Fetch Standard Pull Request #1442 Previe

Fetch Standard Pull Request #1442 Preview
Fetch
PR #1442
PR Preview — Last Updated
27 October 2022
Participate:
GitHub whatwg/fetch
new issue
open issues
Chat on Matrix
Commits:
GitHub whatwg/fetch/commits
Go to the living standard
@fetchstandard
Tests:
web-platform-tests fetch/
ongoing work
Translations
(non-normative)
This is a pull request preview of the standard
This document contains the contents of the standard as modified by
pull request #1442
and should only be used as a preview.
Do not attempt to implement this version of the standard.
Do not reference this version as authoritative in any way.
Instead, see
for the living standard.
Abstract
The Fetch standard defines requests, responses, and the process that binds them: fetching.
Goals
The goal is to unify fetching across the web platform and provide consistent handling of
everything that involves, including:
URL schemes
Redirects
Cross-origin semantics
CSP
[CSP]
Fetch Metadata
[FETCH-METADATA]
Service workers
[SW]
Mixed Content
[MIX]
Upgrade Insecure Requests
[UPGRADE-INSECURE-REQUESTS]
Referer
[REFERRER]
To do so it also supersedes the HTTP `
Origin
` header semantics
originally defined in
The Web Origin Concept
[ORIGIN]
1.
Preface
At a high level, fetching a resource is a fairly simple operation. A request goes in, a
response comes out. The details of that operation are
however quite involved and used to not be written down carefully and differ from one API
to the next.
Numerous APIs provide the ability to fetch a resource, e.g. HTML’s
img
and
script
element, CSS'
cursor
and
list-style-image
the
navigator.sendBeacon()
and
self.importScripts()
JavaScript
APIs. The Fetch Standard provides a unified architecture for these features so they are
all consistent when it comes to various aspects of fetching, such as redirects and the
CORS protocol.
The Fetch Standard also defines the
fetch()
JavaScript API, which
exposes most of the networking functionality at a fairly low level of abstraction.
2.
Infrastructure
This specification depends on the Infra Standard.
[INFRA]
This specification uses terminology from
ABNF
Encoding
HTML
HTTP
MIME Sniffing
Streams
URL
Web IDL
, and
WebSockets
[ABNF]
[ENCODING]
[HTML]
[HTTP]
[MIMESNIFF]
[STREAMS]
[URL]
[WEBIDL]
[WEBSOCKETS]
ABNF
means ABNF as augmented by HTTP (in particular the addition of
and RFC 7405.
[RFC7405]
Credentials
are HTTP cookies, TLS client certificates, and
authentication entries
(for HTTP authentication).
[COOKIES]
[TLS]
[HTTP]
fetch params
is a
struct
used as a bookkeeping detail by the
fetch
algorithm. It has the following
items
request
request
process request body chunk length
(default null)
process request end-of-body
(default null)
process early hints response
(default null)
process response
(default null)
process response end-of-body
(default null)
process response consume body
(default null)
Null or an algorithm.
task destination
(default null)
Null, a
global object
, or a
parallel queue
cross-origin isolated capability
(default false)
A boolean.
controller
(default a new
fetch controller
fetch controller
timing info
fetch timing info
preloaded response candidate
(default null)
Null, "
pending
", or a
response
fetch controller
is a
struct
used to enable callers of
fetch
to perform certain operations on it after it has started. It has the following
items
state
(default "
ongoing
")
ongoing
", "
terminated
", or "
aborted
full timing info
(default null)
Null or a
fetch timing info
report timing steps
(default null)
Null or an algorithm accepting a
global object
serialized abort reason
(default null)
Null or a
Record
(result of
StructuredSerialize
).
next manual redirect steps
(default null)
Null or an algorithm accepting nothing.
To
report timing
for a
fetch controller
controller
given a
global object
global
Assert
this
’s
report timing steps
is not
null.
Call
this
’s
report timing steps
with
global
To
process the next manual redirect
for a
fetch controller
controller
Assert
controller
’s
next manual redirect steps
are not null.
Call
controller
’s
next manual redirect steps
To
extract full timing info
given a
fetch controller
controller
Assert
this
’s
full timing info
is not
null.
Return
this
’s
full timing info
To
abort
fetch controller
controller
with an optional
error
Set
controller
’s
state
to "
aborted
".
Let
fallbackError
be an "
AbortError
DOMException
Set
error
to
fallbackError
if it is not given.
Let
serializedError
be
StructuredSerialize
error
).
If that threw an exception, catch it, and let
serializedError
be
StructuredSerialize
fallbackError
).
Set
controller
’s
serialized abort reason
to
serializedError
To
deserialize a serialized abort reason
, given null or a
Record
abortReason
and a
realm
realm
Let
fallbackError
be an "
AbortError
DOMException
Let
deserializedError
be
fallbackError
If
abortReason
is non-null, then set
deserializedError
to
StructuredDeserialize
abortReason
realm
). If that threw an exception or
returned undefined, then set
deserializedError
to
fallbackError
Return
deserializedError
To
terminate
fetch controller
controller
, set
controller
’s
state
to
terminated
".
fetch params
fetchParams
is
aborted
if
its
controller
’s
state
is
aborted
".
fetch params
fetchParams
is
canceled
if
its
controller
’s
state
is
aborted
" or "
terminated
".
fetch timing info
is a
struct
used to maintain timing
information needed by
Resource Timing
and
Navigation Timing
. It has the
following
items
[RESOURCE-TIMING]
[NAVIGATION-TIMING]
start time
(default 0)
redirect start time
(default 0)
redirect end time
(default 0)
post-redirect start time
(default 0)
final service worker start time
(default 0)
final network-request start time
(default 0)
final network-response start time
(default 0)
end time
(default 0)
DOMHighResTimeStamp
final connection timing info
(default null)
Null or a
connection timing info
server-timing headers
(default « »)
list
of strings.
render-blocking
(default false)
A boolean.
response body info
is a
struct
used to maintain
information needed by
Resource Timing
and
Navigation Timing
. It has the
following
items
[RESOURCE-TIMING]
[NAVIGATION-TIMING]
encoded
size
(default 0)
decoded
size
(default 0)
A number.
To
create an opaque timing info
given a
fetch timing info
timingInfo
, return a new
fetch timing info
whose
start time
and
post-redirect start time
are
timingInfo
’s
start time
To
queue a fetch task
, given an algorithm
algorithm
, a
global object
or a
parallel queue
taskDestination
, run these
steps:
If
taskDestination
is a
parallel queue
, then
enqueue
algorithm
to
taskDestination
Otherwise,
queue a global task
on the
networking task source
with
taskDestination
and
algorithm
To
serialize an integer
, represent it as a string of the shortest possible decimal
number.
This will be replaced by a more descriptive algorithm in Infra. See
infra/201
2.1.
URL
local scheme
is "
about
", "
blob
", or
data
".
URL
is local
if its
scheme
is a
local scheme
This definition is also used by
Referrer Policy
[REFERRER]
An
HTTP(S) scheme
is "
http
" or
https
".
fetch scheme
is "
about
", "
blob
",
data
", "
file
", or an
HTTP(S) scheme
HTTP(S) scheme
and
fetch scheme
are also used by
HTML
[HTML]
2.2.
HTTP
While
fetching
encompasses more than just HTTP, it
borrows a number of concepts from HTTP and applies these to resources obtained via other
means (e.g.,
data
URLs).
An
HTTP tab or space
is U+0009 TAB or U+0020 SPACE.
HTTP whitespace
is U+000A LF, U+000D CR, or an
HTTP tab or space
HTTP whitespace
is only useful for specific constructs that are
reused outside the context of HTTP headers (e.g.,
MIME types
). For HTTP header values,
using
HTTP tab or space
is preferred, and outside that context
ASCII whitespace
is
preferred. Unlike
ASCII whitespace
this excludes U+000C FF.
An
HTTP newline byte
is 0x0A (LF) or 0x0D (CR).
An
HTTP tab or space byte
is 0x09 (HT) or 0x20 (SP).
An
HTTP whitespace byte
is an
HTTP newline byte
or
HTTP tab or space byte
To
collect an HTTP quoted string
from a
string
input
, given a
position variable
position
and optionally an
extract-value flag
, run these steps:
Let
positionStart
be
position
Let
value
be the empty string.
Assert: the
code point
at
position
within
input
is U+0022 (").
Advance
position
by 1.
While true:
Append the result of
collecting a sequence of code points
that are not U+0022 (")
or U+005C (\) from
input
, given
position
, to
value
If
position
is past the end of
input
, then
break
Let
quoteOrBackslash
be the
code point
at
position
within
input
Advance
position
by 1.
If
quoteOrBackslash
is U+005C (\), then:
If
position
is past the end of
input
, then append U+005C (\) to
value
and
break
Append the
code point
at
position
within
input
to
value
Advance
position
by 1.
Otherwise:
Assert:
quoteOrBackslash
is U+0022 (").
Break
If the
extract-value flag
is set, then return
value
Return the
code points
from
positionStart
to
position
inclusive, within
input
Input
Output
Output with the
extract-value flag
set
Final
position variable
value
"\
"\
"Hello"
World
"Hello"
Hello
"Hello \\ World\""
"Hello \\ World\""
Hello \ World"
18
The
position variable
always starts at 0 in these examples.
2.2.1.
Methods
method
is a
byte sequence
that matches the
method
token production.
CORS-safelisted method
is a
method
that is `
GET
`,
HEAD
`, or `
POST
`.
forbidden method
is a
method
that is a
byte-case-insensitive
match for `
CONNECT
`,
TRACE
`, or `
TRACK
`.
[HTTPVERBSEC1]
[HTTPVERBSEC2]
[HTTPVERBSEC3]
To
normalize
method
, if it is a
byte-case-insensitive
match for `
DELETE
`, `
GET
`,
HEAD
`, `
OPTIONS
`, `
POST
`, or
PUT
`,
byte-uppercase
it.
Normalization
is
done for backwards compatibility and consistency across APIs as
methods
are actually "case-sensitive".
Using `
patch
` is highly likely to result in a
405 Method Not Allowed
`. `
PATCH
` is much more likely to
succeed.
There are no restrictions on
methods
CHICKEN
` is perfectly acceptable (and not a misspelling of
CHECKIN
`). Other than those that are
normalized
there are no casing restrictions either.
Egg
` or `
eGg
` would be fine, though uppercase is encouraged
for consistency.
2.2.2.
Headers
header list
is a
list
of zero or more
headers
. It is initially the empty list.
header list
is essentially a
specialized multimap: an ordered list of key-value pairs with potentially duplicate keys.
To
get a structured field value
given a
header name
name
and a string
type
from a
header list
list
, run these steps:
Assert:
type
is one of "
dictionary
", "
list
", or
item
".
Let
value
be the result of
getting
name
from
list
If
value
is null, then return null.
Let
result
be the result of
parsing structured fields
with
input_string
set to
value
and
header_type
set to
type
If parsing failed, then return null.
Return
result
Get a structured field value
intentionally does not distinguish between a
header
not being present and its
value
failing to parse as a
structured field value
. This ensures uniform processing across the web platform.
To
set a structured field value
given a
tuple
header name
name
structured field value
structuredValue
), in a
header list
list
, run these steps:
Let
serializedValue
be the result of executing the
serializing structured fields
algorithm on
structuredValue
Set
name
serializedValue
) in
list
Structured field values
are defined as objects which HTTP can (eventually)
serialize in interesting and efficient ways. For the moment, Fetch only supports
header values
as
byte sequences
, which means that these objects can be set in
header lists
only via serialization, and they can be obtained from
header lists
only by parsing. In the future the fact that they are objects might be
preserved end-to-end.
[RFC8941]
header list
list
contains
header name
name
if
list
contains
header
whose
name
is a
byte-case-insensitive
match for
name
To
get
header name
name
from a
header list
list
, run these steps:
If
list
does not contain
name
, then return
null.
Return the
values
of all
headers
in
list
whose
name
is a
byte-case-insensitive
match for
name
, separated
from each other by 0x2C 0x20, in order.
To
get, decode, and split
header name
name
from
header list
list
, run these
steps:
Let
initialValue
be the result of
getting
name
from
list
If
initialValue
is null, then return null.
Let
input
be the result of
isomorphic decoding
initialValue
Let
position
be a
position variable
for
input
initially pointing at the start of
input
Let
values
be a
list
of
strings
, initially empty.
Let
value
be the empty string.
While
position
is not past the end of
input
Append the result of
collecting a sequence of code points
that are not U+0022 (") or
U+002C (,) from
input
, given
position
, to
value
The result might be the empty string.
If
position
is not past the end of
input
, then:
If the
code point
at
position
within
input
is
U+0022 ("), then:
Append the result of
collecting an HTTP quoted string
from
input
given
position
, to
value
If
position
is not past the end of
input
, then
continue
Otherwise:
Assert: the
code point
at
position
within
input
is
U+002C (,).
Advance
position
by 1.
Remove all
HTTP tab or space
from the start and end of
value
Append
value
to
values
Set
value
to the empty string.
Return
values
This is how
get, decode, and split
functions in practice with `
` as the
name
argument:
Headers (as on the network)
Output
A: nosniff,
« "
nosniff
", "" »
A: nosniff
B: sniff
A:
A: text/html;", x/x
« "
text/html;", x/x
" »
A: text/html;"
A: x/x
A: x/x;test="hi",y/y
« "
x/x;test="hi"
", "
y/y
" »
A: x/x;test="hi"
C: **bingo**
A: y/y
A: x / x,,,1
« "
x / x
", "", "", "
" »
A: x / x
A: ,
A: 1
A: "1,2", 3
« "
"1,2"
", "
" »
A: "1,2"
D: 4
A: 3
To
append
header
name
value
) to a
header list
list
, run these steps:
If
list
contains
name
, then set
name
to the first such
header
’s
name
This reuses the casing of the
name
of the
header
already in
list
, if any. If there are multiple matched
headers
their
names
will all be identical.
Append
name
value
) to
list
To
delete
header name
name
from a
header list
list
remove
all
headers
whose
name
is a
byte-case-insensitive
match for
name
from
list
To
set
header
name
value
) in a
header list
list
, run these steps:
If
list
contains
name
, then set the
value
of the first such
header
to
value
and
remove
the others.
Otherwise,
append
header
name
value
) to
list
To
combine
header
name
value
) in a
header list
list
, run these steps:
If
list
contains
name
, then set the
value
of the first such
header
to its
value
followed by 0x2C 0x20, followed by
value
Otherwise,
append
name
value
) to
list
Combine
is used by
XMLHttpRequest
and the
WebSocket protocol handshake
To
convert header names to a sorted-lowercase set
, given a
list
of
names
headerNames
, run these steps:
Let
headerNamesSet
be a new
ordered set
For each
name
of
headerNames
append
the result of
byte-lowercasing
name
to
headerNamesSet
Return the result of
sorting
headerNamesSet
in ascending order
with
byte less than
To
sort and combine
header list
list
, run these steps:
Let
headers
be an empty
list
of
headers
with the key
being the
name
and value the
value
Let
names
be the result of
convert header names to a sorted-lowercase set
with all the
names
of the
headers
in
list
For each
name
in
names
Let
value
be the result of
getting
name
from
list
Assert:
value
is not null.
Append
name
value
) to
headers
Return
headers
header
is a
tuple
that consists of a
name
(a
header name
) and
value
(a
header value
).
header name
is a
byte sequence
that matches the
field-name
token production.
header value
is a
byte sequence
that matches the following
conditions:
Has no leading or trailing
HTTP tab or space bytes
Contains no 0x00 (NUL) or
HTTP newline bytes
The definition of
header value
is not defined in terms of an HTTP token
production as
it is broken
To
normalize
byte sequence
potentialValue
, remove any leading and trailing
HTTP whitespace bytes
from
potentialValue
To determine whether a
header
name
value
is a
CORS-safelisted request-header
, run these steps:
If
value
’s
length
is greater than 128, then return
false.
Byte-lowercase
name
and switch on the result:
accept
If
value
contains a
CORS-unsafe request-header byte
, then return false.
accept-language
content-language
If
value
contains a byte that is not in the range 0x30 (0) to 0x39 (9),
inclusive, is not in the range 0x41 (A) to 0x5A (Z), inclusive, is not in the range 0x61 (a) to
0x7A (z), inclusive, and is not 0x20 (SP), 0x2A (*), 0x2C (,), 0x2D (-), 0x2E (.), 0x3B (;), or
0x3D (=), then return false.
content-type
If
value
contains a
CORS-unsafe request-header byte
, then return
false.
Let
mimeType
be the result of
parsing
value
If
mimeType
is failure, then return false.
If
mimeType
’s
essence
is not
application/x-www-form-urlencoded
", "
multipart/form-data
", or
text/plain
", then return false.
This intentionally does not use
extract a MIME type
as that algorithm is
rather forgiving and servers are not expected to implement it.
If
extract a MIME type
were used the following request would not result in a CORS
preflight and a naïve parser on the server might treat the request body as JSON:
fetch
"https://victim.example/naïve-endpoint"
method
"POST"
headers
"Content-Type"
"application/json"
],
"Content-Type"
"text/plain"
],
credentials
"include"
body
JSON
stringify
exerciseForTheReader
});
range
Let
rangeValue
be the result of
parsing a single range header value
given
value
If
rangeValue
is failure, then return false.
If
rangeValue
[0] is null, then return false.
As web browsers have historically not emitted ranges such as
bytes=-500
` this algorithm does not safelist them.
Otherwise
Return false.
Return true.
There are limited exceptions to the `
Content-Type
` header safelist, as
documented in
CORS protocol exceptions
CORS-unsafe request-header byte
is a byte
byte
for which one of the
following is true:
byte
is less than 0x20 and is not 0x09 HT
byte
is 0x22 ("), 0x28 (left parenthesis), 0x29 (right parenthesis), 0x3A (:),
0x3C (<), 0x3E (>), 0x3F (?), 0x40 (@), 0x5B ([), 0x5C (\), 0x5D (]), 0x7B ({), 0x7D (}), or
0x7F DEL.
The
CORS-unsafe request-header names
, given a
header list
headers
, are determined as follows:
Let
unsafeNames
be a new
list
Let
potentiallyUnsafeNames
be a new
list
Let
safelistValueSize
be 0.
For each
header
of
headers
If
header
is not a
CORS-safelisted request-header
, then
append
header
’s
name
to
unsafeNames
Otherwise,
append
header
’s
name
to
potentiallyUnsafeNames
and increase
safelistValueSize
by
header
’s
value
’s
length
If
safelistValueSize
is greater than 1024, then
for each
name
of
potentiallyUnsafeNames
append
name
to
unsafeNames
Return the result of
convert header names to a sorted-lowercase set
with
unsafeNames
CORS non-wildcard request-header name
is a
header name
that is a
byte-case-insensitive
match for `
Authorization
`.
privileged no-CORS request-header name
is a
header name
that is
byte-case-insensitive
match for one of
Range
`.
These are headers that can be set by privileged APIs, and will be preserved if their associated
request object is copied, but will be removed if the request is modified by unprivileged APIs.
Range
` headers are commonly used by
downloads
and
media fetches
, although neither of these currently specify
how.
html/2914
aims to solve this.
A helper is provided to
add a range header
to a particular request.
CORS-safelisted response-header name
, given a
list
of
header names
list
, is a
header name
that is a
byte-case-insensitive
match for one of
Cache-Control
Content-Language
Content-Length
Content-Type
Expires
Last-Modified
Pragma
Any
item
in
list
that is not a
forbidden response-header name
no-CORS-safelisted request-header name
is a
header name
that
is a
byte-case-insensitive
match for one of
Accept
Accept-Language
Content-Language
Content-Type
To determine whether a
header
header
is a
no-CORS-safelisted request-header
, run these steps:
If
header
’s
name
is not a
no-CORS-safelisted request-header name
, then return false.
Return whether
header
is a
CORS-safelisted request-header
forbidden header name
is a
header name
that is a
byte-case-insensitive
match for one of
Accept-Charset
Accept-Encoding
Access-Control-Request-Headers
Access-Control-Request-Method
Connection
Content-Length
Cookie2
Date
DNT
Expect
Host
Keep-Alive
Origin
Referer
Set-Cookie
TE
Trailer
Transfer-Encoding
Upgrade
Via
or a
header name
that when
byte-lowercased
starts with
proxy-
` or `
sec-
`.
These are forbidden so the user agent remains in full control over them.
Header names
starting with `
Sec-
` are reserved to allow new
headers
to be minted that are safe from APIs using
fetch
that allow
control over
headers
by developers, such as
XMLHttpRequest
[XHR]
The `
Set-Cookie
` header is semantically a response header, so it is not useful on
requests. Because `
Set-Cookie
` headers cannot be combined, they require more complex
handling in the
Headers
object. It is forbidden here to avoid leaking this complexity into
requests.
forbidden response-header name
is a
header name
that is a
byte-case-insensitive
match for one of:
Set-Cookie
Set-Cookie2
request-body-header name
is a
header name
that is a
byte-case-insensitive
match for one of:
Content-Encoding
Content-Language
Content-Location
Content-Type
To
extract header values
given a
header
header
, run these steps:
If parsing
header
’s
value
, per the
ABNF
for
header
’s
name
, fails, then return failure.
Return one or more
values
resulting from parsing
header
’s
value
, per the
ABNF
for
header
’s
name
To
extract header list values
given a
header name
name
and a
header list
list
run these steps:
If
list
does not contain
name
, then return
null.
If the
ABNF
for
name
allows a single
header
and
list
contains
more than one, then return failure.
If different error handling is needed, extract the desired
header
first.
Let
values
be an empty
list
For each
header
header
list
contains
whose
name
is
name
Let
extract
be the result of
extracting header values
from
header
If
extract
is failure, then return failure.
Append each
value
in
extract
, in order, to
values
Return
values
To
parse a single range header value
from a
byte sequence
value
, run these steps:
Let
data
be the
isomorphic decoding
of
value
If
data
does not
start with
bytes=
", then return
failure.
Let
position
be a
position variable
for
data
, initially
pointing at the 6th
code point
of
data
Let
rangeStart
be the result of
collecting a sequence of code points
that
are
ASCII digits
, from
data
given
position
Let
rangeStartValue
be
rangeStart
, interpreted as decimal number, if
rangeStart
is not the empty string; otherwise null.
If the
code point
at
position
within
data
is not U+002D (-),
then return failure.
Advance
position
by 1.
Let
rangeEnd
be the result of
collecting a sequence of code points
that
are
ASCII digits
, from
data
given
position
Let
rangeEndValue
be
rangeEnd
, interpreted as decimal number, if
rangeEnd
is not the empty string; otherwise null.
If
position
is not past the end of
data
, then return failure.
If
rangeEndValue
and
rangeStartValue
are null, then return failure.
If
rangeStartValue
and
rangeEndValue
are numbers, and
rangeStartValue
is greater than
rangeEndValue
, then return failure.
Return (
rangeStartValue
rangeEndValue
).
The range end or start can be omitted, e.g., `
bytes=0-
` or
bytes=-500
` are valid ranges.
Parse a single range header value
succeeds for a subset of allowed range header
values, but it is the most common form used by user agents when requesting media or resuming
downloads. This format of range header value can be set using
add a range header
default `
User-Agent
` value
is an
implementation-defined
header value
for the `
User-Agent
header
2.2.3.
Statuses
status
is an integer in the range 0 to 999, inclusive.
Various edge cases in mapping HTTP/1’s
status-code
to this concept are
worked on in
issue #1156
null body status
is a
status
that is 101, 103, 204, 205, or 304.
An
ok status
is a
status
in the range 200 to 299, inclusive.
redirect status
is a
status
that is 301, 302, 303, 307, or 308.
2.2.4.
Bodies
body
consists of:
stream
(a
ReadableStream
object).
source
(null, a
byte sequence
, a
Blob
object, or a
FormData
object), initially null.
length
(null or an integer),
initially null.
To
clone
body
body
, run these steps:
Let «
out1
out2
» be the result of
teeing
body
’s
stream
Set
body
’s
stream
to
out1
Return a
body
whose
stream
is
out2
and other members are copied from
body
To get a
byte sequence
bytes
as a body
, return the
body
of the
result of
safely extracting
bytes
To
incrementally read
body
body
, given an
algorithm
processBodyChunk
, an algorithm
processEndOfBody
, an algorithm
processBodyError
, and an optional null,
parallel queue
, or
global object
taskDestination
(default null), run these steps.
processBodyChunk
must be an algorithm accepting a
byte sequence
processEndOfBody
must be an algorithm accepting no arguments.
processBodyError
must be an algorithm accepting an exception.
If
taskDestination
is null, then set
taskDestination
to the result of
starting a new parallel queue
Let
reader
be the result of
getting a reader
for
body
’s
stream
This operation will not throw an exception.
Perform the
incrementally-read loop
given
reader
taskDestination
processBodyChunk
processEndOfBody
, and
processBodyError
To perform the
incrementally-read loop
, given a
ReadableStreamDefaultReader
object
reader
parallel queue
or
global object
taskDestination
, algorithm
processBodyChunk
, algorithm
processEndOfBody
, and algorithm
processBodyError
Let
readRequest
be the following
read request
chunk steps
, given
chunk
Let
continueAlgorithm
be null.
If
chunk
is not a
Uint8Array
object, then set
continueAlgorithm
to this step: run
processBodyError
given a
TypeError
Otherwise:
Let
bytes
be a
copy of
chunk
Implementations are strongly encouraged to use an implementation strategy that
avoids this copy where possible.
Set
continueAlgorithm
to these steps:
Run
processBodyChunk
given
bytes
Perform the
incrementally-read loop
given
reader
taskDestination
processBodyChunk
processEndOfBody
, and
processBodyError
Queue a fetch task
given
continueAlgorithm
and
taskDestination
close steps
Queue a fetch task
given
processEndOfBody
and
taskDestination
error steps
, given
Queue a fetch task
to run
processBodyError
given
with
taskDestination
Read a chunk
from
reader
given
readRequest
To
fully read
body
body
, given an algorithm
processBody
, an algorithm
processBodyError
, and an optional null,
parallel queue
, or
global object
taskDestination
(default
null), run these steps.
processBody
must be an algorithm accepting a
byte sequence
processBodyError
must be an algorithm accepting no arguments.
If
taskDestination
is null, then set
taskDestination
to the result of
starting a new parallel queue
Let
promise
be the result of
fully reading body as promise
given
body
Let
fulfilledSteps
given a
byte sequence
bytes
be to
queue a fetch task
to run
processBody
given
bytes
, with
taskDestination
Let
rejectedSteps
be to
queue a fetch task
to run
processBodyError
, with
taskDestination
React
to
promise
with
fulfilledSteps
and
rejectedSteps
To
fully read body as promise
, given a
body
body
, run these steps:
Let
reader
be the result of
getting a reader
for
body
’s
stream
. If that threw an exception, then return
a promise rejected with
that exception.
Return the result of
reading all bytes
from
reader
body with type
is a
tuple
that consists of a
body
(a
body
) and a
type
(a
header value
or null).
To
handle content codings
given
codings
and
bytes
, run
these steps:
If
codings
are not supported, then return
bytes
Return the result of decoding
bytes
with
codings
as explained in HTTP,
if decoding does not result in an error, and failure otherwise.
[HTTP]
2.2.5.
Requests
The input to
fetch
is a
request
request
has an associated
method
(a
method
). Unless stated otherwise it is
GET
`.
This can be updated during redirects to `
GET
` as
described in
HTTP fetch
request
has an associated
URL
(a
URL
).
Implementations are encouraged to make this a pointer to the first
URL
in
request
’s
URL list
. It is provided as a distinct
field solely for the convenience of other standards hooking into Fetch.
request
has an associated
local-URLs-only flag
. Unless stated otherwise it is
unset.
request
has an associated
header list
(a
header list
). Unless stated otherwise it is empty.
request
has an associated
unsafe-request flag
. Unless stated otherwise it
is unset.
The
unsafe-request flag
is set by APIs such as
fetch()
and
XMLHttpRequest
to ensure a
CORS-preflight fetch
is done based on the supplied
method
and
header list
. It does
not free an API from outlawing
forbidden methods
and
forbidden header names
request
has an associated
body
(null, a
byte sequence
, or a
body
). Unless stated otherwise it is null.
byte sequence
will be
safely extracted
into a
body
early on in
fetch
. As part of
HTTP fetch
it is possible
for this field to be set to null due to certain redirects.
request
has an associated
client
(null or an
environment settings object
).
request
has an associated
reserved client
(null, an
environment
, or an
environment settings object
). Unless stated otherwise it is null.
This is only used by
navigation requests
and worker
requests, but not service worker requests. It references an
environment
for a
navigation request
and an
environment settings object
for a worker request.
request
has an associated
replaces client id
(a string). Unless stated otherwise it is the empty string.
This is only used by
navigation requests
. It is the
id
of the
target browsing context
’s
active document
’s
environment settings object
request
has an associated
window
("
no-window
", "
client
", or an
environment settings object
whose
global object
is a
Window
object). Unless stated otherwise it is
client
".
The "
client
" value is changed to "
no-window
" or
request
’s
client
during
fetching
. It provides a convenient way for standards to not have to
explicitly set
request
’s
window
request
has an associated boolean
keepalive
. Unless stated otherwise it is
false.
This can be used to allow the request to outlive the
environment settings object
, e.g.,
navigator.sendBeacon
and the HTML
img
element set this flag. Requests with
this flag set are subject to additional processing requirements.
request
has an associated
initiator type
, which is null,
audio
",
beacon
",
body
",
css
",
early-hint
",
embed
",
fetch
",
font
",
frame
",
iframe
",
image
",
img
",
input
",
link
",
object
",
ping
",
script
",
track
",
video
",
xmlhttprequest
", or
other
". Unless stated otherwise it is null.
[RESOURCE-TIMING]
request
has an associated
service-workers mode
, that
is "
all
" or "
none
". Unless stated otherwise it is "
all
".
This determines which service workers will receive a
fetch
event for this fetch.
all
Relevant service workers will get a
fetch
event for this fetch.
none
No service workers will get events for this fetch.
request
has an associated
initiator
, which is
the empty string,
",
imageset
",
manifest
",
prefetch
",
prerender
", or
xslt
". Unless stated otherwise it is the empty string.
request
’s
initiator
is not particularly granular for
the time being as other specifications do not require it to be. It is primarily a
specification device to assist defining CSP and Mixed Content. It is not exposed to
JavaScript.
[CSP]
[MIX]
request
has an associated
destination
, which is
the empty string,
audio
",
audioworklet
",
document
",
embed
",
font
",
frame
",
iframe
",
image
",
manifest
",
object
",
paintworklet
",
report
",
script
",
serviceworker
",
sharedworker
",
style
",
track
",
video
",
webidentity
",
worker
", or
xslt
". Unless stated otherwise it is the empty string.
These are reflected on
RequestDestination
except for "
serviceworker
and "
webidentity
" as fetches with those destinations skip service workers.
request
’s
destination
is
script-like
if it is "
audioworklet
",
paintworklet
", "
script
", "
serviceworker
",
sharedworker
", or "
worker
".
Algorithms that use
script-like
should also consider
xslt
" as that too can cause script execution. It is not included in the list as it is
not always relevant and might require different behavior.
The following table illustrates the relationship between a
request
’s
initiator
destination
, CSP directives, and features. It is
not exhaustive with respect to features. Features need to have the relevant values defined in their
respective standards.
Initiator
Destination
CSP directive
Features
""
report
CSP, NEL reports.
document
HTML’s navigate algorithm (top-level only).
frame
child-src
HTML’s

iframe
child-src
HTML’s
 "" connect-src navigator.sendBeacon() EventSource HTML’s <a ping=""> and <area ping=""> fetch() XMLHttpRequest WebSocket , Cache API object object-src HTML’s <object> embed object-src HTML’s <embed> audio media-src HTML’s <audio> font font-src CSS' @font-face image img-src HTML’s <img src> /favicon.ico resource, SVG’s <image> , CSS' background-image , CSS' cursor , CSS' list-style-image , … audioworklet script-src audioWorklet.addModule() paintworklet script-src CSS.paintWorklet.addModule() script script-src HTML’s <script> importScripts() serviceworker child-src script-src worker-src navigator.serviceWorker.register() sharedworker child-src script-src worker-src SharedWorker webidentity connect-src Federated Credential Management requests worker child-src script-src worker-src Worker style style-src HTML’s <link rel=stylesheet> , CSS' @import track media-src HTML’s <track> video media-src HTML’s <video> element "" HTML’s download="" , "Save Link As…" UI imageset image img-src HTML’s <img srcset> and <picture> manifest manifest manifest-src HTML’s <link rel=manifest> prefetch "" prefetch-src HTML’s <link rel=prefetch> prerender HTML’s <link rel=prerender> xslt xslt script-src <?xml-stylesheet> CSP’s form-action needs to be a hook directly in HTML’s navigate or form submission algorithm. CSP will also need to check request ’s client ’s global object ’s browsing context ’s ancestor browsing contexts for various CSP directives. request has an associated priority (null or a user-agent-defined object). Unless otherwise stated it is null. request has an associated origin , which is client " or an origin . Unless stated otherwise it is client ". client " is changed to an origin during fetching . It provides a convenient way for standards to not have to set request ’s origin request has an associated policy container , which is client " or a policy container . Unless stated otherwise it is client ". client " is changed to a policy container during fetching . It provides a convenient way for standards to not have to set request ’s policy container request has an associated referrer , which is no-referrer ", " client ", or a URL . Unless stated otherwise it is " client ". client " is changed to " no-referrer " or a URL during fetching . It provides a convenient way for standards to not have to set request ’s referrer request has an associated referrer policy , which is a referrer policy . Unless stated otherwise it is the empty string. [REFERRER] This can be used to override the referrer policy to be used for this request request has an associated mode , which is same-origin ", " cors ", " no-cors ", navigate ", or " websocket ". Unless stated otherwise, it is no-cors ". same-origin Used to ensure requests are made to same-origin URLs. Fetch will return a network error if the request is not made to a same-origin URL. cors For requests whose response tainting gets set to " cors ", makes the request a CORS request — in which case, fetch will return a network error if the requested resource does not understand the CORS protocol , or if the requested resource is one that intentionally does not participate in the CORS protocol no-cors Restricts requests to using CORS-safelisted methods and CORS-safelisted request-headers . Upon success, fetch will return an opaque filtered response navigate This is a special mode used only when navigating between documents. websocket This is a special mode used only when establishing a WebSocket connection Even though the default request mode is " no-cors ", standards are highly discouraged from using it for new features. It is rather unsafe. request has an associated use-CORS-preflight flag . Unless stated otherwise, it is unset. The use-CORS-preflight flag being set is one of several conditions that results in a CORS-preflight request . The use-CORS-preflight flag is set if either one or more event listeners are registered on an XMLHttpRequestUpload object or if a ReadableStream object is used in a request. request has an associated credentials mode which is " omit ", " same-origin ", or include ". Unless stated otherwise, it is " same-origin ". omit Excludes credentials from this request, and causes any credentials sent back in the response to be ignored. same-origin Include credentials with requests made to same-origin URLs, and use any credentials sent back in responses from same-origin URLs. include Always includes credentials with this request, and always use any credentials sent back in the response. Request ’s credentials mode controls the flow of credentials during a fetch . When request ’s mode is " navigate ", its credentials mode is assumed to be " include " and fetch does not currently account for other values. If HTML changes here, this standard will need corresponding changes. request has an associated use-URL-credentials flag Unless stated otherwise, it is unset. When this flag is set, when a request ’s URL has a username and password , and there is an available authentication entry for the request , then the URL ’s credentials are preferred over that of the authentication entry . Modern specifications avoid setting this flag, since putting credentials in URLs is discouraged, but some older features set it for compatibility reasons. request has an associated cache mode , which is default ", " no-store ", " reload ", no-cache ", " force-cache ", or only-if-cached ". Unless stated otherwise, it is " default ". default Fetch will inspect the HTTP cache on the way to the network. If the HTTP cache contains a matching fresh response it will be returned. If the HTTP cache contains a matching stale-while-revalidate response it will be returned, and a conditional network fetch will be made to update the entry in the HTTP cache. If the HTTP cache contains a matching stale response , a conditional network fetch will be returned to update the entry in the HTTP cache. Otherwise, a non-conditional network fetch will be returned to update the entry in the HTTP cache. [HTTP] [HTTP-CACHING] [STALE-WHILE-REVALIDATE] no-store Fetch behaves as if there is no HTTP cache at all. reload Fetch behaves as if there is no HTTP cache on the way to the network. Ergo, it creates a normal request and updates the HTTP cache with the response. no-cache Fetch creates a conditional request if there is a response in the HTTP cache and a normal request otherwise. It then updates the HTTP cache with the response. force-cache Fetch uses any response in the HTTP cache matching the request, not paying attention to staleness. If there was no response, it creates a normal request and updates the HTTP cache with the response. only-if-cached Fetch uses any response in the HTTP cache matching the request, not paying attention to staleness. If there was no response, it returns a network error. (Can only be used when request ’s mode is same-origin ". Any cached redirects will be followed assuming request ’s redirect mode is " follow " and the redirects do not violate request ’s mode .) If header list contains If-Modified-Since `, If-None-Match `, If-Unmodified-Since `, If-Match `, or If-Range `, fetch will set cache mode to " no-store " if it is default ". request has an associated redirect mode , which is follow ", " error ", or " manual ". Unless stated otherwise, it is " follow ". follow Follow all redirects incurred when fetching a resource. error Return a network error when a request is met with a redirect. manual Retrieves an opaque-redirect filtered response when a request is met with a redirect, to allow a service worker to replay the redirect offline. The response is otherwise indistinguishable from a network error , to not violate atomic HTTP redirect handling request has associated integrity metadata (a string). Unless stated otherwise, it is the empty string. request has associated cryptographic nonce metadata (a string). Unless stated otherwise, it is the empty string. request has associated parser metadata which is the empty string, " parser-inserted ", or not-parser-inserted ". Unless otherwise stated, it is the empty string. request ’s cryptographic nonce metadata and parser metadata are generally populated from attributes and flags on the HTML element responsible for creating a request . They are used by various algorithms in Content Security Policy to determine whether requests or responses are to be blocked in a given context. [CSP] request has an associated reload-navigation flag Unless stated otherwise, it is unset. This flag is for exclusive use by HTML’s navigate algorithm. [HTML] request has an associated history-navigation flag Unless stated otherwise, it is unset. This flag is for exclusive use by HTML’s navigate algorithm. [HTML] request has an associated boolean user-activation Unless stated otherwise, it is false. This is for exclusive use by HTML’s navigate algorithm. [HTML] request has an associated boolean render-blocking Unless stated otherwise, it is false. This flag is for exclusive use by HTML’s render-blocking mechanism. [HTML] request has an associated no-cors media request state ... This is for exclusive use by the opaque-response-safelist check request has an associated no-cors JavaScript fallback encoding (an encoding ). Unless stated otherwise, it is UTF-8 This is for exclusive use by the opaque-response-safelist check request has an associated URL list (a list of one or more URLs ). Unless stated otherwise, it is a list containing a copy of request ’s URL request has an associated current URL . It is a pointer to the last URL in request ’s URL list request has an associated redirect count Unless stated otherwise, it is zero. request has an associated response tainting which is " basic ", " cors ", or " opaque ". Unless stated otherwise, it is " basic ". request has an associated prevent no-cache cache-control header modification flag Unless stated otherwise, it is unset. request has an associated done flag Unless stated otherwise, it is unset. request has an associated timing allow failed flag . Unless stated otherwise, it is unset. request ’s URL list current URL redirect count response tainting done flag , and timing allow failed flag are used as bookkeeping details by the fetch algorithm. subresource request is a request whose destination is " audio ", " audioworklet ", font ", " image ", " manifest ", " paintworklet ", script ", " style ", " track ", " video ", xslt ", or the empty string. non-subresource request is a request whose destination is " document ", " embed ", frame ", " iframe ", " object ", " report ", serviceworker ", " sharedworker ", or " worker ". navigation request is a request whose destination is document ", " embed ", " frame ", " iframe ", or " object ". See handle fetch for usage of these terms. [SW] request request has a redirect-tainted origin if these steps return true: Let lastURL be null. For each url in request ’s URL list If lastURL is null, then set lastURL to url and continue If url ’s origin is not same origin with lastURL ’s origin and request ’s origin is not same origin with lastURL ’s origin , then return true. Set lastURL to url Return false. Serializing a request origin , given a request request , is to run these steps: If request has a redirect-tainted origin , then return null ". Return request ’s origin serialized Byte-serializing a request origin , given a request request is to return the result of serializing a request origin with request isomorphic encoded To clone request request , run these steps: Let newRequest be a copy of request , except for its body If request ’s body is non-null, set newRequest ’s body to the result of cloning request ’s body Return newRequest To add a range header to a request request , with an integer first , and an optional integer last , run these steps: Assert: last is not given, or first is less than or equal to last Let rangeValue be ` bytes= `. Serialize and isomorphic encode first and append the result to rangeValue Append 0x2D (-) to rangeValue If last is given, then serialize and isomorphic encode it, and append the result to rangeValue Append (` Range `, rangeValue ) to request ’s header list A range header denotes an inclusive byte range. There a range header where first is 0 and last is 500, is a range of 501 bytes. Features that combine multiple responses into one logical resource are historically a source of security bugs. Please seek security review for features that deal with partial responses. To serialize a response URL for reporting , given a response response , run these steps: Assert: response ’s URL list is not empty Let url be a copy of response ’s URL list ’s first element. This is not response ’s URL in order to avoid leaking information about redirect targets (see similar considerations for CSP reporting too). [CSP] Set the username given url and the empty string. Set the password given url and the empty string. Return the serialization of url with exclude fragment set to true. To check if Cross-Origin-Embedder-Policy allows credentials , given a request request , run these steps: If request ’s mode is not " no-cors ", then return true. If request ’s client is null, then return true. If request ’s client ’s policy container ’s embedder policy ’s value is not credentialless ", then return true. If request ’s origin is same origin with request ’s current URL ’s origin and request does not have a redirect-tainted origin , then return true. Return false. 2.2.6. Responses The result of fetch is a response . A response evolves over time. That is, not all its fields are available straight away. response has an associated type which is basic ", cors ", default ", error ", opaque ", or opaqueredirect ". Unless stated otherwise, it is " default ". response can have an associated aborted flag , which is initially unset. This indicates that the request was intentionally aborted by the developer or end-user. response has an associated URL . It is a pointer to the last URL in response ’s URL list and null if response ’s URL list is empty response has an associated URL list (a list of zero or more URLs ). Unless stated otherwise, it is the empty list. Except for the last URL , if any, a response ’s URL list is not exposed to script as that would violate atomic HTTP redirect handling response has an associated status , which is a status Unless stated otherwise it is 200. response has an associated status message . Unless stated otherwise it is the empty byte sequence. Responses over an HTTP/2 connection will always have the empty byte sequence as status message as HTTP/2 does not support them. response has an associated header list (a header list ). Unless stated otherwise it is empty. response has an associated body (null or a body ). Unless stated otherwise it is null. The source and length concepts of a network’s response ’s body are always null. response has an associated cache state (the empty string, local ", or " validated "). Unless stated otherwise, it is the empty string. This is intended for usage by Service Workers and Resource Timing [SW] [RESOURCE-TIMING] response has an associated CORS-exposed header-name list (a list of zero or more header names ). The list is empty unless otherwise specified. response will typically get its CORS-exposed header-name list set by extracting header values from the Access-Control-Expose-Headers ` header. This list is used by a CORS filtered response to determine which headers to expose. response has an associated range-requested flag , which is initially unset. This is used to prevent a partial response from an earlier ranged request being provided to an API that didn’t make a range request. See the flag’s usage for a detailed description of the attack. response has an associated request-includes-credentials (a boolean), which is initially true. response has an associated timing allow passed flag , which is initially unset. This is used so that the caller to a fetch can determine if sensitive timing data is allowed on the resource fetched by looking at the flag of the response returned. Because the flag on the response of a redirect has to be set if it was set for previous responses in the redirect chain, this is also tracked internally using the request’s timing allow failed flag response has an associated body info (a response body info ). Unless stated otherwise, it is a new response body info response has an associated service worker timing info (null or a service worker timing info ), which is initially null. response has an associated has-cross-origin-redirects (a boolean), which is initially false. response whose type is " error " and aborted flag is set is known as an aborted network error response whose type is " error " is known as a network error network error is a response whose status is always 0, status message is always the empty byte sequence, header list is always empty, and body is always null. To create the appropriate network error given fetch params fetchParams Assert: fetchParams is canceled Return an aborted network error if fetchParams is aborted ; otherwise return a network error filtered response is a response that offers a limited view on an associated response . This associated response can be accessed through filtered response ’s internal response (a response that is neither a network error nor a filtered response ). Unless stated otherwise a filtered response ’s associated concepts (such as its body ) refer to the associated concepts of its internal response . (The exceptions to this are listed below as part of defining the concrete types of filtered responses .) The fetch algorithm by way of processResponse and equivalent parameters exposes filtered responses to callers to ensure they do not accidentally leak information. If the information needs to be revealed for legacy reasons, e.g., to feed image data to a decoder, the associated internal response can be used by specification algorithms. New specifications ought not to build further on opaque filtered responses or opaque-redirect filtered responses . Those are legacy constructs and cannot always be adequately protected given contemporary computer architecture. basic filtered response is a filtered response whose type is " basic " and header list excludes any headers in internal response ’s header list whose name is a forbidden response-header name CORS filtered response is a filtered response whose type is " cors " and header list excludes any headers in internal response ’s header list whose name is not CORS-safelisted response-header name , given internal response ’s CORS-exposed header-name list An opaque filtered response is a filtered response whose type is " opaque ", URL list is the empty list, status is 0, status message is the empty byte sequence, header list is empty, and body is null. An opaque-redirect filtered response is a filtered response whose type is " opaqueredirect ", status is 0, status message is the empty byte sequence, header list is empty, and body is null. Exposing the URL list for opaque-redirect filtered responses is harmless since no redirects are followed. In other words, an opaque filtered response and an opaque-redirect filtered response are nearly indistinguishable from a network error When introducing new APIs, do not use the internal response for internal specification algorithms as that will leak information. This also means that JavaScript APIs, such as response.ok , will return rather useless results. The type of a response is exposed to script through the type getter: console log new Response (). type ); // "default" console log (( await fetch "/" )). type ); // "basic" console log (( await fetch "https://api.example/status" )). type ); // "cors" console log (( await fetch "https://crossorigin.example/image" mode "no-cors" })). type ); // "opaque" console log (( await fetch "/surprise-me" redirect "manual" })). type ); // "opaqueredirect" (This assumes that the various resources exist, has the appropriate CORS headers, and /surprise-me uses a redirect status .) To clone response response , run these steps: If response is a filtered response , then return a new identical filtered response whose internal response is a clone of response ’s internal response Let newResponse be a copy of response , except for its body If response ’s body is non-null, then set newResponse ’s body to the result of cloning response ’s body Return newResponse fresh response is a response whose current age is within its freshness lifetime stale-while-revalidate response is a response that is not a fresh response and whose current age is within the stale-while-revalidate lifetime stale response is a response that is not a fresh response or a stale-while-revalidate response The location URL of a response response , given null or an ASCII string requestFragment , is the value returned by the following steps. They return null, failure, or a URL If response ’s status is not a redirect status , then return null. Let location be the result of extracting header list values given Location ` and response ’s header list If location is a header value , then set location to the result of parsing location with response ’s URL If response was constructed through the Response constructor, response ’s URL will be null, meaning that location will only parse successfully if it is an absolute-URL-with-fragment string If location is a URL whose fragment is null, then set location ’s fragment to requestFragment This ensures that synthetic (indeed, all) responses follow the processing model for redirects defined by HTTP. [HTTP] Return location The location URL algorithm is exclusively used for redirect handling in this standard and in HTML ’s navigate algorithm which handles redirects manually. [HTML] 2.2.7. Miscellaneous potential destination is fetch " or a destination which is not the empty string. To translate potential destination potentialDestination , run these steps: If potentialDestination is " fetch ", then return the empty string. Assert: potentialDestination is a destination Return potentialDestination 2.3. Authentication entries An authentication entry and a proxy-authentication entry are tuples of username, password, and realm, used for HTTP authentication and HTTP proxy authentication, and associated with one or more requests User agents should allow both to be cleared together with HTTP cookies and similar tracking functionality. Further details are defined by HTTP. [HTTP] [HTTP-CACHING] 2.4. Fetch groups Each environment settings object has an associated fetch group fetch group holds an ordered list of fetch records fetch record has an associated request (a request ). fetch record has an associated controller (a fetch controller or null). When a fetch group is terminated , for each associated fetch record whose fetch record ’s controller is not null, and whose request ’s done flag is unset or keepalive is false, terminate the fetch record ’s controller 2.5. Resolving domains To resolve an origin , given a network partition key key and an origin origin If origin ’s host is an IP address , then return origin ’s host ». If origin ’s host ’s public suffix is localhost " or " localhost. ", then return « ::1 127.0.0.1 ». Perform an implementation-defined operation to turn origin into a set of one or more IP addresses It is also implementation-defined whether other operations might be performed to get connection information beyond just IP addresses . For example, if origin ’s scheme is an HTTP(S) scheme , the implementation might perform a DNS query for HTTPS RRs. [SVCB] If this operation succeeds, return the set of IP addresses and any additional implementation-defined information. Return failure. The results of resolve an origin may be cached. If they are cached, key should be used as part of the cache key. Typically this operation would involve DNS and as such caching can happen on DNS servers without key being taken into account. Depending on the implementation it might also not be possible to take key into account locally. [RFC1035] The order of the IP addresses that the resolve an origin algorithm can return can differ between invocations. The particulars (apart from the cache key) are not tied down as they are not pertinent to the system the Fetch Standard establishes. Other documents ought not to build on this primitive without having a considered discussion with the Fetch Standard community first. 2.6. Connections A user agent has an associated connection pool . A connection pool is an ordered set of zero or more connections . Each connection is identified by an associated key (a network partition key ), origin (an origin ), and credentials (a boolean). Each connection has an associated timing info (a connection timing info ). connection timing info is a struct used to maintain timing information pertaining to the process of obtaining a connection. It has the following items domain lookup start time (default 0) domain lookup end time (default 0) connection start time (default 0) connection end time (default 0) secure connection start time (default 0) DOMHighResTimeStamp ALPN negotiated protocol (default the empty byte sequence byte sequence To clamp and coarsen connection timing info , given a connection timing info timingInfo , a DOMHighResTimeStamp defaultStartTime , and a boolean crossOriginIsolatedCapability , run these steps: If timingInfo ’s connection start time is less than defaultStartTime , then return a new connection timing info whose domain lookup start time is defaultStartTime domain lookup end time is defaultStartTime connection start time is defaultStartTime connection end time is defaultStartTime secure connection start time is defaultStartTime and ALPN negotiated protocol is timingInfo ’s ALPN negotiated protocol Return a new connection timing info whose domain lookup start time is the result of coarsen time given timingInfo ’s domain lookup start time and crossOriginIsolatedCapability domain lookup end time is the result of coarsen time given timingInfo ’s domain lookup end time and crossOriginIsolatedCapability connection start time is the result of coarsen time given timingInfo ’s connection start time and crossOriginIsolatedCapability connection end time is the result of coarsen time given timingInfo ’s connection end time and crossOriginIsolatedCapability secure connection start time is the result of coarsen time given timingInfo ’s connection end time and crossOriginIsolatedCapability , and ALPN negotiated protocol is timingInfo ’s ALPN negotiated protocol new connection setting is " no ", " yes ", or yes-and-dedicated ". To obtain a connection , given a network partition key key URL url , boolean credentials , an optional new connection setting new (default no "), and an optional boolean http3Only (default false), run these steps: If new is " no ", then: Let connections be a set of connections in the user agent’s connection pool whose key is key origin is url ’s origin , and credentials is credentials If connections is not empty and http3Only is false, then return one of connections If there is an HTTP/3 connection in connections , then return that connection Let proxies be the result of finding proxies for url in an implementation-defined manner. If there are no proxies, let proxies be « " DIRECT " ». This is where non-standard technology such as Web Proxy Auto-Discovery Protocol (WPAD) and proxy auto-config (PAC) come into play. The " DIRECT " value means to not use a proxy for this particular url Let timingInfo be a new connection timing info For each proxy of proxies Set timingInfo ’s domain lookup start time to the unsafe shared current time Let hosts be « origin ’s host ». If proxy is " DIRECT ", then set hosts to the result of running resolve an origin given key and url ’s origin If hosts is failure, then continue Set timingInfo ’s domain lookup end time to the unsafe shared current time Let connection be the result of running this step: run create a connection given key url ’s origin credentials proxy , an implementation-defined host from hosts timingInfo , and http3Only an implementation-defined number of times, in parallel from each other, and wait for at least 1 to return a value. In an implementation-defined manner, select a value to return from the returned values and return it. Any other returned values that are connections may be closed. Essentially this allows an implementation to pick one or more IP addresses from the return value of resolve an origin (assuming proxy is " DIRECT ") and race them against each other, favor IPv6 addresses , retry in case of a timeout, etc. If connection is failure, then continue If new is not " yes-and-dedicated ", then append connection to the user agent’s connection pool Return connection Return failure. This is intentionally a little vague as there are a lot of nuances to connection management that are best left to the discretion of implementers. Describing this helps explain the <link rel=preconnect> feature and clearly stipulates that connections are keyed on credentials . The latter clarifies that, e.g., TLS session identifiers are not reused across connections whose credentials are false with connections whose credentials are true. To create a connection , given a network partition key key origin origin , boolean credentials , string proxy host host connection timing info timingInfo , and boolean http3Only , run these steps: Set timingInfo ’s connection start time to the unsafe shared current time Let connection be a new connection whose key is key origin is origin credentials is credentials , and timing info is timingInfo Record connection timing info given connection and use connection to establish an HTTP connection to host , taking proxy and origin into account. [HTTP] [HTTP1] [TLS] If http3Only is true, then establish an HTTP/3 connection. [HTTP3] When establishing an HTTP/3 connection, include SETTINGS_ENABLE_WEBTRANSPORT with a value of 1 and H3_DATAGRAM with a value of 1 in the initial SETTINGS frame. [WEBTRANSPORT-HTTP3] [HTTP3-DATAGRAM] If credentials is false, then do not send a TLS client certificate. If establishing a connection does not succeed (e.g., a TCP or TLS error), then return failure. Set timingInfo ’s ALPN negotiated protocol to connection ’s ALPN Protocol ID, with the following caveats: [RFC7301] When a proxy is configured, if a tunnel connection is established then this must be the ALPN Protocol ID of the tunneled protocol, otherwise it must be the ALPN Protocol ID of the first hop to the proxy. In case the user agent is using an experimental, non-registered protocol, the user agent must use the used ALPN Protocol ID, if any. If ALPN was not used for protocol negotiations, the user agent may use another descriptive string. timingInfo ’s ALPN negotiated protocol is intended to identify the network protocol in use regardless of how it was actually negotiated; that is, even if ALPN is not used to negotiate the network protocol, this is the ALPN Protocol IDs that indicates the protocol in use. IANA maintains a list of ALPN Protocol IDs Return connection To record connection timing info given a connection connection , let timingInfo be connection ’s timing info and observe these requirements: timingInfo ’s connection end time should be the unsafe shared current time immediately after establishing the connection to the server or proxy, as follows: The returned time must include the time interval to establish the transport connection, as well as other time intervals such as SOCKS authentication. It must include the time interval to complete enough of the TLS handshake to request the resource. If the user agent used TLS False Start for this connection, this interval must not include the time needed to receive the server’s Finished message. [RFC7918] If the user agent sends the request with early data without waiting for the full handshare to complete, this interval must not include the time needed to receive the server’s ServerHello message. [RFC8470] If the user agent waits for full handshake completion to send the request, this interval includes the full TLS handshake even if other requests were sent using early data on connection Suppose the user agent establishes an HTTP/2 connection over TLS 1.3 to send a GET request and a POST request. It sends the ClientHello at time t1 and then sends the GET request with early data. The POST request is not safe ( [HTTP] , section 9.2.1), so the user agent waits to complete the handshake at time t2 before sending it. Although both requests used the same connection, the GET request reports a connection end time of t1 , while the POST request reports t2 If a secure transport is used, timingInfo ’s secure connection start time should be the result of calling unsafe shared current time immmediately before starting the handshake process to secure connection [TLS] If connection is an HTTP/3 connection, timingInfo ’s connection start time and timingInfo ’s secure connection start time must be equal. (In HTTP/3 the secure transport handshake process is performed as part of the initial connection setup.) [HTTP3] The clamp and coarsen connection timing info algorithm ensures that details of reused connections are not exposed and time values are coarsened. 2.7. Network partition keys network partition key is a tuple consisting of a site and null or an implementation-defined value. To determine the network partition key given an environment environment , run these steps: Let topLevelOrigin be environment ’s top-level origin If topLevelOrigin is null, then set topLevelOrigin to environment ’s top-level creation URL ’s origin Assert: topLevelOrigin is an origin Let topLevelSite be the result of obtaining a site given topLevelOrigin Let secondKey be null or an implementation-defined value. The second key is intentionally a little vague as the finer points are still evolving. See issue #1035 Return ( topLevelSite secondKey ). To determine the network partition key given request , run these steps: If request ’s reserved client is non-null, then return the result of determining the network partition key given request ’s reserved client If request ’s client is non-null, then return the result of determining the network partition key given request ’s client Return null. 2.8. HTTP cache partitions To determine the HTTP cache partition given request , run these steps: Let key be the result of determining the network partition key given request If key is null, then return null. Return the unique HTTP cache associated with key [HTTP-CACHING] 2.9. Port blocking New protocols can avoid the need for blocking ports by negotiating the protocol through TLS using ALPN. The protocol cannot be spoofed through HTTP requests in that case. [RFC7301] To determine whether fetching a request request should be blocked due to a bad port run these steps: Let url be request ’s current URL If url ’s scheme is an HTTP(S) scheme and url ’s port is a bad port , then return blocked Return allowed port is a bad port if it is listed in the first column of the following table. Port Typical service tcpmux echo discard 11 systat 13 daytime 15 netstat 17 qotd 19 chargen 20 ftp-data 21 ftp 22 ssh 23 telnet 25 smtp 37 time 42 name 43 nicname 53 domain 69 tftp 77 79 finger 87 95 supdup 101 hostname 102 iso-tsap 103 gppitnp 104 acr-nema 109 pop2 110 pop3 111 sunrpc 113 auth 115 sftp 117 uucp-path 119 nntp 123 ntp 135 epmap 137 netbios-ns 139 netbios-ssn 143 imap 161 snmp 179 bgp 389 ldap 427 svrloc 465 submissions 512 exec 513 514 shell 515 printer 526 tempo 530 courier 531 chat 532 netnews 540 uucp 548 afp 554 rtsp 556 remotefs 563 nntps 587 submission 601 syslog-conn 636 ldaps 989 ftps-data 990 ftps 993 imaps 995 pop3s 1719 h323gatestat 1720 h323hostcall 1723 pptp 2049 nfs 3659 apple-sasl 4045 npp 5060 sip 5061 sips 6000 x11 6566 sane-port 6665 ircu 6666 ircu 6667 ircu 6668 ircu 6669 ircu 6697 ircs-u 10080 amanda 2.10. Should response to request be blocked due to its MIME type? Run these steps: Let mimeType be the result of extracting a MIME type from response ’s header list If mimeType is failure, then return allowed Let destination be request ’s destination If destination is script-like and one of the following is true, then return blocked mimeType ’s essence starts with audio/ ", " image/ ", or " video/ ". mimeType ’s essence is " text/csv ". Return allowed 2.11. Opaque-response blocking Opaque-response blocking, also known as ORB , is a network filter that blocks access to opaque filtered responses . These responses would likely would not have been useful to the fetching party. Blocking them reduces information leakage to potential attackers. Essentially, CSS, JavaScript, images, and media (audio and video) can be requested across origins without the CORS protocol . And unfortunately except for CSS there is no MIME type enforcement. This algorithm aims to block as many responses as possible that are not one of these types (or are newer variants of those types) to avoid leaking their contents through side channels. The network filter combines pro-active blocking based on response headers, sniffing a limited set of bytes, and ultimately falls back to a full parse due to unfortunate (lack of) design decisions in the early days of the web platform. As a result there are still quite a few responses whose secrets can end up being revealed to attackers. Web developers are strongly encouraged to use the ` Cross-Origin-Resource-Policy ` response header to defend them. 2.11.1. The opaque-response-safelist check The opaque-response-safelist check , given a request request and a response response , is to run these steps: Let mimeType be the result of extracting a MIME type from response ’s header list Let nosniff be the result of determining nosniff given response ’s header list If mimeType is not failure, then: If mimeType is an opaque-response-safelisted MIME type , then return true. If mimeType is an opaque-response-blocklisted-never-sniffed MIME type then return false. If response ’s status is 206 and mimeType is an opaque-response-blocklisted MIME type , then return false. If nosniff is true and mimeType is an opaque-response-blocklisted MIME type or its essence is text/plain ", then return false. If request ’s no-cors media request state is subsequent ", then return true. If response ’s status is 206 and validate a partial response given 0 and response returns invalid, then return false. Let bytes be the result of running obtain a copy of the first 1024 bytes of response given response If bytes is failure, then return false. If the audio or video type pattern matching algorithm given bytes does not return undefined, then: If requests ’s no-cors media request state is not initial ", then return false. If response ’s status is not 200 or 206, then return false. Return true. If requests ’s no-cors media request state is not N/A ", then return false. If the image type pattern matching algorithm given bytes does not return undefined, then return true. If nosniff is true, then return false. This check is made late as unfortunately images and media are always sniffed. If response ’s status is not an ok status , then return false. If mimeType is failure, then return true. This could be improved at somewhat significant cost. See annevk/orb #28 If mimeType ’s essence starts with audio/ ", " image/ ", or " video/ ", then return false. Return determine if response is JavaScript and not JSON given response To obtain a copy of the first 1024 bytes of response , given a response response , run these steps: Let first1024Bytes be null. In parallel Let bytes be the empty byte sequence Let transformStream be a new TransformStream Let transformAlgorithm given a chunk be these steps: Enqueue chunk in transformStream If first1024Bytes is null, then: Let chunkBytes be a copy of the bytes held by chunk Append chunkBytes to bytes If bytes ’s length is greater than 1024, then: Truncate bytes from the end so that it only contains 1024 bytes. Set first1024Bytes to bytes Let flushAlgorithm be this step: if first1024Bytes is null, then set first1024Bytes to bytes Set up transformStream with transformAlgorithm set to transformAlgorithm and flushAlgorithm set to flushAlgorithm Set response ’s body ’s stream to the result of response ’s body ’s stream piped through transformStream Wait until first1024Bytes is non-null or response ’s body ’s stream is errored If first1024Bytes is null, then return failure. Return first1024Bytes To determine if response is JavaScript and not JSON given a response response , run these steps: Let responseBodyBytes be null. Let processBody given a byte sequence bytes be these steps: Set responseBodyBytes to bytes Set response ’s body to the body of the result of safely extracting bytes Let processBodyError be this step: set responseBodyBytes to failure. Fully read response ’s body given processBody and processBodyError Wait for responseBodyBytes to be non-null. If responseBodyBytes is failure, then return false. Assert responseBodyBytes is a byte sequence If parse JSON bytes to a JavaScript value given responseBodyBytes does not throw, then return false. If it throws, catch the exception and ignore it. If there is an exception, response is not JSON. If there is not, it is. Let potentialMIMETypeForEncoding be the result of extracting a MIME type given response ’s header list Let encoding be the result of legacy extracting an encoding given potentialMIMETypeForEncoding and request ’s no-cors JavaScript fallback encoding Equivalently to fetch a classic script , this ignores the MIME type essence Let sourceText be the result of decoding responseBodyBytes given encoding If ParseText sourceText Script ) returns a Script Record then return true. Return false. 2.11.2. New MIME type sets The definitions in this section are solely for the purpose of abstracting parts of the opaque-response-safelist check . They are not suited for usage elsewhere. An opaque-response-safelisted MIME type is a JavaScript MIME type or a MIME type whose essence is " text/css " or image/svg+xml ". An opaque-response-blocklisted MIME type is an HTML MIME type JSON MIME type , or XML MIME type An opaque-response-blocklisted-never-sniffed MIME type is a MIME type whose essence is one of: application/gzip application/msexcel application/mspowerpoint application/msword application/msword-template application/pdf application/vnd.ces-quickpoint application/vnd.ces-quicksheet application/vnd.ces-quickword application/vnd.ms-excel application/vnd.ms-excel.sheet.macroenabled.12 application/vnd.ms-powerpoint application/vnd.ms-powerpoint.presentation.macroenabled.12 application/vnd.ms-word application/vnd.ms-word.document.12 application/vnd.ms-word.document.macroenabled.12 application/vnd.msword application/vnd.openxmlformats-officedocument.presentationml.presentation application/vnd.openxmlformats-officedocument.presentationml.template application/vnd.openxmlformats-officedocument.spreadsheetml.sheet application/vnd.openxmlformats-officedocument.spreadsheetml.template application/vnd.openxmlformats-officedocument.wordprocessingml.document application/vnd.openxmlformats-officedocument.wordprocessingml.template application/vnd.presentation-openxml application/vnd.presentation-openxmlm application/vnd.spreadsheet-openxml application/vnd.wordprocessing-openxml application/x-gzip application/x-protobuf application/x-protobuffer application/zip multipart/byteranges multipart/signed text/event-stream text/csv 3. HTTP extensions 3.1. Origin ` header Headers/Origin In all current engines. Firefox 70+ Safari Yes Chrome Yes Opera Edge Yes Edge (Legacy) 12+ IE Yes Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile The ` Origin request header indicates where a fetch originates from. The ` Origin ` header is a version of the Referer ` [sic] header that does not reveal a path . It is used for all HTTP fetches whose request ’s response tainting is " cors ", as well as those where request ’s method is neither ` GET ` nor HEAD `. Due to compatibility constraints it is not included in all fetches Its possible values are all the return values of byte-serializing a request origin , given a request This supplants the definition in The Web Origin Concept [ORIGIN] To append a request ` Origin ` header given a request request , run these steps: Let serializedOrigin be the result of byte-serializing a request origin with request If request ’s response tainting is " cors " or request ’s mode is " websocket ", then append (` Origin `, serializedOrigin ) to request ’s header list Otherwise, if request ’s method is neither ` GET ` nor HEAD `, then: If request ’s mode is not " cors ", then switch on request ’s referrer policy no-referrer Set serializedOrigin to ` null `. no-referrer-when-downgrade strict-origin strict-origin-when-cross-origin If request ’s origin is a tuple origin , its scheme is " https ", and request ’s current URL ’s scheme is not " https ", then set serializedOrigin to ` null `. same-origin If request ’s origin is not same origin with request ’s current URL ’s origin , then set serializedOrigin to ` null `. Otherwise Do nothing. Append (` Origin `, serializedOrigin ) to request ’s header list request ’s referrer policy is taken into account for all fetches where the fetcher did not explicitly opt into sharing their origin with the server, e.g., via using the CORS protocol 3.2. CORS protocol To allow sharing responses cross-origin and allow for more versatile fetches than possible with HTML’s form element, the CORS protocol exists. It is layered on top of HTTP and allows responses to declare they can be shared with other origins It needs to be an opt-in mechanism to prevent leaking data from responses behind a firewall (intranets). Additionally, for requests including credentials it needs to be opt-in to prevent leaking potentially-sensitive data. This section explains the CORS protocol as it pertains to server developers. Requirements for user agents are part of the fetch algorithm, except for the new HTTP header syntax 3.2.1. General The CORS protocol consists of a set of headers that indicates whether a response can be shared cross-origin. For requests that are more involved than what is possible with HTML’s form element, a CORS-preflight request is performed, to ensure request ’s current URL supports the CORS protocol 3.2.2. HTTP requests CORS request is an HTTP request that includes an Origin ` header. It cannot be reliably identified as participating in the CORS protocol as the ` Origin ` header is also included for all requests whose method is neither ` GET ` nor HEAD `. CORS-preflight request is a CORS request that checks to see if the CORS protocol is understood. It uses ` OPTIONS ` as method and includes these headers Headers/Access-Control-Request-Method In all current engines. Firefox 3.5+ Safari 4+ Chrome 4+ Opera 12+ Edge 79+ Edge (Legacy) 12+ IE 10+ Firefox for Android iOS Safari Chrome for Android Yes Android WebView 2+ Samsung Internet Opera Mobile 12+ Access-Control-Request-Method Indicates which method a future CORS request to the same resource might use. Headers/Access-Control-Request-Headers In all current engines. Firefox 3.5+ Safari 4+ Chrome 4+ Opera 12+ Edge 79+ Edge (Legacy) 12+ IE 10+ Firefox for Android iOS Safari Chrome for Android Yes Android WebView 2+ Samsung Internet Opera Mobile 12+ Access-Control-Request-Headers Indicates which headers a future CORS request to the same resource might use. 3.2.3. HTTP responses An HTTP response to a CORS request can include the following headers Headers/Access-Control-Allow-Origin In all current engines. Firefox 3.5+ Safari 4+ Chrome 4+ Opera 12+ Edge 79+ Edge (Legacy) 12+ IE 10+ Firefox for Android iOS Safari Chrome for Android Yes Android WebView 2+ Samsung Internet Opera Mobile 12+ Access-Control-Allow-Origin Indicates whether the response can be shared, via returning the literal value of the Origin ` request header (which can be ` null `) or ` ` in a response. Headers/Access-Control-Allow-Credentials In all current engines. Firefox 3.5+ Safari 4+ Chrome 4+ Opera 12+ Edge 79+ Edge (Legacy) 12+ IE 10+ Firefox for Android iOS Safari Chrome for Android Yes Android WebView 2+ Samsung Internet Opera Mobile 12+ Access-Control-Allow-Credentials Indicates whether the response can be shared when request ’s credentials mode is include ". For a CORS-preflight request request ’s credentials mode is always " same-origin ", i.e., it excludes credentials, but for any subsequent CORS requests it might not be. Support therefore needs to be indicated as part of the HTTP response to the CORS-preflight request as well. An HTTP response to a CORS-preflight request can include the following headers Headers/Access-Control-Allow-Methods In all current engines. Firefox 3.5+ Safari 4+ Chrome 4+ Opera 12+ Edge 79+ Edge (Legacy) 12+ IE 10+ Firefox for Android iOS Safari Chrome for Android Yes Android WebView 2+ Samsung Internet Opera Mobile 12+ Access-Control-Allow-Methods Indicates which methods are supported by the response ’s URL for the purposes of the CORS protocol The ` Allow header is not relevant for the purposes of the CORS protocol Headers/Access-Control-Allow-Headers In all current engines. Firefox 3.5+ Safari 4+ Chrome 4+ Opera 12+ Edge 79+ Edge (Legacy) 12+ IE 10+ Firefox for Android iOS Safari Chrome for Android Yes Android WebView 2+ Samsung Internet Opera Mobile 12+ Access-Control-Allow-Headers Indicates which headers are supported by the response ’s URL for the purposes of the CORS protocol Headers/Access-Control-Max-Age In all current engines. Firefox 3.5+ Safari 4+ Chrome 4+ Opera 12+ Edge 79+ Edge (Legacy) 12+ IE 10+ Firefox for Android iOS Safari Chrome for Android Yes Android WebView 2+ Samsung Internet Opera Mobile 12+ Access-Control-Max-Age Indicates the number of seconds (5 by default) the information provided by the Access-Control-Allow-Methods ` and Access-Control-Allow-Headers headers can be cached. An HTTP response to a CORS request that is not a CORS-preflight request can also include the following header Headers/Access-Control-Expose-Headers In all current engines. Firefox 3.5+ Safari 4+ Chrome 4+ Opera 12+ Edge 79+ Edge (Legacy) 12+ IE 10+ Firefox for Android iOS Safari Chrome for Android Yes Android WebView 2+ Samsung Internet Opera Mobile 12+ Access-Control-Expose-Headers Indicates which headers can be exposed as part of the response by listing their names A successful HTTP response, i.e., one where the server developer intends to share it, to a CORS request can use any status , as long as it includes the headers stated above with values matching up with the request. A successful HTTP response to a CORS-preflight request is similar, except it is restricted to an ok status , e.g., 200 or 204. Any other kind of HTTP response is not successful and will either end up not being shared or fail the CORS-preflight request . Be aware that any work the server performs might nonetheless leak through side channels, such as timing. If server developers wish to denote this explicitly, the 403 status can be used, coupled with omitting the relevant headers If desired, “failure” could also be shared, but that would make it a successful HTTP response. That is why for a successful HTTP response to a CORS request that is not a CORS-preflight request the status can be anything, including 403. Ultimately server developers have a lot of freedom in how they handle HTTP responses and these tactics can differ between the response to the CORS-preflight request and the CORS request that follows it: They can provide a static response. This can be helpful when working with caching intermediaries. A static response can both be successful and not successful depending on the CORS request . This is okay. They can provide a dynamic response, tuned to CORS request . This can be helpful when the response body is to be tailored to a specific origin or a response needs to have credentials and be successful for a set of origins. 3.2.4. HTTP new-header syntax ABNF for the values of the headers used by the CORS protocol Access-Control-Request-Method method Access-Control-Request-Headers field-name wildcard "*" Access-Control-Allow-Origin origin-or-null wildcard Access-Control-Allow-Credentials %s"true" ; case-sensitive Access-Control-Expose-Headers field-name Access-Control-Max-Age delta-seconds Access-Control-Allow-Methods method Access-Control-Allow-Headers field-name For ` Access-Control-Expose-Headers `, Access-Control-Allow-Methods `, and ` Access-Control-Allow-Headers response headers , the value ` counts as a wildcard for requests without credentials . For such requests there is no way to solely match a header name or method that is ` `. 3.2.5. CORS protocol and credentials When request ’s credentials mode is " include " it has an impact on the functioning of the CORS protocol other than including credentials in the fetch In the old days, XMLHttpRequest could be used to set request ’s credentials mode to " include ": var client new XMLHttpRequest () client open "GET" "./" client withCredentials true /* … */ Nowadays, fetch("./", { credentials:"include" }).then(/* … */) suffices. request ’s credentials mode is not necessarily observable on the server; only when credentials exist for a request can it be observed by virtue of the credentials being included. Note that even so, a CORS-preflight request never includes credentials The server developer therefore needs to decide whether or not responses "tainted" with credentials can be shared. And also needs to decide if requests necessitating a CORS-preflight request can include credentials . Generally speaking, both sharing responses and allowing requests with credentials is rather unsafe, and extreme care has to be taken to avoid the confused deputy problem To share responses with credentials , the Access-Control-Allow-Origin ` and Access-Control-Allow-Credentials headers are important. The following table serves to illustrate the various legal and illegal combinations for a request to Request’s credentials mode Access-Control-Allow-Origin Access-Control-Allow-Credentials Shared? Notes omit Omitted omit true If credentials mode is not " include ", then Access-Control-Allow-Credentials ` is ignored. omit Omitted serialized origin has no trailing slash. omit Omitted include true If credentials mode is " include ", then Access-Control-Allow-Origin ` cannot be `. include true include True true ` is (byte) case-sensitive. Similarly, ` Access-Control-Expose-Headers `, Access-Control-Allow-Methods `, and Access-Control-Allow-Headers ` response headers can only use ` as value when request ’s credentials mode is not include ". 3.2.6. Examples A script at wants to fetch some data from . (Neither credentials nor response header access is important.) var url "https://bar.invalid/api?key=730d67a37d7f3d802e96396d00280768773813fbe726d116944d814422fc1a45&data=about:unicorn" fetch url ). then success failure This will use the CORS protocol , though this is entirely transparent to the developer from foo.invalid . As part of the CORS protocol , the user agent will include the ` Origin ` header in the request: Origin: https://foo.invalid Upon receiving a response from bar.invalid , the user agent will verify the Access-Control-Allow-Origin ` response header. If its value is either ` ` or ` `, the user agent will invoke the success callback. If it has any other value, or is missing, the user agent will invoke the failure callback. The developer of foo.invalid is back, and now wants to fetch some data from bar.invalid while also accessing a response header. fetch url ). then response => var hsts response headers get "strict-transport-security" ), csp response headers get "content-security-policy" log hsts csp }) bar.invalid provides a correct Access-Control-Allow-Origin ` response header per the earlier example. The values of hsts and csp will depend on the Access-Control-Expose-Headers ` response header. For example, if the response included the following headers Content-Security-Policy: default-src 'self' Strict-Transport-Security: max-age=31536000; includeSubdomains; preload Access-Control-Expose-Headers: Content-Security-Policy then hsts would be null and csp would be default-src 'self' ", even though the response did include both headers. This is because bar.invalid needs to explicitly share each header by listing their names in the ` Access-Control-Expose-Headers ` response header. Alternatively, if bar.invalid wanted to share all its response headers, for requests that do not include credentials , it could use ` ` as value for the ` Access-Control-Expose-Headers ` response header. If the request would have included credentials , the response header names would have to be listed explicitly and ` ` could not be used. The developer of foo.invalid returns, now fetching some data from bar.invalid while including credentials . This time around the CORS protocol is no longer transparent to the developer as credentials require an explicit opt-in: fetch url credentials "include" }). then success failure This also makes any ` Set-Cookie ` response headers bar.invalid includes fully functional (they are ignored otherwise). The user agent will make sure to include any relevant credentials in the request. It will also put stricter requirements on the response. Not only will bar.invalid need to list ` ` as value for the Access-Control-Allow-Origin ` header (` ` is not allowed when credentials are involved), the Access-Control-Allow-Credentials ` header has to be present too: Access-Control-Allow-Origin: https://foo.invalid Access-Control-Allow-Credentials: true If the response does not include those two headers with those values, the failure callback will be invoked. However, any ` Set-Cookie ` response headers will be respected. 3.2.7. CORS protocol exceptions Specifications have allowed limited exceptions to the CORS safelist for non-safelisted Content-Type ` header values. These exceptions are made for requests that can be triggered by web content but whose headers and bodies can be only minimally controlled by the web content. Therefore, servers should expect cross-origin web content to be allowed to trigger non-preflighted requests with the following non-safelisted ` Content-Type ` header values: application/csp-report [CSP] application/expect-ct-report+json [EXPECT-CT] application/xss-auditor-report application/ocsp-request [OCSP] Specifications should avoid introducing new exceptions and should only do so with careful consideration for the security consequences. New exceptions can be proposed by filing an issue 3.3. Content-Length ` header The ` Content-Length ` header is largely defined in HTTP. Its processing model is defined here as the model defined in HTTP is not compatible with web content. [HTTP] To extract a length from a header list headers , run these steps: Let values be the result of getting, decoding, and splitting Content-Length ` from headers If values is null, then return null. Let candidateValue be null. For each value of values If candidateValue is null, then set candidateValue to value Otherwise, if value is not candidateValue , return failure. If candidateValue is the empty string or has a code point that is not an ASCII digit , then return null. Return candidateValue , interpreted as decimal number. 3.4. Content-Type ` header The ` Content-Type ` header is largely defined in HTTP. Its processing model is defined here as the model defined in HTTP is not compatible with web content. [HTTP] To extract a MIME type from a header list headers , run these steps: Let charset be null. Let essence be null. Let mimeType be null. Let values be the result of getting, decoding, and splitting Content-Type ` from headers If values is null, then return failure. For each value of values Let temporaryMimeType be the result of parsing value If temporaryMimeType is failure or its essence is */* ", then continue Set mimeType to temporaryMimeType If mimeType ’s essence is not essence , then: Set charset to null. If mimeType ’s parameters [" charset "] exists , then set charset to mimeType ’s parameters [" charset "]. Set essence to mimeType ’s essence Otherwise, if mimeType ’s parameters [" charset "] does not exist , and charset is non-null, set mimeType ’s parameters [" charset "] to charset If mimeType is null, then return failure. Return mimeType When extract a MIME type returns failure or a MIME type whose essence is incorrect for a given format, treat this as a fatal error. Existing web platform features have not always followed this pattern, which has been a major source of security vulnerabilities in those features over the years. In contrast, a MIME type ’s parameters can typically be safely ignored. This is how extract a MIME type functions in practice: Headers (as on the network) Output ( serialized Content-Type: text/plain;charset=gbk, text/html text/html Content-Type: text/html;charset=gbk;a=b, text/html;x=y text/html;x=y;charset=gbk Content-Type: text/html;charset=gbk;a=b Content-Type: text/html;x=y Content-Type: text/html;charset=gbk Content-Type: x/x Content-Type: text/html;x=y text/html;x=y Content-Type: text/html Content-Type: cannot-parse text/html Content-Type: text/html Content-Type: */* Content-Type: text/html Content-Type: To legacy extract an encoding given failure or a MIME type mimeType and an encoding fallbackEncoding , run these steps: If mimeType is failure, then return fallbackEncoding If mimeType [" charset "] does not exist , then return fallbackEncoding Let tentativeEncoding be the result of getting an encoding from mimeType [" charset "]. If tentativeEncoding is failure, then return fallbackEncoding Return tentativeEncoding This algorithm allows mimeType to be failure so it can be more easily combined with extract a MIME type It is denoted as legacy as modern formats are to exclusively use UTF-8 3.5. X-Content-Type-Options ` header Headers/X-Content-Type-Options In all current engines. Firefox 50+ Safari 11+ Chrome 64+ Opera Yes Edge 79+ Edge (Legacy) 12+ IE 8+ Firefox for Android iOS Safari Chrome for Android 64+ Android WebView Samsung Internet Opera Mobile Yes The X-Content-Type-Options response header can be used to require checking of a response ’s Content-Type header against the destination of a request To determine nosniff , given a header list list , run these steps: Let values be the result of getting, decoding, and splitting X-Content-Type-Options ` from list If values is null, then return false. If values [0] is an ASCII case-insensitive match for nosniff ", then return true. Return false. Web developers and conformance checkers must use the following value ABNF for ` X-Content-Type-Options `: X-Content-Type-Options "nosniff" ; case-insensitive 3.5.1. Should response to request be blocked due to nosniff? Run these steps: If determine nosniff with response ’s header list is false, then return allowed Let mimeType be the result of extracting a MIME type from response ’s header list Let destination be request ’s destination If destination is script-like and mimeType is failure or is not a JavaScript MIME type , then return blocked If destination is " style " and mimeType is failure or its essence is not " text/css ", then return blocked Return allowed Only request destinations that are script-like or " style " are considered as any exploits pertain to them. Also, considering " image " was not compatible with deployed content. 3.6. Cross-Origin-Resource-Policy ` header Headers/Cross-Origin-Resource-Policy In all current engines. Firefox 74+ Safari 12+ Chrome 73+ Opera None Edge 79+ Edge (Legacy) None IE None Firefox for Android None iOS Safari Chrome for Android Android WebView Samsung Internet 11.0+ Opera Mobile None The Cross-Origin-Resource-Policy response header can be used to require checking a request ’s current URL ’s origin against a request ’s origin when request ’s mode is no-cors ". Its value ABNF Cross-Origin-Resource-Policy %s"same-origin" %s"same-site" %s"cross-origin" ; case-sensitive To perform a cross-origin resource policy check , given an origin origin , an environment settings object settingsObject , a string destination , a response response , and an optional boolean forNavigation , run these steps: Set forNavigation to false if it is not given. Let embedderPolicy be settingsObject ’s policy container ’s embedder policy If the cross-origin resource policy internal check with origin unsafe-none ", response , and forNavigation returns blocked , then return blocked This step is needed because we don’t want to report violations not related to Cross-Origin Embedder Policy below. If the cross-origin resource policy internal check with origin embedderPolicy ’s report only value response and forNavigation returns blocked , then queue a cross-origin embedder policy CORP violation report with response settingsObject destination , and true. If the cross-origin resource policy internal check with origin embedderPolicy ’s value response , and forNavigation returns allowed , then return allowed Queue a cross-origin embedder policy CORP violation report with response settingsObject destination , and false. Return blocked Only HTML’s navigate algorithm uses this check with forNavigation set to true, and it’s always for nested navigations. Otherwise, response is either the internal response of an opaque filtered response or a response which will be the internal response of an opaque filtered response [HTML] To perform a cross-origin resource policy internal check , given an origin origin , an embedder policy value embedderPolicyValue , a response response , and a boolean forNavigation , run these steps: If forNavigation is true and embedderPolicyValue is unsafe-none ", then return allowed Let policy be the result of getting Cross-Origin-Resource-Policy ` from response ’s header list This means that ` Cross-Origin-Resource-Policy: same-site, same-origin ends up as allowed below as it will never match anything, as long as embedderPolicyValue is " unsafe-none ". Two or more ` Cross-Origin-Resource-Policy ` headers will have the same effect. If policy is neither ` same-origin `, ` same-site `, nor cross-origin `, then set policy to null. If policy is null, then switch on embedderPolicyValue unsafe-none Do nothing. credentialless Set policy to ` same-origin ` if: response ’s request-includes-credentials is true, or forNavigation is true. require-corp Set policy to ` same-origin `. Switch on policy null cross-origin Return allowed same-origin If origin is same origin with response ’s URL ’s origin , then return allowed Otherwise, return blocked same-site If all of the following are true origin is schemelessly same site with response ’s URL ’s origin origin ’s scheme is " https " or response ’s URL ’s scheme is not https then return allowed Otherwise, return blocked Cross-Origin-Resource-Policy: same-site ` does not consider a response delivered via a secure transport to match a non-secure requesting origin, even if their hosts are otherwise same site. Securely-transported responses will only match a securely-transported initiator. To queue a cross-origin embedder policy CORP violation report , given a response response , an environment settings object settingsObject , a string destination , and a boolean reportOnly run these steps: Let endpoint be settingsObject ’s policy container ’s embedder policy ’s report only reporting endpoint if reportOnly is true and settingsObject ’s policy container ’s embedder policy ’s reporting endpoint otherwise. Let serializedURL be the result of serializing a response URL for reporting with response Let disposition be " reporting " if reportOnly is true; otherwise " enforce ". Let body be a new object containing the following properties: key value type corp blockedURL serializedURL destination destination disposition disposition Generate and queue a report for settingsObject ’s global object given the coep " report type endpoint , and body [REPORTING] 4. Fetching The algorithm below defines fetching . In broad strokes, it takes request and one or more algorithms to run at various points during the operation. A response is passed to the last two algorithms listed below. The first two algorithms can be used to capture uploads. To fetch , given a request request , an optional algorithm processRequestBodyChunkLength , an optional algorithm processRequestEndOfBody an optional algorithm processEarlyHintsResponse , an optional algorithm processResponse , an optional algorithm processResponseEndOfBody , an optional algorithm processResponseConsumeBody and an optional boolean useParallelQueue (default false), run the steps below. If given, processRequestBodyChunkLength must be an algorithm accepting an integer representing the number of bytes transmitted. If given, processRequestEndOfBody must be an algorithm accepting no arguments. If given, processEarlyHintsResponse must be an algorithm accepting a response . If given, processResponse must be an algorithm accepting a response . If given, processResponseEndOfBody must be an algorithm accepting a response . If given, processResponseConsumeBody must be an algorithm accepting a response and null, failure, or a byte sequence The user agent may be asked to suspend the ongoing fetch. The user agent may either accept or ignore the suspension request. The suspended fetch can be resumed . The user agent should ignore the suspension request if the ongoing fetch is updating the response in the HTTP cache for the request. The user agent does not update the entry in the HTTP cache for a request if request’s cache mode is "no-store" or a Cache-Control: no-store ` header appears in the response. [HTTP-CACHING] Assert request ’s mode is " navigate " or processEarlyHintsResponse is null. Processing of early hints ( responses whose status is 103) is only vetted for navigations. Let taskDestination be null. Let crossOriginIsolatedCapability be false. If request ’s client is non-null, then: Set taskDestination to request ’s client ’s global object Set crossOriginIsolatedCapability to request ’s client ’s cross-origin isolated capability If useParallelQueue is true, then set taskDestination to the result of starting a new parallel queue Let timingInfo be a new fetch timing info whose start time and post-redirect start time are the coarsened shared current time given crossOriginIsolatedCapability , and render-blocking is set to request ’s render-blocking Let fetchParams be a new fetch params whose request is request timing info is timingInfo process request body chunk length is processRequestBodyChunkLength process request end-of-body is processRequestEndOfBody process early hints response is processEarlyHintsResponse process response is processResponse process response consume body is processResponseConsumeBody process response end-of-body is processResponseEndOfBody task destination is taskDestination , and cross-origin isolated capability is crossOriginIsolatedCapability If request ’s body is a byte sequence , then set request ’s body to request ’s body as a body If request ’s window is " client ", then set request ’s window to request ’s client if request ’s client ’s global object is a Window object; otherwise no-window ". If request ’s origin is " client ", then set request ’s origin to request ’s client ’s origin If all of the following conditions are true: request ’s URL ’s scheme is an HTTP(S) scheme request ’s mode is " same-origin ", cors ", or " no-cors request ’s window is not null request ’s method is ` GET request ’s unsafe-request flag is not set or request ’s header list is empty then: Assert request ’s origin is same origin with request ’s client ’s origin Let onPreloadedResponseAvailable be an algorithm that runs the following step given a response response : set fetchParams ’s preloaded response candidate to response Let foundPreloadedResource be the result of invoking consume a preloaded resource for request ’s window , given request ’s URL request ’s destination request ’s mode request ’s credentials mode request ’s integrity metadata and onPreloadedResponseAvailable If foundPreloadedResource is true and fetchParams ’s preloaded response candidate is null, then set fetchParams ’s preloaded response candidate to " pending ". If request ’s policy container is " client ", then: If request ’s client is non-null, then set request ’s policy container to a clone of request ’s client ’s policy container [HTML] Otherwise, set request ’s policy container to a new policy container If request ’s header list does not contain Accept `, then: Let value be ` */* `. A user agent should set value to the first matching statement, if any, switching on request ’s destination document frame iframe text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 image image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5 style text/css,*/*;q=0.1 Append (` Accept `, value ) to request ’s header list If request ’s header list does not contain Accept-Language `, then user agents should append (` Accept-Language , an appropriate header value ) to request ’s header list If request ’s priority is null, then use request ’s initiator destination , and render-blocking appropriately in setting request ’s priority to a user-agent-defined object. The user-agent-defined object could encompass stream weight and dependency for HTTP/2, and equivalent information used to prioritize dispatch and processing of HTTP/1 fetches. If request is a subresource request , then: Let record be a new fetch record whose request is request and controller is fetchParams ’s controller Append record to request ’s client ’s fetch group list of fetch records Run main fetch given fetchParams Return fetchParams ’s controller 4.1. Main fetch To main fetch , given a fetch params fetchParams and an optional boolean recursive (default false), run these steps: Let request be fetchParams ’s request Let response be null. If request ’s local-URLs-only flag is set and request ’s current URL is not local , then set response to a network error Run report Content Security Policy violations for request Upgrade request to a potentially trustworthy URL, if appropriate If should request be blocked due to a bad port should fetching request be blocked as mixed content , or should request be blocked by Content Security Policy returns blocked , then set response to a network error If request ’s referrer policy is the empty string, then set request ’s referrer policy to request ’s policy container ’s referrer policy If request ’s referrer is not " no-referrer ", then set request ’s referrer to the result of invoking determine request ’s referrer [REFERRER] As stated in Referrer Policy , user agents can provide the end user with options to override request ’s referrer to " no-referrer or have it expose less sensitive information. Set request ’s current URL ’s scheme to https " if all of the following conditions are true: request ’s current URL ’s scheme is http request ’s current URL ’s host is a domain Matching request ’s current URL ’s host per Known HSTS Host Domain Name Matching results in either a superdomain match with an asserted includeSubDomains directive or a congruent match (with or without an asserted includeSubDomains directive) [HSTS] ; or DNS resolution for the request finds a matching HTTPS RR per section 9.5 of [SVCB] [HSTS] [SVCB] As all DNS operations are generally implementation-defined , how it is determined that DNS resolution contains an HTTPS RR is also implementation-defined . As DNS operations are not traditionally performed until attempting to obtain a connection , user agents might need to perform DNS operations earlier, consult local DNS caches, or wait until later in the fetch algorithm and potentially unwind logic on discovering the need to change request ’s current URL ’s scheme If recursive is false, then run the remaining steps in parallel If response is null, then set response to the result of running the steps corresponding to the first matching statement: fetchParams ’s preloaded response candidate is not null Wait until fetchParams ’s preloaded response candidate is not " pending ". Assert fetchParams ’s preloaded response candidate is a response Return fetchParams ’s preloaded response candidate request ’s current URL ’s origin is same origin with request ’s origin , and request ’s response tainting is " basic request ’s current URL ’s scheme is data request ’s mode is navigate " or " websocket Set request ’s response tainting to " basic ". Return the result of running scheme fetch given fetchParams HTML assigns any documents and workers created from URLs whose scheme is " data " a unique opaque origin . Service workers can only be created from URLs whose scheme is an HTTP(S) scheme [HTML] [SW] request ’s mode is " same-origin Return a network error request ’s mode is " no-cors If request ’s redirect mode is not " follow ", then return a network error Set request ’s response tainting to " opaque ". Return the result of running scheme fetch given fetchParams request ’s current URL ’s scheme is not an HTTP(S) scheme Return a network error request ’s use-CORS-preflight flag is set request ’s unsafe-request flag is set and either request ’s method is not a CORS-safelisted method or CORS-unsafe request-header names with request ’s header list is not empty Set request ’s response tainting to cors ". Let corsWithPreflightResponse be the result of running HTTP fetch given fetchParams and true. If corsWithPreflightResponse is a network error , then clear cache entries using request Return corsWithPreflightResponse Otherwise Set request ’s response tainting to cors ". Return the result of running HTTP fetch given fetchParams If recursive is true, then return response If response is not a network error and response is not a filtered response , then: If request ’s response tainting is " cors ", then: Let headerNames be the result of extracting header list values given Access-Control-Expose-Headers ` and response ’s header list If request ’s credentials mode is not include " and headerNames contains ` `, then set response ’s CORS-exposed header-name list to all unique header names in response ’s header list Otherwise, if headerNames is not null or failure, then set response ’s CORS-exposed header-name list to headerNames One of the headerNames can still be ` ` at this point, but will only match a header whose name is ` `. Set response to the following filtered response with response as its internal response , depending on request ’s response tainting basic basic filtered response cors CORS filtered response opaque opaque filtered response Let internalResponse be response , if response is a network error , and response ’s internal response otherwise. If internalResponse ’s URL list is empty , then set it to a clone of request ’s URL list response ’s URL list can be empty (for example, when the response represents an about URL). If request has a redirect-tainted origin , then set internalResponse ’s has-cross-origin-redirects to true. If request ’s timing allow failed flag is unset, then set internalResponse ’s timing allow passed flag If response is not a network error and any of the following returns blocked should internalResponse to request be blocked as mixed content should internalResponse to request be blocked by Content Security Policy should internalResponse to request be blocked due to its MIME type should internalResponse to request be blocked due to nosniff then set response and internalResponse to a network error If response ’s type is " opaque ", internalResponse ’s status is 206, internalResponse ’s range-requested flag is set, and request ’s header list does not contain Range `, then set response and internalResponse to a network error Traditionally, APIs accept a ranged response even if a range was not requested. This prevents a partial response from an earlier ranged request being provided to an API that did not make a range request. Further details The above steps prevent the following attack: A media element is used to request a range of a cross-origin HTML resource. Although this is invalid media, a reference to a clone of the response can be retained in a service worker. This can later be used as the response to a script element’s fetch. If the partial response is valid JavaScript (even though the whole resource is not), executing it would leak private data. If response is not a network error and either request ’s method is HEAD ` or ` CONNECT `, or internalResponse ’s status is a null body status set internalResponse ’s body to null and disregard any enqueuing toward it (if any). This standardizes the error handling for servers that violate HTTP. If request ’s integrity metadata is not the empty string, then: Let processBodyError be this step: run fetch response handover given fetchParams and a network error If response ’s body is null, then run processBodyError and abort these steps. Let processBody given bytes be these steps: If bytes do not match request ’s integrity metadata , then run processBodyError and abort these steps. [SRI] Set response ’s body to bytes as a body Run fetch response handover given fetchParams and response Fully read response ’s body given processBody and processBodyError Otherwise, run fetch response handover given fetchParams and response The fetch response handover , given a fetch params fetchParams and a response response , run these steps: Let timingInfo be fetchParams ’s timing info If response is not a network error and fetchParams ’s request ’s client is a secure context , then set timingInfo ’s server-timing headers to the result of getting, decoding, and splitting Server-Timing from response ’s header list The user agent may decide to expose ` Server-Timing ` headers to non-secure contexts requests as well. Let processResponseEndOfBody be the following steps: Let unsafeEndTime be the unsafe shared current time If fetchParams ’s request ’s destination is " document ", then set fetchParams ’s controller ’s full timing info to fetchParams ’s timing info Set fetchParams ’s controller ’s report timing steps to the following steps given a global object global If fetchParams ’s request ’s URL ’s scheme is not an HTTP(S) scheme , then return. Set timingInfo ’s end time to the relative high resolution time given unsafeEndTime and global Let cacheState be response ’s cache state Let bodyInfo be response ’s body info If response ’s timing allow passed flag is not set, then set timingInfo to the result of creating an opaque timing info for timingInfo , set bodyInfo to a new response body info , and set cacheState to the empty string. This covers the case of response being a network error Let responseStatus be 0 if fetchParams ’s request ’s mode is " navigate " and response ’s has-cross-origin-redirects is true; otherwise response ’s status If fetchParams ’s request ’s initiator type is not null, then mark resource timing given timingInfo request ’s URL request ’s initiator type global cacheState bodyInfo , and responseStatus Let processResponseEndOfBodyTask be the following steps: Set fetchParams ’s request ’s done flag If fetchParams ’s process response end-of-body is non-null, then run fetchParams ’s process response end-of-body given response If fetchParams ’s request ’s initiator type is non-null and fetchParams ’s request ’s client ’s global object is fetchParams ’s task destination , then run fetchParams ’s controller ’s report timing steps given fetchParams ’s request ’s client ’s global object Queue a fetch task to run processResponseEndOfBodyTask with fetchParams ’s task destination If fetchParams ’s process response is non-null, then queue a fetch task to run fetchParams ’s process response given response , with fetchParams ’s task destination If response ’s body is null, then run processResponseEndOfBody Otherwise: Let transformStream be a new TransformStream Let identityTransformAlgorithm be an algorithm which, given chunk enqueues chunk in transformStream Set up transformStream with transformAlgorithm set to identityTransformAlgorithm and flushAlgorithm set to processResponseEndOfBody Set response ’s body ’s stream to the result of response ’s body ’s stream piped through transformStream This TransformStream is needed for the purpose of receiving a notification when the stream reaches its end, and is otherwise an identity transform stream If fetchParams ’s process response consume body is non-null, then: Let processBody given nullOrBytes be this step: run fetchParams ’s process response consume body given response and nullOrBytes Let processBodyError be this step: run fetchParams ’s process response consume body given response and failure. If response ’s body is null, then queue a fetch task to run processBody given null, with fetchParams ’s task destination Otherwise, fully read response ’s body given processBody processBodyError , and fetchParams ’s task destination 4.2. Scheme fetch To scheme fetch , given a fetch params fetchParams If fetchParams is canceled , then return the appropriate network error for fetchParams Let request be fetchParams ’s request Switch on request ’s current URL ’s scheme and run the associated steps: about If request ’s current URL ’s path is the string blank ", then return a new response whose status message is ` OK `, header list is « (` Content-Type `, ` text/html;charset=utf-8 `) », and body is the empty byte sequence as a body URLs such as " about:config " are handled during and result in a network error in the context of fetching blob Let blobURLEntry be request ’s current URL ’s blob URL entry If request ’s method is not ` GET `, blobURLEntry is null, or blobURLEntry ’s object is not a Blob object, then return a network error [FILEAPI] The ` GET method restriction serves no useful purpose other than being interoperable. Let bodyWithType be the result of safely extracting blobURLEntry ’s object Let body be bodyWithType ’s body Let length be body ’s length serialized and isomorphic encoded Let type be bodyWithType ’s type if it is non-null; otherwise the empty byte sequence. Return a new response whose status message is OK `, header list is « (` Content-Length `, length ), (` Content-Type `, type ) », and body is body data Let dataURLStruct be the result of running the data: URL processor on request ’s current URL If dataURLStruct is failure, then return a network error Let mimeType be dataURLStruct ’s MIME type serialized Return a new response whose status message is OK `, header list is « (` Content-Type `, mimeType ) », and body is dataURLStruct ’s body as a body file For now, unfortunate as it is, file: URLs are left as an exercise for the reader. When in doubt, return a network error HTTP(S) scheme Return the result of running HTTP fetch given fetchParams Return a network error 4.3. HTTP fetch To HTTP fetch , given a fetch params fetchParams and an optional boolean makeCORSPreflight (default false), run these steps: Let request be fetchParams ’s request Let response be null. Let actualResponse be null. Let timingInfo be fetchParams ’s timing info If request ’s service-workers mode is " all ", then: Let requestForServiceWorker be a clone of request If requestForServiceWorker ’s body is non-null, then: Let transformStream be a new TransformStream Let transformAlgorithm given chunk be these steps: If fetchParams is canceled , then abort these steps. If chunk is not a Uint8Array object, then terminate fetchParams ’s controller Otherwise, enqueue chunk in transformStream . The user agent may split the chunk into implementation-defined practical sizes and enqueue each of them. The user agent also may concatenate the chunks into an implementation-defined practical size and enqueue it. Set up transformStream with transformAlgorithm set to transformAlgorithm Set requestForServiceWorker ’s body ’s stream to the result of requestForServiceWorker ’s body ’s stream piped through transformStream Let serviceWorkerStartTime be the coarsened shared current time given fetchParams ’s cross-origin isolated capability Set response to the result of invoking handle fetch for requestForServiceWorker , with fetchParams ’s controller and fetchParams ’s cross-origin isolated capability [HTML] [SW] If response is not null, then: Set fetchParams ’s timing info ’s final service worker start time to serviceWorkerStartTime If request ’s body is non-null, then cancel request ’s body with undefined. Set actualResponse to response , if response is not a filtered response , and to response ’s internal response otherwise. If one of the following is true response ’s type is " error request ’s mode is " same-origin " and response ’s type is " cors request ’s mode is not " no-cors " and response ’s type is " opaque request ’s redirect mode is not " manual " and response ’s type is " opaqueredirect request ’s redirect mode is not " follow " and response ’s URL list has more than one item. then return a network error If response is null, then: If makeCORSPreflight is true and one of these conditions is true: There is no method cache entry match for request ’s method using request , and either request ’s method is not a CORS-safelisted method or request ’s use-CORS-preflight flag is set. There is at least one item in the CORS-unsafe request-header names with request ’s header list for which there is no header-name cache entry match using request Then: Let preflightResponse be the result of running CORS-preflight fetch given request If preflightResponse is a network error , then return preflightResponse This step checks the CORS-preflight cache and if there is no suitable entry it performs a CORS-preflight fetch which, if successful, populates the cache. The purpose of the CORS-preflight fetch is to ensure the fetched resource is familiar with the CORS protocol . The cache is there to minimize the number of CORS-preflight fetches If request ’s redirect mode is " follow ", then set request ’s service-workers mode to " none ". Redirects coming from the network (as opposed to from a service worker) are not to be exposed to a service worker. Set response and actualResponse to the result of running HTTP-network-or-cache fetch given fetchParams If request ’s response tainting is " opaque ", response ’s status is not a redirect status , and the opaque-response-safelist check given request and response returns false, then return a network error If request ’s response tainting is " cors " and the CORS check for request and response returns failure, then return network error If the TAO check for request and response returns failure, then set request ’s timing allow failed flag As the opaque-response-safelist check CORS check , and TAO check are not to be applied to responses whose status is 304 or 407, or to responses from a service worker, they are applied here. If either request ’s response tainting or response ’s type is " opaque ", and the cross-origin resource policy check with request ’s origin request ’s client request ’s destination , and actualResponse returns blocked , then return network error The cross-origin resource policy check runs for responses coming from the network and responses coming from the service worker. This is different from the CORS check , as request ’s client and the service worker can have different embedder policies. If actualResponse ’s status is a redirect status , then: If actualResponse ’s status is not 303, request ’s body is not null, and the connection uses HTTP/2, then user agents may, and are even encouraged to, transmit an RST_STREAM frame. 303 is excluded as certain communities ascribe special status to it. Switch on request ’s redirect mode error Set response to a network error manual Set response to an opaque-redirect filtered response whose internal response is actualResponse . If request ’s mode is " navigate ", then set fetchParams ’s controller ’s next manual redirect steps to run HTTP-redirect fetch given fetchParams and response follow Set response to the result of running HTTP-redirect fetch given fetchParams and response Return response Typically actualResponse ’s body ’s stream is still being enqueued to after returning. 4.4. HTTP-redirect fetch To HTTP-redirect fetch , given a fetch params fetchParams and a response response run these steps: Let request be fetchParams ’s request Let actualResponse be response , if response is not a filtered response , and response ’s internal response otherwise. Let locationURL be actualResponse ’s location URL given request ’s current URL ’s fragment If locationURL is null, then return response If locationURL is failure, then return a network error If locationURL ’s scheme is not an HTTP(S) scheme , then return a network error If request ’s redirect count is twenty, return a network error Increase request ’s redirect count by one. If request ’s mode is " cors ", locationURL includes credentials , and request ’s origin is not same origin with locationURL ’s origin , then return a network error If request ’s response tainting is " cors " and locationURL includes credentials , then return a network error This catches a cross-origin resource redirecting to a same-origin URL. If actualResponse ’s status is not 303, request ’s body is non-null, and request ’s body ’s source is null, then return a network error If one of the following is true actualResponse ’s status is 301 or 302 and request ’s method is ` POST actualResponse ’s status is 303 and request ’s method is not ` GET ` or ` HEAD then: Set request ’s method to ` GET ` and request ’s body to null. For each headerName of request-body-header name delete headerName from request ’s header list If request ’s body is non-null, then set request ’s body to the body of the result of safely extracting request ’s body ’s source request ’s body ’s source ’s nullity has already been checked. Let timingInfo be fetchParams ’s timing info Set timingInfo ’s redirect end time and post-redirect start time to the coarsened shared current time given fetchParams ’s cross-origin isolated capability If timingInfo ’s redirect start time is 0, then set timingInfo ’s redirect start time to timingInfo ’s start time Append locationURL to request ’s URL list Invoke set request ’s referrer policy on redirect on request and actualResponse [REFERRER] Return the result of running main fetch given fetchParams and true. This has to invoke main fetch to get request ’s response tainting correct. 4.5. HTTP-network-or-cache fetch To HTTP-network-or-cache fetch , given a fetch params fetchParams , an optional boolean isAuthenticationFetch (default false), and an optional boolean isNewConnectionFetch (default false), run these steps: Some implementations might support caching of partial content, as per HTTP Caching . However, this is not widely supported by browser caches. [HTTP-CACHING] Let request be fetchParams ’s request Let httpFetchParams be null. Let httpRequest be null. Let response be null. Let storedResponse be null. Let httpCache be null. Let the revalidatingFlag be unset. Run these steps, but abort when fetchParams is canceled If request ’s window is " no-window " and request ’s redirect mode is " error ", then set httpFetchParams to fetchParams and httpRequest to request Otherwise: Set httpRequest to a clone of request Implementations are encouraged to avoid teeing request ’s body ’s stream when request ’s body ’s source is null as only a single body is needed in that case. E.g., when request ’s body ’s source is null, redirects and authentication will end up failing the fetch. Set httpFetchParams to a copy of fetchParams Set httpFetchParams ’s request to httpRequest Let includeCredentials be true if one of request ’s credentials mode is include request ’s credentials mode is same-origin " and request ’s response tainting is " basic is true; otherwise false. If Cross-Origin-Embedder-Policy allows credentials with request returns false, then set includeCredentials to false. Let contentLength be httpRequest ’s body ’s length , if httpRequest ’s body is non-null; otherwise null. Let contentLengthHeaderValue be null. If httpRequest ’s body is null and httpRequest ’s method is ` POST ` or ` PUT `, then set contentLengthHeaderValue to ` `. If contentLength is non-null, then set contentLengthHeaderValue to contentLength serialized and isomorphic encoded If contentLengthHeaderValue is non-null, then append (` Content-Length `, contentLengthHeaderValue ) to httpRequest ’s header list If contentLength is non-null and httpRequest ’s keepalive is true, then: Let inflightKeepaliveBytes be 0. Let group be httpRequest ’s client ’s fetch group Let inflightRecords be the set of fetch records in group whose request ’s keepalive is true and done flag is unset. For each fetchRecord in inflightRecords Let inflightRequest be fetchRecord ’s request Increment inflightKeepaliveBytes by inflightRequest ’s body ’s length If the sum of contentLength and inflightKeepaliveBytes is greater than 64 kibibytes, then return a network error The above limit ensures that requests that are allowed to outlive the environment settings object and contain a body, have a bounded size and are not allowed to stay alive indefinitely. If httpRequest ’s referrer is a URL , then: Let referrerValue be httpRequest ’s referrer serialized and isomorphic encoded Append (` Referer `, referrerValue ) to httpRequest ’s header list Append a request ` Origin ` header for httpRequest Append the Fetch metadata headers for httpRequest [FETCH-METADATA] If httpRequest ’s header list does not contain User-Agent `, then user agents should append (` User-Agent `, default ` User-Agent ` value ) to httpRequest ’s header list If httpRequest ’s cache mode is " default " and httpRequest ’s header list contains If-Modified-Since `, If-None-Match `, If-Unmodified-Since `, If-Match `, or If-Range `, then set httpRequest ’s cache mode to " no-store ". If httpRequest ’s cache mode is " no-cache ", httpRequest ’s prevent no-cache cache-control header modification flag is unset, and httpRequest ’s header list does not contain Cache-Control `, then append (` Cache-Control `, ` max-age=0 `) to httpRequest ’s header list If httpRequest ’s cache mode is " no-store " or reload ", then: If httpRequest ’s header list does not contain Pragma `, then append (` Pragma `, ` no-cache `) to httpRequest ’s header list If httpRequest ’s header list does not contain Cache-Control `, then append (` Cache-Control `, ` no-cache `) to httpRequest ’s header list If httpRequest ’s header list contains Range `, then append (` Accept-Encoding `, identity `) to httpRequest ’s header list This avoids a failure when handling content codings with a part of an encoded response Additionally, many servers mistakenly ignore ` Range ` headers if a non-identity encoding is accepted. Modify httpRequest ’s header list per HTTP. Do not append a given header if httpRequest ’s header list contains that header ’s name It would be great if we could make this more normative somehow. At this point headers such as Accept-Encoding `, Connection `, DNT `, and Host `, are to be appended if necessary. Accept `, Accept-Charset `, and Accept-Language ` must not be included at this point. Accept ` and ` Accept-Language ` are already included (unless fetch() is used, which does not include the latter by default), and ` Accept-Charset ` is a waste of bytes. See HTTP header layer division for more details. If includeCredentials is true, then: If the user agent is not configured to block cookies for httpRequest (see section 7 of [COOKIES] ), then: Let be the result of running the "cookie-string" algorithm (see section 5.4 of [COOKIES] ) with the user agent’s cookie store and httpRequest ’s current URL If is not the empty string, then append (` `, ) to httpRequest ’s header list If httpRequest ’s header list does not contain Authorization `, then: Let authorizationValue be null. If there’s an authentication entry for httpRequest and either httpRequest ’s use-URL-credentials flag is unset or httpRequest ’s current URL does not include credentials then set authorizationValue to authentication entry Otherwise, if httpRequest ’s current URL does include credentials and isAuthenticationFetch is true, set authorizationValue to httpRequest ’s current URL converted to an ` Authorization ` value If authorizationValue is non-null, then append (` Authorization `, authorizationValue ) to httpRequest ’s header list If there’s a proxy-authentication entry , use it as appropriate. This intentionally does not depend on httpRequest ’s credentials mode Set httpCache to the result of determining the HTTP cache partition given httpRequest If httpCache is null, then set httpRequest ’s cache mode to " no-store ". If httpRequest ’s cache mode is neither " no-store nor " reload ", then: Let timingInfo be fetchParams ’s timing info Set storedResponse to the result of selecting a response from the httpCache , possibly needing validation, as per the Constructing Responses from Caches chapter of HTTP Caching [HTTP-CACHING] , if any. As mandated by HTTP, this still takes the ` Vary header into account. If storedResponse is non-null, then: If cache mode is " default ", storedResponse is a stale-while-revalidate response , and httpRequest ’s client is non-null, then: Set response to storedResponse Set response ’s cache state to " local ". Let revalidateRequest be a clone of request Set revalidateRequest ’s cache mode set to no-cache ". Set revalidateRequest ’s prevent no-cache cache-control header modification flag Set revalidateRequest ’s service-workers mode set to none ". In parallel , run main fetch given a new fetch params whose request is revalidateRequest This fetch is only meant to update the state of httpCache and the response will be unused until another cache access. The stale response will be used as the response to current request. This fetch is issued in the context of a client so if it goes away the request will be terminated. Otherwise: If storedResponse is a stale response , then set the revalidatingFlag If the revalidatingFlag is set and httpRequest ’s cache mode is neither " force-cache " nor only-if-cached ", then: If storedResponse ’s header list contains ETag `, then append (` If-None-Match `, ` ETag `'s value ) to httpRequest ’s header list If storedResponse ’s header list contains Last-Modified `, then append (` If-Modified-Since `, Last-Modified `'s value ) to httpRequest ’s header list See also the Sending a Validation Request chapter of HTTP Caching [HTTP-CACHING] Otherwise, set response to storedResponse and set response ’s cache state to " local ". If aborted , then return the appropriate network error for fetchParams If response is null, then: If httpRequest ’s cache mode is only-if-cached ", then return a network error Let forwardResponse be the result of running HTTP-network fetch given httpFetchParams includeCredentials , and isNewConnectionFetch If httpRequest ’s method is unsafe and forwardResponse ’s status is in the range 200 to 399, inclusive, invalidate appropriate stored responses in httpCache , as per the Invalidation " chapter of HTTP Caching , and set storedResponse to null. [HTTP-CACHING] If the revalidatingFlag is set and forwardResponse ’s status is 304, then: Update storedResponse ’s header list using forwardResponse ’s header list , as per the Freshening Stored Responses upon Validation chapter of HTTP Caching [HTTP-CACHING] This updates the stored response in cache as well. Set response to storedResponse Set response ’s cache state to " validated ". If response is null, then: Set response to forwardResponse Store httpRequest and forwardResponse in httpCache , as per the " Storing Responses in Caches chapter of HTTP Caching [HTTP-CACHING] If forwardResponse is a network error , this effectively caches the network error, which is sometimes known as "negative caching". The associated body info is stored in the cache alongside the response. Set response ’s URL list to a clone of httpRequest ’s URL list If httpRequest ’s header list contains Range `, then set response ’s range-requested flag Set response ’s request-includes-credentials to includeCredentials If response ’s status is 401, httpRequest ’s response tainting is not " cors ", includeCredentials is true, and request ’s window is an environment settings object then: Needs testing: multiple ` WWW-Authenticate ` headers, missing, parsing issues. If request ’s body is non-null, then: If request ’s body ’s source is null, then return a network error Set request ’s body to the body of the result of safely extracting request ’s body ’s source If request ’s use-URL-credentials flag is unset or isAuthenticationFetch is true, then: If fetchParams is canceled , then return the appropriate network error for fetchParams Let username and password be the result of prompting the end user for a username and password, respectively, in request ’s window Set the username given request ’s current URL and username Set the password given request ’s current URL and password Set response to the result of running HTTP-network-or-cache fetch given fetchParams and true. If response ’s status is 407, then: If request ’s window is no-window ", then return a network error Needs testing: multiple ` Proxy-Authenticate ` headers, missing, parsing issues. If fetchParams is canceled , then return the appropriate network error for fetchParams Prompt the end user as appropriate in request ’s window and store the result as a proxy-authentication entry [HTTP] Remaining details surrounding proxy authentication are defined by HTTP. Set response to the result of running HTTP-network-or-cache fetch given fetchParams If all of the following are true response ’s status is 421 isNewConnectionFetch is false request ’s body is null, or request ’s body is non-null and request ’s body ’s source is non-null then: If fetchParams is canceled , then return the appropriate network error for fetchParams Set response to the result of running HTTP-network-or-cache fetch given fetchParams isAuthenticationFetch , and true. If isAuthenticationFetch is true, then create an authentication entry for request and the given realm. Return response Typically response ’s body ’s stream is still being enqueued to after returning. 4.6. HTTP-network fetch To HTTP-network fetch , given a fetch params fetchParams , an optional boolean includeCredentials (default false), and an optional boolean forceNewConnection (default false), run these steps: Let request be fetchParams ’s request Let response be null. Let timingInfo be fetchParams ’s timing info Let networkPartitionKey be the result of determining the network partition key given request Let newConnection be " yes " if forceNewConnection is true; otherwise " no ". Switch on request ’s mode websocket Let connection be the result of obtaining a WebSocket connection , given request ’s current URL Otherwise Let connection be the result of obtaining a connection , given networkPartitionKey request ’s current URL includeCredentials , and newConnection Run these steps, but abort when fetchParams is canceled If connection is failure, then return a network error Set timingInfo ’s final connection timing info to the result of calling clamp and coarsen connection timing info with connection ’s timing info timingInfo ’s post-redirect start time , and fetchParams ’s cross-origin isolated capability If connection is an HTTP/1.x connection, request ’s body is non-null, and request ’s body ’s source is null, then return a network error Set timingInfo ’s final network-request start time to the coarsened shared current time given fetchParams ’s cross-origin isolated capability Set response to the result of making an HTTP request over connection using request with the following caveats: Follow the relevant requirements from HTTP. [HTTP] [HTTP-CACHING] If request ’s body is non-null, and request ’s body ’s source is null, then the user agent may have a buffer of up to 64 kibibytes and store a part of request ’s body in that buffer. If the user agent reads from request ’s body beyond that buffer’s size and the user agent needs to resend request , then instead return a network error The resending is needed when the connection is timed out, for example. The buffer is not needed when request ’s body ’s source is non-null, because request ’s body can be recreated from it. When request ’s body ’s source is null, it means body is created from a ReadableStream object, which means body cannot be recreated and that is why the buffer is needed. While true: If timingInfo ’s final network-response start time is 0, then set timingInfo ’s final network-response start time to coarsened shared current time given fetchParams ’s cross-origin isolated capability , immediately after the user agent’s HTTP parser receives the first byte of the response (e.g., frame header bytes for HTTP/2 or response status line for HTTP/1.x). Wait until all the HTTP response headers are transmitted. Let status be the HTTP response’s status code. If status is in the range 100 to 199, inclusive: If request ’s mode is " websocket " and status is 101, then break If status is 103 and fetchParams ’s process early hints response is non-null, then queue a fetch task to run fetchParams ’s process early hints response , with response Continue These kind of HTTP responses are eventually followed by a "final" HTTP response. Break The exact layering between Fetch and HTTP still needs to be sorted through and therefore response represents both a response and an HTTP response here. If the HTTP request results in a TLS client certificate dialog, then: If request ’s window is an environment settings object , make the dialog available in request ’s window Otherwise, return a network error To transmit request ’s body body , run these steps: If body is null and fetchParams ’s process request end-of-body is non-null, then queue a fetch task given fetchParams ’s process request end-of-body and fetchParams ’s task destination Otherwise, if body is non-null: Let processBodyChunk given bytes be these steps: If fetchParams is canceled , then abort these steps. Run this step in parallel : transmit bytes If fetchParams ’s process request body chunk length is non-null, then run fetchParams ’s process request body chunk length given bytes ’s length Let processEndOfBody be these steps: If fetchParams is canceled , then abort these steps. If fetchParams ’s process request end-of-body is non-null, then run fetchParams ’s process request end-of-body Let processBodyError given be these steps: If fetchParams is canceled , then abort these steps. If is an " AbortError DOMException then abort fetchParams ’s controller Otherwise, terminate fetchParams ’s controller Incrementally read request ’s body given processBodyChunk processEndOfBody processBodyError , and fetchParams ’s task destination If aborted , then: If connection uses HTTP/2, then transmit an RST_STREAM frame. Return the appropriate network error for fetchParams Let pullAlgorithm be an algorithm that resumes the ongoing fetch if it is suspended Let cancelAlgorithm be an algorithm that aborts fetchParams ’s controller with reason , given reason Let highWaterMark be a non-negative, non-NaN number, chosen by the user agent. Let sizeAlgorithm be an algorithm that accepts a chunk object and returns a non-negative, non-NaN, non-infinite number, chosen by the user agent. Let stream be a new ReadableStream Set up stream with pullAlgorithm set to pullAlgorithm cancelAlgorithm set to cancelAlgorithm highWaterMark set to highWaterMark , and sizeAlgorithm set to sizeAlgorithm Set response ’s body to a new body whose stream is stream If includeCredentials is true and the user agent is not configured to block cookies for request (see section 7 of [COOKIES] ), then run the "set-cookie-string" parsing algorithm (see section 5.2 of [COOKIES] on the value of each header whose name is a byte-case-insensitive match for ` Set-Cookie ` in response ’s header list , if any, and request ’s current URL Run these steps in parallel Run these steps, but abort when fetchParams is canceled While true: If one or more bytes have been transmitted from response ’s message body, then: Let bytes be the transmitted bytes. Let codings be the result of extracting header list values given Content-Encoding ` and response ’s header list Increase response ’s body info ’s encoded size by bytes ’s length Set bytes to the result of handling content codings given codings and bytes This makes the ` Content-Length header unreliable to the extent that it was reliable to begin with. Increase response ’s body info ’s decoded size by bytes ’s length If bytes is failure, then terminate fetchParams ’s controller Enqueue Uint8Array wrapping an ArrayBuffer containing bytes into stream If stream is errored , then terminate fetchParams .'s controller If stream doesn’t need more data ask the user agent to suspend the ongoing fetch. Otherwise, if the bytes transmission for response ’s message body is done normally and stream is readable , then close stream , and abort these in-parallel steps. If aborted , then: If fetchParams is aborted , then: Set response ’s aborted flag If stream is readable , then error stream with the result of deserialize a serialized abort reason given fetchParams ’s controller ’s serialized abort reason and an implementation-defined realm Otherwise, if stream is readable error stream with a TypeError If connection uses HTTP/2, then transmit an RST_STREAM frame. Otherwise, the user agent should close connection unless it would be bad for performance to do so. For instance, the user agent could keep the connection open if it knows there’s only a few bytes of transfer remaining on a reusable connection. In this case it could be worse to close the connection and go through the handshake process again for the next fetch. These are run in parallel as at this point it is unclear whether response ’s body is relevant ( response might be a redirect). Return response Typically response ’s body ’s stream is still being enqueued to after returning. 4.7. CORS-preflight fetch This is effectively the user agent implementation of the check to see if the CORS protocol is understood. The so-called CORS-preflight request . If successful it populates the CORS-preflight cache to minimize the number of these fetches To CORS-preflight fetch , given a request request , run these steps: Let preflight be a new request whose method is ` OPTIONS `, URL list is a clone of request ’s URL list initiator is request ’s initiator destination is request ’s destination origin is request ’s origin referrer is request ’s referrer referrer policy is request ’s referrer policy mode is " cors ", and response tainting is " cors ". The service-workers mode of preflight does not matter as this algorithm uses HTTP-network-or-cache fetch rather than HTTP fetch Append (` Accept `, ` */* `) to preflight ’s header list Append (` Access-Control-Request-Method `, request ’s method ) to preflight ’s header list Let headers be the CORS-unsafe request-header names with request ’s header list If headers is not empty , then: Let value be the items in headers separated from each other by `. Append (` Access-Control-Request-Headers `, value ) to preflight ’s header list This intentionally does not use combine , as 0x20 following 0x2C is not the way this was implemented, for better or worse. Let response be the result of running HTTP-network-or-cache fetch given a new fetch params whose request is preflight If a CORS check for request and response returns success and response ’s status is an ok status , then: The CORS check is done on request rather than preflight to ensure the correct credentials mode is used. Let methods be the result of extracting header list values given Access-Control-Allow-Methods ` and response ’s header list Let headerNames be the result of extracting header list values given Access-Control-Allow-Headers ` and response ’s header list If either methods or headerNames is failure, return a network error If methods is null and request ’s use-CORS-preflight flag is set, then set methods to a new list containing request ’s method This ensures that a CORS-preflight fetch that happened due to request ’s use-CORS-preflight flag being set is cached If request ’s method is not in methods request ’s method is not a CORS-safelisted method , and request ’s credentials mode is " include " or methods does not contain ` `, then return a network error If one of request ’s header list ’s names is a CORS non-wildcard request-header name and is not a byte-case-insensitive match for an item in headerNames , then return a network error For each unsafeName in the CORS-unsafe request-header names with request ’s header list , if unsafeName is not a byte-case-insensitive match for an item in headerNames and request ’s credentials mode is " include " or headerNames does not contain ` `, return a network error Let max-age be the result of extracting header list values given Access-Control-Max-Age ` and response ’s header list If max-age is failure or null, then set max-age to 5. If max-age is greater than an imposed limit on max-age , then set max-age to the imposed limit. If the user agent does not provide for a cache , then return response For each method in methods for which there is a method cache entry match using request , set matching entry’s max-age to max-age For each method in methods for which there is no method cache entry match using request create a new cache entry with request max-age method , and null. For each headerName in headerNames for which there is a header-name cache entry match using request , set matching entry’s max-age to max-age For each headerName in headerNames for which there is no header-name cache entry match using request create a new cache entry with request max-age , null, and headerName Return response Otherwise, return a network error 4.8. CORS-preflight cache A user agent has an associated CORS-preflight cache . A CORS-preflight cache is a list of cache entries cache entry consists of: key (a network partition key byte-serialized origin (a byte sequence URL (a URL max-age (a number of seconds) credentials (a boolean) method (null, ` `, or a method header name (null, ` `, or a header name Cache entries must be removed after the seconds specified in their max-age field have passed since storing the entry. Cache entries may be removed before that moment arrives. To create a new cache entry , given request max-age method , and headerName , run these steps: Let entry be a cache entry , initialized as follows: key The result of determining the network partition key given request byte-serialized origin The result of byte-serializing a request origin with request URL request ’s current URL max-age max-age credentials True if request ’s credentials mode is include ", and false otherwise method method header name headerName Append entry to the user agent’s CORS-preflight cache To clear cache entries , given a request remove any cache entries in the user agent’s CORS-preflight cache whose key is the result of determining the network partition key given request byte-serialized origin is the result of byte-serializing a request origin with request , and URL is request ’s current URL There is a cache entry match for a cache entry entry with request if entry ’s key is the result of determining the network partition key given request entry ’s byte-serialized origin is the result of byte-serializing a request origin with request entry ’s URL is request ’s current URL , and one of entry ’s credentials is true entry ’s credentials is false and request ’s credentials mode is not " include ". is true. There is a method cache entry match for method using request when there is a cache entry in the user agent’s CORS-preflight cache for which there is a cache entry match with request and its method is method or ` `. There is a header-name cache entry match for headerName using request when there is a cache entry in the user agent’s CORS-preflight cache for which there is a cache entry match with request and one of its header name is a byte-case-insensitive match for headerName its header name is ` ` and headerName is not CORS non-wildcard request-header name is true. 4.9. CORS check To perform a CORS check for a request and response , run these steps: Let origin be the result of getting Access-Control-Allow-Origin ` from response ’s header list If origin is null, then return failure. Null is not ` null `. If request ’s credentials mode is not " include and origin is ` `, then return success. If the result of byte-serializing a request origin with request is not origin , then return failure. If request ’s credentials mode is not " include ", then return success. Let credentials be the result of getting Access-Control-Allow-Credentials ` from response ’s header list If credentials is ` true `, then return success. Return failure. 4.10. TAO check To perform a TAO check for a request and response , run these steps: If request ’s timing allow failed flag is set, then return failure. Let values be the result of getting, decoding, and splitting Timing-Allow-Origin ` from response ’s header list If values contains ", then return success. If values contains the result of serializing a request origin with request , then return success. If request ’s mode is " navigate " and request ’s current URL ’s origin is not same origin with request ’s origin , then return failure. This is necessary for navigations of a nested browsing context. There, request ’s origin would be the container document’s origin and the TAO check would return failure. Since navigation timing never validates the results of the TAO check , the nested document would still have access to the full timing information, but the container document would not. If request ’s response tainting is " basic ", then return success. Return failure. 5. Fetch API The fetch() method is relatively low-level API for fetching resources. It covers slightly more ground than XMLHttpRequest although it is currently lacking when it comes to request progression (not response progression). The fetch() method makes it quite straightforward to fetch a resource and extract its contents as a Blob fetch "/music/pk/altes-kamuffel.flac" then res => res blob ()). then playBlob If you just care to log a particular response header: fetch "/" method "HEAD" }) then res => log res headers get "strict-transport-security" ))) If you want to check a particular response header and then process the response of a cross-origin resource: fetch "https://pk.example/berlin-calling.json" mode "cors" }) then res => if res headers get "content-type" && res headers get "content-type" ). toLowerCase (). indexOf "application/json" >= return res json () else throw new TypeError () }). then processJSON If you want to work with URL query parameters: var url new URL "https://geo.example.org/api" ), params lat 35.696233 long 139.570431 Object keys params ). forEach key => url searchParams append key params key ])) fetch url ). then /* … */ If you want to receive the body data progressively: function consume reader var total return pump () function pump () return reader read (). then (({ done value }) => if done return total += value byteLength log `received ${ value byteLength bytes ( ${ total bytes in total)` return pump () }) fetch "/music/pk/altes-kamuffel.flac" then res => consume res body getReader ())) then (() => log "consumed the entire body without keeping the whole thing in memory!" )) catch => log "something went wrong: " )) 5.1. Headers class Headers In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android 44+ iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile Node.js 18.0.0+ typedef sequence sequence ByteString >> or record ByteString ByteString >) HeadersInit Exposed =( Window Worker )] interface Headers constructor optional HeadersInit init ); undefined append ByteString name ByteString value ); undefined delete ByteString name ); ByteString get ByteString name ); boolean has ByteString name ); undefined set ByteString name ByteString value ); iterable ByteString ByteString >; }; Unlike a header list , a Headers object cannot represent more than one Set-Cookie header . In a way this is problematic as unlike all other headers ` Set-Cookie ` headers cannot be combined, but since ` Set-Cookie headers are not exposed to client-side JavaScript this is deemed an acceptable compromise. Implementations could choose the more efficient Headers object representation even for a header list , as long as they also support an associated data structure for Set-Cookie ` headers. Headers object has an associated header list (a header list ), which is initially empty. This can be a pointer to the header list of something else, e.g., of a request as demonstrated by Request objects. Headers object also has an associated guard , which is a headers guard . A headers guard is " immutable ", " request ", request-no-cors ", " response " or " none ". Headers/Headers In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android 44+ iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile headers = new Headers ([ init ]) Creates a new Headers object. init can be used to fill its internal header list, as per the example below. const meta "Content-Type" "text/xml" "Breaking-Bad" "<3" }; new Headers meta ); // The above is equivalent to const meta2 "Content-Type" "text/xml" ], "Breaking-Bad" "<3" ]; new Headers meta2 ); Headers/append In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android 44+ iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile headers append name value Appends a header to headers Headers/delete In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android 44+ iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile headers delete name Removes a header from headers Headers/get In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android 44+ iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile headers get name Returns as a string the values of all headers whose name is name , separated by a comma and a space. Headers/has In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android 44+ iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile headers has name Returns whether there is a header whose name is name Headers/set In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android 44+ iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile headers set name value Replaces the value of the first header whose name is name with value and removes any remaining headers whose name is name for(const [ name value ] of headers headers can be iterated over. To append header name value ) to a Headers object headers , run these steps: Normalize value If name is not a header name or value is not a header value , then throw TypeError If headers ’s guard is " immutable ", then throw TypeError Otherwise, if headers ’s guard is " request " and name is a forbidden header name , return. Otherwise, if headers ’s guard is " request-no-cors ": Let temporaryValue be the result of getting name from headers ’s header list If temporaryValue is null, then set temporaryValue to value Otherwise, set temporaryValue to temporaryValue , followed by 0x2C 0x20, followed by value If name temporaryValue is not a no-CORS-safelisted request-header , then return. Otherwise, if headers ’s guard is " response " and name is a forbidden response-header name , return. Append name value ) to headers ’s header list If headers ’s guard is " request-no-cors ", then remove privileged no-CORS request headers from headers To fill Headers object headers with a given object object , run these steps: If object is a sequence , then for each header in object If header does not contain exactly two items, then throw TypeError Append header ’s first item, header ’s second item) to headers Otherwise, object is a record , then for each key value in object append key value ) to headers To remove privileged no-CORS request headers from a Headers object ( headers ), run these steps: For each headerName of privileged no-CORS request-header names Delete headerName from headers ’s header list This is called when headers are modified by unprivileged code. The new Headers( init constructor steps are: Set this ’s guard to " none ". If init is given, then fill this with init The append( name value method steps are to append name value ) to this The delete( name method steps are: If name is not a header name , then throw TypeError If this ’s guard is " immutable ", then throw TypeError Otherwise, if this ’s guard is " request " and name is a forbidden header name , return. Otherwise, if this ’s guard is " request-no-cors ", name is not a no-CORS-safelisted request-header name , and name is not privileged no-CORS request-header name , return. Otherwise, if this ’s guard is " response " and name is a forbidden response-header name , return. If this ’s header list does not contain name , then return. Delete name from this ’s header list If this ’s guard is " request-no-cors ", then remove privileged no-CORS request headers from this The get( name method steps are: If name is not a header name , then throw TypeError Return the result of getting name from this ’s header list The has( name method steps are: If name is not a header name , then throw TypeError Return true if this ’s header list contains name ; otherwise false. The set( name value method steps are: Normalize value If name is not a header name or value is not a header value , then throw TypeError If this ’s guard is " immutable ", then throw TypeError Otherwise, if this ’s guard is " request " and name is a forbidden header name , return. Otherwise, if this ’s guard is " request-no-cors " and name value is not a no-CORS-safelisted request-header , return. Otherwise, if this ’s guard is " response " and name is a forbidden response-header name , return. Set name value ) in this ’s header list If this ’s guard is " request-no-cors ", then remove privileged no-CORS request headers from this The value pairs to iterate over are the return value of running sort and combine with this ’s header list 5.2. BodyInit unions typedef Blob or BufferSource or FormData or URLSearchParams or USVString XMLHttpRequestBodyInit typedef ReadableStream or XMLHttpRequestBodyInit BodyInit To safely extract body with type from a byte sequence or BodyInit object object , run these steps: If object is a ReadableStream object, then: Assert: object is neither disturbed nor locked Return the result of extracting object The safely extract operation is a subset of the extract operation that is guaranteed to not throw an exception. To extract body with type from a byte sequence or BodyInit object object , with an optional boolean keepalive (default false), run these steps: Let stream be null. If object is a ReadableStream object, then set stream to object Otherwise, if object is a Blob object, set stream to the result of running object ’s get stream Otherwise, set stream to a new ReadableStream object, and set up stream Assert stream is a ReadableStream object. Let action be null. Let source be null. Let length be null. Let type be null. Switch on object Blob Set source to object Set length to object ’s size If object ’s type attribute is not the empty byte sequence, set type to its value. byte sequence Set source to object BufferSource Set source to a copy of the bytes held by object FormData Set action to this step: run the multipart/form-data encoding algorithm , with object ’s entry list and UTF-8 Set source to object Set length to unclear, see html/6424 for improving this Set type to ` multipart/form-data; boundary= `, followed by the multipart/form-data boundary string generated by the multipart/form-data encoding algorithm URLSearchParams Set source to the result of running the application/x-www-form-urlencoded serializer with object ’s list Set type to application/x-www-form-urlencoded;charset=UTF-8 `. scalar value string Set source to the UTF-8 encoding of object Set type to ` text/plain;charset=UTF-8 `. ReadableStream If keepalive is true, then throw TypeError If object is disturbed or locked , then throw TypeError If source is a byte sequence , then set action to a step that returns source and length to source ’s length If action is non-null, then run these steps in in parallel Run action Whenever one or more bytes are available and stream is not errored enqueue Uint8Array wrapping an ArrayBuffer containing the available bytes into stream When running action is done, close stream Let body be a body whose stream is stream source is source , and length is length Return ( body type ). 5.3. Body mixin interface mixin Body readonly attribute ReadableStream body readonly attribute boolean bodyUsed NewObject Promise ArrayBuffer arrayBuffer (); NewObject Promise Blob blob (); NewObject Promise FormData formData (); NewObject Promise any json (); NewObject Promise USVString text (); }; Formats you would not want a network layer to be dependent upon, such as HTML, will likely not be exposed here. Rather, an HTML parser API might accept a stream in due course. Objects including the Body interface mixin need to define an associated MIME type algorithm which takes no arguments and returns failure or a MIME type Objects including the Body interface mixin have an associated body (null or a body ). An object including the Body interface mixin is said to be unusable if its body is non-null and its body ’s stream is disturbed or locked Request/body Firefox None Safari 11.1+ Chrome 105+ Opera Edge 105+ Edge (Legacy) IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile Response/body In all current engines. Firefox 65+ Safari 10.1+ Chrome 43+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile requestOrResponse body Returns requestOrResponse ’s body as ReadableStream Request/bodyUsed In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile Response/bodyUsed In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile requestOrResponse bodyUsed Returns whether requestOrResponse ’s body has been read from. Request/arrayBuffer In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile Response/arrayBuffer In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile requestOrResponse arrayBuffer () Returns a promise fulfilled with requestOrResponse ’s body as ArrayBuffer Request/blob In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile Response/blob In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile requestOrResponse blob () Returns a promise fulfilled with requestOrResponse ’s body as Blob Request/formData In all current engines. Firefox 39+ Safari 14.1+ Chrome 60+ Opera Edge 79+ Edge (Legacy) IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile Response/formData In all current engines. Firefox 39+ Safari 14.1+ Chrome 60+ Opera Edge 79+ Edge (Legacy) IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile requestOrResponse formData () Returns a promise fulfilled with requestOrResponse ’s body as FormData Request/json In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile Response/json In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile requestOrResponse json () Returns a promise fulfilled with requestOrResponse ’s body parsed as JSON. Request/text In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile Response/text In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile requestOrResponse text () Returns a promise fulfilled with requestOrResponse ’s body as string. The body getter steps are to return null if this ’s body is null; otherwise this ’s body ’s stream The bodyUsed getter steps are to return true if this ’s body is non-null and this ’s body ’s stream is disturbed ; otherwise false. The package data algorithm, given bytes type , and a mimeType , switches on type , and runs the associated steps: ArrayBuffer Return a new ArrayBuffer whose contents are bytes Allocating an ArrayBuffer can throw a RangeError Blob Return a Blob whose contents are bytes and type attribute is mimeType FormData If mimeType ’s essence is " multipart/form-data ", then: Parse bytes , using the value of the ` boundary ` parameter from mimeType , per the rules set forth in Returning Values from Forms: multipart/form-data [RFC7578] Each part whose ` Content-Disposition ` header contains a ` filename parameter must be parsed into an entry whose value is a File object whose contents are the contents of the part. The name attribute of the File object must have the value of the ` filename ` parameter of the part. The type attribute of the File object must have the value of the ` Content-Type ` header of the part if the part has such header, and ` text/plain ` (the default defined by [RFC7578] section 4.4) otherwise. Each part whose ` Content-Disposition ` header does not contain a filename ` parameter must be parsed into an entry whose value is the UTF-8 decoded without BOM content of the part. This is done regardless of the presence or the value of a Content-Type ` header and regardless of the presence or the value of a charset ` parameter. A part whose ` Content-Disposition ` header contains a name ` parameter whose value is ` _charset_ ` is parsed like any other part. It does not change the encoding. If that fails for some reason, then throw TypeError Return a new FormData object, appending each entry , resulting from the parsing operation, to its entry list The above is a rough approximation of what is needed for multipart/form-data `, a more detailed parsing specification is to be written. Volunteers welcome. Otherwise, if mimeType ’s essence is application/x-www-form-urlencoded ", then: Let entries be the result of parsing bytes If entries is failure, then throw TypeError Return a new FormData object whose entry list is entries Otherwise, throw TypeError JSON Return the result of running parse JSON from bytes on bytes text Return the result of running UTF-8 decode on bytes The consume body algorithm, given an object and type , runs these steps: If object is unusable , then return a promise rejected with TypeError Let promise be a promise resolved with an empty byte sequence If object ’s body is non-null, then set promise to the result of fully reading body as promise given object ’s body Let steps be to return the result of package data with the first argument given, type , and object ’s MIME type Return the result of upon fulfillment of promise given steps The arrayBuffer() method steps are to return the result of running consume body with this and ArrayBuffer The blob() method steps are to return the result of running consume body with this and Blob The formData() method steps are to return the result of running consume body with this and FormData The json() method steps are to return the result of running consume body with this and JSON The text() method steps are to return the result of running consume body with this and text 5.4. Request class Request In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile Node.js 18.0.0+ typedef Request or USVString RequestInfo Exposed =( Window Worker )] interface Request constructor RequestInfo input optional RequestInit init = {}); readonly attribute ByteString method readonly attribute USVString url SameObject readonly attribute Headers headers readonly attribute RequestDestination destination readonly attribute USVString referrer readonly attribute ReferrerPolicy referrerPolicy readonly attribute RequestMode mode readonly attribute RequestCredentials credentials readonly attribute RequestCache cache readonly attribute RequestRedirect redirect readonly attribute DOMString integrity readonly attribute boolean keepalive readonly attribute boolean isReloadNavigation readonly attribute boolean isHistoryNavigation readonly attribute AbortSignal signal readonly attribute RequestDuplex duplex NewObject Request clone (); }; Request includes Body dictionary RequestInit ByteString method HeadersInit headers BodyInit body USVString referrer ReferrerPolicy referrerPolicy RequestMode mode RequestCredentials credentials RequestCache cache RequestRedirect redirect DOMString integrity boolean keepalive AbortSignal signal RequestDuplex duplex any window ; // can only be set to null }; enum RequestDestination "" "audio" "audioworklet" "document" "embed" "font" "frame" "iframe" "image" "manifest" "object" "paintworklet" "report" "script" "sharedworker" "style" "track" "video" "worker" "xslt" }; enum RequestMode "navigate" "same-origin" "no-cors" "cors" }; enum RequestCredentials "omit" "same-origin" "include" }; enum RequestCache "default" "no-store" "reload" "no-cache" "force-cache" "only-if-cached" }; enum RequestRedirect "follow" "error" "manual" }; enum RequestDuplex "half" }; serviceworker " is omitted from RequestDestination as it cannot be observed from JavaScript. Implementations will still need to support it as a destination . " websocket " is omitted from RequestMode as it cannot be used nor observed from JavaScript. Request object has an associated request (a request ). Request object also has an associated headers (null or a Headers object), initially null. Request object has an associated signal (null or an AbortSignal object), initially null. Request object’s MIME type is to return the result of extracting a MIME type from its request ’s header list Request object’s body is its request ’s body Request/Request In all current engines. Firefox 39+ Safari 10.1+ Chrome 40+ Opera 27+ Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile 27+ request = new Request input [, init ]) Returns a new request whose url property is input if input is a string, and input ’s url if input is a Request object. The init argument is an object whose properties can be set as follows: method A string to set request ’s method headers Headers object, an object literal, or an array of two-item arrays to set request ’s headers body BodyInit object or null to set request ’s body referrer A string whose value is a same-origin URL, " about:client ", or the empty string, to set request ’s referrer referrerPolicy referrer policy to set request ’s referrerPolicy mode A string to indicate whether the request will use CORS, or will be restricted to same-origin URLs. Sets request ’s mode . If input is a string, it defaults to cors ". credentials A string indicating whether credentials will be sent with the request always, never, or only when sent to a same-origin URL — as well as whether any credentials sent back in the response will be used always, never, or only when received from a same-origin URL. Sets request ’s credentials . If input is a string, it defaults to same-origin ". cache A string indicating how the request will interact with the browser’s cache to set request ’s cache redirect A string indicating whether request follows redirects, results in an error upon encountering a redirect, or returns the redirect (in an opaque fashion). Sets request ’s redirect integrity A cryptographic hash of the resource to be fetched by request . Sets request ’s integrity keepalive A boolean to set request ’s keepalive signal An AbortSignal to set request ’s signal window Can only be null. Used to disassociate request from any Window duplex half " is the only valid value and it is for initiating a half-duplex fetch (i.e., the user agent sends the entire request before processing the response). full " is reserved for future use, for initiating a full-duplex fetch (i.e., the user agent can process the response before sending the entire request). This member needs to be set when body is a ReadableStream object. See issue #1254 for defining full ". Request/method In all current engines. Firefox 39+ Safari 10.1+ Chrome 40+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile request method Returns request ’s HTTP method, which is " GET " by default. Request/url In all current engines. Firefox 39+ Safari 10.1+ Chrome 40+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile 27+ request url Returns the URL of request as a string. Request/headers In all current engines. Firefox 39+ Safari 10.1+ Chrome 40+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile request headers Returns a Headers object consisting of the headers associated with request Note that headers added in the network layer by the user agent will not be accounted for in this object, e.g., the " Host " header. Request/destination In all current engines. Firefox 61+ Safari 10.1+ Chrome 65+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile request destination Returns the kind of resource requested by request , e.g., " document " or script ". Request/referrer In all current engines. Firefox 39+ Safari 10.1+ Chrome 40+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile request referrer Returns the referrer of request . Its value can be a same-origin URL if explicitly set in init , the empty string to indicate no referrer, and about:client " when defaulting to the global’s default. This is used during fetching to determine the value of the ` Referer ` header of the request being made. Request/referrerPolicy In all current engines. Firefox 47+ Safari 10.1+ Chrome 52+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet 7.2+ Opera Mobile request referrerPolicy Returns the referrer policy associated with request . This is used during fetching to compute the value of the request ’s referrer. Request/mode In all current engines. Firefox 39+ Safari 10.1+ Chrome 40+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile request mode Returns the mode associated with request , which is a string indicating whether the request will use CORS, or will be restricted to same-origin URLs. Request/credentials In all current engines. Firefox 39+ Safari 10.1+ Chrome 40+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile request credentials Returns the credentials mode associated with request , which is a string indicating whether credentials will be sent with the request always, never, or only when sent to a same-origin URL. Request/cache In all current engines. Firefox 48+ Safari 10.1+ Chrome 64+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile request cache Returns the cache mode associated with request , which is a string indicating how the request will interact with the browser’s cache when fetching. Request/redirect In all current engines. Firefox 43+ Safari 10.1+ Chrome 46+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile request redirect Returns the redirect mode associated with request , which is a string indicating how redirects for the request will be handled during fetching. A request will follow redirects by default. Request/integrity In all current engines. Firefox 51+ Safari 10.1+ Chrome 46+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile request integrity Returns request ’s subresource integrity metadata, which is a cryptographic hash of the resource being fetched. Its value consists of multiple hashes separated by whitespace. [SRI] request keepalive Returns a boolean indicating whether or not request can outlive the global in which it was created. request isReloadNavigation Returns a boolean indicating whether or not request is for a reload navigation. request isHistoryNavigation Returns a boolean indicating whether or not request is for a history navigation (a.k.a. back-foward navigation). request signal Returns the signal associated with request , which is an AbortSignal object indicating whether or not request has been aborted, and its abort event handler. request duplex Returns " half ", meaning the fetch will be half-duplex (i.e., the user agent sends the entire request before processing the response). In future, it could also return full ", meaning the fetch will be full-duplex (i.e., the user agent can process the response before sending the entire request) to indicate that the fetch will be full-duplex. See issue #1254 for defining " full ". Request/clone In all current engines. Firefox 39+ Safari 10.1+ Chrome 40+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile request clone () Returns a clone of request To create Request object, given a request request headers guard guard , and realm realm , run these steps: Let requestObject be a new Request object with realm Set requestObject ’s request to request Set requestObject ’s headers to a new Headers object with realm , whose headers list is request ’s headers list and guard is guard Set requestObject ’s signal to a new AbortSignal object with realm Return requestObject The new Request( input init constructor steps are: Let request be null. Let fallbackMode be null. Let baseURL be this ’s relevant settings object ’s API base URL Let signal be null. If input is a string, then: Let parsedURL be the result of parsing input with baseURL If parsedURL is failure, then throw TypeError If parsedURL includes credentials , then throw TypeError Set request to a new request whose URL is parsedURL Set fallbackMode to " cors ". Otherwise: Assert: input is a Request object. Set request to input ’s request Set signal to input ’s signal Let origin be this ’s relevant settings object ’s origin Let window be " client ". If request ’s window is an environment settings object and its origin is same origin with origin , then set window to request ’s window If init [" window "] exists and is non-null, then throw TypeError If init [" window "] exists , then set window to " no-window ". Set request to a new request with the following properties: URL request ’s URL method request ’s method header list A copy of request ’s header list unsafe-request flag Set. client This ’s relevant settings object window window priority request ’s priority origin request ’s origin The propagation of the origin is only significant for navigation requests being handled by a service worker. In this scenario a request can have an origin that is different from the current client. referrer request ’s referrer referrer policy request ’s referrer policy mode request ’s mode credentials mode request ’s credentials mode cache mode request ’s cache mode redirect mode request ’s redirect mode integrity metadata request ’s integrity metadata keepalive request ’s keepalive reload-navigation flag request ’s reload-navigation flag history-navigation flag request ’s history-navigation flag URL list clone of request ’s URL list initiator type fetch ". If init is not empty , then: If request ’s mode is navigate ", then set it to " same-origin ". Unset request ’s reload-navigation flag Unset request ’s history-navigation flag Set request ’s origin to " client ". Set request ’s referrer to " client ". Set request ’s referrer policy to the empty string. Set request ’s URL to request ’s current URL Set request ’s URL list to « request ’s URL ». This is done to ensure that when a service worker "redirects" a request, e.g., from an image in a cross-origin style sheet, and makes modifications, it no longer appears to come from the original source (i.e., the cross-origin style sheet), but instead from the service worker that "redirected" the request. This is important as the original source might not even be able to generate the same kind of requests as the service worker. Services that trust the original source could therefore be exploited were this not done, although that is somewhat farfetched. If init [" referrer "] exists , then: Let referrer be init [" referrer "]. If referrer is the empty string, then set request ’s referrer to " no-referrer ". Otherwise: Let parsedReferrer be the result of parsing referrer with baseURL If parsedReferrer is failure, then throw TypeError If one of the following is true parsedReferrer ’s scheme is " about " and path is the string " client parsedReferrer ’s origin is not same origin with origin then set request ’s referrer to " client ". Otherwise, set request ’s referrer to parsedReferrer If init [" referrerPolicy "] exists , then set request ’s referrer policy to it. Let mode be init [" mode "] if it exists and fallbackMode otherwise. If mode is " navigate ", then throw TypeError If mode is non-null, set request ’s mode to mode If init [" credentials "] exists , then set request ’s credentials mode to it. If init [" cache "] exists , then set request ’s cache mode to it. If request ’s cache mode is " only-if-cached " and request ’s mode is not same-origin ", then throw TypeError If init [" redirect "] exists , then set request ’s redirect mode to it. If init [" integrity "] exists , then set request ’s integrity metadata to it. If init [" keepalive "] exists , then set request ’s keepalive to it. If init [" method "] exists , then: Let method be init [" method "]. If method is not a method or method is a forbidden method , then throw TypeError Normalize method Set request ’s method to method If init [" signal "] exists , then set signal to it. Set this ’s request to request Set this ’s signal to a new AbortSignal object with this ’s relevant Realm If signal is not null, then make this ’s signal follow signal Set this ’s headers to a new Headers object with this ’s relevant Realm , whose header list is request ’s header list and guard is " request ". If this ’s request ’s mode is no-cors ", then: If this ’s request ’s method is not a CORS-safelisted method , then throw TypeError Set this ’s headers ’s guard to request-no-cors ". If init is not empty , then: The headers are sanitized as they might contain headers that are not allowed by this mode. Otherwise, they were previously sanitized or are unmodified since they were set by a privileged API. Let headers be a copy of this ’s headers and its associated header list If init [" headers "] exists , then set headers to init [" headers "]. Empty this ’s headers ’s header list If headers is a Headers object, then for each header in its header list append header ’s name header ’s value ) to this ’s headers Otherwise, fill this ’s headers with headers Let inputBody be input ’s request ’s body if input is a Request object; otherwise null. If either init [" body "] exists and is non-null or inputBody is non-null, and request ’s method is GET ` or ` HEAD `, then throw TypeError Let initBody be null. If init [" body "] exists and is non-null, then: Let bodyWithType be the result of extracting init [" body "], with keepalive set to request ’s keepalive Set initBody to bodyWithType ’s body Let type be bodyWithType ’s type If type is non-null and this ’s headers ’s header list does not contain Content-Type `, then append (` Content-Type `, type ) to this ’s headers Let inputOrInitBody be initBody if it is non-null; otherwise inputBody If inputOrInitBody is non-null and inputOrInitBody ’s source is null, then: If initBody is non-null and init [" duplex "] does not exist , then throw a TypeError If this ’s request ’s mode is neither same-origin " nor " cors ", then throw a TypeError Set this ’s request ’s use-CORS-preflight flag Let finalBody be inputOrInitBody If initBody is null and inputBody is non-null, then: If input is unusable , then throw TypeError Set finalBody to the result of creating a proxy for inputBody Set this ’s request ’s body to finalBody The method getter steps are to return this ’s request ’s method The url getter steps are to return this ’s request ’s URL serialized The headers getter steps are to return this ’s headers The destination getter are to return this ’s request ’s destination The referrer getter steps are: If this ’s request ’s referrer is no-referrer ", then return the empty string. If this ’s request ’s referrer is client ", then return " about:client ". Return this ’s request ’s referrer serialized The referrerPolicy getter steps are to return this ’s request ’s referrer policy The mode getter steps are to return this ’s request ’s mode The credentials getter steps are to return this ’s request ’s credentials mode The cache getter steps are to return this ’s request ’s cache mode The redirect getter steps are to return this ’s request ’s redirect mode The integrity getter steps are to return this ’s request ’s integrity metadata The keepalive getter steps are to return this ’s request ’s keepalive The isReloadNavigation getter steps are to return true if this ’s request ’s reload-navigation flag is set; otherwise false. The isHistoryNavigation getter steps are to return true if this ’s request ’s history-navigation flag is set; otherwise false. The signal getter steps are to return this ’s signal The duplex getter steps are to return half ". The clone() method steps are: If this is unusable , then throw TypeError Let clonedRequest be the result of cloning this ’s request Let clonedRequestObject be the result of creating Request object, given clonedRequest this ’s headers ’s guard , and this ’s relevant Realm Make clonedRequestObject ’s signal follow this ’s signal Return clonedRequestObject 5.5. Response class Response In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile Node.js 18.0.0+ Response/type In all current engines. Firefox 39+ Safari 10.1+ Chrome 40+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile Exposed =( Window Worker )] interface Response constructor optional BodyInit body null optional ResponseInit init = {}); NewObject static Response error (); NewObject static Response redirect USVString url optional unsigned short status = 302); NewObject static Response json any data optional ResponseInit init = {}); readonly attribute ResponseType type readonly attribute USVString url readonly attribute boolean redirected readonly attribute unsigned short status readonly attribute boolean ok readonly attribute ByteString statusText SameObject readonly attribute Headers headers NewObject Response clone (); }; Response includes Body dictionary ResponseInit unsigned short status = 200; ByteString statusText = ""; HeadersInit headers }; enum ResponseType "basic" "cors" "default" "error" "opaque" "opaqueredirect" }; Response object has an associated response (a response ). Response object also has an associated headers (null or a Headers object), initially null. Response object’s MIME type is to return the result of extracting a MIME type from its response ’s header list Response object’s body is its response ’s body Response/Response In all current engines. Firefox 39+ Safari 10.1+ Chrome 40+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile response = new Response body = null [, init ]) Creates a Response whose body is body , and status, status message, and headers are provided by init Response/error In all current engines. Firefox 39+ Safari 10.1+ Chrome 43+ Opera Edge 79+ Edge (Legacy) 16+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile response Response error () Creates network error Response Response/redirect In all current engines. Firefox 39+ Safari 10.1+ Chrome 44+ Opera Edge 79+ Edge (Legacy) 16+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile response Response redirect url status = 302) Creates a redirect Response that redirects to url with status status response Response json data [, init ]) Creates a Response whose body is the JSON-encoded data , and status, status message, and headers are provided by init response type Returns response ’s type, e.g., " cors ". Response/url In all current engines. Firefox 39+ Safari 10.1+ Chrome 40+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile response url Returns response ’s URL, if it has one; otherwise the empty string. Response/redirected In all current engines. Firefox 49+ Safari 10.1+ Chrome 57+ Opera Edge 79+ Edge (Legacy) 16+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView 60+ Samsung Internet 8.0+ Opera Mobile response redirected Returns whether response was obtained through a redirect. Response/status In all current engines. Firefox 39+ Safari 10.1+ Chrome 40+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile response status Returns response ’s status. Response/ok In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile response ok Returns whether response ’s status is an ok status Response/statusText In all current engines. Firefox 39+ Safari 10.1+ Chrome 40+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile response statusText Returns response ’s status message. Response/headers In all current engines. Firefox 39+ Safari 10.1+ Chrome 40+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile response headers Returns response ’s headers as Headers Response/clone In all current engines. Firefox 39+ Safari 10.1+ Chrome 40+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile response clone () Returns a clone of response To create Response object, given a response response headers guard guard , and realm realm , run these steps: Let responseObject be a new Response object with realm Set responseObject ’s response to response Set responseObject ’s headers to a new Headers object with realm , whose headers list is response ’s headers list and guard is guard Return responseObject To initialize a response , given a Response object response ResponseInit init , and an optional body with type body , run these steps: If init [" status "] is not in the range 200 to 599, inclusive, then throw RangeError If init [" statusText "] does not match the reason-phrase token production, then throw TypeError Set response ’s response ’s status to init [" status "]. Set response ’s response ’s status message to init [" statusText "]. If init [" headers "] exists , then fill response ’s headers with init [" headers "]. If body was given, then: If response ’s status is a null body status , then throw TypeError 101 and 103 are included in null body status due to their use elsewhere. They do not affect this step. Set response ’s body to body ’s body If body ’s type is non-null and response ’s header list does not contain Content-Type `, then append (` Content-Type `, body ’s type ) to response ’s header list The new Response( body init constructor steps are: Set this ’s response to a new response Set this ’s headers to a new Headers object with this ’s relevant Realm , whose header list is this ’s response ’s header list and guard is response ". Let bodyWithType be null. If body is non-null, then set bodyWithType to the result of extracting body Perform initialize a response given this init , and bodyWithType The static error() method steps are to return the result of creating Response object, given a new network error immutable ", and this ’s relevant Realm The static redirect( url status method steps are: Let parsedURL be the result of parsing url with current settings object ’s API base URL If parsedURL is failure, then throw TypeError If status is not a redirect status , then throw RangeError Let responseObject be the result of creating Response object, given a new response , " immutable ", and this ’s relevant Realm Set responseObject ’s response ’s status to status Let value be parsedURL serialized and isomorphic encoded Append (` Location `, value ) to responseObject ’s response ’s header list Return responseObject The static json( data init method steps are: Let bytes the result of running serialize a JavaScript value to JSON bytes on data Let body be the result of extracting bytes Let responseObject be the result of creating Response object, given a new response , " response ", and this ’s relevant Realm Perform initialize a response given responseObject init , and body , " application/json "). Return responseObject The type getter steps are to return this ’s response ’s type The url getter steps are to return the empty string if this ’s response ’s URL is null; otherwise this ’s response ’s URL serialized with exclude fragment set to true. The redirected getter steps are to return true if this ’s response ’s URL list has more than one item; otherwise false. To filter out responses that are the result of a redirect, do this directly through the API, e.g., fetch(url, { redirect:"error" }) This way a potentially unsafe response cannot accidentally leak. The status getter steps are to return this ’s response ’s status The ok getter steps are to return true if this ’s response ’s status is an ok status otherwise false. The statusText getter steps are to return this ’s response ’s status message The headers getter steps are to return this ’s headers The clone() method steps are: If this is unusable , then throw TypeError Let clonedResponse be the result of cloning this ’s response Return the result of creating Response object, given clonedResponse this ’s headers ’s guard and this ’s relevant Realm 5.6. Fetch method fetch In all current engines. Firefox 39+ Safari 10.1+ Chrome 42+ Opera Edge 79+ Edge (Legacy) 14+ IE None Firefox for Android iOS Safari Chrome for Android Android WebView Samsung Internet Opera Mobile Node.js 18.0.0+ partial interface mixin WindowOrWorkerGlobalScope NewObject Promise Response fetch RequestInfo input optional RequestInit init = {}); }; The fetch( input init method steps are: Let be a new promise. Let requestObject be the result of invoking the initial value of Request as constructor with input and init as arguments. If this throws an exception, reject with it and return Let request be requestObject ’s request If requestObject ’s signal is aborted then: Abort the fetch() call with request , null, and requestObject ’s signal ’s abort reason Return Let globalObject be request ’s client ’s global object If globalObject is a ServiceWorkerGlobalScope object, then set request ’s service-workers mode to " none ". Let responseObject be null. Let relevantRealm be this ’s relevant Realm Let locallyAborted be false. This lets us reject promises with predictable timing, when the request to abort comes from the same thread as the call to fetch. Let controller be null. Add the following abort steps to requestObject ’s signal Set locallyAborted to true. Assert controller is non-null. Abort controller with requestObject ’s signal ’s abort reason Abort the fetch() call with request responseObject , and requestObject ’s signal ’s abort reason Set controller to the result of calling fetch given request and processResponse given response being these steps: If locallyAborted is true, then abort these steps. If response ’s aborted flag is set, then: Let deserializedError be the result of deserialize a serialized abort reason given controller ’s serialized abort reason and relevantRealm Abort the fetch() call with request responseObject , and deserializedError Abort these steps. If response is a network error , then reject with a TypeError and abort these steps. Set responseObject to the result of creating Response object, given response , " immutable ", and relevantRealm Resolve with responseObject Return To abort a fetch() call with a promise request responseObject , and an error Reject promise with error This is a no-op if promise has already fulfilled. If request ’s body is non-null and is readable , then cancel request ’s body with error If responseObject is null, then return. Let response be responseObject ’s response If response ’s body is non-null and is readable , then error response ’s body with error 5.7. Garbage collection The user agent may terminate an ongoing fetch if that termination is not observable through script. "Observable through script" means observable through fetch() ’s arguments and return value. Other ways, such as communicating with the server through a side-channel are not included. The server being able to observe garbage collection has precedent, e.g., with WebSocket and XMLHttpRequest objects. The user agent can terminate the fetch because the termination cannot be observed. fetch "https://www.example.com/" The user agent cannot terminate the fetch because the termination can be observed through the promise. window promise fetch "https://www.example.com/" The user agent can terminate the fetch because the associated body is not observable. window promise fetch "https://www.example.com/" ). then res => res headers The user agent can terminate the fetch because the termination cannot be observed. fetch "https://www.example.com/" ). then res => res body getReader (). closed The user agent cannot terminate the fetch because one can observe the termination by registering a handler for the promise object. window promise fetch "https://www.example.com/" then res => res body getReader (). closed The user agent cannot terminate the fetch as termination would be observable via the registered handler. fetch "https://www.example.com/" then res => res body getReader (). closed then (() => console log "stream closed!" )) }) (The above examples of non-observability assume that built-in properties and functions, such as body.getReader() , have not been overwritten.) 6. data: URLs For an informative description of data: URLs, see RFC 2397. This section replaces that RFC’s normative processing requirements to be compatible with deployed content. [RFC2397] data: URL struct is a struct that consists of a MIME type (a MIME type ) and a body (a byte sequence ). The data: URL processor takes a URL dataURL and then runs these steps: Assert: dataURL ’s scheme is " data ". Let input be the result of running the URL serializer on dataURL with exclude fragment set to true. Remove the leading " data: " string from input Let position point at the start of input Let mimeType be the result of collecting a sequence of code points that are not equal to U+002C (,), given position Strip leading and trailing ASCII whitespace from mimeType This will only remove U+0020 SPACE code points , if any. If position is past the end of input , then return failure. Advance position by 1. Let encodedBody be the remainder of input Let body be the percent-decoding of encodedBody If mimeType ends with U+003B (;), followed by zero or more U+0020 SPACE, followed by an ASCII case-insensitive match for " base64 ", then: Let stringBody be the isomorphic decode of body Set body to the forgiving-base64 decode of stringBody If body is failure, then return failure. Remove the last 6 code points from mimeType Remove trailing U+0020 SPACE code points from mimeType , if any. Remove the last U+003B (;) code point from mimeType If mimeType starts with U+003B (;), then prepend " text/plain to mimeType Let mimeTypeRecord be the result of parsing mimeType If mimeTypeRecord is failure, then set mimeTypeRecord to text/plain;charset=US-ASCII Return a new data: URL struct whose MIME type is mimeTypeRecord and body is body Background reading This section and its subsections are informative only. HTTP header layer division For the purposes of fetching, there is an API layer (HTML’s img , CSS' background-image ), early fetch layer, service worker layer, and network & cache layer. Accept ` and Accept-Language ` are set in the early fetch layer (typically by the user agent). Most other headers controlled by the user agent, such as Accept-Encoding `, Host `, and ` Referer `, are set in the network & cache layer. Developers can set headers either at the API layer or in the service worker layer (typically through a Request object). Developers have almost no control over forbidden headers , but can control Accept ` and have the means to constrain and omit Referer ` for instance. Atomic HTTP redirect handling Redirects (a response whose status or internal response ’s (if any) status is a redirect status ) are not exposed to APIs. Exposing redirects might leak information not otherwise available through a cross-site scripting attack. A fetch to that includes a marked HttpOnly could result in a redirect to . This new URL contains a secret. If we expose redirects that secret would be available through a cross-site scripting attack. Basic safe CORS protocol setup For resources where data is protected through IP authentication or a firewall (unfortunately relatively common still), using the CORS protocol is unsafe . (This is the reason why the CORS protocol had to be invented.) However, otherwise using the following header is safe Access-Control-Allow-Origin: * Even if a resource exposes additional information based on cookie or HTTP authentication, using the above header will not reveal it. It will share the resource with APIs such as XMLHttpRequest , much like it is already shared with curl and wget Thus in other words, if a resource cannot be accessed from a random device connected to the web using curl and wget the aforementioned header is not to be included. If it can be accessed however, it is perfectly fine to do so. CORS protocol and HTTP caches If CORS protocol requirements are more complicated than setting Access-Control-Allow-Origin ` to or a static origin , ` Vary ` is to be used. [HTML] [HTTP] [HTTP-CACHING] Vary: Origin In particular, consider what happens if ` Vary ` is not used and a server is configured to send ` Access-Control-Allow-Origin ` for a certain resource only in response to a CORS request . When a user agent receives a response to a non- CORS request for that resource (for example, as the result of a request ), the response will lack ` Access-Control-Allow-Origin and the user agent will cache that response. Then, if the user agent subsequently encounters a CORS request for the resource, it will use that cached response from the previous non- CORS request , without ` Access-Control-Allow-Origin `. But if ` Vary: Origin ` is used in the same scenario described above, it will cause the user agent to fetch a response that includes Access-Control-Allow-Origin `, rather than using the cached response from the previous non- CORS request that lacks Access-Control-Allow-Origin `. However, if ` Access-Control-Allow-Origin ` is set to or a static origin for a particular resource, then configure the server to always send ` Access-Control-Allow-Origin ` in responses for the resource — for non- CORS requests as well as CORS requests — and do not use ` Vary `. WebSockets As part of establishing a connection, the WebSocket object initiates a special kind of fetch (using a request whose mode is websocket ") which allows it to share in many fetch policy decisions, such HTTP Strict Transport Security (HSTS) . Ultimately this results in fetch calling into WebSockets to obtain a dedicated connection. [WEBSOCKETS] [HSTS] Fetch used to define obtain a WebSocket connection and establish a WebSocket connection directly, but both are now defined in WebSockets [WEBSOCKETS] Using fetch in other standards In its essence fetching is an exchange of a request for a response . In reality it is rather complex mechanism for standards to adopt and use correctly. This section aims to give some advice. Always ask domain experts for review. This is a work in progress. Invoking fetch Aside from a request the fetch operation takes several optional arguments. For those arguments that take an algorithm: the algorithm will be called from a task (or in a parallel queue if useParallelQueue is true). processRequestBodyChunkLength Takes an algorithm that will be passed the number of bytes that have been transmitted from the request ’s body . The algorithm will be invoked for each transmitted chunk. Most standards will not need this. processRequestEndOfBody Takes an algorithm that will be passed nothing. Indicates request ’s body has been transmitted. Most standards will not need this. processEarlyHintsResponse Takes an algorithm that will be passed a response (whose status is 103). Can only be used for navigations as defined by HTML [HTML] processResponse Takes an algorithm that will be passed a response . Indicates response ’s header list has been received and initialized. This is primarily useful for standards that want to operate on response ’s body ’s stream directly. If the request ’s mode is " navigate " and its redirect mode is " manual ", then callers need to follow a very specific flow with this algorithm to get the intended behavior. They should compute the appropriate location URL , and if it is not null or a failure, then they should call process the next manual redirect . This will result in processResponse being called again, with the next response in the redirect chain. processResponseEndOfBody Takes an algorithm that will be passed a response . Indicates the network is done transmitting the response. This does not read response ’s body processResponseConsumeBody Takes an algorithm that will be passed a response and null, failure, or a byte sequence . This is useful for standards that wish to operate on the entire response ’s body , of which the result of reading it is supplied as second argument. The second argument’s values have the following meaning: null The response ’s body is null, due to the response being a network error or having a null body status failure Attempting to fully read the contents of the response ’s body failed, e.g., due to an I/O error. byte sequence Fully reading the contents of the response ’s body succeeded. A standard that uses this argument cannot operate on response ’s body itself as providing this argument will cause it to be read and it can be read only once. useParallelQueue Takes a boolean that defaults to false. Indicates where the algorithms passed as arguments will be invoked. Hopefully most standards will not need this. When invoked, the fetch operation returns a fetch controller . The controller is used for performing actions on a fetch operation that has already started, such as aborting the operation by the user or page logic, or terminating it due to a browser-internal circumstance. Acknowledgments Thanks to Adam Barth, Adam Lavin, Alan Jeffrey, Alexey Proskuryakov, Andrés Gutiérrez, Andrew Sutherland, Ángel González, Anssi Kostiainen, Arkadiusz Michalski, Arne Johannessen, Artem Skoretskiy, Arthur Barstow, Arthur Sonzogni, Asanka Herath, Axel Rauschmayer, Ben Kelly, Benjamin Gruenbaum, Benjamin Hawkes-Lewis, Bert Bos, Björn Höhrmann, Boris Zbarsky, Brad Hill, Brad Porter, Bryan Smith, Caitlin Potter, Cameron McCormack, Chirag S Kumar, Chris Needham, Chris Rebert, Clement Pellerin, Collin Jackson, Daniel Robertson, Daniel Veditz, Dave Tapuska, David Benjamin, David Håsäther, David Orchard, Dean Jackson, Devdatta Akhawe, Domenic Denicola, Dominic Farolino, Dominique Hazaël-Massieux, Doug Turner, Douglas Creager, Eero Häkkinen, Ehsan Akhgari, Emily Stark, Eric Lawrence, Eric Orth, François Marier, Frank Ellerman, Frederick Hirsch, Frederik Braun, Gary Blackwood, Gavin Carothers, Glenn Maynard, Graham Klyne, Gregory Terzian, Hal Lockhart, Hallvord R. M. Steen, Harris Hancock, Henri Sivonen, Henry Story, Hiroshige Hayashizaki, Honza Bambas, Ian Hickson, Ilya Grigorik, isonmad, Jake Archibald, James Graham, Janusz Majnert, Jeena Lee, Jeff Carpenter, Jeff Hodges, Jeffrey Yasskin, Jensen Chappell, Jeremy Roman, Jesse M. Heines, Jianjun Chen, Jinho Bang, Jochen Eisinger, John Wilander, Jonas Sicking, Jonathan Kingston, Jonathan Watt, 최종찬 (Jongchan Choi), Jordan Stephens, Jörn Zaefferer, Joseph Pecoraro, Josh Matthews, jub0bs, Julian Krispel-Samsel, Julian Reschke, 송정기 (Jungkee Song), Jussi Kalliokoski, Jxck, Kagami Sascha Rosylight, Keith Yeung, Kenji Baheux, Lachlan Hunt, Larry Masinter, Liam Brummitt, Linus Groh, Louis Ryan, Luca Casonato, Lucas Gonze, Łukasz Anforowicz, 呂康豪 (Kang-Hao Lu), Maciej Stachowiak, Malisa, Manfred Stock, Manish Goregaokar, Marc Silbey, Marcos Caceres, Marijn Kruisselbrink, Mark Nottingham, Mark S. Miller, Martin Dürst, Martin Thomson, Matt Andrews, Matt Falkenhagen, Matt Menke, Matt Oshry, Matt Seddon, Matt Womer, Mhano Harkness, Michael Ficarra, Michael Kohler, Michael™ Smith, Mike Pennisi, Mike West, Mohamed Zergaoui, Mohammed Zubair Ahmed, Moritz Kneilmann, Ms2ger, Nathan Froyd, Nico Schlömer, Nicolás Peña Moreno, Nidhi Jaju, Nikhil Marathe, Nikki Bee, Nikunj Mehta, Noam Rosenthal, Odin Hørthe Omdal, Olli Pettay, Ondřej Žára, O. Opsec, Perry Jiang, Philip Jägenstedt, R. Auburn, Raphael Kubo da Costa, Robert Linder, Rondinelly, Rory Hewitt, Ross A. Baker, Ryan Sleevi, Samy Kamkar, Sébastien Cevey, Sendil Kumar N, Shao-xuan Kang, Sharath Udupa, Shivakumar Jagalur Matt, Shivani Sharma, Sigbjørn Finne, Simon Pieters, Simon Sapin, Srirama Chandra Sekhar Mogali, Stephan Paul, Steven Salat, Sunava Dutta, Surya Ismail, Tab Atkins-Bittner, Takashi Toyoshima, 吉野剛史 (Takeshi Yoshino), Thomas Roessler, Thomas Steiner, Thomas Wisniewski, Tiancheng "Timothy" Gu, Tobie Langel, Tom Schuster, Tomás Aparicio, triple-underscore, 保呂毅 (Tsuyoshi Horo), Tyler Close, Ujjwal Sharma, Vignesh Shanmugam, Vladimir Dzhuvinov, Wayne Carr, Xabier Rodríguez, Yehuda Katz, Yoav Weiss, Youenn Fablet, Yoichi Osato, 平野裕 (Yutaka Hirano), and Zhenbin Xu for being awesome. This standard is written by Anne van Kesteren Apple annevk@annevk.nl ). Intellectual property rights Copyright © WHATWG (Apple, Google, Mozilla, Microsoft). This work is licensed under a Creative Commons Attribution 4.0 International License . To the extent portions of it are incorporated into source code, such portions in the source code are licensed under the BSD 3-Clause License instead. This is the Living Standard. Those interested in the patent-review version should view the Living Standard Review Draft Index Terms defined by this specification "" , in § 5.4 ABNF , in § 2 abort , in § 2 aborted , in § 2 aborted flag , in § 2.2.6 aborted network error , in § 2.2.6 Abort the fetch() call , in § 5.6 Access-Control-Allow-Credentials , in § 3.2.3 Access-Control-Allow-Headers , in § 3.2.3 Access-Control-Allow-Methods , in § 3.2.3 Access-Control-Allow-Origin , in § 3.2.3 Access-Control-Expose-Headers , in § 3.2.3 Access-Control-Max-Age , in § 3.2.3 Access-Control-Request-Headers , in § 3.2.2 Access-Control-Request-Method , in § 3.2.2 add a range header , in § 2.2.5 ALPN negotiated protocol , in § 2.6 append dfn for Headers , in § 5.1 dfn for header list , in § 2.2.2 append a request `Origin` header , in § 3.1 append(name, value) , in § 5.1 appropriate network error , in § 2.2.6 arrayBuffer() , in § 5.3 as a body , in § 2.2.4 Atomic HTTP redirect handling , in § Unnumbered section "audio" , in § 5.4 "audioworklet" , in § 5.4 authentication entry , in § 2.3 bad port , in § 2.9 "basic" , in § 5.5 basic filtered response , in § 2.2.6 blob() , in § 5.3 block bad port , in § 2.9 Body , in § 5.3 body attribute for Body , in § 5.3 definition of , in § 2.2.4 dfn for Body , in § 5.3 dfn for body with type , in § 2.2.4 dfn for data: URL struct , in § 6 dfn for request , in § 2.2.5 dfn for response , in § 2.2.6 dict-member for RequestInit , in § 5.4 body info , in § 2.2.6 BodyInit , in § 5.2 bodyUsed , in § 5.3 body with type , in § 2.2.4 byte-serialized origin , in § 4.8 Byte-serializing a request origin , in § 2.2.5 cache attribute for Request , in § 5.4 dict-member for RequestInit , in § 5.4 cache entry , in § 4.8 cache entry match , in § 4.8 cache mode , in § 2.2.5 cache state , in § 2.2.6 canceled , in § 2 clamp and coarsen connection timing info , in § 2.6 clear cache entries , in § 4.8 client , in § 2.2.5 clone dfn for body , in § 2.2.4 dfn for request , in § 2.2.5 dfn for response , in § 2.2.6 clone() method for Request , in § 5.4 method for Response , in § 5.5 collect an HTTP quoted string , in § 2.2 collecting an HTTP quoted string , in § 2.2 combine , in § 2.2.2 connection , in § 2.6 connection end time , in § 2.6 connection pool , in § 2.6 connection start time , in § 2.6 connection timing info , in § 2.6 constructor() constructor for Headers , in § 5.1 constructor for Response , in § 5.5 constructor(body) , in § 5.5 constructor(body, init) , in § 5.5 constructor(init) , in § 5.1 constructor(input) , in § 5.4 constructor(input, init) , in § 5.4 consume body , in § 5.3 contains , in § 2.2.2 controller dfn for fetch params , in § 2 dfn for fetch record , in § 2.4 convert header names to a sorted-lowercase set , in § 2.2.2 "cors" enum-value for RequestMode , in § 5.4 enum-value for ResponseType , in § 5.5 CORS check , in § 4.9 CORS-exposed header-name list , in § 2.2.6 CORS filtered response , in § 2.2.6 CORS non-wildcard request-header name , in § 2.2.2 CORS-preflight cache , in § 4.8 CORS-preflight fetch , in § 4.7 CORS-preflight request , in § 3.2.2 CORS protocol , in § 3.2 CORS request , in § 3.2.2 CORS-safelisted method , in § 2.2.1 CORS-safelisted request-header , in § 2.2.2 CORS-safelisted response-header name , in § 2.2.2 CORS-unsafe request-header byte , in § 2.2.2 CORS-unsafe request-header names , in § 2.2.2 create dfn for Request , in § 5.4 dfn for Response , in § 5.5 create a connection , in § 2.6 create a new cache entry , in § 4.8 create an opaque timing info , in § 2 creating dfn for Request , in § 5.4 dfn for Response , in § 5.5 creating an opaque timing info , in § 2 Credentials , in § 2 credentials attribute for Request , in § 5.4 dfn for cache entry , in § 4.8 dfn for connection , in § 2.6 dict-member for RequestInit , in § 5.4 credentials mode , in § 2.2.5 Cross-Origin-Embedder-Policy allows credentials , in § 2.2.5 cross-origin isolated capability , in § 2 Cross-Origin-Resource-Policy , in § 3.6 cross-origin resource policy check , in § 3.6 cross-origin resource policy internal check , in § 3.6 cryptographic nonce metadata , in § 2.2.5 current URL , in § 2.2.5 data: URL processor , in § 6 data: URL struct , in § 6 decoded size , in § 2 "default" enum-value for RequestCache , in § 5.4 enum-value for ResponseType , in § 5.5 default `User-Agent` value , in § 2.2.2 delete , in § 2.2.2 delete(name) , in § 5.1 deserialize a serialized abort reason , in § 2 destination attribute for Request , in § 5.4 dfn for request , in § 2.2.5 determine if response is JavaScript and not JSON , in § 2.11.1 determine nosniff , in § 3.5 determine the HTTP cache partition , in § 2.8 determine the network partition key definition of , in § 2.7 dfn for request , in § 2.7 determining the HTTP cache partition , in § 2.8 determining the network partition key definition of , in § 2.7 dfn for request , in § 2.7 "document" , in § 5.4 does not contain , in § 2.2.2 domain lookup end time , in § 2.6 domain lookup start time , in § 2.6 done flag , in § 2.2.5 duplex attribute for Request , in § 5.4 dict-member for RequestInit , in § 5.4 "embed" , in § 5.4 encoded size , in § 2 end time , in § 2 "error" enum-value for RequestRedirect , in § 5.4 enum-value for ResponseType , in § 5.5 error() , in § 5.5 extract , in § 5.2 extract a length , in § 3.3 extract a MIME type , in § 3.4 extract full timing info given a fetch controller controller: , in § 2 extract header list values , in § 2.2.2 extract header values , in § 2.2.2 extracting a length , in § 3.3 extracting a MIME type , in § 3.4 extracting header list values , in § 2.2.2 extracting header values , in § 2.2.2 fetch , in § 4 fetch controller , in § 2 fetch group , in § 2.4 fetch(input) , in § 5.6 fetch(input, init) , in § 5.6 fetch params , in § 2 fetch record , in § 2.4 fetch response handover , in § 4.1 fetch scheme , in § 2.1 fetch timing info , in § 2 fill , in § 5.1 filtered response , in § 2.2.6 final connection timing info , in § 2 final network-request start time , in § 2 final network-response start time , in § 2 final service worker start time , in § 2 "follow" , in § 5.4 "font" , in § 5.4 forbidden header name , in § 2.2.2 forbidden method , in § 2.2.1 forbidden response-header name , in § 2.2.2 "force-cache" , in § 5.4 formData() , in § 5.3 "frame" , in § 5.4 fresh response , in § 2.2.6 full timing info , in § 2 fully read , in § 2.2.4 fully reading body as promise , in § 2.2.4 get , in § 2.2.2 get a structured field value , in § 2.2.2 get, decode, and split , in § 2.2.2 get(name) , in § 5.1 getting, decoding, and splitting , in § 2.2.2 guard , in § 5.1 "half" , in § 5.4 handle content codings , in § 2.2.4 has-cross-origin-redirects , in § 2.2.6 has(name) , in § 5.1 header , in § 2.2.2 header list definition of , in § 2.2.2 dfn for Headers , in § 5.1 dfn for request , in § 2.2.5 dfn for response , in § 2.2.6 header name definition of , in § 2.2.2 dfn for cache entry , in § 4.8 header-name cache entry match , in § 4.8 Headers , in § 5.1 headers attribute for Request , in § 5.4 attribute for Response , in § 5.5 dfn for Request , in § 5.4 dfn for Response , in § 5.5 dict-member for RequestInit , in § 5.4 dict-member for ResponseInit , in § 5.5 Headers() , in § 5.1 headers guard , in § 5.1 Headers(init) , in § 5.1 HeadersInit , in § 5.1 header value , in § 2.2.2 history-navigation flag , in § 2.2.5 http3Only , in § 2.6 HTTP fetch , in § 4.3 HTTP header layer division , in § Unnumbered section HTTP-network fetch , in § 4.6 HTTP-network-or-cache fetch , in § 4.5 HTTP newline byte , in § 2.2 HTTP-redirect fetch , in § 4.4 HTTP(S) scheme , in § 2.1 HTTP tab or space , in § 2.2 HTTP tab or space byte , in § 2.2 HTTP whitespace , in § 2.2 HTTP whitespace byte , in § 2.2 "iframe" , in § 5.4 "image" , in § 5.4 "include" , in § 5.4 incrementally read , in § 2.2.4 incrementally-read loop , in § 2.2.4 initialize a response , in § 5.5 initiator , in § 2.2.5 initiator type , in § 2.2.5 integrity attribute for Request , in § 5.4 dict-member for RequestInit , in § 5.4 integrity metadata , in § 2.2.5 internal response , in § 2.2.6 isHistoryNavigation , in § 5.4 is local , in § 2.1 isReloadNavigation , in § 5.4 json() , in § 5.3 json(data) , in § 5.5 json(data, init) , in § 5.5 keepalive attribute for Request , in § 5.4 dfn for BodyInit/extract , in § 5.2 dfn for request , in § 2.2.5 dict-member for RequestInit , in § 5.4 key dfn for cache entry , in § 4.8 dfn for connection , in § 2.6 legacy extract an encoding , in § 3.4 length , in § 2.2.4 local scheme , in § 2.1 local-URLs-only flag , in § 2.2.5 location URL , in § 2.2.6 main fetch , in § 4.1 "manifest" , in § 5.4 "manual" , in § 5.4 max-age , in § 4.8 method attribute for Request , in § 5.4 definition of , in § 2.2.1 dfn for cache entry , in § 4.8 dfn for request , in § 2.2.5 dict-member for RequestInit , in § 5.4 method cache entry match , in § 4.8 MIME type dfn for Body , in § 5.3 dfn for data: URL struct , in § 6 mode attribute for Request , in § 5.4 dfn for request , in § 2.2.5 dict-member for RequestInit , in § 5.4 name , in § 2.2.2 "navigate" , in § 5.4 navigation request , in § 2.2.5 network error , in § 2.2.6 network partition key , in § 2.7 new connection setting , in § 2.6 next manual redirect steps , in § 2 "no-cache" , in § 5.4 "no-cors" , in § 5.4 no-cors JavaScript fallback encoding , in § 2.2.5 no-cors media request state , in § 2.2.5 no-CORS-safelisted request-header , in § 2.2.2 no-CORS-safelisted request-header name , in § 2.2.2 non-subresource request , in § 2.2.5 normalize dfn for header value , in § 2.2.2 dfn for method , in § 2.2.1 "no-store" , in § 5.4 null body status , in § 2.2.3 "object" , in § 5.4 obtain a connection , in § 2.6 obtain a copy of the first 1024 bytes of response , in § 2.11.1 ok , in § 5.5 ok status , in § 2.2.3 "omit" , in § 5.4 "only-if-cached" , in § 5.4 "opaque" , in § 5.5 opaque filtered response , in § 2.2.6 "opaqueredirect" , in § 5.5 opaque-redirect filtered response , in § 2.2.6 opaque-response-blocklisted MIME type , in § 2.11.2 opaque-response-blocklisted-never-sniffed MIME type , in § 2.11.2 opaque-response-safelist check , in § 2.11.1 opaque-response-safelisted MIME type , in § 2.11.2 Origin , in § 3.1 origin dfn for connection , in § 2.6 dfn for request , in § 2.2.5 package data , in § 5.3 "paintworklet" , in § 5.4 parse a single range header value , in § 2.2.2 parser metadata , in § 2.2.5 policy container , in § 2.2.5 post-redirect start time , in § 2 potential destination , in § 2.2.7 preloaded response candidate , in § 2 prevent no-cache cache-control header modification flag , in § 2.2.5 priority , in § 2.2.5 privileged no-CORS request-header name , in § 2.2.2 process early hints response , in § 2 processEarlyHintsResponse , in § 4 process request body chunk length , in § 2 processRequestBodyChunkLength , in § 4 process request end-of-body , in § 2 processRequestEndOfBody , in § 4 process response , in § 2 processResponse , in § 4 process response consume body , in § 2 processResponseConsumeBody , in § 4 process response end-of-body , in § 2 processResponseEndOfBody , in § 4 process the next manual redirect , in § 2 proxy-authentication entry , in § 2.3 queue a cross-origin embedder policy CORP violation report , in § 3.6 queue a fetch task , in § 2 range-requested flag , in § 2.2.6 record connection timing info , in § 2.6 redirect attribute for Request , in § 5.4 dict-member for RequestInit , in § 5.4 redirect count , in § 2.2.5 redirected , in § 5.5 redirect end time , in § 2 redirect mode , in § 2.2.5 redirect start time , in § 2 redirect status , in § 2.2.3 redirect-tainted origin , in § 2.2.5 redirect(url) , in § 5.5 redirect(url, status) , in § 5.5 referrer attribute for Request , in § 5.4 dfn for request , in § 2.2.5 dict-member for RequestInit , in § 5.4 referrer policy , in § 2.2.5 referrerPolicy attribute for Request , in § 5.4 dict-member for RequestInit , in § 5.4 "reload" , in § 5.4 reload-navigation flag , in § 2.2.5 remove privileged no-CORS request headers , in § 5.1 render-blocking dfn for fetch timing info , in § 2 dfn for request , in § 2.2.5 replaces client id , in § 2.2.5 "report" , in § 5.4 report timing , in § 2 report timing steps , in § 2 Request , in § 5.4 request definition of , in § 2.2.5 dfn for Request , in § 5.4 dfn for fetch params , in § 2 dfn for fetch record , in § 2.4 request-body-header name , in § 2.2.2 RequestCache , in § 5.4 RequestCredentials , in § 5.4 RequestDestination , in § 5.4 RequestDuplex , in § 5.4 request-includes-credentials , in § 2.2.6 RequestInfo , in § 5.4 RequestInit , in § 5.4 Request(input) , in § 5.4 Request(input, init) , in § 5.4 RequestMode , in § 5.4 RequestRedirect , in § 5.4 reserved client , in § 2.2.5 resolve an origin , in § 2.5 Response , in § 5.5 response definition of , in § 2.2.6 dfn for Response , in § 5.5 Response() , in § 5.5 Response(body) , in § 5.5 response body info , in § 2 Response(body, init) , in § 5.5 ResponseInit , in § 5.5 response tainting , in § 2.2.5 ResponseType , in § 5.5 resumed , in § 4 safely extract , in § 5.2 "same-origin" enum-value for RequestCredentials , in § 5.4 enum-value for RequestMode , in § 5.4 scheme fetch , in § 4.2 "script" , in § 5.4 script-like , in § 2.2.5 secure connection start time , in § 2.6 serialize an integer , in § 2 serialize a response URL for reporting , in § 2.2.5 serialized abort reason , in § 2 Serializing a request origin , in § 2.2.5 server-timing headers , in § 2 service-workers mode , in § 2.2.5 service worker timing info , in § 2.2.6 set , in § 2.2.2 set a structured field value , in § 2.2.2 set(name, value) , in § 5.1 "sharedworker" , in § 5.4 should response to request be blocked due to mime type , in § 2.9 should response to request be blocked due to nosniff , in § 3.5 signal attribute for Request , in § 5.4 dfn for Request , in § 5.4 dict-member for RequestInit , in § 5.4 sort and combine , in § 2.2.2 source , in § 2.2.4 stale response , in § 2.2.6 stale-while-revalidate response , in § 2.2.6 start time , in § 2 state , in § 2 status attribute for Response , in § 5.5 definition of , in § 2.2.3 dfn for response , in § 2.2.6 dict-member for ResponseInit , in § 5.5 status message , in § 2.2.6 statusText attribute for Response , in § 5.5 dict-member for ResponseInit , in § 5.5 stream , in § 2.2.4 "style" , in § 5.4 subresource request , in § 2.2.5 suspend , in § 4 TAO check , in § 4.10 task destination , in § 2 terminate , in § 2 terminated , in § 2.4 text() , in § 5.3 timing allow failed flag , in § 2.2.5 timing allow passed flag , in § 2.2.6 timing info dfn for connection , in § 2.6 dfn for fetch params , in § 2 "track" , in § 5.4 translate , in § 2.2.7 type attribute for Response , in § 5.5 dfn for body with type , in § 2.2.4 dfn for response , in § 2.2.6 unsafe-request flag , in § 2.2.5 unusable , in § 5.3 URL dfn for cache entry , in § 4.8 dfn for request , in § 2.2.5 dfn for response , in § 2.2.6 url attribute for Request , in § 5.4 attribute for Response , in § 5.5 URL list dfn for request , in § 2.2.5 dfn for response , in § 2.2.6 use-CORS-preflight flag , in § 2.2.5 useParallelQueue , in § 4 user-activation , in § 2.2.5 use-URL-credentials flag , in § 2.2.5 value , in § 2.2.2 "video" , in § 5.4 window dfn for request , in § 2.2.5 dict-member for RequestInit , in § 5.4 "worker" , in § 5.4 X-Content-Type-Options , in § 3.5 XMLHttpRequestBodyInit , in § 5.2 "xslt" , in § 5.4 Referenced in: 4.1. Main fetch Referenced in: 4.1. Main fetch Referenced in: 4.1. Main fetch Referenced in: 5.4. Request class (2) (3) (4) (5) (6) (7) Referenced in: 5.6. Fetch method (2) (3) Referenced in: 5.6. Fetch method Referenced in: 5.6. Fetch method Referenced in: 5.4. Request class (2) Referenced in: 4.10. TAO check Referenced in: 2.11.1. The opaque-response-safelist check Referenced in: 2. Infrastructure 4.6. HTTP-network fetch 5.4. Request class 5.5. Response class Referenced in: 2. Infrastructure (2) 5.1. Headers class Referenced in: 2.11.1. The opaque-response-safelist check Referenced in: 2.11.1. The opaque-response-safelist check Referenced in: 2.11.1. The opaque-response-safelist check Referenced in: 2.2.5. Requests 3.4. `Content-Type` header Referenced in: 3.4. `Content-Type` header Referenced in: 2.2.5. Requests 3.4. `Content-Type` header 5.2. BodyInit unions Referenced in: 5.3. Body mixin Referenced in: 5.3. Body mixin Referenced in: 5.2. BodyInit unions Referenced in: 4.5. HTTP-network-or-cache fetch Referenced in: 2.2.4. Bodies 4.2. Scheme fetch 5. Fetch API 5.2. BodyInit unions (2) (3) 5.3. Body mixin (2) (3) Referenced in: 5.3. Body mixin (2) (3) Referenced in: 5.2. BodyInit unions Referenced in: 5.3. Body mixin Referenced in: 4.2. Scheme fetch (2) Referenced in: 5.2. BodyInit unions Referenced in: 5.2. BodyInit unions 5.3. Body mixin (2) Referenced in: 2. Infrastructure 2.6. Connections (2) Referenced in: 2.6. Connections (2) (3) (4) (5) Referenced in: 4. Fetching 4.3. HTTP fetch 4.4. HTTP-redirect fetch 4.6. HTTP-network fetch (2) Referenced in: 4.1. Main fetch Referenced in: 2.6. Connections (2) (3) (4) (5) 4.1. Main fetch Referenced in: 3.6. `Cross-Origin-Resource-Policy` header Referenced in: 2.2.5. Requests Referenced in: 2. Infrastructure Referenced in: 2. Infrastructure (2) (3) Referenced in: 2.2.5. Requests 4. Fetching 5.4. Request class Referenced in: 5.6. Fetch method Referenced in: 2.2.5. Requests Referenced in: 2.2.5. Requests Referenced in: 5.4. Request class 5.5. Response class Referenced in: 2.2.5. Requests 3.2.5. CORS protocol and credentials Referenced in: 2.2.5. Requests Referenced in: 4. Fetching Referenced in: 4. Fetching Referenced in: 2.2.5. Requests 3.6. `Cross-Origin-Resource-Policy` header Referenced in: 4. Fetching Referenced in: 5.5. Response class Referenced in: 2.2.2. Headers Referenced in: 2.2.5. Requests 3.6. `Cross-Origin-Resource-Policy` header (2) (3) Referenced in: 3.6. `Cross-Origin-Resource-Policy` header Referenced in: 2. Infrastructure Referenced in: 5.3. Body mixin (2) (3) Referenced in: 2.2.5. Requests (2) 2.7. Network partition keys Referenced in: 2.2.5. Requests (2) (3) (4) (5) (6) 2.4. Fetch groups 3.6. `Cross-Origin-Resource-Policy` header (2) 4.5. HTTP-network-or-cache fetch (2) 4.6. HTTP-network fetch 5.4. Request class Referenced in: 2.11.1. The opaque-response-safelist check Referenced in: 3.2. CORS protocol 3.2.1. General Referenced in: 2. Infrastructure (2) (3) (4) 2.2.4. Bodies (2) (3) 4.1. Main fetch Referenced in: 2.2.5. Requests (2) 3.6. `Cross-Origin-Resource-Policy` header 4. Fetching (2) 4.1. Main fetch (2) 5.6. Fetch method Referenced in: 2.5. Resolving domains (2) (3) 2.6. Connections Referenced in: 2.2.5. Requests Referenced in: 2.6. Connections 2.11.1. The opaque-response-safelist check 4.1. Main fetch 4.5. HTTP-network-or-cache fetch 4.6. HTTP-network fetch (2) (3) 5.2. BodyInit unions Referenced in: 5.2. BodyInit unions Referenced in: 5.2. BodyInit unions (2) Referenced in: 2.2.5. Requests 4.2. Scheme fetch Referenced in: 2. Infrastructure Referenced in: 2.7. Network partition keys Referenced in: 4.1. Main fetch Referenced in: 2.2.5. Requests (2) 2.5. Resolving domains 2.6. Connections (2) 2.7. Network partition keys 3.1. `Origin` header 3.2. CORS protocol 5.4. Request class CORS protocol and HTTP caches (2) Referenced in: 4. Fetching (2) 5.4. Request class (2) Referenced in: 2. Infrastructure (2) (3) 2.2.4. Bodies (2) (3) Invoking fetch Referenced in: 2.2.5. Requests (2) 4. Fetching Referenced in: 2.2.5. Requests 3.6. `Cross-Origin-Resource-Policy` header (2) (3) 4. Fetching Referenced in: 2. Infrastructure Referenced in: 4.1. Main fetch Referenced in: 5.4. Request class (2) (3) 5.5. Response class (2) (3) (4) (5) 5.6. Fetch method Referenced in: 5.4. Request class (2) (3) Referenced in: 3.6. `Cross-Origin-Resource-Policy` header Referenced in: 3.6. `Cross-Origin-Resource-Policy` header Referenced in: 3.6. `Cross-Origin-Resource-Policy` header Referenced in: 3.6. `Cross-Origin-Resource-Policy` header Referenced in: 2.2.2. Headers Referenced in: 2.2.5. Requests (2) (3) 3.1. `Origin` header 3.6. `Cross-Origin-Resource-Policy` header 4. Fetching 4.1. Main fetch 4.4. HTTP-redirect fetch 4.10. TAO check 5.4. Request class (2) Referenced in: 2.5. Resolving domains Referenced in: 3.6. `Cross-Origin-Resource-Policy` header Referenced in: 4.1. Main fetch Referenced in: 2.2.5. Requests 3.2.5. CORS protocol and credentials Referenced in: 2.7. Network partition keys Referenced in: 2.2.4. Bodies (2) 4. Fetching Referenced in: 2.2.5. Requests Referenced in: 2.7. Network partition keys Referenced in: 2.7. Network partition keys Referenced in: 3.1. `Origin` header Referenced in: 3.6. `Cross-Origin-Resource-Policy` header (2) (3) (4) Referenced in: 2.2.5. Requests 3.6. `Cross-Origin-Resource-Policy` header Referenced in: 2.2.2. Headers 3.2.4. HTTP new-header syntax (2) (3) Referenced in: 2.2.1. Methods 3.2.4. HTTP new-header syntax (2) Referenced in: 5.5. Response class Referenced in: 3.2.4. HTTP new-header syntax Referenced in: 4.5. HTTP-network-or-cache fetch 4.6. HTTP-network fetch (2) Referenced in: 2.2.2. Headers (2) (3) (4) (5) (6) (7) (8) 4.4. HTTP-redirect fetch 4.8. CORS-preflight cache Referenced in: 2.2.2. Headers 2.6. Connections Referenced in: 3.5. `X-Content-Type-Options` header 6. data: URLs Referenced in: 2.2.2. Headers (2) 3.3. `Content-Length` header Referenced in: 2.2.6. Responses Referenced in: 2.2. HTTP (2) Referenced in: 2. Infrastructure (2) (3) 2.11.1. The opaque-response-safelist check 4. Fetching (2) 4.1. Main fetch 5.2. BodyInit unions 5.6. Fetch method Referenced in: Invoking fetch Referenced in: 2.2. HTTP (2) (3) 4.6. HTTP-network fetch (2) Referenced in: 2.2.2. Headers Referenced in: 2.2.1. Methods 2.2.2. Headers (2) (3) (4) (5) 2.2.4. Bodies (2) (3) (4) (5) 2.2.5. Requests (2) 2.6. Connections (2) 2.11.1. The opaque-response-safelist check (2) (3) 4. Fetching (2) 4.8. CORS-preflight cache 5.2. BodyInit unions (2) (3) (4) 5.3. Body mixin 6. data: URLs Invoking fetch (2) Referenced in: 2.2.1. Methods (2) 2.2.2. Headers (2) (3) (4) (5) (6) (7) (8) (9) (10) 4.6. HTTP-network fetch 4.7. CORS-preflight fetch (2) 4.8. CORS-preflight cache Referenced in: 2.2.2. Headers (2) (3) Referenced in: 2.2.1. Methods Referenced in: 4.1. Main fetch 4.5. HTTP-network-or-cache fetch 4.7. CORS-preflight fetch 5.4. Request class Referenced in: 2.2. HTTP (2) (3) (4) 2.2.2. Headers (2) (3) (4) 3.3. `Content-Length` header 6. data: URLs (2) (3) (4) Referenced in: 2.2. HTTP 2.2.2. Headers (2) (3) 6. data: URLs Referenced in: 2.2.2. Headers 4.10. TAO check (2) Referenced in: 2.2.2. Headers 2.2.5. Requests 2.6. Connections (2) 3.4. `Content-Type` header 4.6. HTTP-network fetch Referenced in: 3.4. `Content-Type` header (2) (3) 5.4. Request class (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) 5.5. Response class Referenced in: 2.2.2. Headers (2) (3) (4) 2.2.5. Requests 2.6. Connections 3.3. `Content-Length` header 3.4. `Content-Type` header 4.4. HTTP-redirect fetch 4.5. HTTP-network-or-cache fetch 4.7. CORS-preflight fetch 5.1. Headers class (2) 5.4. Request class Referenced in: 5.1. Headers class Referenced in: 6. data: URLs Referenced in: 4.5. HTTP-network-or-cache fetch 4.6. HTTP-network fetch (2) Referenced in: 2.2.2. Headers 2.5. Resolving domains (2) (3) 2.6. Connections (2) (3) (4) 2.7. Network partition keys (2) 4.1. Main fetch (2) 4.3. HTTP fetch (2) 4.6. HTTP-network fetch Referenced in: 2.2.5. Requests 2.2.6. Responses 4. Fetching 4.1. Main fetch (2) 4.7. CORS-preflight fetch Referenced in: 2.2.5. Requests 2.2.6. Responses 4. Fetching 4.1. Main fetch (2) 4.7. CORS-preflight fetch Referenced in: 5.4. Request class (2) Referenced in: 2.2.2. Headers (2) 6. data: URLs Referenced in: 2.2.5. Requests (2) (3) 4.2. Scheme fetch 4.5. HTTP-network-or-cache fetch (2) 5.5. Response class Referenced in: 2.2.2. Headers 4.3. HTTP fetch 4.7. CORS-preflight fetch (2) Referenced in: 2. Infrastructure (2) (3) (4) 2.6. Connections Referenced in: 2.2.2. Headers (2) 4.6. HTTP-network fetch (2) (3) 5.2. BodyInit unions Referenced in: 2. Infrastructure 2.2.2. Headers (2) (3) (4) (5) (6) (7) (8) 2.2.5. Requests 2.2.6. Responses 4.8. CORS-preflight cache Referenced in: 2.2.2. Headers 2.5. Resolving domains (2) 2.6. Connections Referenced in: 2.11.1. The opaque-response-safelist check 5.3. Body mixin Referenced in: 2.11.1. The opaque-response-safelist check 5.3. Body mixin Referenced in: 2.2. HTTP (2) (3) 2.2.2. Headers (2) Referenced in: 2.2.2. Headers (2) 4.8. CORS-preflight cache Referenced in: 5.2. BodyInit unions Referenced in: 5.5. Response class Referenced in: 2.2.2. Headers 2.5. Resolving domains (2) 2.6. Connections Referenced in: 2.2.2. Headers Referenced in: 2.2.2. Headers Referenced in: 2.2.2. Headers 2.10. Should response to request be blocked due to its MIME type? 2.11.1. The opaque-response-safelist check Referenced in: 2.2. HTTP 2.2.2. Headers Referenced in: 6. data: URLs Referenced in: 2. Infrastructure (2) (3) (4) 2.6. Connections 6. data: URLs Referenced in: 2.2.2. Headers (2) 2.2.4. Bodies Referenced in: 2.2.2. Headers 2.10. Should response to request be blocked due to its MIME type? (2) 2.11.1. The opaque-response-safelist check (2) (3) 2.11.2. New MIME type sets (2) 3.4. `Content-Type` header (2) (3) (4) 3.5.1. Should response to request be blocked due to nosniff? 5.3. Body mixin (2) Referenced in: 2.11.2. New MIME type sets Referenced in: 2.11.2. New MIME type sets 3.5.1. Should response to request be blocked due to nosniff? Referenced in: 2.11.2. New MIME type sets Referenced in: 2.2. HTTP 2.11.2. New MIME type sets (2) 3.4. `Content-Type` header (2) (3) 5.3. Body mixin 6. data: URLs Referenced in: 3.4. `Content-Type` header (2) (3) (4) (5) Referenced in: 2.2.2. Headers 3.4. `Content-Type` header 6. data: URLs Referenced in: 3.4. `Content-Type` header Referenced in: 4.2. Scheme fetch Referenced in: 2.11.2. New MIME type sets Referenced in: 4.1. Main fetch Referenced in: 4.1. Main fetch Referenced in: 5.4. Request class (2) Referenced in: 4.1. Main fetch Referenced in: 2.2.5. Requests 5.4. Request class Referenced in: 4.4. HTTP-redirect fetch Referenced in: 3.6. `Cross-Origin-Resource-Policy` header Referenced in: 4.1. Main fetch Referenced in: 2.2.2. Headers Referenced in: 2.2.2. Headers Referenced in: 2.2.2. Headers (2) (3) Referenced in: 4.1. Main fetch Referenced in: 2.2.4. Bodies 2.2.5. Requests 4.6. HTTP-network fetch (2) 5.2. BodyInit unions (2) (3) (4) (5) (6) 5.3. Body mixin (2) 5.4. Request class Referenced in: 2.2.4. Bodies Referenced in: 2.11.1. The opaque-response-safelist check 4.1. Main fetch (2) 4.3. HTTP fetch Referenced in: 4.3. HTTP fetch 5.6. Fetch method Referenced in: 4.6. HTTP-network fetch Referenced in: 4.6. HTTP-network fetch Referenced in: 2.2.4. Bodies Referenced in: 4.6. HTTP-network fetch 5.2. BodyInit unions Referenced in: 2.2.4. Bodies Referenced in: 5.4. Request class Referenced in: 5.2. BodyInit unions (2) 5.3. Body mixin (2) Referenced in: 2.11.1. The opaque-response-safelist check 4.3. HTTP fetch (2) (3) 4.6. HTTP-network fetch 5.2. BodyInit unions Referenced in: 4.1. Main fetch Referenced in: 4.6. HTTP-network fetch (2) 5.6. Fetch method Referenced in: 2.2.4. Bodies Referenced in: 2.11.1. The opaque-response-safelist check 4.6. HTTP-network fetch 5.2. BodyInit unions Referenced in: 2.11.1. The opaque-response-safelist check 4.1. Main fetch Referenced in: 5.7. Garbage collection Referenced in: 2.2.4. Bodies (2) Referenced in: 4.6. HTTP-network fetch Referenced in: 4.1. Main fetch Referenced in: 5.2. BodyInit unions (2) 5.3. Body mixin Referenced in: 4.6. HTTP-network fetch Referenced in: 4.1. Main fetch 4.3. HTTP fetch Referenced in: 4.6. HTTP-network fetch Referenced in: 2.2.4. Bodies Referenced in: 2.2.4. Bodies Referenced in: 4.6. HTTP-network fetch (2) (3) 5.6. Fetch method (2) Referenced in: 2.2.4. Bodies Referenced in: 4.6. HTTP-network fetch 5.2. BodyInit unions Referenced in: 2.11.1. The opaque-response-safelist check 4.1. Main fetch 4.3. HTTP fetch Referenced in: 4.6. HTTP-network fetch Referenced in: 2.2.4. Bodies Referenced in: 2.11.1. The opaque-response-safelist check 4.1. Main fetch 4.3. HTTP fetch Referenced in: 5.6. Fetch method Referenced in: 2.2.5. Requests (2) Referenced in: 2.2.5. Requests 4.3. HTTP fetch Referenced in: 2.2.6. Responses Referenced in: 4.1. Main fetch Referenced in: 5.2. BodyInit unions (2) Referenced in: 2.2.6. Responses Referenced in: 4.2. Scheme fetch Referenced in: 4.1. Main fetch Referenced in: 2.2.5. Requests 5.5. Response class 6. data: URLs Referenced in: 2.2.6. Responses (2) 4.4. HTTP-redirect fetch Referenced in: 2.6. Connections (2) Referenced in: 4.1. Main fetch (2) Referenced in: 4.4. HTTP-redirect fetch (2) 4.5. HTTP-network-or-cache fetch (2) 5.4. Request class Referenced in: 4.4. HTTP-redirect fetch (2) 4.5. HTTP-network-or-cache fetch (2) 5.4. Request class Referenced in: 2.5. Resolving domains (2) (3) (4) (5) 2.6. Connections Referenced in: 2.6. Connections Referenced in: 5.2. BodyInit unions Referenced in: 2.2.5. Requests (2) (3) (4) 2.6. Connections (2) (3) 2.7. Network partition keys 3.1. `Origin` header 3.6. `Cross-Origin-Resource-Policy` header (2) (3) (4) (5) 4.1. Main fetch 4.4. HTTP-redirect fetch 4.10. TAO check 5.4. Request class Referenced in: 2.2.5. Requests Referenced in: 3.1. `Origin` header 4.2. Scheme fetch 5.4. Request class Referenced in: 6. data: URLs Referenced in: 2.9. Port blocking (2) Referenced in: 2.5. Resolving domains Referenced in: 2.1. URL 2.9. Port blocking 3.6. `Cross-Origin-Resource-Policy` header (2) 4. Fetching 4.1. Main fetch (2) (3) (4) (5) (6) (7) (8) 4.2. Scheme fetch 4.4. HTTP-redirect fetch 5.4. Request class 6. data: URLs Referenced in: 2.2.5. Requests 4.5. HTTP-network-or-cache fetch Referenced in: 2.2.5. Requests 4.5. HTTP-network-or-cache fetch Referenced in: 2.1. URL 2.2.5. Requests (2) (3) (4) (5) (6) (7) (8) 2.2.6. Responses (2) (3) (4) (5) 2.6. Connections 4.1. Main fetch (2) 4.2. Scheme fetch (2) 4.5. HTTP-network-or-cache fetch 4.8. CORS-preflight cache 6. data: URLs Referenced in: 2.2.6. Responses 5.4. Request class (2) 5.5. Response class Referenced in: 2.2.5. Requests 4.5. HTTP-network-or-cache fetch 5.4. Request class (2) 5.5. Response class (2) 6. data: URLs Referenced in: 5.3. Body mixin Referenced in: 5.2. BodyInit unions Referenced in: 2.2.5. Requests Referenced in: 2. Infrastructure (2) 4.6. HTTP-network fetch Referenced in: 4.6. HTTP-network fetch 5.2. BodyInit unions 5.3. Body mixin (2) (3) (4) Referenced in: 5.2. BodyInit unions (2) Referenced in: 5.1. Headers class (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) 5.4. Request class (2) 5.5. Response class (2) Referenced in: 2. Infrastructure (2) 4.6. HTTP-network fetch Referenced in: 5.4. Request class (2) Referenced in: 5.1. Headers class 5.4. Request class 5.5. Response class Referenced in: 5.3. Body mixin (2) (3) (4) (5) 5.4. Request class 5.5. Response class (2) (3) (4) 5.6. Fetch method Referenced in: 5.3. Body mixin (2) (3) (4) (5) 5.6. Fetch method Referenced in: 5.3. Body mixin 5.5. Response class (2) Referenced in: 5.4. Request class 5.5. Response class Referenced in: 2.2.4. Bodies 4.6. HTTP-network fetch 5.1. Headers class (2) (3) (4) (5) (6) (7) (8) (9) 5.2. BodyInit unions (2) 5.3. Body mixin (2) (3) (4) 5.4. Request class (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) 5.5. Response class (2) (3) (4) 5.6. Fetch method Referenced in: 5.2. BodyInit unions 5.3. Body mixin 5.4. Request class (2) (3) (4) 5.5. Response class (2) Referenced in: 2.2.4. Bodies 4.3. HTTP fetch 4.6. HTTP-network fetch 5.2. BodyInit unions Referenced in: 2.2.4. Bodies 5.3. Body mixin Referenced in: 5.3. Body mixin Referenced in: 5.3. Body mixin 5.4. Request class 5.5. Response class Referenced in: 5.1. Headers class 5.3. Body mixin 5.4. Request class (2) (3) (4) 5.5. Response class (2) Referenced in: 2.2.4. Bodies 2.11.1. The opaque-response-safelist check 5.2. BodyInit unions Referenced in: 2.2.4. Bodies 2.11.1. The opaque-response-safelist check 5.2. BodyInit unions Referenced in: 4.6. HTTP-network fetch 5.2. BodyInit unions 5.4. Request class (2) (3) (4) (5) 5.5. Response class (2) (3) Referenced in: 2.2.4. Bodies Referenced in: 5.1. Headers class Referenced in: 5.6. Fetch method (2) (3) Referenced in: 5.6. Fetch method Referenced in: 5.1. Headers class (2) (3) Referenced in: 2. Infrastructure (2) (3) (4) 5.1. Headers class (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) (17) (18) (19) (20) (21) 5.3. Body mixin (2) (3) (4) (5) (6) (7) (8) (9) 5.4. Request class (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) (17) (18) (19) (20) (21) (22) (23) (24) (25) (26) (27) (28) (29) (30) (31) (32) (33) (34) (35) (36) (37) (38) (39) (40) (41) (42) (43) 5.5. Response class (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) (17) (18) (19) (20) 5.6. Fetch method Referenced in: 5.1. Headers class (2) (3) (4) (5) (6) (7) (8) (9) 5.2. BodyInit unions (2) 5.3. Body mixin (2) (3) 5.4. Request class (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) 5.5. Response class (2) (3) (4) (5) (6) Referenced in: 5.1. Headers class (2) (3) Referenced in: 5.5. Response class (2) (3) Referenced in: 5.3. Body mixin Referenced in: 5.1. Headers class Referenced in: 2.2.5. Requests 5.7. Garbage collection WebSockets Referenced in: 2.2.2. Headers 2.2.5. Requests WebSockets Referenced in: 4.6. HTTP-network fetch WebSockets Referenced in: 2.2.4. Bodies 5.2. BodyInit unions (2) 5.3. Body mixin (2) (3) (4) Referenced in: 2.2.2. Headers (2) 2.2.5. Requests (2) 3.2.5. CORS protocol and credentials 5. Fetch API 5.7. Garbage collection Basic safe CORS protocol setup Referenced in: 2.2.5. Requests Referenced in: 5.2. BodyInit unions 5.3. Body mixin (2) Terms defined by reference [CSP] defines the following terms: report content security policy violations for request should request be blocked by content security policy? should response to request be blocked by content security policy? [DOM] defines the following terms: AbortSignal abort reason aborted add follow origin [ECMASCRIPT] defines the following terms: parsetext realm record script script record [ENCODING] defines the following terms: decode encoding getting an encoding utf-8 utf-8 decode utf-8 decode without bom utf-8 encode [FETCH-METADATA] defines the following terms: append the Fetch metadata headers for a request [FILEAPI] defines the following terms: Blob File get stream name object size type [HR-TIME-3] defines the following terms: DOMHighResTimeStamp coarsen time coarsened shared current time relative high resolution time unsafe shared current time [HTML] defines the following terms: "coep" report type EventSource StructuredDeserialize StructuredSerialize Window WindowOrWorkerGlobalScope active document ancestor browsing context api base url ascii serialization of an origin browsing context clone a policy container consume a preloaded resource credentialless cross-origin isolated capability current settings object download the hyperlink embedder policy embedder policy value enqueue steps entry environment environment settings object fetch a classic script form global object global object (for environment settings object) host id in parallel multipart/form-data boundary string multipart/form-data encoding algorithm navigate networking task source obtain a site opaque origin origin origin (for environment settings object) parallel queue policy container policy container (for environment settings object) queue a global task referrer policy relevant realm relevant settings object report only reporting endpoint report only value reporting endpoint require-corp resource fetch algorithm same origin scheme schemelessly same site secure context serialization of an origin site starting a new parallel queue target browsing context top-level creation url top-level origin tuple origin unsafe-none value [HTTP] defines the following terms: field-name method reason-phrase [HTTP-CACHING] defines the following terms: delta-seconds [INFRA] defines the following terms: abort when append (for list) append (for set) ascii case-insensitive ascii digit ascii string ascii whitespace assert boolean break byte less than byte sequence byte-case-insensitive byte-lowercase byte-uppercase clone code point collecting a sequence of code points contain continue exist for each (for list) for each (for map) forgiving-base64 decode if aborted implementation-defined is empty is not empty (for list) is not empty (for map) isomorphic decode isomorphic encode item (for list) item (for struct) length list ordered set parse json bytes to a javascript value parse json from bytes position variable remove scalar value string serialize a javascript value to json bytes set sorting starts with (for byte sequence) starts with (for string) string strip leading and trailing ascii whitespace struct tuple [MIMESNIFF] defines the following terms: essence html mime type javascript mime type json mime type mime type parameters parse a mime type serialize a mime type serialize a mime type to bytes xml mime type [MIX] defines the following terms: should fetching request be blocked as mixed content? should response to request be blocked as mixed content? [REFERRER] defines the following terms: ReferrerPolicy determine request's referrer referrer policy set request's referrer policy on redirect [REPORTING] defines the following terms: generate and queue a report [RESOURCE-TIMING] defines the following terms: mark resource timing [RFC8941] defines the following terms: parsing structured fields serializing structured fields structured field value [SRI] defines the following terms: do bytes match metadatalist? [STREAMS] defines the following terms: ReadableStream ReadableStreamDefaultReader TransformStream cancel cancelalgorithm chunk chunk steps close close steps creating a proxy disturbed enqueue (for ReadableStream) enqueue (for TransformStream) error error steps errored flushalgorithm getReader() getting a reader highwatermark identity transform stream locked need more data piped through pullalgorithm read a chunk read request readable reading all bytes set up (for ReadableStream) set up (for TransformStream) sizealgorithm teeing transformalgorithm [SW] defines the following terms: ServiceWorkerGlobalScope fetch handle fetch service worker timing info [UPGRADE-INSECURE-REQUESTS] defines the following terms: upgrade request to a potentially trustworthy url, if appropriate [URL] defines the following terms: URLSearchParams absolute-url-with-fragment string blob url entry domain exclude fragment fragment host host (for url) include credentials includes credentials ip address ipv6 address list origin password path percent-decode port public suffix scheme set the password set the username url url parser url serializer urlencoded parser urlencoded serializer username [WEBIDL] defines the following terms: AbortError ArrayBuffer BufferSource ByteString DOMException DOMString Exposed NewObject Promise RangeError SameObject TypeError USVString Uint8Array a promise rejected with a promise resolved with any boolean get a copy of the buffer source get a copy of the bytes held by the buffer source new react record reject resolve sequence this throw undefined unsigned short upon fulfillment value pairs to iterate over [WEBSOCKETS] defines the following terms: WebSocket establish a websocket connection obtain a websocket connection [XHR] defines the following terms: FormData XMLHttpRequest XMLHttpRequestUpload entry list References Normative References [ABNF] D. Crocker, Ed.; P. Overell. Augmented BNF for Syntax Specifications: ABNF . January 2008. Internet Standard. URL: [COOKIES] A. Barth. HTTP State Management Mechanism . April 2011. Proposed Standard. URL: [CSP] Mike West; Antonio Sartori. Content Security Policy Level 3 . URL: [DOM] Anne van Kesteren. DOM Standard . Living Standard. URL: [ECMASCRIPT] ECMAScript Language Specification . URL: [ENCODING] Anne van Kesteren. Encoding Standard . Living Standard. URL: [FETCH-METADATA] Mike West. Fetch Metadata Request Headers . URL: [FILEAPI] Marijn Kruisselbrink. File API . URL: [HR-TIME-3] Yoav Weiss. High Resolution Time . URL: [HSTS] J. Hodges; C. Jackson; A. Barth. HTTP Strict Transport Security (HSTS) . November 2012. Proposed Standard. URL: [HTML] Anne van Kesteren; et al. HTML Standard . Living Standard. URL: [HTTP] R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed.. HTTP Semantics . June 2022. Internet Standard. URL: [HTTP-CACHING] R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed.. HTTP Caching . June 2022. Internet Standard. URL: [HTTP1] R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed.. HTTP/1.1 . June 2022. Internet Standard. URL: [HTTP3] M. Bishop, Ed.. Hypertext Transfer Protocol Version 3 (HTTP/3) . URL: [HTTP3-DATAGRAM] David Schinazi; Lucas Pardue. Using QUIC Datagrams with HTTP/3 . URL: [INFRA] Anne van Kesteren; Domenic Denicola. Infra Standard . Living Standard. URL: [MIMESNIFF] Gordon P. Hemsley. MIME Sniffing Standard . Living Standard. URL: [MIX] Emily Stark; Mike West; Carlos IbarraLopez. Mixed Content . URL: [REFERRER] Jochen Eisinger; Emily Stark. Referrer Policy . URL: [REPORTING] Douglas Creager; Ian Clelland; Mike West. Reporting API . URL: [RESOURCE-TIMING] Yoav Weiss; Noam Rosenthal. Resource Timing Level 2 . URL: [RFC7405] P. Kyzivat. Case-Sensitive String Support in ABNF . December 2014. Proposed Standard. URL: [RFC7578] L. Masinter. Returning Values from Forms: multipart/form-data . July 2015. Proposed Standard. URL: [RFC8941] M. Nottingham; P-H. Kamp. Structured Field Values for HTTP . February 2021. Proposed Standard. URL: [SRI] Devdatta Akhawe; et al. Subresource Integrity . URL: [STALE-WHILE-REVALIDATE] M. Nottingham. HTTP Cache-Control Extensions for Stale Content . May 2010. Informational. URL: [STREAMS] Adam Rice; et al. Streams Standard . Living Standard. URL: [SVCB] Ben Schwartz; Mike Bishop; Erik Nygren. Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs) . URL: [SW] Jake Archibald; Marijn Kruisselbrink. Service Workers . URL: [TLS] E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3 . August 2018. Proposed Standard. URL: [UPGRADE-INSECURE-REQUESTS] Mike West. Upgrade Insecure Requests . URL: [URL] Anne van Kesteren. URL Standard . Living Standard. URL: [WEBIDL] Edgar Chen; Timothy Gu. Web IDL Standard . Living Standard. URL: [WEBSOCKETS] Adam Rice. WebSockets Standard . Living Standard. URL: [WEBTRANSPORT-HTTP3] V. Vasiliev. WebTransport over HTTP/3 . URL: [XHR] Anne van Kesteren. XMLHttpRequest Standard . Living Standard. URL: Informative References [EXPECT-CT] Emily Stark. Expect-CT Extension for HTTP . URL: [HTTPVERBSEC1] Multiple vendors' web servers enable HTTP TRACE method by default. . URL: [HTTPVERBSEC2] Microsoft Internet Information Server (IIS) vulnerable to cross-site scripting via HTTP TRACK method. . URL: [HTTPVERBSEC3] HTTP proxy default configurations allow arbitrary TCP connections. . URL: [NAVIGATION-TIMING] Zhiheng Wang. Navigation Timing . 17 December 2012. REC. URL: [OCSP] S. Santesson; et al. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP . June 2013. Proposed Standard. URL: [ORIGIN] A. Barth. The Web Origin Concept . December 2011. Proposed Standard. URL: [RFC1035] P. Mockapetris. Domain names - implementation and specification . November 1987. Internet Standard. URL: [RFC2397] L. Masinter. The "data" URL scheme . August 1998. Proposed Standard. URL: [RFC7301] S. Friedl; et al. Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension . July 2014. Proposed Standard. URL: [RFC7918] A. Langley; N. Modadugu; B. Moeller. Transport Layer Security (TLS) False Start . August 2016. Informational. URL: [RFC8470] M. Thomson; M. Nottingham; W. Tarreau. Using Early Data in HTTP . September 2018. Proposed Standard. URL: IDL Index typedef sequence sequence ByteString >> or record ByteString ByteString >) HeadersInit Exposed =( Window Worker )] interface Headers constructor optional HeadersInit init ); undefined append ByteString name ByteString value ); undefined delete ByteString name ); ByteString get ByteString name ); boolean has ByteString name ); undefined set ByteString name ByteString value ); iterable ByteString ByteString >; }; typedef Blob or BufferSource or FormData or URLSearchParams or USVString XMLHttpRequestBodyInit typedef ReadableStream or XMLHttpRequestBodyInit BodyInit interface mixin Body readonly attribute ReadableStream body readonly attribute boolean bodyUsed NewObject Promise ArrayBuffer arrayBuffer (); NewObject Promise Blob blob (); NewObject Promise FormData formData (); NewObject Promise any json (); NewObject Promise USVString text (); }; typedef Request or USVString RequestInfo Exposed =( Window Worker )] interface Request constructor RequestInfo input optional RequestInit init = {}); readonly attribute ByteString method readonly attribute USVString url SameObject readonly attribute Headers headers readonly attribute RequestDestination destination readonly attribute USVString referrer readonly attribute ReferrerPolicy referrerPolicy readonly attribute RequestMode mode readonly attribute RequestCredentials credentials readonly attribute RequestCache cache readonly attribute RequestRedirect redirect readonly attribute DOMString integrity readonly attribute boolean keepalive readonly attribute boolean isReloadNavigation readonly attribute boolean isHistoryNavigation readonly attribute AbortSignal signal readonly attribute RequestDuplex duplex NewObject Request clone (); }; Request includes Body dictionary RequestInit ByteString method HeadersInit headers BodyInit body USVString referrer ReferrerPolicy referrerPolicy RequestMode mode RequestCredentials credentials RequestCache cache RequestRedirect redirect DOMString integrity boolean keepalive AbortSignal signal RequestDuplex duplex any window ; // can only be set to null }; enum RequestDestination "" "audio" "audioworklet" "document" "embed" "font" "frame" "iframe" "image" "manifest" "object" "paintworklet" "report" "script" "sharedworker" "style" "track" "video" "worker" "xslt" }; enum RequestMode "navigate" "same-origin" "no-cors" "cors" }; enum RequestCredentials "omit" "same-origin" "include" }; enum RequestCache "default" "no-store" "reload" "no-cache" "force-cache" "only-if-cached" }; enum RequestRedirect "follow" "error" "manual" }; enum RequestDuplex "half" }; Exposed =( Window Worker )] interface Response constructor optional BodyInit body null optional ResponseInit init = {}); NewObject static Response error (); NewObject static Response redirect USVString url optional unsigned short status = 302); NewObject static Response json any data optional ResponseInit init = {}); readonly attribute ResponseType type readonly attribute USVString url readonly attribute boolean redirected readonly attribute unsigned short status readonly attribute boolean ok readonly attribute ByteString statusText SameObject readonly attribute Headers headers NewObject Response clone (); }; Response includes Body dictionary ResponseInit unsigned short status = 200; ByteString statusText = ""; HeadersInit headers }; enum ResponseType "basic" "cors" "default" "error" "opaque" "opaqueredirect" }; partial interface mixin WindowOrWorkerGlobalScope NewObject Promise Response fetch RequestInfo input optional RequestInit init = {}); }; #abnf Referenced in: 2.2.2. Headers (2) (3) 3.2.4. HTTP new-header syntax 3.5. `X-Content-Type-Options` header 3.6. `Cross-Origin-Resource-Policy` header #credentials Referenced in: 2.2.5. Requests 2.6. Connections 3.2. CORS protocol 3.2.4. HTTP new-header syntax 3.2.5. CORS protocol and credentials (2) (3) (4) (5) (6) (7) (8) 3.2.6. Examples (2) (3) (4) (5) (6) (7) #fetch-params Referenced in: 2. Infrastructure (2) 2.2.6. Responses 4. Fetching 4.1. Main fetch (2) 4.2. Scheme fetch 4.3. HTTP fetch 4.4. HTTP-redirect fetch 4.5. HTTP-network-or-cache fetch (2) 4.6. HTTP-network fetch 4.7. CORS-preflight fetch #fetch-params-request Referenced in: 4. Fetching 4.1. Main fetch (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) 4.2. Scheme fetch 4.3. HTTP fetch 4.4. HTTP-redirect fetch 4.5. HTTP-network-or-cache fetch (2) (3) 4.6. HTTP-network fetch 4.7. CORS-preflight fetch #fetch-params-process-request-body Referenced in: 4. Fetching 4.6. HTTP-network fetch (2) #fetch-params-process-request-end-of-body Referenced in: 4. Fetching 4.6. HTTP-network fetch (2) (3) (4) #fetch-params-process-early-hints-response Referenced in: 4. Fetching 4.6. HTTP-network fetch (2) #fetch-params-process-response Referenced in: 4. Fetching 4.1. Main fetch (2) #fetch-params-process-response-end-of-body Referenced in: 4. Fetching 4.1. Main fetch (2) #fetch-params-process-response-consume-body Referenced in: 4. Fetching 4.1. Main fetch (2) (3) #fetch-params-task-destination Referenced in: 4. Fetching 4.1. Main fetch (2) (3) (4) (5) 4.6. HTTP-network fetch (2) #fetch-params-cross-origin-isolated-capability Referenced in: 4. Fetching 4.3. HTTP fetch (2) 4.4. HTTP-redirect fetch 4.6. HTTP-network fetch (2) (3) #fetch-params-controller Referenced in: 2. Infrastructure (2) 4. Fetching (2) 4.1. Main fetch (2) (3) 4.3. HTTP fetch (2) (3) 4.6. HTTP-network fetch (2) (3) (4) (5) (6) #fetch-params-timing-info Referenced in: 4. Fetching 4.1. Main fetch (2) 4.3. HTTP fetch (2) 4.4. HTTP-redirect fetch 4.5. HTTP-network-or-cache fetch 4.6. HTTP-network fetch #fetch-params-preloaded-response-candidate Referenced in: 4. Fetching (2) (3) 4.1. Main fetch (2) (3) (4) #fetch-controller Referenced in: 2. Infrastructure (2) (3) (4) (5) (6) (7) 2.4. Fetch groups Invoking fetch #fetch-controller-state Referenced in: 2. Infrastructure (2) (3) (4) #fetch-controller-full-timing-info Referenced in: 2. Infrastructure (2) 4.1. Main fetch #fetch-controller-report-timing-steps Referenced in: 2. Infrastructure (2) 4.1. Main fetch (2) #fetch-controller-serialized-abort-reason Referenced in: 2. Infrastructure 4.6. HTTP-network fetch 5.6. Fetch method #fetch-controller-next-manual-redirect-steps Referenced in: 2. Infrastructure (2) 4.3. HTTP fetch #fetch-controller-process-the-next-manual-redirect Referenced in: Invoking fetch #fetch-controller-abort Referenced in: 4.6. HTTP-network fetch (2) 5.6. Fetch method Invoking fetch #deserialize-a-serialized-abort-reason Referenced in: 4.6. HTTP-network fetch 5.6. Fetch method #fetch-controller-terminate Referenced in: 2.4. Fetch groups 4.3. HTTP fetch 4.6. HTTP-network fetch (2) (3) 5.7. Garbage collection Invoking fetch #fetch-params-aborted Referenced in: 2.2.6. Responses 4.6. HTTP-network fetch #fetch-params-canceled Referenced in: 2.2.6. Responses 4.2. Scheme fetch 4.3. HTTP fetch 4.5. HTTP-network-or-cache fetch (2) (3) (4) 4.6. HTTP-network fetch (2) (3) (4) (5) #fetch-timing-info Referenced in: 2. Infrastructure (2) (3) (4) 4. Fetching #fetch-timing-info-start-time Referenced in: 2. Infrastructure (2) 4. Fetching 4.4. HTTP-redirect fetch #fetch-timing-info-redirect-start-time Referenced in: 4.4. HTTP-redirect fetch (2) #fetch-timing-info-redirect-end-time Referenced in: 4.4. HTTP-redirect fetch #fetch-timing-info-post-redirect-start-time Referenced in: 2. Infrastructure 4. Fetching 4.4. HTTP-redirect fetch 4.6. HTTP-network fetch #fetch-timing-info-final-service-worker-start-time Referenced in: 4.3. HTTP fetch #fetch-timing-info-final-network-request-start-time Referenced in: 4.6. HTTP-network fetch #fetch-timing-info-final-network-response-start-time Referenced in: 4.6. HTTP-network fetch (2) #fetch-timing-info-end-time Referenced in: 4.1. Main fetch #fetch-timing-info-final-connection-timing-info Referenced in: 4.6. HTTP-network fetch #fetch-timing-info-server-timing-headers Referenced in: 4.1. Main fetch #fetch-timing-info-render-blocking Referenced in: 4. Fetching #response-body-info Referenced in: 2.2.6. Responses (2) 4.1. Main fetch #fetch-timing-info-encoded-body-size Referenced in: 4.6. HTTP-network fetch #fetch-timing-info-decoded-body-size Referenced in: 4.6. HTTP-network fetch #create-an-opaque-timing-info Referenced in: 4.1. Main fetch #queue-a-fetch-task Referenced in: 2.2.4. Bodies (2) (3) (4) (5) 4.1. Main fetch (2) (3) 4.6. HTTP-network fetch (2) #serialize-an-integer Referenced in: 2.2.5. Requests (2) 4.2. Scheme fetch 4.5. HTTP-network-or-cache fetch #local-scheme Referenced in: 2.1. URL #is-local Referenced in: 4.1. Main fetch #http-scheme Referenced in: 2.1. URL (2) 2.5. Resolving domains 2.9. Port blocking 4. Fetching 4.1. Main fetch (2) (3) 4.2. Scheme fetch 4.4. HTTP-redirect fetch #fetch-scheme Referenced in: 2.1. URL #http-tab-or-space Referenced in: 2.2. HTTP (2) 2.2.2. Headers #http-whitespace Referenced in: 2.2. HTTP #http-newline-byte Referenced in: 2.2. HTTP 2.2.2. Headers #http-tab-or-space-byte Referenced in: 2.2. HTTP 2.2.2. Headers #http-whitespace-byte Referenced in: 2.2.2. Headers #collect-an-http-quoted-string Referenced in: 2.2.2. Headers #concept-method Referenced in: 2.2.1. Methods (2) (3) (4) (5) 2.2.5. Requests 3.2.2. HTTP requests (2) 3.2.3. HTTP responses 3.2.4. HTTP new-header syntax 4.2. Scheme fetch 4.8. CORS-preflight cache 5.4. Request class #cors-safelisted-method Referenced in: 2.2.5. Requests 4.1. Main fetch 4.3. HTTP fetch 4.7. CORS-preflight fetch 5.4. Request class #forbidden-method Referenced in: 2.2.5. Requests 5.4. Request class #concept-method-normalize Referenced in: 2.2.1. Methods (2) 5.4. Request class #concept-header-list Referenced in: 2.2.2. Headers (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) 2.2.5. Requests 2.2.6. Responses 3.3. `Content-Length` header 3.4. `Content-Type` header 3.5. `X-Content-Type-Options` header 5.1. Headers class (2) (3) (4) #concept-header-list-get-structured-header Referenced in: 2.2.2. Headers #header-list-contains Referenced in: 2.2.2. Headers (2) (3) (4) (5) (6) (7) 2.2.5. Requests 4. Fetching (2) 4.1. Main fetch 4.5. HTTP-network-or-cache fetch (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) 5.1. Headers class (2) 5.4. Request class 5.5. Response class #concept-header-list-get Referenced in: 2.2.2. Headers (2) (3) 3.6. `Cross-Origin-Resource-Policy` header 4.9. CORS check (2) 5.1. Headers class (2) #concept-header-list-get-decode-split Referenced in: 2.2.2. Headers 3.3. `Content-Length` header 3.4. `Content-Type` header 3.5. `X-Content-Type-Options` header 4.1. Main fetch 4.10. TAO check #concept-header-list-append Referenced in: 2.2.5. Requests 3.1. `Origin` header (2) 4. Fetching (2) 4.5. HTTP-network-or-cache fetch (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) 4.7. CORS-preflight fetch (2) (3) 5.1. Headers class 5.5. Response class (2) #concept-header-list-delete Referenced in: 4.4. HTTP-redirect fetch 5.1. Headers class (2) #concept-header-list-set Referenced in: 2.2.2. Headers 5.1. Headers class #concept-header-list-combine Referenced in: 2.2.2. Headers 4.7. CORS-preflight fetch #convert-header-names-to-a-sorted-lowercase-set Referenced in: 2.2.2. Headers (2) #concept-header-list-sort-and-combine Referenced in: 5.1. Headers class #concept-header Referenced in: 2.2.2. Headers (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) (17) (18) (19) (20) (21) (22) (23) (24) (25) 2.2.6. Responses (2) (3) 3.1. `Origin` header 3.2.2. HTTP requests (2) 3.2.3. HTTP responses (2) (3) (4) (5) (6) (7) (8) (9) (10) 3.2.4. HTTP new-header syntax (2) 3.2.5. CORS protocol and credentials 3.5. `X-Content-Type-Options` header (2) 3.6. `Cross-Origin-Resource-Policy` header 4.1. Main fetch (2) 4.5. HTTP-network-or-cache fetch (2) (3) (4) 4.6. HTTP-network fetch 5.1. Headers class (2) Basic safe CORS protocol setup (2) (3) #concept-header-name Referenced in: 2.2.2. Headers (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) 2.2.6. Responses (2) (3) 3.2.3. HTTP responses 4.1. Main fetch (2) 4.5. HTTP-network-or-cache fetch 4.6. HTTP-network fetch 4.7. CORS-preflight fetch 5.4. Request class #concept-header-value Referenced in: 2.2.2. Headers (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) 3.1. `Origin` header 3.2.3. HTTP responses (2) 3.2.4. HTTP new-header syntax (2) 3.5. `X-Content-Type-Options` header 3.6. `Cross-Origin-Resource-Policy` header 4.5. HTTP-network-or-cache fetch (2) 4.6. HTTP-network fetch 5.4. Request class #header-name Referenced in: 2.2.2. Headers (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) (17) (18) 3.2.4. HTTP new-header syntax 4.8. CORS-preflight cache 5.1. Headers class (2) (3) (4) (5) #header-value Referenced in: 2.2.2. Headers (2) (3) (4) 2.2.4. Bodies 2.2.6. Responses 4. Fetching 5.1. Headers class (2) #concept-header-value-normalize Referenced in: 5.1. Headers class (2) #cors-safelisted-request-header Referenced in: 2.2.2. Headers (2) 2.2.5. Requests #cors-unsafe-request-header-byte Referenced in: 2.2.2. Headers (2) #cors-unsafe-request-header-names Referenced in: 4.1. Main fetch 4.3. HTTP fetch 4.7. CORS-preflight fetch (2) #cors-non-wildcard-request-header-name Referenced in: 4.7. CORS-preflight fetch 4.8. CORS-preflight cache #privileged-no-cors-request-header-name Referenced in: 5.1. Headers class (2) #cors-safelisted-response-header-name Referenced in: 2.2.6. Responses #no-cors-safelisted-request-header-name Referenced in: 2.2.2. Headers 5.1. Headers class #no-cors-safelisted-request-header Referenced in: 5.1. Headers class (2) #forbidden-header-name Referenced in: 2.2.5. Requests 5.1. Headers class (2) (3) HTTP header layer division #forbidden-response-header-name Referenced in: 2.2.2. Headers 2.2.6. Responses 5.1. Headers class (2) (3) #request-body-header-name Referenced in: 4.4. HTTP-redirect fetch #extract-header-values Referenced in: 2.2.2. Headers 2.2.6. Responses #extract-header-list-values Referenced in: 2.2.6. Responses 4.1. Main fetch 4.6. HTTP-network fetch 4.7. CORS-preflight fetch (2) (3) #simple-range-header-value Referenced in: 2.2.2. Headers (2) #default-user-agent-value Referenced in: 4.5. HTTP-network-or-cache fetch #concept-status Referenced in: 2.2.3. Statuses (2) (3) 2.2.6. Responses 3.2.3. HTTP responses (2) (3) #null-body-status Referenced in: 4.1. Main fetch 5.5. Response class (2) Invoking fetch #ok-status Referenced in: 2.11.1. The opaque-response-safelist check 3.2.3. HTTP responses 4.7. CORS-preflight fetch 5.5. Response class (2) #redirect-status Referenced in: 2.2.6. Responses (2) 4.3. HTTP fetch (2) 5.5. Response class Atomic HTTP redirect handling #concept-body Referenced in: 2.2.4. Bodies (2) (3) (4) (5) (6) 2.2.5. Requests (2) 2.2.6. Responses 4.3. HTTP fetch (2) (3) 4.6. HTTP-network fetch 5.2. BodyInit unions 5.3. Body mixin #concept-body-stream Referenced in: 2.2.4. Bodies (2) (3) (4) (5) 2.11.1. The opaque-response-safelist check (2) (3) 4.1. Main fetch (2) 4.3. HTTP fetch (2) (3) 4.5. HTTP-network-or-cache fetch (2) 4.6. HTTP-network fetch (2) 5.2. BodyInit unions 5.3. Body mixin (2) (3) Invoking fetch #concept-body-source Referenced in: 2.2.6. Responses 4.4. HTTP-redirect fetch (2) (3) 4.5. HTTP-network-or-cache fetch (2) (3) (4) (5) 4.6. HTTP-network fetch (2) (3) (4) 5.2. BodyInit unions 5.4. Request class #concept-body-total-bytes Referenced in: 2.2.6. Responses 4.2. Scheme fetch 4.5. HTTP-network-or-cache fetch (2) 5.2. BodyInit unions #concept-body-clone Referenced in: 2.2.5. Requests 2.2.6. Responses #byte-sequence-as-a-body Referenced in: 4. Fetching 4.1. Main fetch 4.2. Scheme fetch (2) #body-incrementally-read Referenced in: 4.6. HTTP-network fetch #incrementally-read-loop Referenced in: 2.2.4. Bodies (2) #body-fully-read Referenced in: 2.11.1. The opaque-response-safelist check 4.1. Main fetch (2) Invoking fetch (2) #fully-reading-body-as-promise Referenced in: 2.2.4. Bodies 5.3. Body mixin #body-with-type Referenced in: 5.2. BodyInit unions (2) 5.5. Response class #body-with-type-body Referenced in: 2.2.4. Bodies 2.11.1. The opaque-response-safelist check 4.2. Scheme fetch 4.4. HTTP-redirect fetch 4.5. HTTP-network-or-cache fetch 5.4. Request class 5.5. Response class #body-with-type-type Referenced in: 4.2. Scheme fetch 5.4. Request class 5.5. Response class (2) #handle-content-codings Referenced in: 4.5. HTTP-network-or-cache fetch 4.6. HTTP-network fetch #concept-request Referenced in: 2. Infrastructure 2.2.5. Requests (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) (17) (18) (19) (20) (21) (22) (23) (24) (25) (26) (27) (28) (29) (30) (31) (32) (33) (34) (35) (36) (37) (38) (39) (40) (41) (42) (43) (44) (45) (46) (47) (48) (49) (50) (51) (52) (53) (54) (55) (56) (57) (58) (59) (60) (61) (62) (63) (64) (65) (66) (67) (68) (69) (70) (71) (72) (73) (74) (75) 2.3. Authentication entries 2.4. Fetch groups 2.9. Port blocking 2.11.1. The opaque-response-safelist check 3.1. `Origin` header (2) (3) (4) (5) 3.2. CORS protocol 3.2.1. General (2) 3.2.2. HTTP requests 3.2.3. HTTP responses (2) 3.2.4. HTTP new-header syntax (2) 3.2.5. CORS protocol and credentials (2) (3) (4) (5) (6) 3.5. `X-Content-Type-Options` header 3.5.1. Should response to request be blocked due to nosniff? 3.6. `Cross-Origin-Resource-Policy` header (2) (3) 4. Fetching (2) (3) 4.7. CORS-preflight fetch (2) 5.1. Headers class 5.4. Request class (2) (3) (4) (5) WebSockets Using fetch in other standards Invoking fetch (2) (3) (4) #concept-request-method Referenced in: 2.2.5. Requests 3.1. `Origin` header (2) 3.2.2. HTTP requests 4. Fetching 4.1. Main fetch (2) 4.2. Scheme fetch 4.3. HTTP fetch (2) 4.4. HTTP-redirect fetch (2) (3) 4.5. HTTP-network-or-cache fetch (2) 4.7. CORS-preflight fetch (2) (3) (4) (5) 5.4. Request class (2) (3) (4) (5) (6) #concept-request-url Referenced in: 2.2.5. Requests (2) 4. Fetching (2) 4.1. Main fetch (2) 5.4. Request class (2) (3) (4) (5) (6) #local-urls-only-flag Referenced in: 4.1. Main fetch #concept-request-header-list Referenced in: 2.2.5. Requests (2) (3) 3.1. `Origin` header (2) 4. Fetching (2) (3) (4) (5) 4.1. Main fetch (2) 4.3. HTTP fetch 4.4. HTTP-redirect fetch 4.5. HTTP-network-or-cache fetch (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) (17) (18) (19) (20) (21) 4.7. CORS-preflight fetch (2) (3) (4) (5) (6) 5.4. Request class (2) (3) (4) (5) #unsafe-request-flag Referenced in: 2.2.5. Requests 4. Fetching 4.1. Main fetch 5.4. Request class #concept-request-body Referenced in: 2.2.5. Requests (2) (3) (4) 4. Fetching (2) (3) 4.3. HTTP fetch (2) (3) 4.4. HTTP-redirect fetch (2) (3) (4) (5) (6) (7) 4.5. HTTP-network-or-cache fetch (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) 4.6. HTTP-network fetch (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) 5.4. Request class (2) (3) (4) 5.6. Fetch method (2) Invoking fetch (2) #concept-request-client Referenced in: 2.2.5. Requests (2) (3) (4) 2.7. Network partition keys (2) 4. Fetching (2) (3) (4) (5) (6) (7) (8) (9) (10) 4.1. Main fetch (2) (3) 4.3. HTTP fetch (2) 4.5. HTTP-network-or-cache fetch (2) 5.4. Request class 5.6. Fetch method #concept-request-reserved-client Referenced in: 2.7. Network partition keys (2) #concept-request-window Referenced in: 2.2.5. Requests 4. Fetching (2) (3) (4) 4.5. HTTP-network-or-cache fetch (2) (3) (4) (5) 4.6. HTTP-network fetch (2) 5.4. Request class (2) (3) #request-keepalive-flag Referenced in: 2.4. Fetch groups 4.5. HTTP-network-or-cache fetch (2) 5.4. Request class (2) (3) (4) (5) #request-initiator-type Referenced in: 4.1. Main fetch (2) (3) 5.4. Request class #request-service-workers-mode Referenced in: 4.3. HTTP fetch (2) 4.5. HTTP-network-or-cache fetch 4.7. CORS-preflight fetch 5.6. Fetch method #concept-request-initiator Referenced in: 2.2.5. Requests (2) (3) 4. Fetching 4.7. CORS-preflight fetch (2) #concept-request-destination Referenced in: 2.2.5. Requests (2) (3) (4) (5) (6) 2.2.7. Miscellaneous (2) 2.10. Should response to request be blocked due to its MIME type? 3.5. `X-Content-Type-Options` header 3.5.1. Should response to request be blocked due to nosniff? (2) 4. Fetching (2) (3) 4.1. Main fetch 4.3. HTTP fetch 4.7. CORS-preflight fetch (2) 5.4. Request class (2) #request-destination-script-like Referenced in: 2.2.5. Requests 2.10. Should response to request be blocked due to its MIME type? 3.5.1. Should response to request be blocked due to nosniff? (2) #concept-request-priority Referenced in: 4. Fetching (2) 5.4. Request class (2) #concept-request-origin Referenced in: 2.2.5. Requests (2) (3) (4) 3.1. `Origin` header (2) 3.6. `Cross-Origin-Resource-Policy` header 4. Fetching (2) (3) 4.1. Main fetch 4.3. HTTP fetch 4.4. HTTP-redirect fetch 4.7. CORS-preflight fetch (2) 4.10. TAO check (2) 5.4. Request class (2) (3) #concept-request-policy-container Referenced in: 2.2.5. Requests 4. Fetching (2) (3) 4.1. Main fetch #concept-request-referrer Referenced in: 2.2.5. Requests 4.1. Main fetch (2) (3) 4.5. HTTP-network-or-cache fetch (2) 4.7. CORS-preflight fetch (2) 5.4. Request class (2) (3) (4) (5) (6) (7) (8) (9) (10) #concept-request-referrer-policy Referenced in: 3.1. `Origin` header (2) 4.1. Main fetch (2) 4.7. CORS-preflight fetch (2) 5.4. Request class (2) (3) (4) (5) #concept-request-mode Referenced in: 2.2.5. Requests (2) (3) (4) (5) 3.1. `Origin` header (2) 3.6. `Cross-Origin-Resource-Policy` header 4. Fetching (2) (3) 4.1. Main fetch (2) (3) (4) 4.3. HTTP fetch (2) (3) 4.4. HTTP-redirect fetch 4.6. HTTP-network fetch (2) 4.7. CORS-preflight fetch 4.10. TAO check 5.4. Request class (2) (3) (4) (5) (6) (7) (8) (9) WebSockets Invoking fetch #use-cors-preflight-flag Referenced in: 2.2.5. Requests (2) 4.1. Main fetch 4.3. HTTP fetch 4.7. CORS-preflight fetch (2) 5.4. Request class #concept-request-credentials-mode Referenced in: 2.2.5. Requests (2) 3.2.3. HTTP responses (2) 3.2.5. CORS protocol and credentials (2) (3) (4) 4. Fetching 4.1. Main fetch 4.5. HTTP-network-or-cache fetch (2) (3) 4.7. CORS-preflight fetch (2) (3) 4.8. CORS-preflight cache (2) 4.9. CORS check (2) 5.4. Request class (2) (3) (4) (5) #concept-request-use-url-credentials-flag Referenced in: 4.5. HTTP-network-or-cache fetch (2) #concept-request-cache-mode Referenced in: 2.2.5. Requests 4.5. HTTP-network-or-cache fetch (2) (3) (4) (5) (6) (7) (8) (9) (10) 5.4. Request class (2) (3) (4) (5) (6) #concept-request-redirect-mode Referenced in: 2.2.5. Requests 4.1. Main fetch 4.3. HTTP fetch (2) (3) (4) 4.5. HTTP-network-or-cache fetch 5.4. Request class (2) (3) (4) (5) Invoking fetch #concept-request-integrity-metadata Referenced in: 4. Fetching 4.1. Main fetch (2) 5.4. Request class (2) (3) (4) #concept-request-nonce-metadata Referenced in: 2.2.5. Requests #concept-request-parser-metadata Referenced in: 2.2.5. Requests #concept-request-reload-navigation-flag Referenced in: 5.4. Request class (2) (3) (4) #concept-request-history-navigation-flag Referenced in: 5.4. Request class (2) (3) (4) #request-render-blocking Referenced in: 4. Fetching (2) #request-no-cors-media-request-state Referenced in: 2.11.1. The opaque-response-safelist check (2) (3) #request-no-cors-javascript-fallback-encoding Referenced in: 2.11.1. The opaque-response-safelist check #concept-request-url-list Referenced in: 2.2.5. Requests (2) (3) (4) 4.1. Main fetch 4.4. HTTP-redirect fetch 4.5. HTTP-network-or-cache fetch 4.7. CORS-preflight fetch (2) 5.4. Request class (2) (3) #concept-request-current-url Referenced in: 2.2.5. Requests (2) 2.9. Port blocking 3.1. `Origin` header (2) 3.2.1. General 3.6. `Cross-Origin-Resource-Policy` header 4.1. Main fetch (2) (3) (4) (5) (6) (7) (8) (9) 4.2. Scheme fetch (2) (3) (4) 4.4. HTTP-redirect fetch 4.5. HTTP-network-or-cache fetch (2) (3) (4) (5) (6) 4.6. HTTP-network fetch (2) (3) 4.8. CORS-preflight cache (2) (3) 4.10. TAO check 5.4. Request class #concept-request-redirect-count Referenced in: 2.2.5. Requests 4.4. HTTP-redirect fetch (2) #concept-request-response-tainting Referenced in: 2.2.5. Requests (2) 3.1. `Origin` header (2) 4.1. Main fetch (2) (3) (4) (5) (6) (7) 4.3. HTTP fetch (2) (3) 4.4. HTTP-redirect fetch (2) 4.5. HTTP-network-or-cache fetch (2) 4.7. CORS-preflight fetch 4.10. TAO check #no-cache-prevent-cache-control Referenced in: 4.5. HTTP-network-or-cache fetch (2) #done-flag Referenced in: 2.2.5. Requests 2.4. Fetch groups 4.1. Main fetch 4.5. HTTP-network-or-cache fetch #timing-allow-failed Referenced in: 2.2.5. Requests 2.2.6. Responses 4.1. Main fetch 4.3. HTTP fetch 4.10. TAO check #subresource-request Referenced in: 4. Fetching #navigation-request Referenced in: 2.2.5. Requests (2) (3) CORS protocol and HTTP caches #concept-request-tainted-origin Referenced in: 2.2.5. Requests (2) 4.1. Main fetch #serializing-a-request-origin Referenced in: 2.2.5. Requests 4.10. TAO check #byte-serializing-a-request-origin Referenced in: 3.1. `Origin` header (2) 4.8. CORS-preflight cache (2) (3) 4.9. CORS check #concept-request-clone Referenced in: 4.3. HTTP fetch 4.5. HTTP-network-or-cache fetch (2) 5.4. Request class #concept-request-add-range-header Referenced in: 2.2.2. Headers (2) #serialize-a-response-url-for-reporting Referenced in: 3.6. `Cross-Origin-Resource-Policy` header #cross-origin-embedder-policy-allows-credentials Referenced in: 4.5. HTTP-network-or-cache fetch #concept-response Referenced in: 2. Infrastructure 2.2.5. Requests 2.2.6. Responses (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) (17) (18) (19) (20) (21) (22) (23) (24) (25) (26) (27) (28) (29) (30) (31) (32) (33) (34) (35) 2.11.1. The opaque-response-safelist check (2) (3) 3.2.3. HTTP responses (2) 3.5. `X-Content-Type-Options` header 3.6. `Cross-Origin-Resource-Policy` header (2) (3) (4) 4. Fetching (2) (3) (4) (5) (6) (7) 4.1. Main fetch (2) (3) 4.2. Scheme fetch (2) (3) 4.3. HTTP fetch (2) 4.4. HTTP-redirect fetch 4.5. HTTP-network-or-cache fetch 4.6. HTTP-network fetch (2) 5.5. Response class (2) (3) (4) (5) (6) (7) Atomic HTTP redirect handling Using fetch in other standards Invoking fetch (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) #concept-response-type Referenced in: 2.2.6. Responses (2) (3) (4) (5) (6) (7) 4.1. Main fetch 4.3. HTTP fetch (2) (3) (4) (5) 5.5. Response class #concept-response-aborted Referenced in: 2.2.6. Responses 4.6. HTTP-network fetch 5.6. Fetch method #concept-response-url Referenced in: 2.2.5. Requests 2.2.6. Responses (2) 3.2.3. HTTP responses (2) 3.6. `Cross-Origin-Resource-Policy` header (2) (3) 5.5. Response class (2) #concept-response-url-list Referenced in: 2.2.5. Requests (2) 2.2.6. Responses (2) (3) (4) (5) 4.1. Main fetch (2) 4.3. HTTP fetch 4.5. HTTP-network-or-cache fetch 5.5. Response class #concept-response-status Referenced in: 2.2.6. Responses (2) (3) (4) 2.11.1. The opaque-response-safelist check (2) (3) (4) 4. Fetching 4.1. Main fetch (2) (3) 4.3. HTTP fetch (2) (3) (4) 4.4. HTTP-redirect fetch (2) (3) 4.5. HTTP-network-or-cache fetch (2) (3) (4) (5) 4.7. CORS-preflight fetch 5.5. Response class (2) (3) (4) (5) Atomic HTTP redirect handling (2) Invoking fetch #concept-response-status-message Referenced in: 2.2.6. Responses (2) (3) 4.2. Scheme fetch (2) (3) 5.5. Response class (2) #concept-response-header-list Referenced in: 2.2.6. Responses (2) (3) (4) (5) (6) (7) (8) 2.10. Should response to request be blocked due to its MIME type? 2.11.1. The opaque-response-safelist check (2) (3) 3.5.1. Should response to request be blocked due to nosniff? (2) 3.6. `Cross-Origin-Resource-Policy` header 4.1. Main fetch (2) (3) 4.2. Scheme fetch (2) (3) 4.5. HTTP-network-or-cache fetch (2) (3) (4) 4.6. HTTP-network fetch (2) 4.7. CORS-preflight fetch (2) (3) 4.9. CORS check (2) 4.10. TAO check 5.5. Response class (2) (3) (4) (5) (6) Invoking fetch #concept-response-body Referenced in: 2.2.6. Responses (2) (3) (4) (5) (6) (7) (8) (9) 2.11.1. The opaque-response-safelist check (2) (3) (4) (5) 4.1. Main fetch (2) (3) (4) (5) (6) (7) (8) (9) 4.2. Scheme fetch (2) (3) 4.3. HTTP fetch 4.5. HTTP-network-or-cache fetch 4.6. HTTP-network fetch (2) (3) 5.5. Response class (2) 5.6. Fetch method (2) Invoking fetch (2) (3) (4) (5) (6) (7) #concept-response-cache-state Referenced in: 4.1. Main fetch 4.5. HTTP-network-or-cache fetch (2) (3) #concept-response-cors-exposed-header-name-list Referenced in: 2.2.6. Responses (2) 4.1. Main fetch (2) #concept-response-range-requested-flag Referenced in: 4.1. Main fetch 4.5. HTTP-network-or-cache fetch #response-request-includes-credentials Referenced in: 3.6. `Cross-Origin-Resource-Policy` header 4.5. HTTP-network-or-cache fetch #concept-response-timing-allow-passed Referenced in: 4.1. Main fetch (2) #concept-response-body-info Referenced in: 4.1. Main fetch 4.5. HTTP-network-or-cache fetch 4.6. HTTP-network fetch (2) #response-has-cross-origin-redirects Referenced in: 4.1. Main fetch (2) #concept-aborted-network-error Referenced in: 2.2.6. Responses #concept-network-error Referenced in: 2.2.5. Requests (2) (3) (4) 2.2.6. Responses (2) (3) (4) 4.1. Main fetch (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) 4.2. Scheme fetch (2) (3) (4) (5) 4.3. HTTP fetch (2) (3) (4) (5) (6) 4.4. HTTP-redirect fetch (2) (3) (4) (5) (6) 4.5. HTTP-network-or-cache fetch (2) (3) (4) (5) 4.6. HTTP-network fetch (2) (3) (4) 4.7. CORS-preflight fetch (2) (3) (4) (5) 5.5. Response class 5.6. Fetch method Invoking fetch #appropriate-network-error Referenced in: 4.2. Scheme fetch 4.5. HTTP-network-or-cache fetch (2) (3) (4) 4.6. HTTP-network fetch #concept-filtered-response Referenced in: 2.2.6. Responses (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) 4.1. Main fetch (2) 4.3. HTTP fetch 4.4. HTTP-redirect fetch #concept-internal-response Referenced in: 2.2.6. Responses (2) (3) (4) (5) (6) (7) (8) 3.6. `Cross-Origin-Resource-Policy` header (2) 4.1. Main fetch (2) 4.3. HTTP fetch (2) 4.4. HTTP-redirect fetch Atomic HTTP redirect handling #concept-filtered-response-basic Referenced in: 4.1. Main fetch #concept-filtered-response-cors Referenced in: 2.2.6. Responses 4.1. Main fetch #concept-filtered-response-opaque Referenced in: 2.2.5. Requests 2.2.6. Responses (2) 2.11. Opaque-response blocking 3.6. `Cross-Origin-Resource-Policy` header (2) 4.1. Main fetch #concept-filtered-response-opaque-redirect Referenced in: 2.2.5. Requests 2.2.6. Responses (2) (3) 4.3. HTTP fetch #concept-response-clone Referenced in: 2.2.6. Responses 5.5. Response class #concept-fresh-response Referenced in: 2.2.5. Requests 2.2.6. Responses (2) #concept-stale-while-revalidate-response Referenced in: 2.2.5. Requests 2.2.6. Responses 4.5. HTTP-network-or-cache fetch #concept-stale-response Referenced in: 2.2.5. Requests 4.5. HTTP-network-or-cache fetch #concept-response-location-url Referenced in: 2.2.6. Responses 4.4. HTTP-redirect fetch Invoking fetch #concept-potential-destination Referenced in: 2.2.7. Miscellaneous #authentication-entry Referenced in: 2. Infrastructure 2.2.5. Requests (2) 4.5. HTTP-network-or-cache fetch (2) (3) #proxy-authentication-entry Referenced in: 4.5. HTTP-network-or-cache fetch (2) #concept-fetch-group Referenced in: 2.4. Fetch groups (2) 4. Fetching 4.5. HTTP-network-or-cache fetch #concept-fetch-record Referenced in: 2.4. Fetch groups (2) (3) (4) (5) 4. Fetching (2) 4.5. HTTP-network-or-cache fetch #concept-fetch-record-request Referenced in: 2.4. Fetch groups 4. Fetching 4.5. HTTP-network-or-cache fetch (2) #concept-fetch-record-fetch Referenced in: 2.4. Fetch groups (2) 4. Fetching #resolve-an-origin Referenced in: 2.5. Resolving domains (2) 2.6. Connections (2) #concept-connection-pool Referenced in: 2.6. Connections (2) (3) #concept-connection Referenced in: 2.6. Connections (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) 4.3. HTTP fetch #connection-key Referenced in: 2.6. Connections (2) #connection-origin Referenced in: 2.6. Connections (2) #connection-credentials Referenced in: 2.6. Connections (2) (3) (4) #concept-connection-timing-info Referenced in: 2.6. Connections (2) 4.6. HTTP-network fetch #connection-timing-info Referenced in: 2. Infrastructure 2.6. Connections (2) (3) (4) (5) (6) #connection-timing-info-domain-lookup-start-time Referenced in: 2.6. Connections (2) (3) (4) #connection-timing-info-domain-lookup-end-time Referenced in: 2.6. Connections (2) (3) (4) #connection-timing-info-connection-start-time Referenced in: 2.6. Connections (2) (3) (4) (5) (6) #connection-timing-info-connection-end-time Referenced in: 2.6. Connections (2) (3) (4) (5) #connection-timing-info-secure-connection-start-time Referenced in: 2.6. Connections (2) (3) (4) #connection-timing-info-alpn-negotiated-protocol Referenced in: 2.6. Connections (2) (3) (4) (5) (6) #clamp-and-coarsen-connection-timing-info Referenced in: 2.6. Connections 4.6. HTTP-network fetch #new-connection-setting Referenced in: 2.6. Connections #concept-connection-obtain Referenced in: 4.1. Main fetch 4.6. HTTP-network fetch #create-a-connection Referenced in: 2.6. Connections #record-connection-timing-info Referenced in: 2.6. Connections #network-partition-key Referenced in: 2.5. Resolving domains 2.6. Connections (2) (3) 4.8. CORS-preflight cache #determine-the-network-partition-key Referenced in: 2.7. Network partition keys (2) #request-determine-the-network-partition-key Referenced in: 2.8. HTTP cache partitions 4.6. HTTP-network fetch 4.8. CORS-preflight cache (2) (3) #determine-the-http-cache-partition Referenced in: 4.5. HTTP-network-or-cache fetch #block-bad-port Referenced in: 4.1. Main fetch #bad-port Referenced in: 2.9. Port blocking #should-response-to-request-be-blocked-due-to-mime-type? Referenced in: 2.10. Should response to request be blocked due to its MIME type? 4.1. Main fetch #opaque-response-safelist-check Referenced in: 2.2.5. Requests (2) 2.11.2. New MIME type sets 4.3. HTTP fetch (2) #obtain-a-copy-of-the-first-1024-bytes-of-response Referenced in: 2.11.1. The opaque-response-safelist check #determine-if-response-is-javascript-and-not-json Referenced in: 2.11.1. The opaque-response-safelist check #opaque-response-safelisted-mime-type Referenced in: 2.11.1. The opaque-response-safelist check #opaque-response-blocklisted-mime-type Referenced in: 2.11.1. The opaque-response-safelist check (2) #opaque-response-blocklisted-never-sniffed-mime-type Referenced in: 2.11.1. The opaque-response-safelist check #http-origin Referenced in: Goals 2.2.2. Headers 3.1. `Origin` header 3.2.2. HTTP requests (2) 3.2.3. HTTP responses 3.2.6. Examples #append-a-request-origin-header Referenced in: 4.5. HTTP-network-or-cache fetch #cors-protocol Referenced in: 2.2.5. Requests (2) 2.11. Opaque-response blocking 3.1. `Origin` header 3.2. CORS protocol 3.2.1. General (2) 3.2.2. HTTP requests (2) 3.2.3. HTTP responses (2) (3) 3.2.4. HTTP new-header syntax 3.2.5. CORS protocol and credentials 3.2.6. Examples (2) (3) 4.3. HTTP fetch 4.7. CORS-preflight fetch Basic safe CORS protocol setup (2) CORS protocol and HTTP caches #cors-request Referenced in: 2.2.5. Requests 3.2.2. HTTP requests (2) (3) 3.2.3. HTTP responses (2) (3) (4) (5) (6) (7) (8) CORS protocol and HTTP caches (2) (3) (4) (5) (6) (7) #cors-preflight-request Referenced in: 2.2.5. Requests 3.2.1. General 3.2.3. HTTP responses (2) (3) (4) (5) (6) (7) (8) 3.2.5. CORS protocol and credentials (2) 4.7. CORS-preflight fetch #http-access-control-request-method Referenced in: 2.2.2. Headers 4.7. CORS-preflight fetch #http-access-control-request-headers Referenced in: 2.2.2. Headers 4.7. CORS-preflight fetch #http-access-control-allow-origin Referenced in: 3.2.5. CORS protocol and credentials (2) (3) 3.2.6. Examples (2) (3) 4.9. CORS check CORS protocol and HTTP caches (2) (3) (4) (5) (6) (7) (8) #http-access-control-allow-credentials Referenced in: 3.2.5. CORS protocol and credentials (2) (3) 3.2.6. Examples 4.9. CORS check #http-access-control-allow-methods Referenced in: 3.2.3. HTTP responses 3.2.5. CORS protocol and credentials 4.7. CORS-preflight fetch #http-access-control-allow-headers Referenced in: 3.2.3. HTTP responses 3.2.5. CORS protocol and credentials 4.7. CORS-preflight fetch #http-access-control-max-age Referenced in: 4.7. CORS-preflight fetch #http-access-control-expose-headers Referenced in: 2.2.6. Responses 3.2.5. CORS protocol and credentials 3.2.6. Examples (2) (3) 4.1. Main fetch #concept-header-extract-mime-type Referenced in: 2.2.2. Headers (2) 2.10. Should response to request be blocked due to its MIME type? 2.11.1. The opaque-response-safelist check (2) 3.4. `Content-Type` header (2) (3) 3.5.1. Should response to request be blocked due to nosniff? 5.4. Request class 5.5. Response class #http-x-content-type-options Referenced in: 3.5. `X-Content-Type-Options` header (2) #determine-nosniff Referenced in: 2.11.1. The opaque-response-safelist check 3.5.1. Should response to request be blocked due to nosniff? #should-response-to-request-be-blocked-due-to-nosniff? Referenced in: 3.5.1. Should response to request be blocked due to nosniff? 4.1. Main fetch #http-cross-origin-resource-policy Referenced in: 3.6. `Cross-Origin-Resource-Policy` header (2) #cross-origin-resource-policy-check Referenced in: 4.3. HTTP fetch (2) #cross-origin-resource-policy-internal-check Referenced in: 3.6. `Cross-Origin-Resource-Policy` header (2) (3) #queue-a-cross-origin-embedder-policy-corp-violation-report Referenced in: 3.6. `Cross-Origin-Resource-Policy` header (2) #concept-fetch Referenced in: 2. Infrastructure (2) 2.2. HTTP 2.2.2. Headers 2.2.5. Requests (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) 2.2.6. Responses (2) 3.1. `Origin` header (2) 3.2. CORS protocol (2) 3.2.5. CORS protocol and credentials 4. Fetching 4.2. Scheme fetch 4.3. HTTP fetch 5. Fetch API (2) 5.6. Fetch method CORS protocol and HTTP caches WebSockets Using fetch in other standards Invoking fetch (2) #process-request-body Referenced in: Invoking fetch #process-request-end-of-body Referenced in: Invoking fetch #fetch-processearlyhintsresponse Referenced in: Invoking fetch #process-response Referenced in: 2.2.6. Responses 5.6. Fetch method Invoking fetch (2) #fetch-processresponseendofbody Referenced in: Invoking fetch #process-response-end-of-body Referenced in: Invoking fetch #fetch-useparallelqueue Referenced in: Invoking fetch (2) #concept-fetch-suspend Referenced in: 4.6. HTTP-network fetch (2) #concept-fetch-resume Referenced in: 4.6. HTTP-network fetch #concept-main-fetch Referenced in: 4. Fetching 4.4. HTTP-redirect fetch (2) 4.5. HTTP-network-or-cache fetch #fetch-finale Referenced in: 4.1. Main fetch (2) (3) #concept-scheme-fetch Referenced in: 4.1. Main fetch (2) #concept-http-fetch Referenced in: 2.2.5. Requests (2) 3.1. `Origin` header 4.1. Main fetch (2) 4.2. Scheme fetch 4.7. CORS-preflight fetch #concept-http-redirect-fetch Referenced in: 4.3. HTTP fetch (2) #concept-http-network-or-cache-fetch Referenced in: 4.3. HTTP fetch 4.5. HTTP-network-or-cache fetch (2) (3) 4.7. CORS-preflight fetch (2) #concept-http-network-fetch Referenced in: 4.5. HTTP-network-or-cache fetch #cors-preflight-fetch-0 Referenced in: 2.2.5. Requests 4.3. HTTP fetch (2) (3) (4) 4.7. CORS-preflight fetch (2) #concept-cache Referenced in: 4.3. HTTP fetch 4.7. CORS-preflight fetch (2) (3) 4.8. CORS-preflight cache (2) (3) (4) (5) #cache-entry Referenced in: 4.8. CORS-preflight cache (2) (3) (4) (5) (6) (7) (8) #concept-cache-key Referenced in: 4.8. CORS-preflight cache (2) (3) #concept-cache-origin Referenced in: 4.8. CORS-preflight cache (2) (3) #concept-cache-url Referenced in: 4.8. CORS-preflight cache (2) (3) #concept-cache-max-age Referenced in: 4.7. CORS-preflight fetch (2) (3) 4.8. CORS-preflight cache (2) #concept-cache-credentials Referenced in: 4.8. CORS-preflight cache (2) (3) #concept-cache-method Referenced in: 4.8. CORS-preflight cache (2) #concept-cache-header-name Referenced in: 4.8. CORS-preflight cache (2) (3) #concept-cache-create-entry Referenced in: 4.7. CORS-preflight fetch (2) #concept-cache-clear Referenced in: 4.1. Main fetch #concept-cache-match Referenced in: 4.8. CORS-preflight cache (2) #concept-cache-match-method Referenced in: 4.3. HTTP fetch 4.7. CORS-preflight fetch (2) #concept-cache-match-header Referenced in: 4.3. HTTP fetch 4.7. CORS-preflight fetch (2) #concept-cors-check Referenced in: 4.3. HTTP fetch (2) (3) 4.7. CORS-preflight fetch (2) #concept-tao-check Referenced in: 4.3. HTTP fetch (2) 4.10. TAO check (2) #typedefdef-headersinit Referenced in: 5.1. Headers class 5.4. Request class 5.5. Response class #headers Referenced in: 2.2.2. Headers 5.1. Headers class (2) (3) (4) (5) (6) (7) (8) 5.4. Request class (2) (3) (4) (5) (6) (7) 5.5. Response class (2) (3) (4) (5) #concept-headers-header-list Referenced in: 5.1. Headers class (2) (3) (4) (5) (6) (7) (8) (9) 5.4. Request class (2) (3) (4) (5) (6) 5.5. Response class (2) #concept-headers-guard Referenced in: 5.1. Headers class (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) 5.4. Request class (2) (3) (4) 5.5. Response class (2) (3) #headers-guard Referenced in: 5.1. Headers class 5.4. Request class 5.5. Response class #concept-headers-append Referenced in: 5.1. Headers class (2) (3) 5.4. Request class (2) #concept-headers-fill Referenced in: 5.1. Headers class 5.4. Request class 5.5. Response class #concept-headers-remove-privileged-no-cors-request-headers Referenced in: 5.1. Headers class (2) (3) #dom-headers Referenced in: 5.1. Headers class (2) #dom-headers-append Referenced in: 5.1. Headers class (2) #dom-headers-delete Referenced in: 5.1. Headers class (2) #dom-headers-get Referenced in: 5.1. Headers class (2) #dom-headers-has Referenced in: 5.1. Headers class (2) #dom-headers-set Referenced in: 5.1. Headers class (2) #typedefdef-xmlhttprequestbodyinit Referenced in: 5.2. BodyInit unions #bodyinit Referenced in: 5.2. BodyInit unions (2) 5.4. Request class (2) 5.5. Response class #bodyinit-safely-extract Referenced in: 2.2.4. Bodies 2.2.5. Requests 2.11.1. The opaque-response-safelist check 4.2. Scheme fetch 4.4. HTTP-redirect fetch 4.5. HTTP-network-or-cache fetch 5.2. BodyInit unions #concept-bodyinit-extract Referenced in: 5.2. BodyInit unions (2) 5.4. Request class 5.5. Response class (2) #keepalive Referenced in: 5.4. Request class #body Referenced in: 5.3. Body mixin (2) (3) 5.4. Request class 5.5. Response class #concept-body-mime-type Referenced in: 5.3. Body mixin 5.4. Request class 5.5. Response class #concept-body-body Referenced in: 5.3. Body mixin (2) (3) (4) (5) (6) (7) (8) 5.4. Request class 5.5. Response class #body-unusable Referenced in: 5.3. Body mixin 5.4. Request class (2) 5.5. Response class #dom-body-body Referenced in: 5.3. Body mixin (2) #dom-body-bodyused Referenced in: 5.3. Body mixin (2) #concept-body-package-data Referenced in: 5.3. Body mixin #concept-body-consume-body Referenced in: 5.3. Body mixin (2) (3) (4) (5) #dom-body-arraybuffer Referenced in: 5.3. Body mixin (2) #dom-body-blob Referenced in: 5.3. Body mixin (2) #dom-body-formdata Referenced in: 5.3. Body mixin (2) #dom-body-json Referenced in: 5.3. Body mixin (2) #dom-body-text Referenced in: 5.3. Body mixin (2) #requestinfo Referenced in: 5.4. Request class 5.6. Fetch method #request Referenced in: 5.1. Headers class 5.4. Request class (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) 5.6. Fetch method HTTP header layer division #requestinit Referenced in: 5.4. Request class 5.6. Fetch method #dom-requestinit-method Referenced in: 5.4. Request class (2) (3) #dom-requestinit-headers Referenced in: 5.4. Request class (2) (3) #dom-requestinit-body Referenced in: 5.4. Request class (2) (3) (4) (5) #dom-requestinit-referrer Referenced in: 5.4. Request class (2) (3) #dom-requestinit-referrerpolicy Referenced in: 5.4. Request class (2) #dom-requestinit-mode Referenced in: 5.4. Request class (2) #dom-requestinit-credentials Referenced in: 5.4. Request class (2) #dom-requestinit-cache Referenced in: 5.4. Request class (2) #dom-requestinit-redirect Referenced in: 5.4. Request class (2) #dom-requestinit-integrity Referenced in: 5.4. Request class (2) #dom-requestinit-keepalive Referenced in: 5.4. Request class (2) #dom-requestinit-signal Referenced in: 5.4. Request class (2) #dom-requestinit-duplex Referenced in: 5.4. Request class (2) #dom-requestinit-window Referenced in: 5.4. Request class (2) (3) #requestdestination Referenced in: 2.2.5. Requests 5.4. Request class (2) #requestmode Referenced in: 5.4. Request class (2) (3) #requestcredentials Referenced in: 5.4. Request class (2) #requestcache Referenced in: 5.4. Request class (2) #requestredirect Referenced in: 5.4. Request class (2) #enumdef-requestduplex Referenced in: 5.4. Request class (2) #concept-request-request Referenced in: 5.4. Request class (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) (17) (18) (19) (20) (21) (22) (23) (24) (25) (26) (27) 5.6. Fetch method #request-headers Referenced in: 5.4. Request class (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) #request-signal Referenced in: 5.4. Request class (2) (3) (4) (5) (6) (7) 5.6. Fetch method (2) (3) (4) (5) #request-create Referenced in: 5.4. Request class #dom-request Referenced in: 5.4. Request class (2) #dom-request-method Referenced in: 5.4. Request class (2) (3) #dom-request-url Referenced in: 5.4. Request class (2) (3) (4) #dom-request-headers Referenced in: 5.4. Request class (2) (3) #dom-request-destination Referenced in: 5.4. Request class (2) #dom-request-referrer Referenced in: 5.4. Request class (2) #dom-request-referrerpolicy Referenced in: 5.4. Request class (2) (3) #dom-request-mode Referenced in: 5.4. Request class (2) (3) #dom-request-credentials Referenced in: 5.4. Request class (2) (3) #dom-request-cache Referenced in: 5.4. Request class (2) (3) #dom-request-redirect Referenced in: 5.4. Request class (2) (3) #dom-request-integrity Referenced in: 5.4. Request class (2) (3) #dom-request-keepalive Referenced in: 5.4. Request class (2) (3) #dom-request-isreloadnavigation Referenced in: 5.4. Request class (2) #dom-request-ishistorynavigation Referenced in: 5.4. Request class (2) #dom-request-signal Referenced in: 5.4. Request class (2) (3) #dom-request-duplex Referenced in: 5.4. Request class (2) #dom-request-clone Referenced in: 5.4. Request class (2) #response Referenced in: 2.2.6. Responses 5.5. Response class (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) (17) (18) (19) (20) (21) (22) (23) 5.6. Fetch method (2) #responseinit Referenced in: 5.5. Response class (2) (3) #dom-responseinit-status Referenced in: 5.5. Response class (2) #dom-responseinit-statustext Referenced in: 5.5. Response class (2) #dom-responseinit-headers Referenced in: 5.5. Response class (2) #responsetype Referenced in: 5.5. Response class #concept-response-response Referenced in: 5.5. Response class (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) (17) 5.6. Fetch method #response-headers Referenced in: 5.5. Response class (2) (3) (4) (5) #response-create Referenced in: 5.5. Response class (2) (3) (4) 5.6. Fetch method #initialize-a-response Referenced in: 5.5. Response class (2) #dom-response Referenced in: 5.5. Response class (2) #dom-response-error Referenced in: 5.5. Response class (2) #dom-response-redirect Referenced in: 5.5. Response class (2) #dom-response-json Referenced in: 5.5. Response class (2) #dom-response-type Referenced in: 2.2.6. Responses 5.5. Response class (2) #dom-response-url Referenced in: 5.5. Response class (2) #dom-response-redirected Referenced in: 5.5. Response class (2) #dom-response-status Referenced in: 5.5. Response class (2) #dom-response-ok Referenced in: 2.2.6. Responses 5.5. Response class (2) #dom-response-statustext Referenced in: 5.5. Response class (2) #dom-response-headers Referenced in: 5.5. Response class (2) #dom-response-clone Referenced in: 5.5. Response class (2) #dom-global-fetch Referenced in: 1. Preface 2.2.5. Requests (2) 4.5. HTTP-network-or-cache fetch 5. Fetch API (2) 5.6. Fetch method 5.7. Garbage collection #abort-fetch Referenced in: 5.6. Fetch method (2) (3) #data-url-struct Referenced in: 6. data: URLs #data-url-struct-mime-type Referenced in: 4.2. Scheme fetch 6. data: URLs #data-url-struct-body Referenced in: 4.2. Scheme fetch 6. data: URLs #data-url-processor Referenced in: 4.2. Scheme fetch #http-header-layer-division Referenced in: 4.5. HTTP-network-or-cache fetch HTTP header layer division #atomic-http-redirect-handling Referenced in: 2.2.5. Requests 2.2.6. Responses Atomic HTTP redirect handling</div> </div> <div class="detail-actions"> <a href="/search?q=whatpr.org" class="btn">Same domain →</a> <a href="/search?q=Fetch%20Standard%20Pull%20Request%20%231" class="btn btn-secondary">Similar titles →</a> </div> </article> </main> <footer class="site-footer"> <div class="container"> C U Cyber History — Public Interest Web Archive Preserving fading web memories. Discover history that once existed. </div> </footer> <script id="chat-i18n-en" type="application/json">{"button_label":"Need Help?","placeholder":"Ask us anything...","title":"CUCH Assistant","subtitle":"How can we help you?","send":"Send","close":"Close","folder":"/var/www/cu","greeting":"Hi! Welcome to CUCH.org. How can I help you today? Feel free to ask about our archive, search, or anything else!","error":"Sorry, our service is temporarily unavailable. Please try again later.","banner_text":"Need help? Ask our AI assistant!"}</script> <script src="/static/js/chat-widget.js"></script> </body> </html>