Let <var>handleFetchDone</var> given <a for=/>response</a> <var>response</var> be to
 <a>finalize and report timing</a> with <var>response</var>, <var>globalObject</var>, and
 "<code>fetch</code>".

 <li>
  <p><a for=/>Fetch</a> <var>request</var> with <a for=fetch><i>processResponseDone</i></a> set to
  <var>handleFetchDone</var>, and <a for=fetch><i>processResponse</i></a> given <var>response</var>
  being these substeps:

  <ol>
   <li><p>If <var>locallyAborted</var> is true, terminate these substeps.

   <li><p>If <var>response</var>'s <a for=response>aborted flag</a> is set, then <a>abort fetch</a>
   with <var>p</var>, <var>request</var>, and <var>responseObject</var>, and terminate these
   substeps.

   <li><p>If <var>response</var> is a <a>network error</a>, then <a for=/>reject</a> <var>p</var>
   with a {{TypeError}} and terminate these substeps.

   <li><p>Set <var>responseObject</var> to the result of <a for=Response>creating</a> a {{Response}}
   object, given <var>response</var>, "<code>immutable</code>", and <var>relevantRealm</var>.

   <li><p><a for=/>Resolve</a> <var>p</var> with <var>responseObject</var>.
  </ol>

 <li><p>Return <var>p</var>.
</ol>

<p>To <dfn>abort fetch</dfn> with a <var>promise</var>, <var>request</var>, and
<var>responseObject</var>, run these steps:

<ol>
 <li><p>Let <var>error</var> be an "<code><a exception>AbortError</a></code>" {{DOMException}}.

 <li>
  <p><a for=/>Reject</a> <var>promise</var> with <var>error</var>.

  <p class=note>This is a no-op if <var>promise</var> has already fulfilled.

 <li><p>If <var>request</var>'s <a for=request>body</a> is not null and is
 <a for=ReadableStream>readable</a>, then <a for=ReadableStream>cancel</a> <var>request</var>'s
 <a for=request>body</a> with <var>error</var>.

 <li><p>If <var>responseObject</var> is null, then return.

 <li><p>Let <var>response</var> be <var>responseObject</var>'s <a for=Response>response</a>.

 <li><p>If <var>response</var>'s <a for=response>body</a> is not null and is
 <a for=ReadableStream>readable</a>, then <a for=ReadableStream>error</a> <var>response</var>'s
 <a for=response>body</a> with <var>error</var>.
</ol>


<h3 id=garbage-collection>Garbage collection</h3>

<p>The user agent may <a lt=terminated for=fetch>terminate</a> an ongoing fetch if that termination
is not observable through script.

<p class="note no-backref">"Observable through script" means observable through
<a method><code>fetch()</code></a>'s arguments and return value. Other ways, such as
communicating with the server through a side-channel are not included.

<p class="note no-backref">The server being able to observe garbage collection has precedent, e.g.,
with {{WebSocket}} and {{XMLHttpRequest}} objects.

<div id=terminate-examples class="example no-backref">
 <p>The user agent can terminate the fetch because the termination cannot be observed.
 <pre><code class=lang-javascript>
fetch("https://www.example.com/")
</code></pre>

 <p>The user agent cannot terminate the fetch because the termination can be observed through
 the promise.
 <pre><code class=lang-javascript>
window.promise = fetch("https://www.example.com/")
</code></pre>

 <p>The user agent can terminate the fetch because the associated body is not observable.
 <pre><code class=lang-javascript>
window.promise = fetch("https://www.example.com/").then(res => res.headers)
</code></pre>

 <p>The user agent can terminate the fetch because the termination cannot be observed.
 <pre><code class=lang-javascript>
fetch("https://www.example.com/").then(res => res.body.getReader().closed)
</code></pre>

 <p>The user agent cannot terminate the fetch because one can observe the termination by registering
 a handler for the promise object.
 <pre><code class=lang-javascript>
window.promise = fetch("https://www.example.com/")
  .then(res => res.body.getReader().closed)
</code></pre>

 <p>The user agent cannot terminate the fetch as termination would be observable via the registered
 handler.
 <pre><code class=lang-javascript>
fetch("https://www.example.com/")
  .then(res => {
    res.body.getReader().closed.then(() => console.log("stream closed!"))
  })
</code></pre>

  <p>(The above examples of non-observability assume that built-in properties and functions, such as
  {{ReadableStream/getReader()|body.getReader()}}, have not been overwritten.)
</div>



<h2 id=websocket-protocol>WebSocket protocol alterations</h2>

<div class=note>
 <p>This section replaces part of the WebSocket protocol opening handshake client requirement to
 integrate it with algorithms defined in Fetch. This way CSP, cookies, HSTS, and other Fetch-related
 protocols are handled in a single location. Ideally the RFC would be updated with this language,
 but it is never that easy. The WebSocket API, defined in the HTML Standard, has been updated to use
 this language. [[!WSP]] [[!HTML]]

 <p>The way this works is by replacing The WebSocket Protocol's "establish a WebSocket connection"
 algorithm with a new one that integrates with Fetch. "Establish a WebSocket connection" consists of
 three algorithms: setting up a connection, creating and transmiting a handshake request, and
 validating the handshake response. That layering is different from Fetch, which first creates a
 handshake, then sets up a connection and transmits the handshake, and finally validates the
 response. Keep that in mind while reading these alterations.
</div>


<h3 id=websocket-connections>Connections</h3>

<p>To <dfn id=concept-websocket-connection-obtain>obtain a WebSocket connection</dfn>, given a
<var>url</var>, run these steps:

<ol>
 <li><p>Let <var ignore>host</var> be <var>url</var>'s <a for=url>host</a>.

 <li><p>Let <var ignore>port</var> be <var>url</var>'s <a for=url>port</a>.

 <li><p>Let <var ignore>secure</var> be false, if <var>url</var>'s <a for=url>scheme</a> is
 "<code>http</code>", and true otherwise.

 <li><p>Follow the requirements stated in step 2 to 5, inclusive, of the first set of steps in
 <a href=https://datatracker.ietf.org/doc/html/rfc6455#section-4.1>section 4.1</a> of The WebSocket
 Protocol to establish a <a lt="obtain a WebSocket connection">WebSocket connection</a>. [[!WSP]]

 <li><p>If that established a connection, return it, and return failure otherwise.
</ol>

<p class=note>Although structured a little differently, carrying different properties, and
therefore not shareable, a WebSocket connection is very close to identical to an "ordinary"
<a>connection</a>.


<h3 id=websocket-opening-handshake>Opening handshake</h3>

<p>To <dfn id=concept-websocket-establish>establish a WebSocket connection</dfn>, given a
<var>url</var>, <var>protocols</var>, and <var>client</var>, run these steps:

<ol>
 <li>
  <p>Let <var>requestURL</var> be a copy of <var>url</var>, with its
  <a for=url>scheme</a> set to
  "<code>http</code>", if <var>url</var>'s
  <a for=url>scheme</a> is "<code>ws</code>", and
  to "<code>https</code>" otherwise.

  <p class="note no-backref">This change of scheme is essential to integrate well with
  <a lt=fetch for=/>fetching</a>. E.g., HSTS would not work without it. There is no real
  reason for WebSocket to have distinct schemes, it's a legacy artefact.
  [[!HSTS]]

 <li><p>Let <var>request</var> be a new <a for=/>request</a>, whose
 <a for=request>URL</a> is <var>requestURL</var>,
 <a for=request>client</a> is <var>client</var>,
 <a>service-workers mode</a> is "<code>none</code>",
 <a for=request>referrer</a> is "<code>no-referrer</code>",
 <a for=request>mode</a> is "<code>websocket</code>",
 <a for=request>credentials mode</a> is
 "<code>include</code>",
 <a for=request>cache mode</a> is "<code>no-store</code>", and
 <a for=request>redirect mode</a> is "<code>error</code>".

 <li><p><a for="header list">Append</a>
 `<code>Upgrade</code>`/`<code>websocket</code>` to
 <var>request</var>'s <a for=request>header list</a>.

 <li><p><a for="header list">Append</a>
 `<code>Connection</code>`/`<code>Upgrade</code>` to
 <var>request</var>'s <a for=request>header list</a>.

 <li>
  <p>Let <var>keyValue</var> be a nonce consisting of a randomly selected 16-byte value that has
  been <a lt="forgiving-base64 encode">forgiving-base64-encoded</a> and <a>isomorphic encoded</a>.

  <p id=example-random-value class=example>If the randomly selected value was the byte sequence 0x01 0x02 0x03 0x04 0x05
  0x06 0x07 0x08 0x09 0x0a 0x0b 0x0c 0x0d 0x0e 0x0f 0x10, <var>keyValue</var> would be
  forgiving-base64-encoded to "<code>AQIDBAUGBwgJCgsMDQ4PEC==</code>" and isomorphic encoded
  to `<code>AQIDBAUGBwgJCgsMDQ4PEC==</code>`.

 <li><p><a for="header list">Append</a>
 `<code>Sec-WebSocket-Key</code>`/<var>keyValue</var> to
 <var>request</var>'s <a for=request>header list</a>.

 <li><p><a for="header list">Append</a>
 `<code>Sec-WebSocket-Version</code>`/`<code>13</code>` to
 <var>request</var>'s <a for=request>header list</a>.

 <li><p>For each <var>protocol</var> in <var>protocols</var>, <a for="header list">combine</a>
 `<code>Sec-WebSocket-Protocol</code>`/<var>protocol</var> in <var>request</var>'s
 <a for=request>header list</a>.

 <li>
  <p>Let <var>permessageDeflate</var> be a user-agent defined
  "<code>permessage-deflate</code>" extension <a for=/>header</a>
  <a for=header>value</a>. [[!WSP]]

  <p id=example-permessage-deflate class=example>`<code>permessage-deflate; client_max_window_bits</code>`

 <li><p><a for="header list">Append</a>
 `<code>Sec-WebSocket-Extensions</code>`/<var>permessageDeflate</var>
 to <var>request</var>'s <a for=request>header list</a>.

 <li>
  <p><a lt=fetch for=/>Fetch</a> <var>request</var> with <a for=fetch><i>useParallelQueue</i></a>
  set to true, and <a for=fetch><i>processResponse</i></a> given <var>response</var> being these
  steps:

  <ol>
   <li><p>If <var>response</var> is a <a>network error</a> or its <a for=response>status</a> is not
   101, <a>fail the WebSocket connection</a>.

   <li>
    <p>If <var>protocols</var> is not the empty list and <a>extracting header list values</a> given
    `<code>Sec-WebSocket-Protocol</code>` and <var>response</var>'s <a for=request>header list</a>
    results in null, failure, or the empty byte sequence, then <a>fail the WebSocket connection</a>.

    <p class=note>This is different from the check on this header defined by The WebSocket Protocol.
    That only covers a subprotocol not requested by the client. This covers a subprotocol requested
    by the client, but not acknowledged by the server.

   <li><p>Follow the requirements stated step 2 to step 6, inclusive, of the last set of steps in
   <a href=https://datatracker.ietf.org/doc/html/rfc6455#section-4.1>section 4.1</a> of The
   WebSocket Protocol to validate <var>response</var>. This either results in
   <a>fail the WebSocket connection</a> or <a>the WebSocket connection is established</a>.
  </ol>
</ol>

<p><dfn>Fail the WebSocket connection</dfn> and <dfn>the WebSocket connection is established</dfn>
are defined by The WebSocket Protocol. [[!WSP]]

<p class=warning>The reason redirects are not followed and this handshake is generally restricted is
because it could introduce serious security problems in a web browser context. For example, consider
a host with a WebSocket server at one path and an open HTTP redirector at another. Suddenly, any
script that can be given a particular WebSocket URL can be tricked into communicating to (and
potentially sharing secrets with) any host on the internet, even if the script checks that the URL
has the right hostname.
<!-- https://www.ietf.org/mail-archive/web/hybi/current/msg06951.html -->



<h2 id=data-urls><code>data:</code> URLs</h2>

<p>For an informative description of <code>data:</code> URLs, see RFC 2397. This section replaces
that RFC's normative processing requirements to be compatible with deployed content. [[RFC2397]]

<p>A <dfn><code>data:</code> URL struct</dfn> is a <a>struct</a> that consists of a
<dfn for="data: URL struct">MIME type</dfn> (a <a for=/>MIME type</a>) and a
<dfn for="data: URL struct">body</dfn> (a <a>byte sequence</a>).

<p>The <dfn export><code>data:</code> URL processor</dfn> takes a <a for=/>URL</a>
<var>dataURL</var> and then runs these steps:

<ol>
 <li><p>Assert: <var>dataURL</var>'s <a for=url>scheme</a> is "<code>data</code>".

 <li><p>Let <var>input</var> be the result of running the <a>URL serializer</a> on
 <var>dataURL</var> with <a for="URL serializer"><i>exclude fragment</i></a> set to true.

 <li><p>Remove the leading "<code>data:</code>" string from <var>input</var>.

 <li><p>Let <var>position</var> point at the start of <var>input</var>.

 <li><p>Let <var>mimeType</var> be the result of <a>collecting a sequence of code points</a> that
 are not equal to U+002C (,), given <var>position</var>.

 <li>
  <p><a>Strip leading and trailing ASCII whitespace</a> from <var>mimeType</var>.

  <p class="note">This will only remove U+0020 SPACE <a>code points</a>, if any.

 <li><p>If <var>position</var> is past the end of <var>input</var>, then return failure.

 <li><p>Advance <var>position</var> by 1.

 <li><p>Let <var>encodedBody</var> be the remainder of <var>input</var>.

 <li><p>Let <var>body</var> be the <a for=string>percent-decoding</a> of <var>encodedBody</var>.

 <li>
  <p>If <var>mimeType</var> ends with U+003B (;), followed by zero or more U+0020 SPACE, followed by
  an <a>ASCII case-insensitive</a> match for "<code>base64</code>", then:

  <ol>
   <li><p>Let <var>stringBody</var> be the <a>isomorphic decode</a> of <var>body</var>.

   <li><p>Set <var>body</var> to the <a>forgiving-base64 decode</a> of <var>stringBody</var>.

   <li><p>If <var>body</var> is failure, then return failure.

   <li><p>Remove the last 6 <a>code points</a> from <var>mimeType</var>.

   <li><p>Remove trailing U+0020 SPACE <a>code points</a> from <var>mimeType</var>, if any.

   <li><p>Remove the last U+003B (;) <a>code point</a> from <var>mimeType</var>.
  </ol>

 <li><p>If <var>mimeType</var> starts with U+003B (;), then prepend "<code>text/plain</code>"
 to <var>mimeType</var>.

 <li><p>Let <var>mimeTypeRecord</var> be the result of <a lt="parse a MIME type">parsing</a>
 <var>mimeType</var>.

 <li><p>If <var>mimeTypeRecord</var> is failure, then set <var>mimeTypeRecord</var> to
 <code>text/plain;charset=US-ASCII</code>.

 <li><p>Return a new <a><code>data:</code> URL struct</a> whose
 <a for="data: URL struct">MIME type</a> is <var>mimeTypeRecord</var> and
 <a for="data: URL struct">body</a> is <var>body</var>.
</ol>



<h2 id=background-reading class=no-num>Background reading</h2>

<p><em>This section and its subsections are informative only.</em>

<h3 id=http-header-layer-division dfn class=no-num>HTTP header layer division</h3>

<p>For the purposes of fetching, there is an API layer (HTML's
<code>img</code>, CSS' <code>background-image</code>), early fetch layer,
service worker layer, and network &amp; cache layer.
`<code>Accept</code>` and
`<code>Accept-Language</code>` are set in the early fetch layer
(typically by the user agent). Most other headers controlled by the user agent, such as
`<code>Accept-Encoding</code>`,
`<code>Host</code>`, and `<code>Referer</code>`, are
set in the network &amp; cache layer. Developers can set headers either at the API layer
or in the service worker layer (typically through a {{Request}} object).
Developers have almost no control over
<a lt="forbidden header name">forbidden headers</a>, but can control
`<code>Accept</code>` and have the means to constrain and omit
`<code>Referer</code>` for instance.


<h3 id=atomic-http-redirect-handling dfn class=no-num>Atomic HTTP redirect handling</h3>

<p>Redirects (a <a for=/>response</a> whose <a for=response>status</a> or
<a for="filtered response">internal response</a>'s (if any) <a for=response>status</a> is a
<a>redirect status</a>) are not exposed to APIs. Exposing redirects might leak information not
otherwise available through a cross-site scripting attack.

<p id=example-xss-redirect class=example>A fetch to <code>https://example.org/auth</code> that includes a
<code>Cookie</code> marked <code>HttpOnly</code> could result in a redirect to
<code>https://other-origin.invalid/4af955781ea1c84a3b11</code>. This new URL contains a
secret. If we expose redirects that secret would be available through a cross-site
scripting attack.


<h3 id=basic-safe-cors-protocol-setup class=no-num>Basic safe CORS protocol setup</h3>

<p>For resources where data is protected through IP authentication or a firewall
(unfortunately relatively common still), using the <a>CORS protocol</a> is
<strong>unsafe</strong>. (This is the reason why the <a>CORS protocol</a> had to be
invented.)

<p>However, otherwise using the following <a for=/>header</a> is
<strong>safe</strong>:

<pre><code class=lang-http>
Access-Control-Allow-Origin: *
</code></pre>

<p>Even if a resource exposes additional information based on cookie or HTTP
authentication, using the above <a for=/>header</a> will not reveal
it. It will share the resource with APIs such as
{{XMLHttpRequest}}, much like it is already shared with
<code>curl</code> and <code>wget</code>.

<p>Thus in other words, if a resource cannot be accessed from a random device connected to
the web using <code>curl</code> and <code>wget</code> the aforementioned
<a for=/>header</a> is not to be included. If it can be accessed
however, it is perfectly fine to do so.


<h3 id=cors-protocol-and-http-caches class=no-num>CORS protocol and HTTP caches</h3>

<p>If <a>CORS protocol</a> requirements are more complicated than setting
`<a http-header><code>Access-Control-Allow-Origin</code></a>` to <code>*</code> or a static
<a for=/>origin</a>, `<code>Vary</code>` is to be used.
[[!HTML]]
[[!HTTP]] [[!HTTP-SEMANTICS]] [[!HTTP-COND]] [[!HTTP-CACHING]] [[!HTTP-AUTH]]

<pre id=example-vary-origin class=example><code class=lang-http>
Vary: Origin
</code></pre>

<p>In particular, consider what happens if `<code>Vary</code>` is <em>not</em> used and a server is
configured to send `<a http-header><code>Access-Control-Allow-Origin</code></a>` for a certain
resource only in response to a <a>CORS request</a>. When a user agent receives a response to a
non-<a>CORS request</a> for that resource (for example, as the result of a <a>navigation
request</a>), the response will lack `<a http-header><code>Access-Control-Allow-Origin</code></a>`
and the user agent will cache that response. Then, if the user agent subsequently encounters a
<a>CORS request</a> for the resource, it will use that cached response from the previous
non-<a>CORS request</a>, without `<a http-header><code>Access-Control-Allow-Origin</code></a>`.

<p>But if `<code>Vary: Origin</code>` is used in the same scenario described above, it will cause
the user agent to <a for=/>fetch</a> a response that includes
`<a http-header><code>Access-Control-Allow-Origin</code></a>`, rather than using the cached response
from the previous non-<a>CORS request</a> that lacks
`<a http-header><code>Access-Control-Allow-Origin</code></a>`.

<p>However, if `<a http-header><code>Access-Control-Allow-Origin</code></a>` is set to
<code>*</code> or a static <a for=/>origin</a> for a particular resource, then configure the server
to always send `<a http-header><code>Access-Control-Allow-Origin</code></a>` in responses for the
resource — for non-<a>CORS requests</a> as well as <a>CORS
requests</a> — and do not use `<code>Vary</code>`.


<h2 id=acknowledgments class=no-num>Acknowledgments</h2>

<p>Thanks to
Adam Barth,
Adam Lavin,
Alan Jeffrey,
Alexey Proskuryakov,
Andrés Gutiérrez,
Andrew Sutherland,
Ángel González,
Anssi Kostiainen,
Arkadiusz Michalski,
Arne Johannessen,
Artem Skoretskiy,
Arthur Barstow,
Asanka Herath,
Axel Rauschmayer,
Ben Kelly,
Benjamin Gruenbaum,
Benjamin Hawkes-Lewis,
Bert Bos,
Björn Höhrmann,
Boris Zbarsky,
Brad Hill,
Brad Porter,
Bryan Smith,
Caitlin Potter,
Cameron McCormack,
Chris Needham,
Chris Rebert,
Clement Pellerin,
Collin Jackson,
Daniel Robertson,
Daniel Veditz,
Dave Tapuska,
David Benjamin,
David Håsäther,
David Orchard,
Dean Jackson,
Devdatta Akhawe,
Domenic Denicola,
Dominic Farolino,
Dominique Hazaël-Massieux,
Doug Turner,
Douglas Creager,
Eero Häkkinen,
Ehsan Akhgari,
Emily Stark,
Eric Lawrence,
François Marier,
Frank Ellerman,
Frederick Hirsch,
Frederik Braun,
Gary Blackwood,
Gavin Carothers,
Glenn Maynard,
Graham Klyne,
Gregory Terzian,
Hal Lockhart,
Hallvord R. M. Steen,
Harris Hancock,
Henri Sivonen,
Henry Story,
Hiroshige Hayashizaki,
Honza Bambas,
Ian Hickson,
Ilya Grigorik,
isonmad,
Jake Archibald<!-- technically B.J. Archibald -->,
James Graham,
Janusz Majnert,
Jeena Lee,
Jeff Carpenter,
Jeff Hodges,
Jeffrey Yasskin,
Jensen Chappell,
Jesse M. Heines,
Jianjun Chen,
Jinho Bang,
Jochen Eisinger,
John Wilander,
Jonas Sicking,
Jonathan Kingston,
Jonathan Watt,
최종찬 (Jongchan Choi),
Jordan Stephens,
Jörn Zaefferer,
Joseph Pecoraro,
Josh Matthews,
Julian Krispel-Samsel,
Julian Reschke,
송정기 (Jungkee Song),
Jussi Kalliokoski,
Jxck,
Kagami Sascha Rosylight,
Keith Yeung,
Kenji Baheux,
Lachlan Hunt,
Larry Masinter,
Liam Brummitt,
Louis Ryan,
Luca Casonato,
Lucas Gonze,
Łukasz Anforowicz,
呂康豪 (Kang-Hao Lu),
Maciej Stachowiak,
Malisa<!-- malisas; GitHub -->,
Manfred Stock,
Manish Goregaokar,
Marc Silbey,
Marcos Caceres,
Marijn Kruisselbrink,
Mark Nottingham,
Mark S. Miller,
Martin Dürst,
Martin Thomson,
Matt Andrews,
Matt Falkenhagen,
Matt Menke,
Matt Oshry,
Matt Seddon,
Matt Womer,
Mhano Harkness,
Michael Ficarra,
Michael Kohler,
Michael™ Smith,
Mike Pennisi,
Mike West,
Mohamed Zergaoui,
Mohammed Zubair Ahmed<!-- M-ZubairAhmed; GitHub -->,
Moritz Kneilmann,
Ms2ger,
Nico Schlömer,
Nicolás Peña Moreno,
Nikhil Marathe,
Nikki Bee,
Nikunj Mehta,
Odin Hørthe Omdal,
Ondřej Žára,
O. Opsec,
Perry Jiang<!-- perryjiang; Github -->,
Philip Jägenstedt,
R. Auburn,
Raphael Kubo da Costa,
Robert Linder,
Rondinelly,
Rory Hewitt,
Ryan Sleevi,
Samy Kamkar,
Sébastien Cevey,
Sendil Kumar N,
Shao-xuan Kang,
Sharath Udupa,
Shivakumar Jagalur Matt,
Shivani Sharma,
Sigbjørn Finne,
Simon Pieters,
Simon Sapin,
Srirama Chandra Sekhar Mogali,
Stephan Paul,
Steven Salat,
Sunava Dutta,
Surya Ismail,
Tab Atkins-Bittner,
Takashi Toyoshima,
吉野剛史 (Takeshi Yoshino),
Thomas Roessler,
Thomas Steiner,
Thomas Wisniewski,
Tiancheng "Timothy" Gu,
Tobie Langel,
Tom Schuster,
Tomás Aparicio,
triple-underscore<!-- GitHub -->,
保呂毅 (Tsuyoshi Horo),
Tyler Close,
Ujjwal Sharma,
Vignesh Shanmugam,
Vladimir Dzhuvinov,
Wayne Carr,
Xabier Rodríguez,
Yehuda Katz,
Yoav Weiss,
Youenn Fablet<!-- youennf; GitHub -->,
Yoichi Osato,
平野裕 (Yutaka Hirano), and
Zhenbin Xu
for being awesome.

<p>This standard is written by
<a href=https://annevankesteren.nl/ lang=nl>Anne van Kesteren</a>
(<a href=https://www.mozilla.org/>Mozilla</a>,
<a href=mailto:annevk@annevk.nl>annevk@annevk.nl</a>).