Fetch

To report timing for a fetch controller controller given a global object global:

1. Assert: controller’s report timing steps is non-null.

2. Call controller’s report timing steps with global.

To process the next manual redirect for a fetch controller controller:

1. Assert: controller’s next manual redirect steps is non-null.

2. Call controller’s next manual redirect steps.

To extract full timing info given a fetch controller controller:

1. Assert: controller’s full timing info is non-null.

2. Return controller’s full timing info.

To abort a fetch controller controller with an optional error:

1. Set controller’s state to "aborted".

2. Let fallbackError be an "AbortError" DOMException.

3. Set error to fallbackError if it is not given.

4. Let serializedError be StructuredSerialize(error). If that threw an exception, catch it, and let serializedError be StructuredSerialize(fallbackError).

5. Set controller’s serialized abort reason to serializedError.

To deserialize a serialized abort reason, given null or a Record abortReason and a realm realm:

1. Let fallbackError be an "AbortError" DOMException.

2. Let deserializedError be fallbackError.

3. If abortReason is non-null, then set deserializedError to StructuredDeserialize(abortReason, realm). If that threw an exception or returned undefined, then set deserializedError to fallbackError.

4. Return deserializedError.

To terminate a fetch controller controller, set controller’s state to "terminated".

To create an opaque timing info, given a fetch timing info timingInfo, return a new fetch timing info whose start time and post-redirect start time are timingInfo’s start time.

To queue a fetch task, given an algorithm algorithm, a global object or a parallel queue taskDestination, run these steps:

1. If taskDestination is a parallel queue, then enqueue algorithm to taskDestination.

2. Otherwise, queue a global task on the networking task source with taskDestination and algorithm.

To check if the environment settings object environment is offline:

• If the user agent assumes it does not have internet connectivity, then return true.

• Return environment’s WebDriver BiDi network is offline.

To collect an HTTP quoted string from a string input, given a position variable position and an optional boolean extract-value (default false):

1. Let positionStart be position.

2. Let value be the empty string.

3. Assert: the code point at position within input is U+0022 (").

4. Advance position by 1.

5. While true:

   1. Append the result of collecting a sequence of code points that are not U+0022 (") or U+005C (\) from input, given position, to value.

   2. If position is past the end of input, then break.

   3. Let quoteOrBackslash be the code point at position within input.

   4. Advance position by 1.

   5. If quoteOrBackslash is U+005C (\), then:

      1. If position is past the end of input, then append U+005C (\) to value and break.

      2. Append the code point at position within input to value.

      3. Advance position by 1.

   6. Otherwise:

      1. Assert: quoteOrBackslash is U+0022 (").

      2. Break.

6. If extract-value is true, then return value.

7. Return the code points from positionStart to position, inclusive, within input.

To get a structured field value given a header name name and a string type from a header list list, run these steps. They return null or a structured field value.

1. Assert: type is one of "dictionary", "list", or "item".

2. Let value be the result of getting name from list.

3. If value is null, then return null.

4. Let result be the result of parsing structured fields with input_string set to value and header_type set to type.

5. If parsing failed, then return null.

6. Return result.

Get a structured field value intentionally does not distinguish between a header not being present and its value failing to parse as a structured field value. This ensures uniform processing across the web platform.

To set a structured field value given a tuple (header name name, structured field value structuredValue), in a header list list:

1. Let serializedValue be the result of executing the serializing structured fields algorithm on structuredValue.

2. Set (name, serializedValue) in list.

Structured field values are defined as objects which HTTP can (eventually) serialize in interesting and efficient ways. For the moment, Fetch only supports header values as byte sequences, which means that these objects can be set in header lists only via serialization, and they can be obtained from header lists only by parsing. In the future the fact that they are objects might be preserved end-to-end. [RFC9651]

A header list list contains a header name name if list contains a header whose name is a byte-case-insensitive match for name.

To get a header name name from a header list list, run these steps. They return null or a header value.

1. If list does not contain name, then return null.

2. Return the values of all headers in list whose name is a byte-case-insensitive match for name, separated from each other by 0x2C 0x20, in order.

To get, decode, and split a header name name from header list list, run these steps. They return null or a list of strings.

1. Let value be the result of getting name from list.

2. If value is null, then return null.

3. Return the result of getting, decoding, and splitting value.

To get, decode, and split a header value value, run these steps. They return a list of strings.

1. Let input be the result of isomorphic decoding value.

2. Let position be a position variable for input, initially pointing at the start of input.

3. Let values be a list of strings, initially « ».

4. Let temporaryValue be the empty string.

5. While true:

   1. Append the result of collecting a sequence of code points that are not U+0022 (") or U+002C (,) from input, given position, to temporaryValue.

      The result might be the empty string.

   2. If position is not past the end of input and the code point at position within input is U+0022 ("):

      1. Append the result of collecting an HTTP quoted string from input, given position, to temporaryValue.

      2. If position is not past the end of input, then continue.

   3. Remove all HTTP tab or space from the start and end of temporaryValue.

   4. Append temporaryValue to values.

   5. Set temporaryValue to the empty string.

   6. If position is past the end of input, then return values.

   7. Assert: the code point at position within input is U+002C (,).

   8. Advance position by 1.

Except for blessed call sites, the algorithm directly above is not to be invoked directly. Use get, decode, and split instead.

To append a header (name, value) to a header list list:

1. If list contains name, then set name to the first such header’s name.

   This reuses the casing of the name of the header already in list, if any. If there are multiple matched headers their names will all be identical.

2. Append (name, value) to list.

To delete a header name name from a header list list, remove all headers whose name is a byte-case-insensitive match for name from list.

To set a header (name, value) in a header list list:

1. If list contains name, then set the value of the first such header to value and remove the others.

2. Otherwise, append (name, value) to list.

To combine a header (name, value) in a header list list:

1. If list contains name, then set the value of the first such header to its value, followed by 0x2C 0x20, followed by value.

2. Otherwise, append (name, value) to list.

Combine is used by XMLHttpRequest and the WebSocket protocol handshake.

To convert header names to a sorted-lowercase set, given a list of names headerNames, run these steps. They return an ordered set of header names.

1. Let headerNamesSet be a new ordered set.

2. For each name of headerNames, append the result of byte-lowercasing name to headerNamesSet.

3. Return the result of sorting headerNamesSet in ascending order with byte less than.

To sort and combine a header list list, run these steps. They return a header list.

1. Let headers be a header list.

2. Let names be the result of convert header names to a sorted-lowercase set with all the names of the headers in list.

3. For each name of names:

   1. If name is `set-cookie`, then:

      1. Let values be a list of all values of headers in list whose name is a byte-case-insensitive match for name, in order.

      2. For each value of values:

         1. Append (name, value) to headers.

   2. Otherwise:

      1. Let value be the result of getting name from list.

      2. Assert: value is non-null.

      3. Append (name, value) to headers.

4. Return headers.

To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.

To determine whether a header (name, value) is a CORS-safelisted request-header, run these steps:

1. If value’s length is greater than 128, then return false.

2. Byte-lowercase name and switch on the result:

   `accept`

   If value contains a CORS-unsafe request-header byte, then return false.

   `accept-language`

   `content-language`

   If value contains a byte that is not in the range 0x30 (0) to 0x39 (9), inclusive, is not in the range 0x41 (A) to 0x5A (Z), inclusive, is not in the range 0x61 (a) to 0x7A (z), inclusive, and is not 0x20 (SP), 0x2A (*), 0x2C (,), 0x2D (-), 0x2E (.), 0x3B (;), or 0x3D (=), then return false.

   `content-type`

   1. If value contains a CORS-unsafe request-header byte, then return false.

   2. Let mimeType be the result of parsing the result of isomorphic decoding value.

   3. If mimeType is failure, then return false.

   4. If mimeType’s essence is not "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", then return false.

   This intentionally does not use extract a MIME type as that algorithm is rather forgiving and servers are not expected to implement it.

   If extract a MIME type were used the following request would not result in a CORS preflight and a naïve parser on the server might treat the request body as JSON:

   fetch("https://victim.example/naïve-endpoint", {
     method: "POST",
     headers: [
       ["Content-Type", "application/json"],
       ["Content-Type", "text/plain"]
     ],
     credentials: "include",
     body: JSON.stringify(exerciseForTheReader)
   });
   

   `range`

   1. Let rangeValue be the result of parsing a single range header value given value and false.

   2. If rangeValue is failure, then return false.

   3. If rangeValue[0] is null, then return false.

      As web browsers have historically not emitted ranges such as `bytes=-500` this algorithm does not safelist them.

   Otherwise

   Return false.

3. Return true.

There are limited exceptions to the `Content-Type` header safelist, as documented in CORS protocol exceptions.

A CORS-unsafe request-header byte is a byte byte for which one of the following is true:

• byte is less than 0x20 and is not 0x09 HT

• byte is 0x22 ("), 0x28 (left parenthesis), 0x29 (right parenthesis), 0x3A (:), 0x3C (<), 0x3E (>), 0x3F (?), 0x40 (@), 0x5B ([), 0x5C (\), 0x5D (]), 0x7B ({), 0x7D (}), or 0x7F DEL.

The CORS-unsafe request-header names, given a header list headers, are determined as follows:

1. Let unsafeNames be a new list.

2. Let potentiallyUnsafeNames be a new list.

3. Let safelistValueSize be 0.

4. For each header of headers:

   1. If header is not a CORS-safelisted request-header, then append header’s name to unsafeNames.

   2. Otherwise, append header’s name to potentiallyUnsafeNames and increase safelistValueSize by header’s value’s length.

5. If safelistValueSize is greater than 1024, then for each name of potentiallyUnsafeNames, append name to unsafeNames.

6. Return the result of convert header names to a sorted-lowercase set with unsafeNames.

To determine whether a header (name, value) is a no-CORS-safelisted request-header, run these steps:

1. If name is not a no-CORS-safelisted request-header name, then return false.

2. Return whether (name, value) is a CORS-safelisted request-header.

A header (name, value) is forbidden request-header if these steps return true:

1. If name is a byte-case-insensitive match for one of:

   • `Accept-Charset`
   • `Accept-Encoding`
   • `Access-Control-Request-Headers`
   • `Access-Control-Request-Method`
   • `Connection`
   • `Content-Length`
   • `Cookie`
   • `Cookie2`
   • `Date`
   • `DNT`
   • `Expect`
   • `Host`
   • `Keep-Alive`
   • `Origin`
   • `Referer`
   • `Set-Cookie`
   • `TE`
   • `Trailer`
   • `Transfer-Encoding`
   • `Upgrade`
   • `Via`

   then return true.

2. If name when byte-lowercased starts with `proxy-` or `sec-`, then return true.

3. If name is a byte-case-insensitive match for one of:

   • `X-HTTP-Method`
   • `X-HTTP-Method-Override`
   • `X-Method-Override`

   then:

   1. Let parsedValues be the result of getting, decoding, and splitting value.

   2. For each method of parsedValues: if the isomorphic encoding of method is a forbidden method, then return true.

4. Return false.

To extract header values given a header header, run these steps:

1. If parsing header’s value, per the ABNF for header’s name, fails, then return failure.

2. Return one or more values resulting from parsing header’s value, per the ABNF for header’s name.

To extract header list values given a header name name and a header list list, run these steps:

1. If list does not contain name, then return null.

2. If the ABNF for name allows a single header and list contains more than one, then return failure.

   If different error handling is needed, extract the desired header first.

3. Let values be an empty list.

4. For each header header list contains whose name is name:

   1. Let extract be the result of extracting header values from header.

   2. If extract is failure, then return failure.

   3. Append each value in extract, in order, to values.

5. Return values.

To build a content range given an integer rangeStart, an integer rangeEnd, and an integer fullLength, run these steps:

1. Let contentRange be `bytes `.

2. Append rangeStart, serialized and isomorphic encoded, to contentRange.

3. Append 0x2D (-) to contentRange.

4. Append rangeEnd, serialized and isomorphic encoded to contentRange.

5. Append 0x2F (/) to contentRange.

6. Append fullLength, serialized and isomorphic encoded to contentRange.

7. Return contentRange.

To parse a single range header value from a byte sequence value and a boolean allowWhitespace, run these steps:

1. Let data be the isomorphic decoding of value.

2. If data does not start with "bytes", then return failure.

3. Let position be a position variable for data, initially pointing at the 5th code point of data.

4. If allowWhitespace is true, collect a sequence of code points that are HTTP tab or space, from data given position.

5. If the code point at position within data is not U+003D (=), then return failure.

6. Advance position by 1.

7. If allowWhitespace is true, collect a sequence of code points that are HTTP tab or space, from data given position.

8. Let rangeStart be the result of collecting a sequence of code points that are ASCII digits, from data given position.

9. Let rangeStartValue be rangeStart, interpreted as decimal number, if rangeStart is not the empty string; otherwise null.

10. If allowWhitespace is true, collect a sequence of code points that are HTTP tab or space, from data given position.

11. If the code point at position within data is not U+002D (-), then return failure.

12. Advance position by 1.

13. If allowWhitespace is true, collect a sequence of code points that are HTTP tab or space, from data given position.

14. Let rangeEnd be the result of collecting a sequence of code points that are ASCII digits, from data given position.

15. Let rangeEndValue be rangeEnd, interpreted as decimal number, if rangeEnd is not the empty string; otherwise null.

16. If position is not past the end of data, then return failure.

17. If rangeEndValue and rangeStartValue are null, then return failure.

18. If rangeStartValue and rangeEndValue are numbers, and rangeStartValue is greater than rangeEndValue, then return failure.

19. Return (rangeStartValue, rangeEndValue).

    The range end or start can be omitted, e.g., `bytes=0-` or `bytes=-500` are valid ranges.

Parse a single range header value succeeds for a subset of allowed range header values, but it is the most common form used by user agents when requesting media or resuming downloads. This format of range header value can be set using add a range header.

To get the environment settings object environment’s environment default `User-Agent` value:

1. Let userAgent be the WebDriver BiDi emulated User-Agent for environment.

2. If userAgent is non-null, then return userAgent, isomorphic encoded.

3. Return the default `User-Agent` value.

To clone a body body, run these steps:

1. Let « out1, out2 » be the result of teeing body’s stream.

2. Set body’s stream to out1.

3. Return a body whose stream is out2 and other members are copied from body.

To get a byte sequence bytes as a body, return the body of the result of safely extracting bytes.

To incrementally read a body body, given an algorithm processBodyChunk, an algorithm processEndOfBody, an algorithm processBodyError, and an optional null, parallel queue, or global object taskDestination (default null), run these steps. processBodyChunk must be an algorithm accepting a byte sequence. processEndOfBody must be an algorithm accepting no arguments. processBodyError must be an algorithm accepting an exception.

1. If taskDestination is null, then set taskDestination to the result of starting a new parallel queue.

2. Let reader be the result of getting a reader for body’s stream.

   This operation will not throw an exception.

3. Perform the incrementally-read loop given reader, taskDestination, processBodyChunk, processEndOfBody, and processBodyError.

To perform the incrementally-read loop, given a ReadableStreamDefaultReader object reader, parallel queue or global object taskDestination, algorithm processBodyChunk, algorithm processEndOfBody, and algorithm processBodyError:

1. Let readRequest be the following read request:

   chunk steps, given chunk

   1. Let continueAlgorithm be null.

   2. If chunk is not a Uint8Array object, then set continueAlgorithm to this step: run processBodyError given a TypeError.

   3. Otherwise:

      1. Let bytes be a copy of chunk.

         Implementations are strongly encouraged to use an implementation strategy that avoids this copy where possible.

      2. Set continueAlgorithm to these steps:

         1. Run processBodyChunk given bytes.

         2. Perform the incrementally-read loop given reader, taskDestination, processBodyChunk, processEndOfBody, and processBodyError.

   4. Queue a fetch task given continueAlgorithm and taskDestination.

   close steps

   1. Queue a fetch task given processEndOfBody and taskDestination.

   error steps, given e

   1. Queue a fetch task to run processBodyError given e, with taskDestination.

2. Read a chunk from reader given readRequest.

To fully read a body body, given an algorithm processBody, an algorithm processBodyError, and an optional null, parallel queue, or global object taskDestination (default null), run these steps. processBody must be an algorithm accepting a byte sequence. processBodyError must be an algorithm optionally accepting an exception.

1. If taskDestination is null, then set taskDestination to the result of starting a new parallel queue.

2. Let successSteps given a byte sequence bytes be to queue a fetch task to run processBody given bytes, with taskDestination.

3. Let errorSteps optionally given an exception exception be to queue a fetch task to run processBodyError given exception, with taskDestination.

4. Let reader be the result of getting a reader for body’s stream. If that threw an exception, then run errorSteps with that exception and return.

5. Read all bytes from reader, given successSteps and errorSteps.

To handle content codings given codings and bytes, run these steps:

1. If codings are not supported, then return bytes.

2. Return the result of decoding bytes with codings as explained in HTTP, if decoding does not result in an error, and failure otherwise. [HTTP]

To compute the redirect-taint of a request request, perform the following steps. They return "same-origin", "same-site", or "cross-site".

1. Assert: request’s origin is not "client".

2. Let lastURL be null.

3. Let taint be "same-origin".

4. For each url of request’s URL list:

   1. If lastURL is null, then set lastURL to url and continue.

   2. If url’s origin is not same site with lastURL’s origin and request’s origin is not same site with lastURL’s origin, then return "cross-site".

   3. If url’s origin is not same origin with lastURL’s origin and request’s origin is not same origin with lastURL’s origin, then set taint to "same-site".

   4. Set lastURL to url.

5. Return taint.

Serializing a request origin, given a request request, is to run these steps:

1. Assert: request’s origin is not "client".

2. If request’s redirect-taint is not "same-origin", then return "null".

3. Return request’s origin, serialized.

Byte-serializing a request origin, given a request request, is to return the result of serializing a request origin with request, isomorphic encoded.

To clone a request request, run these steps:

1. Let newRequest be a copy of request, except for its body.

2. If request’s body is non-null, set newRequest’s body to the result of cloning request’s body.

3. Return newRequest.

To add a range header to a request request, with an integer first, and an optional integer last, run these steps:

1. Assert: last is not given, or first is less than or equal to last.

2. Let rangeValue be `bytes=`.

3. Serialize and isomorphic encode first, and append the result to rangeValue.

4. Append 0x2D (-) to rangeValue.

5. If last is given, then serialize and isomorphic encode it, and append the result to rangeValue.

6. Append (`Range`, rangeValue) to request’s header list.

A range header denotes an inclusive byte range. There a range header where first is 0 and last is 500, is a range of 501 bytes.

Features that combine multiple responses into one logical resource are historically a source of security bugs. Please seek security review for features that deal with partial responses.

To serialize a response URL for reporting, given a response response, run these steps:

1. Assert: response’s URL list is not empty.

2. Let url be a copy of response’s URL list[0].

   This is not response’s URL in order to avoid leaking information about redirect targets (see similar considerations for CSP reporting too). [CSP]

3. Set the username given url and the empty string.

4. Set the password given url and the empty string.

5. Return the serialization of url with exclude fragment set to true.

To check if Cross-Origin-Embedder-Policy allows credentials, given a request request, run these steps:

1. Assert: request’s origin is not "client".

2. If request’s mode is not "no-cors", then return true.

3. If request’s client is null, then return true.

4. If request’s client’s policy container’s embedder policy’s value is not "credentialless", then return true.

5. If request’s origin is same origin with request’s current URL’s origin and request’s redirect-taint is not "same-origin", then return true.

6. Return false.

To create the appropriate network error given fetch params fetchParams:

1. Assert: fetchParams is canceled.

2. Return an aborted network error if fetchParams is aborted; otherwise return a network error.

To clone a response response, run these steps:

1. If response is a filtered response, then return a new identical filtered response whose internal response is a clone of response’s internal response.

2. Let newResponse be a copy of response, except for its body.

3. If response’s body is non-null, then set newResponse’s body to the result of cloning response’s body.

4. Return newResponse.

The location URL of a response response, given null or an ASCII string requestFragment, is the value returned by the following steps. They return null, failure, or a URL.

1. If response’s status is not a redirect status, then return null.

2. Let location be the result of extracting header list values given `Location` and response’s header list.

3. If location is a header value, then set location to the result of parsing location with response’s URL.

   If response was constructed through the Response constructor, response’s URL will be null, meaning that location will only parse successfully if it is an absolute-URL-with-fragment string.

4. If location is a URL whose fragment is null, then set location’s fragment to requestFragment.

   This ensures that synthetic (indeed, all) responses follow the processing model for redirects defined by HTTP. [HTTP]

5. Return location.

The location URL algorithm is exclusively used for redirect handling in this standard and in HTML’s navigate algorithm which handles redirects manually. [HTML]

To translate a potential destination potentialDestination, run these steps:

1. If potentialDestination is "fetch", then return the empty string.

2. Assert: potentialDestination is a destination.

3. Return potentialDestination.

To resolve an origin, given a network partition key key and an origin origin:

1. If origin’s host is an IP address, then return « origin’s host ».

2. If origin’s host’s public suffix is "localhost" or "localhost.", then return « ::1, 127.0.0.1 ».

3. Perform an implementation-defined operation to turn origin into a set of one or more IP addresses.

   It is also implementation-defined whether other operations might be performed to get connection information beyond just IP addresses. For example, if origin’s scheme is an HTTP(S) scheme, the implementation might perform a DNS query for HTTPS RRs. [SVCB]

   If this operation succeeds, return the set of IP addresses and any additional implementation-defined information.

4. Return failure.

The results of resolve an origin may be cached. If they are cached, key should be used as part of the cache key.

To clamp and coarsen connection timing info, given a connection timing info timingInfo, a DOMHighResTimeStamp defaultStartTime, and a boolean crossOriginIsolatedCapability, run these steps:

1. If timingInfo’s connection start time is less than defaultStartTime, then return a new connection timing info whose domain lookup start time is defaultStartTime, domain lookup end time is defaultStartTime, connection start time is defaultStartTime, connection end time is defaultStartTime, secure connection start time is defaultStartTime, and ALPN negotiated protocol is timingInfo’s ALPN negotiated protocol.

2. Return a new connection timing info whose domain lookup start time is the result of coarsen time given timingInfo’s domain lookup start time and crossOriginIsolatedCapability, domain lookup end time is the result of coarsen time given timingInfo’s domain lookup end time and crossOriginIsolatedCapability, connection start time is the result of coarsen time given timingInfo’s connection start time and crossOriginIsolatedCapability, connection end time is the result of coarsen time given timingInfo’s connection end time and crossOriginIsolatedCapability, secure connection start time is the result of coarsen time given timingInfo’s connection end time and crossOriginIsolatedCapability, and ALPN negotiated protocol is timingInfo’s ALPN negotiated protocol.

To obtain a connection, given a network partition key key, URL url, boolean credentials, an optional new connection setting new (default "no"), and an optional boolean requireUnreliable (default false), run these steps:

1. If new is "no", then:

   1. Let connections be a set of connections in the user agent’s connection pool whose key is key, origin is url’s origin, and credentials is credentials.

   2. If connections is not empty and requireUnreliable is false, then return one of connections.

   3. If there is a connection capable of supporting unreliable transport in connections, e.g., HTTP/3, then return that connection.

2. Let proxies be the result of finding proxies for url in an implementation-defined manner. If there are no proxies, let proxies be « "DIRECT" ».

   This is where non-standard technology such as Web Proxy Auto-Discovery Protocol (WPAD) and proxy auto-config (PAC) come into play. The "DIRECT" value means to not use a proxy for this particular url.

3. Let timingInfo be a new connection timing info.

4. For each proxy of proxies:

   1. Set timingInfo’s domain lookup start time to the unsafe shared current time.

   2. Let hosts be « url’s origin’s host ».

   3. If proxy is "DIRECT", then set hosts to the result of running resolve an origin given key and url’s origin.

   4. If hosts is failure, then continue.

   5. Set timingInfo’s domain lookup end time to the unsafe shared current time.

   6. Let connection be the result of running this step: run create a connection given key, url’s origin, credentials, proxy, an implementation-defined host from hosts, timingInfo, and requireUnreliable an implementation-defined number of times, in parallel from each other, and wait for at least 1 to return a value. In an implementation-defined manner, select a value to return from the returned values and return it. Any other returned values that are connections may be closed.

      Essentially this allows an implementation to pick one or more IP addresses from the return value of resolve an origin (assuming proxy is "DIRECT") and race them against each other, favor IPv6 addresses, retry in case of a timeout, etc.

   7. If connection is failure, then continue.

   8. If new is not "yes-and-dedicated", then append connection to the user agent’s connection pool.

   9. Return connection.

5. Return failure.

This is intentionally a little vague as there are a lot of nuances to connection management that are best left to the discretion of implementers. Describing this helps explain the <link rel=preconnect> feature and clearly stipulates that connections are keyed on credentials. The latter clarifies that, e.g., TLS session identifiers are not reused across connections whose credentials are false with connections whose credentials are true.

To create a connection, given a network partition key key, origin origin, boolean credentials, string proxy, host host, connection timing info timingInfo, and boolean requireUnreliable, run these steps:

1. Set timingInfo’s connection start time to the unsafe shared current time.

2. Let connection be a new connection whose key is key, origin is origin, credentials is credentials, and timing info is timingInfo. Record connection timing info given connection and use connection to establish an HTTP connection to host, taking proxy and origin into account, with the following caveats: [HTTP] [HTTP1] [TLS]

   • If requireUnreliable is true, then establish a connection capable of unreliable transport, e.g., an HTTP/3 connection. [HTTP3]

   • When establishing a connection capable of unreliable transport, enable options that are necessary for WebTransport. For HTTP/3, this means including SETTINGS_ENABLE_WEBTRANSPORT with a value of 1 and H3_DATAGRAM with a value of 1 in the initial SETTINGS frame. [WEBTRANSPORT-HTTP3] [HTTP3-DATAGRAM]

   • If credentials is false, then do not send a TLS client certificate.

   • If establishing a connection does not succeed (e.g., a UDP, TCP, or TLS error), then return failure.

3. Set timingInfo’s ALPN negotiated protocol to connection’s ALPN Protocol ID, with the following caveats: [RFC7301]

   • When a proxy is configured, if a tunnel connection is established then this must be the ALPN Protocol ID of the tunneled protocol, otherwise it must be the ALPN Protocol ID of the first hop to the proxy.

   • In case the user agent is using an experimental, non-registered protocol, the user agent must use the used ALPN Protocol ID, if any. If ALPN was not used for protocol negotiations, the user agent may use another descriptive string.

     timingInfo’s ALPN negotiated protocol is intended to identify the network protocol in use regardless of how it was actually negotiated; that is, even if ALPN is not used to negotiate the network protocol, this is the ALPN Protocol IDs that indicates the protocol in use.

   IANA maintains a list of ALPN Protocol IDs.

4. Return connection.

To record connection timing info given a connection connection, let timingInfo be connection’s timing info and observe these requirements:

• timingInfo’s connection end time should be the unsafe shared current time immediately after establishing the connection to the server or proxy, as follows:

  • The returned time must include the time interval to establish the transport connection, as well as other time intervals such as SOCKS authentication. It must include the time interval to complete enough of the TLS handshake to request the resource.

  • If the user agent used TLS False Start for this connection, this interval must not include the time needed to receive the server’s Finished message. [RFC7918]

  • If the user agent sends the request with early data without waiting for the full handshake to complete, this interval must not include the time needed to receive the server’s ServerHello message. [RFC8470]

  • If the user agent waits for full handshake completion to send the request, this interval includes the full TLS handshake even if other requests were sent using early data on connection.

  Suppose the user agent establishes an HTTP/2 connection over TLS 1.3 to send a GET request and a POST request. It sends the ClientHello at time t1 and then sends the GET request with early data. The POST request is not safe ([HTTP], section 9.2.1), so the user agent waits to complete the handshake at time t2 before sending it. Although both requests used the same connection, the GET request reports a connection end time of t1, while the POST request reports t2.

• If a secure transport is used, timingInfo’s secure connection start time should be the result of calling unsafe shared current time immediately before starting the handshake process to secure connection. [TLS]

• If connection is an HTTP/3 connection, timingInfo’s connection start time and timingInfo’s secure connection start time must be equal. (In HTTP/3 the secure transport handshake process is performed as part of the initial connection setup.) [HTTP3]

The clamp and coarsen connection timing info algorithm ensures that details of reused connections are not exposed and time values are coarsened.

To determine the network partition key, given an environment environment:

1. Let topLevelOrigin be environment’s top-level origin.

2. If topLevelOrigin is null, then set topLevelOrigin to environment’s top-level creation URL’s origin.

3. Assert: topLevelOrigin is an origin.

4. Let topLevelSite be the result of obtaining a site, given topLevelOrigin.

5. Let secondKey be null or an implementation-defined value.

   The second key is intentionally a little vague as the finer points are still evolving. See issue #1035.

6. Return (topLevelSite, secondKey).

To determine the network partition key, given a request request:

1. If request’s reserved client is non-null, then return the result of determining the network partition key given request’s reserved client.

2. If request’s client is non-null, then return the result of determining the network partition key given request’s client.

3. Return null.

To determine the HTTP cache partition, given a request request:

1. Let key be the result of determining the network partition key given request.

2. If key is null, then return null.

3. Return the unique HTTP cache associated with key. [HTTP-CACHING]

To determine whether fetching a request request should be blocked due to a bad port:

1. Let url be request’s current URL.

2. If url’s scheme is an HTTP(S) scheme and url’s port is a bad port, then return blocked.

3. Return allowed.

2.10. Should response to request be blocked due to its MIME type?

Run these steps:

1. Let mimeType be the result of extracting a MIME type from response’s header list.

2. If mimeType is failure, then return allowed.

3. Let destination be request’s destination.

4. If destination is script-like and one of the following is true, then return blocked:

   • mimeType’s essence starts with "audio/", "image/", or "video/".
   • mimeType’s essence is "text/csv".

5. Return allowed.

To append a request `Cookie` header, given a request request:

1. If the user agent is configured to disable cookies for request, then it should return.

2. Let sameSite be the result of determining the same-site mode for request.

3. Let isSecure be true if request’s current URL’s scheme is "https"; otherwise false.

4. Let httpOnlyAllowed be true.

   True follows from this being invoked from fetch, as opposed to the document.cookie getter steps for instance.

5. Let cookies be the result of running retrieve cookies given isSecure, request’s current URL’s host, request’s current URL’s path, httpOnlyAllowed, and sameSite.

   The cookie store returns an ordered list of cookies

6. If cookies is empty, then return.

7. Let value be the result of running serialize cookies given cookies.

8. Append (`Cookie`, value) to request’s header list.

To parse and store response `Set-Cookie` headers, given a request request and a response response:

1. If the user agent is configured to disable cookies for request, then it should return.

2. Let allowNonHostOnlyCookieForPublicSuffix be false.

3. Let isSecure be true if request’s current URL’s scheme is "https"; otherwise false.

4. Let httpOnlyAllowed be true.

   True follows from this being invoked from fetch, as opposed to the document.cookie getter steps for instance.

5. Let sameSiteStrictOrLaxAllowed be true if the result of determine the same-site mode for request is "strict-or-less"; otherwise false.

6. For each header of response’s header list:

   1. If header’s name is not a byte-case-insensitive match for `Set-Cookie`, then continue.

   2. Parse and store a cookie given header’s value, isSecure, request’s current URL’s host, request’s current URL’s path, httpOnlyAllowed, allowNonHostOnlyCookieForPublicSuffix, and sameSiteStrictOrLaxAllowed.

   3. Garbage collect cookies given request’s current URL’s host.

   As noted elsewhere the `Set-Cookie` header cannot be combined and therefore each occurrence is processed independently. This is not allowed for any other header.

To determine the same-site mode for a given request request:

1. Assert: request’s method is "GET" or "POST".

2. If request’s top-level navigation initiator origin is not null and is not same site with request’s URL’s origin, then return "unset-or-less".

3. If request’s method is "GET" and request’s destination is "document", then return "lax-or-less".

4. If request’s client’s has cross-site ancestor is true, then return "unset-or-less".

5. If request’s redirect-taint is "cross-site", then return "unset-or-less".

6. Return "strict-or-less".

To obtain a serialized cookie default path given a URL url:

1. Let cloneURL be a clone of url.

2. Set cloneURL’s path to the cookie default path of cloneURL’s path.

3. Return the URL path serialization of cloneURL.

To append a request `Origin` header, given a request request, run these steps:

1. Assert: request’s origin is not "client".

2. Let serializedOrigin be the result of byte-serializing a request origin with request.

3. If request’s response tainting is "cors" or request’s mode is either "websocket" or "webtransport", then append (`Origin`, serializedOrigin) to request’s header list.

4. Otherwise, if request’s method is neither `GET` nor `HEAD`, then:

   1. If request’s mode is not "cors", then switch on request’s referrer policy:

      "no-referrer"

      Set serializedOrigin to `null`.

      "no-referrer-when-downgrade"

      "strict-origin"

      "strict-origin-when-cross-origin"

      If request’s origin is a tuple origin, its scheme is "https", and request’s current URL’s scheme is not "https", then set serializedOrigin to `null`.

      "same-origin"

      If request’s origin is not same origin with request’s current URL’s origin, then set serializedOrigin to `null`.

      Otherwise

      Do nothing.

   2. Append (`Origin`, serializedOrigin) to request’s header list.

A request’s referrer policy is taken into account for all fetches where the fetcher did not explicitly opt into sharing their origin with the server, e.g., via using the CORS protocol.