Fetch

To report timing for a fetch controller controller given a global object global:

1. Assert: controller’s report timing steps is non-null.

2. Call controller’s report timing steps with global.

To process the next manual redirect for a fetch controller controller:

1. Assert: controller’s next manual redirect steps is non-null.

2. Call controller’s next manual redirect steps.

To extract full timing info given a fetch controller controller:

1. Assert: controller’s full timing info is non-null.

2. Return controller’s full timing info.

To abort a fetch controller controller with an optional error:

1. Set controller’s state to "aborted".

2. Let fallbackError be an "AbortError" DOMException.

3. Set error to fallbackError if it is not given.

4. Let serializedError be StructuredSerialize(error). If that threw an exception, catch it, and let serializedError be StructuredSerialize(fallbackError).

5. Set controller’s serialized abort reason to serializedError.

To deserialize a serialized abort reason, given null or a Record abortReason and a realm realm:

1. Let fallbackError be an "AbortError" DOMException.

2. Let deserializedError be fallbackError.

3. If abortReason is non-null, then set deserializedError to StructuredDeserialize(abortReason, realm). If that threw an exception or returned undefined, then set deserializedError to fallbackError.

4. Return deserializedError.

To terminate a fetch controller controller, set controller’s state to "terminated".

To create an opaque timing info, given a fetch timing info timingInfo, return a new fetch timing info whose start time and post-redirect start time are timingInfo’s start time.

To queue a fetch task, given an algorithm algorithm, a global object or a parallel queue taskDestination, run these steps:

1. If taskDestination is a parallel queue, then enqueue algorithm to taskDestination.

2. Otherwise, queue a global task on the networking task source with taskDestination and algorithm.

To collect an HTTP quoted string from a string input, given a position variable position and an optional boolean extract-value (default false):

1. Let positionStart be position.

2. Let value be the empty string.

3. Assert: the code point at position within input is U+0022 (").

4. Advance position by 1.

5. While true:

   1. Append the result of collecting a sequence of code points that are not U+0022 (") or U+005C (\) from input, given position, to value.

   2. If position is past the end of input, then break.

   3. Let quoteOrBackslash be the code point at position within input.

   4. Advance position by 1.

   5. If quoteOrBackslash is U+005C (\), then:

      1. If position is past the end of input, then append U+005C (\) to value and break.

      2. Append the code point at position within input to value.

      3. Advance position by 1.

   6. Otherwise:

      1. Assert: quoteOrBackslash is U+0022 (").

      2. Break.

6. If extract-value is true, then return value.

7. Return the code points from positionStart to position, inclusive, within input.

To get a structured field value given a header name name and a string type from a header list list, run these steps. They return null or a structured field value.

1. Assert: type is one of "dictionary", "list", or "item".

2. Let value be the result of getting name from list.

3. If value is null, then return null.

4. Let result be the result of parsing structured fields with input_string set to value and header_type set to type.

5. If parsing failed, then return null.

6. Return result.

Get a structured field value intentionally does not distinguish between a header not being present and its value failing to parse as a structured field value. This ensures uniform processing across the web platform.

To set a structured field value given a tuple (header name name, structured field value structuredValue), in a header list list:

1. Let serializedValue be the result of executing the serializing structured fields algorithm on structuredValue.

2. Set (name, serializedValue) in list.

Structured field values are defined as objects which HTTP can (eventually) serialize in interesting and efficient ways. For the moment, Fetch only supports header values as byte sequences, which means that these objects can be set in header lists only via serialization, and they can be obtained from header lists only by parsing. In the future the fact that they are objects might be preserved end-to-end. [RFC9651]

A header list list contains a header name name if list contains a header whose name is a byte-case-insensitive match for name.

To get a header name name from a header list list, run these steps. They return null or a header value.

1. If list does not contain name, then return null.

2. Return the values of all headers in list whose name is a byte-case-insensitive match for name, separated from each other by 0x2C 0x20, in order.

To get, decode, and split a header name name from header list list, run these steps. They return null or a list of strings.

1. Let value be the result of getting name from list.

2. If value is null, then return null.

3. Return the result of getting, decoding, and splitting value.

To get, decode, and split a header value value, run these steps. They return a list of strings.

1. Let input be the result of isomorphic decoding value.

2. Let position be a position variable for input, initially pointing at the start of input.

3. Let values be a list of strings, initially « ».

4. Let temporaryValue be the empty string.

5. While true:

   1. Append the result of collecting a sequence of code points that are not U+0022 (") or U+002C (,) from input, given position, to temporaryValue.

      The result might be the empty string.

   2. If position is not past the end of input and the code point at position within input is U+0022 ("):

      1. Append the result of collecting an HTTP quoted string from input, given position, to temporaryValue.

      2. If position is not past the end of input, then continue.

   3. Remove all HTTP tab or space from the start and end of temporaryValue.

   4. Append temporaryValue to values.

   5. Set temporaryValue to the empty string.

   6. If position is past the end of input, then return values.

   7. Assert: the code point at position within input is U+002C (,).

   8. Advance position by 1.

Except for blessed call sites, the algorithm directly above is not to be invoked directly. Use get, decode, and split instead.

To append a header (name, value) to a header list list:

1. If list contains name, then set name to the first such header’s name.

   This reuses the casing of the name of the header already in list, if any. If there are multiple matched headers their names will all be identical.

2. Append (name, value) to list.

To delete a header name name from a header list list, remove all headers whose name is a byte-case-insensitive match for name from list.

To set a header (name, value) in a header list list:

1. If list contains name, then set the value of the first such header to value and remove the others.

2. Otherwise, append (name, value) to list.

To combine a header (name, value) in a header list list:

1. If list contains name, then set the value of the first such header to its value, followed by 0x2C 0x20, followed by value.

2. Otherwise, append (name, value) to list.

Combine is used by XMLHttpRequest and the WebSocket protocol handshake.

To convert header names to a sorted-lowercase set, given a list of names headerNames, run these steps. They return an ordered set of header names.

1. Let headerNamesSet be a new ordered set.

2. For each name of headerNames, append the result of byte-lowercasing name to headerNamesSet.

3. Return the result of sorting headerNamesSet in ascending order with byte less than.

To sort and combine a header list list, run these steps. They return a header list.

1. Let headers be a header list.

2. Let names be the result of convert header names to a sorted-lowercase set with all the names of the headers in list.

3. For each name of names:

   1. If name is `set-cookie`, then:

      1. Let values be a list of all values of headers in list whose name is a byte-case-insensitive match for name, in order.

      2. For each value of values:

         1. Append (name, value) to headers.

   2. Otherwise:

      1. Let value be the result of getting name from list.

      2. Assert: value is non-null.

      3. Append (name, value) to headers.

4. Return headers.

To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.

To determine whether a header (name, value) is a CORS-safelisted request-header, run these steps:

1. If value’s length is greater than 128, then return false.

2. Byte-lowercase name and switch on the result:

   `accept`

   If value contains a CORS-unsafe request-header byte, then return false.

   `accept-language`

   `content-language`

   If value contains a byte that is not in the range 0x30 (0) to 0x39 (9), inclusive, is not in the range 0x41 (A) to 0x5A (Z), inclusive, is not in the range 0x61 (a) to 0x7A (z), inclusive, and is not 0x20 (SP), 0x2A (*), 0x2C (,), 0x2D (-), 0x2E (.), 0x3B (;), or 0x3D (=), then return false.

   `content-type`

   1. If value contains a CORS-unsafe request-header byte, then return false.

   2. Let mimeType be the result of parsing the result of isomorphic decoding value.

   3. If mimeType is failure, then return false.

   4. If mimeType’s essence is not "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", then return false.

   This intentionally does not use extract a MIME type as that algorithm is rather forgiving and servers are not expected to implement it.

   If extract a MIME type were used the following request would not result in a CORS preflight and a naïve parser on the server might treat the request body as JSON:

   fetch("https://victim.example/naïve-endpoint", {
     method: "POST",
     headers: [
       ["Content-Type", "application/json"],
       ["Content-Type", "text/plain"]
     ],
     credentials: "include",
     body: JSON.stringify(exerciseForTheReader)
   });
   

   `range`

   1. Let rangeValue be the result of parsing a single range header value given value and false.

   2. If rangeValue is failure, then return false.

   3. If rangeValue[0] is null, then return false.

      As web browsers have historically not emitted ranges such as `bytes=-500` this algorithm does not safelist them.

   Otherwise

   Return false.

3. Return true.

There are limited exceptions to the `Content-Type` header safelist, as documented in CORS protocol exceptions.

A CORS-unsafe request-header byte is a byte byte for which one of the following is true:

• byte is less than 0x20 and is not 0x09 HT

• byte is 0x22 ("), 0x28 (left parenthesis), 0x29 (right parenthesis), 0x3A (:), 0x3C (<), 0x3E (>), 0x3F (?), 0x40 (@), 0x5B ([), 0x5C (\), 0x5D (]), 0x7B ({), 0x7D (}), or 0x7F DEL.

The CORS-unsafe request-header names, given a header list headers, are determined as follows:

1. Let unsafeNames be a new list.

2. Let potentiallyUnsafeNames be a new list.

3. Let safelistValueSize be 0.

4. For each header of headers:

   1. If header is not a CORS-safelisted request-header, then append header’s name to unsafeNames.

   2. Otherwise, append header’s name to potentiallyUnsafeNames and increase safelistValueSize by header’s value’s length.

5. If safelistValueSize is greater than 1024, then for each name of potentiallyUnsafeNames, append name to unsafeNames.

6. Return the result of convert header names to a sorted-lowercase set with unsafeNames.

To determine whether a header (name, value) is a no-CORS-safelisted request-header, run these steps:

1. If name is not a no-CORS-safelisted request-header name, then return false.

2. Return whether (name, value) is a CORS-safelisted request-header.

A header (name, value) is forbidden request-header if these steps return true:

1. If name is a byte-case-insensitive match for one of:

   • `Accept-Charset`
   • `Accept-Encoding`
   • `Access-Control-Request-Headers`
   • `Access-Control-Request-Method`
   • `Connection`
   • `Content-Length`
   • `Cookie`
   • `Cookie2`
   • `Date`
   • `DNT`
   • `Expect`
   • `Host`
   • `Keep-Alive`
   • `Origin`
   • `Referer`
   • `Set-Cookie`
   • `TE`
   • `Trailer`
   • `Transfer-Encoding`
   • `Upgrade`
   • `Via`

   then return true.

2. If name when byte-lowercased starts with `proxy-` or `sec-`, then return true.

3. If name is a byte-case-insensitive match for one of:

   • `X-HTTP-Method`
   • `X-HTTP-Method-Override`
   • `X-Method-Override`

   then:

   1. Let parsedValues be the result of getting, decoding, and splitting value.

   2. For each method of parsedValues: if the isomorphic encoding of method is a forbidden method, then return true.

4. Return false.

To extract header values given a header header, run these steps:

1. If parsing header’s value, per the ABNF for header’s name, fails, then return failure.

2. Return one or more values resulting from parsing header’s value, per the ABNF for header’s name.

To extract header list values given a header name name and a header list list, run these steps:

1. If list does not contain name, then return null.

2. If the ABNF for name allows a single header and list contains more than one, then return failure.

   If different error handling is needed, extract the desired header first.

3. Let values be an empty list.

4. For each header header list contains whose name is name:

   1. Let extract be the result of extracting header values from header.

   2. If extract is failure, then return failure.

   3. Append each value in extract, in order, to values.

5. Return values.

To build a content range given an integer rangeStart, an integer rangeEnd, and an integer fullLength, run these steps:

1. Let contentRange be `bytes `.

2. Append rangeStart, serialized and isomorphic encoded, to contentRange.

3. Append 0x2D (-) to contentRange.

4. Append rangeEnd, serialized and isomorphic encoded to contentRange.

5. Append 0x2F (/) to contentRange.

6. Append fullLength, serialized and isomorphic encoded to contentRange.

7. Return contentRange.

To parse a single range header value from a byte sequence value and a boolean allowWhitespace, run these steps:

1. Let data be the isomorphic decoding of value.

2. If data does not start with "bytes", then return failure.

3. Let position be a position variable for data, initially pointing at the 5th code point of data.

4. If allowWhitespace is true, collect a sequence of code points that are HTTP tab or space, from data given position.

5. If the code point at position within data is not U+003D (=), then return failure.

6. Advance position by 1.

7. If allowWhitespace is true, collect a sequence of code points that are HTTP tab or space, from data given position.

8. Let rangeStart be the result of collecting a sequence of code points that are ASCII digits, from data given position.

9. Let rangeStartValue be rangeStart, interpreted as decimal number, if rangeStart is not the empty string; otherwise null.

10. If allowWhitespace is true, collect a sequence of code points that are HTTP tab or space, from data given position.

11. If the code point at position within data is not U+002D (-), then return failure.

12. Advance position by 1.

13. If allowWhitespace is true, collect a sequence of code points that are HTTP tab or space, from data given position.

14. Let rangeEnd be the result of collecting a sequence of code points that are ASCII digits, from data given position.

15. Let rangeEndValue be rangeEnd, interpreted as decimal number, if rangeEnd is not the empty string; otherwise null.

16. If position is not past the end of data, then return failure.

17. If rangeEndValue and rangeStartValue are null, then return failure.

18. If rangeStartValue and rangeEndValue are numbers, and rangeStartValue is greater than rangeEndValue, then return failure.

19. Return (rangeStartValue, rangeEndValue).

    The range end or start can be omitted, e.g., `bytes=0-` or `bytes=-500` are valid ranges.

Parse a single range header value succeeds for a subset of allowed range header values, but it is the most common form used by user agents when requesting media or resuming downloads. This format of range header value can be set using add a range header.

To clone a body body, run these steps:

1. Let « out1, out2 » be the result of teeing body’s stream.

2. Set body’s stream to out1.

3. Return a body whose stream is out2 and other members are copied from body.

To get a byte sequence bytes as a body, return the body of the result of safely extracting bytes.

To incrementally read a body body, given an algorithm processBodyChunk, an algorithm processEndOfBody, an algorithm processBodyError, and an optional null, parallel queue, or global object taskDestination (default null), run these steps. processBodyChunk must be an algorithm accepting a byte sequence. processEndOfBody must be an algorithm accepting no arguments. processBodyError must be an algorithm accepting an exception.

1. If taskDestination is null, then set taskDestination to the result of starting a new parallel queue.

2. Let reader be the result of getting a reader for body’s stream.

   This operation will not throw an exception.

3. Perform the incrementally-read loop given reader, taskDestination, processBodyChunk, processEndOfBody, and processBodyError.

To perform the incrementally-read loop, given a ReadableStreamDefaultReader object reader, parallel queue or global object taskDestination, algorithm processBodyChunk, algorithm processEndOfBody, and algorithm processBodyError:

1. Let readRequest be the following read request:

   chunk steps, given chunk

   1. Let continueAlgorithm be null.

   2. If chunk is not a Uint8Array object, then set continueAlgorithm to this step: run processBodyError given a TypeError.

   3. Otherwise:

      1. Let bytes be a copy of chunk.

         Implementations are strongly encouraged to use an implementation strategy that avoids this copy where possible.

      2. Set continueAlgorithm to these steps:

         1. Run processBodyChunk given bytes.

         2. Perform the incrementally-read loop given reader, taskDestination, processBodyChunk, processEndOfBody, and processBodyError.

   4. Queue a fetch task given continueAlgorithm and taskDestination.

   close steps

   1. Queue a fetch task given processEndOfBody and taskDestination.

   error steps, given e

   1. Queue a fetch task to run processBodyError given e, with taskDestination.

2. Read a chunk from reader given readRequest.

To fully read a body body, given an algorithm processBody, an algorithm processBodyError, and an optional null, parallel queue, or global object taskDestination (default null), run these steps. processBody must be an algorithm accepting a byte sequence. processBodyError must be an algorithm optionally accepting an exception.

1. If taskDestination is null, then set taskDestination to the result of starting a new parallel queue.

2. Let successSteps given a byte sequence bytes be to queue a fetch task to run processBody given bytes, with taskDestination.

3. Let errorSteps optionally given an exception exception be to queue a fetch task to run processBodyError given exception, with taskDestination.

4. Let reader be the result of getting a reader for body’s stream. If that threw an exception, then run errorSteps with that exception and return.

5. Read all bytes from reader, given successSteps and errorSteps.

To handle content codings given codings and bytes, run these steps:

1. If codings are not supported, then return bytes.

2. Return the result of decoding bytes with codings as explained in HTTP, if decoding does not result in an error, and failure otherwise. [HTTP]

To compute the redirect-taint of a request request, perform the following steps. They return "same-origin", "same-site", or "cross-site".

1. Assert: request’s origin is not "client".

2. Let lastURL be null.

3. Let taint be "same-origin".

4. For each url of request’s URL list:

   1. If lastURL is null, then set lastURL to url and continue.

   2. If url’s origin is not same site with lastURL’s origin and request’s origin is not same site with lastURL’s origin, then return "cross-site".

   3. If url’s origin is not same origin with lastURL’s origin and request’s origin is not same origin with lastURL’s origin, then set taint to "same-site".

   4. Set lastURL to url.

5. Return taint.

Serializing a request origin, given a request request, is to run these steps:

1. Assert: request’s origin is not "client".

2. If request’s redirect-taint is not "same-origin", then return "null".

3. Return request’s origin, serialized.

Byte-serializing a request origin, given a request request, is to return the result of serializing a request origin with request, isomorphic encoded.

To clone a request request, run these steps:

1. Let newRequest be a copy of request, except for its body.

2. If request’s body is non-null, set newRequest’s body to the result of cloning request’s body.

3. Return newRequest.

To add a range header to a request request, with an integer first, and an optional integer last, run these steps:

1. Assert: last is not given, or first is less than or equal to last.

2. Let rangeValue be `bytes=`.

3. Serialize and isomorphic encode first, and append the result to rangeValue.

4. Append 0x2D (-) to rangeValue.

5. If last is given, then serialize and isomorphic encode it, and append the result to rangeValue.

6. Append (`Range`, rangeValue) to request’s header list.

A range header denotes an inclusive byte range. There a range header where first is 0 and last is 500, is a range of 501 bytes.

Features that combine multiple responses into one logical resource are historically a source of security bugs. Please seek security review for features that deal with partial responses.

To serialize a response URL for reporting, given a response response, run these steps:

1. Assert: response’s URL list is not empty.

2. Let url be a copy of response’s URL list[0].

   This is not response’s URL in order to avoid leaking information about redirect targets (see similar considerations for CSP reporting too). [CSP]

3. Set the username given url and the empty string.

4. Set the password given url and the empty string.

5. Return the serialization of url with exclude fragment set to true.

To check if Cross-Origin-Embedder-Policy allows credentials, given a request request, run these steps:

1. Assert: request’s origin is not "client".

2. If request’s mode is not "no-cors", then return true.

3. If request’s client is null, then return true.

4. If request’s client’s policy container’s embedder policy’s value is not "credentialless", then return true.

5. If request’s origin is same origin with request’s current URL’s origin and request’s redirect-taint is not "same-origin", then return true.

6. Return false.

To create the appropriate network error given fetch params fetchParams:

1. Assert: fetchParams is canceled.

2. Return an aborted network error if fetchParams is aborted; otherwise return a network error.

To clone a response response, run these steps:

1. If response is a filtered response, then return a new identical filtered response whose internal response is a clone of response’s internal response.

2. Let newResponse be a copy of response, except for its body.

3. If response’s body is non-null, then set newResponse’s body to the result of cloning response’s body.

4. Return newResponse.

The location URL of a response response, given null or an ASCII string requestFragment, is the value returned by the following steps. They return null, failure, or a URL.

1. If response’s status is not a redirect status, then return null.

2. Let location be the result of extracting header list values given `Location` and response’s header list.

3. If location is a header value, then set location to the result of parsing location with response’s URL.

   If response was constructed through the Response constructor, response’s URL will be null, meaning that location will only parse successfully if it is an absolute-URL-with-fragment string.

4. If location is a URL whose fragment is null, then set location’s fragment to requestFragment.

   This ensures that synthetic (indeed, all) responses follow the processing model for redirects defined by HTTP. [HTTP]

5. Return location.

The location URL algorithm is exclusively used for redirect handling in this standard and in HTML’s navigate algorithm which handles redirects manually. [HTML]

To translate a potential destination potentialDestination, run these steps:

1. If potentialDestination is "fetch", then return the empty string.

2. Assert: potentialDestination is a destination.

3. Return potentialDestination.

To resolve an origin, given a network partition key key and an origin origin:

1. If origin’s host is an IP address, then return « origin’s host ».

2. If origin’s host’s public suffix is "localhost" or "localhost.", then return « ::1, 127.0.0.1 ».

3. Perform an implementation-defined operation to turn origin into a set of one or more IP addresses.

   It is also implementation-defined whether other operations might be performed to get connection information beyond just IP addresses. For example, if origin’s scheme is an HTTP(S) scheme, the implementation might perform a DNS query for HTTPS RRs. [SVCB]

   If this operation succeeds, return the set of IP addresses and any additional implementation-defined information.

4. Return failure.

The results of resolve an origin may be cached. If they are cached, key should be used as part of the cache key.

To clamp and coarsen connection timing info, given a connection timing info timingInfo, a DOMHighResTimeStamp defaultStartTime, and a boolean crossOriginIsolatedCapability, run these steps:

1. If timingInfo’s connection start time is less than defaultStartTime, then return a new connection timing info whose domain lookup start time is defaultStartTime, domain lookup end time is defaultStartTime, connection start time is defaultStartTime, connection end time is defaultStartTime, secure connection start time is defaultStartTime, and ALPN negotiated protocol is timingInfo’s ALPN negotiated protocol.

2. Return a new connection timing info whose domain lookup start time is the result of coarsen time given timingInfo’s domain lookup start time and crossOriginIsolatedCapability, domain lookup end time is the result of coarsen time given timingInfo’s domain lookup end time and crossOriginIsolatedCapability, connection start time is the result of coarsen time given timingInfo’s connection start time and crossOriginIsolatedCapability, connection end time is the result of coarsen time given timingInfo’s connection end time and crossOriginIsolatedCapability, secure connection start time is the result of coarsen time given timingInfo’s connection end time and crossOriginIsolatedCapability, and ALPN negotiated protocol is timingInfo’s ALPN negotiated protocol.

To obtain a connection, given a network partition key key, URL url, boolean credentials, an optional new connection setting new (default "no"), and an optional boolean requireUnreliable (default false), run these steps:

1. If new is "no", then:

   1. Let connections be a set of connections in the user agent’s connection pool whose key is key, origin is url’s origin, and credentials is credentials.

   2. If connections is not empty and requireUnreliable is false, then return one of connections.

   3. If there is a connection capable of supporting unreliable transport in connections, e.g., HTTP/3, then return that connection.

2. Let proxies be the result of finding proxies for url in an implementation-defined manner. If there are no proxies, let proxies be « "DIRECT" ».

   This is where non-standard technology such as Web Proxy Auto-Discovery Protocol (WPAD) and proxy auto-config (PAC) come into play. The "DIRECT" value means to not use a proxy for this particular url.

3. Let timingInfo be a new connection timing info.

4. For each proxy of proxies:

   1. Set timingInfo’s domain lookup start time to the unsafe shared current time.

   2. Let hosts be « url’s origin’s host ».

   3. If proxy is "DIRECT", then set hosts to the result of running resolve an origin given key and url’s origin.

   4. If hosts is failure, then continue.

   5. Set timingInfo’s domain lookup end time to the unsafe shared current time.

   6. Let connection be the result of running this step: run create a connection given key, url’s origin, credentials, proxy, an implementation-defined host from hosts, timingInfo, and requireUnreliable an implementation-defined number of times, in parallel from each other, and wait for at least 1 to return a value. In an implementation-defined manner, select a value to return from the returned values and return it. Any other returned values that are connections may be closed.

      Essentially this allows an implementation to pick one or more IP addresses from the return value of resolve an origin (assuming proxy is "DIRECT") and race them against each other, favor IPv6 addresses, retry in case of a timeout, etc.

   7. If connection is failure, then continue.

   8. If new is not "yes-and-dedicated", then append connection to the user agent’s connection pool.

   9. Return connection.

5. Return failure.

This is intentionally a little vague as there are a lot of nuances to connection management that are best left to the discretion of implementers. Describing this helps explain the <link rel=preconnect> feature and clearly stipulates that connections are keyed on credentials. The latter clarifies that, e.g., TLS session identifiers are not reused across connections whose credentials are false with connections whose credentials are true.

To create a connection, given a network partition key key, origin origin, boolean credentials, string proxy, host host, connection timing info timingInfo, and boolean requireUnreliable, run these steps:

1. Set timingInfo’s connection start time to the unsafe shared current time.

2. Let connection be a new connection whose key is key, origin is origin, credentials is credentials, and timing info is timingInfo. Record connection timing info given connection and use connection to establish an HTTP connection to host, taking proxy and origin into account, with the following caveats: [HTTP] [HTTP1] [TLS]

   • If requireUnreliable is true, then establish a connection capable of unreliable transport, e.g., an HTTP/3 connection. [HTTP3]

   • When establishing a connection capable of unreliable transport, enable options that are necessary for WebTransport. For HTTP/3, this means including SETTINGS_ENABLE_WEBTRANSPORT with a value of 1 and H3_DATAGRAM with a value of 1 in the initial SETTINGS frame. [WEBTRANSPORT-HTTP3] [HTTP3-DATAGRAM]

   • If credentials is false, then do not send a TLS client certificate.

   • If establishing a connection does not succeed (e.g., a UDP, TCP, or TLS error), then return failure.

3. Set timingInfo’s ALPN negotiated protocol to connection’s ALPN Protocol ID, with the following caveats: [RFC7301]

   • When a proxy is configured, if a tunnel connection is established then this must be the ALPN Protocol ID of the tunneled protocol, otherwise it must be the ALPN Protocol ID of the first hop to the proxy.

   • In case the user agent is using an experimental, non-registered protocol, the user agent must use the used ALPN Protocol ID, if any. If ALPN was not used for protocol negotiations, the user agent may use another descriptive string.

     timingInfo’s ALPN negotiated protocol is intended to identify the network protocol in use regardless of how it was actually negotiated; that is, even if ALPN is not used to negotiate the network protocol, this is the ALPN Protocol IDs that indicates the protocol in use.

   IANA maintains a list of ALPN Protocol IDs.

4. Return connection.

To record connection timing info given a connection connection, let timingInfo be connection’s timing info and observe these requirements:

• timingInfo’s connection end time should be the unsafe shared current time immediately after establishing the connection to the server or proxy, as follows:

  • The returned time must include the time interval to establish the transport connection, as well as other time intervals such as SOCKS authentication. It must include the time interval to complete enough of the TLS handshake to request the resource.

  • If the user agent used TLS False Start for this connection, this interval must not include the time needed to receive the server’s Finished message. [RFC7918]

  • If the user agent sends the request with early data without waiting for the full handshake to complete, this interval must not include the time needed to receive the server’s ServerHello message. [RFC8470]

  • If the user agent waits for full handshake completion to send the request, this interval includes the full TLS handshake even if other requests were sent using early data on connection.

  Suppose the user agent establishes an HTTP/2 connection over TLS 1.3 to send a GET request and a POST request. It sends the ClientHello at time t1 and then sends the GET request with early data. The POST request is not safe ([HTTP], section 9.2.1), so the user agent waits to complete the handshake at time t2 before sending it. Although both requests used the same connection, the GET request reports a connection end time of t1, while the POST request reports t2.

• If a secure transport is used, timingInfo’s secure connection start time should be the result of calling unsafe shared current time immediately before starting the handshake process to secure connection. [TLS]

• If connection is an HTTP/3 connection, timingInfo’s connection start time and timingInfo’s secure connection start time must be equal. (In HTTP/3 the secure transport handshake process is performed as part of the initial connection setup.) [HTTP3]

The clamp and coarsen connection timing info algorithm ensures that details of reused connections are not exposed and time values are coarsened.

To determine the network partition key, given an environment environment:

1. Let topLevelOrigin be environment’s top-level origin.

2. If topLevelOrigin is null, then set topLevelOrigin to environment’s top-level creation URL’s origin.

3. Assert: topLevelOrigin is an origin.

4. Let topLevelSite be the result of obtaining a site, given topLevelOrigin.

5. Let secondKey be null or an implementation-defined value.

   The second key is intentionally a little vague as the finer points are still evolving. See issue #1035.

6. Return (topLevelSite, secondKey).

To determine the network partition key, given a request request:

1. If request’s reserved client is non-null, then return the result of determining the network partition key given request’s reserved client.

2. If request’s client is non-null, then return the result of determining the network partition key given request’s client.

3. Return null.

To determine the HTTP cache partition, given a request request:

1. Let key be the result of determining the network partition key given request.

2. If key is null, then return null.

3. Return the unique HTTP cache associated with key. [HTTP-CACHING]

To determine whether fetching a request request should be blocked due to a bad port:

1. Let url be request’s current URL.

2. If url’s scheme is an HTTP(S) scheme and url’s port is a bad port, then return blocked.

3. Return allowed.

2.10. Should response to request be blocked due to its MIME type?

Run these steps:

1. Let mimeType be the result of extracting a MIME type from response’s header list.

2. If mimeType is failure, then return allowed.

3. Let destination be request’s destination.

4. If destination is script-like and one of the following is true, then return blocked:

   • mimeType’s essence starts with "audio/", "image/", or "video/".
   • mimeType’s essence is "text/csv".

5. Return allowed.

To append a request `Cookie` header, given a request request:

1. If the user agent is configured to disable cookies for request, then it should return.

2. Let sameSite be the result of determining the same-site mode for request.

3. Let isSecure be true if request’s current URL’s scheme is "https"; otherwise false.

4. Let httpOnlyAllowed be true.

   True follows from this being invoked from fetch, as opposed to the document.cookie getter steps for instance.

5. Let cookies be the result of running retrieve cookies given isSecure, request’s current URL’s host, request’s current URL’s path, httpOnlyAllowed, and sameSite.

   The cookie store returns an ordered list of cookies

6. If cookies is empty, then return.

7. Let value be the result of running serialize cookies given cookies.

8. Append (`Cookie`, value) to request’s header list.

To parse and store response `Set-Cookie` headers, given a request request and a response response:

1. If the user agent is configured to disable cookies for request, then it should return.

2. Let allowNonHostOnlyCookieForPublicSuffix be false.

3. Let isSecure be true if request’s current URL’s scheme is "https"; otherwise false.

4. Let httpOnlyAllowed be true.

   True follows from this being invoked from fetch, as opposed to the document.cookie getter steps for instance.

5. Let sameSiteStrictOrLaxAllowed be true if the result of determine the same-site mode for request is "strict-or-less"; otherwise false.

6. For each header of response’s header list:

   1. If header’s name is not a byte-case-insensitive match for `Set-Cookie`, then continue.

   2. Parse and store a cookie given header’s value, isSecure, request’s current URL’s host, request’s current URL’s path, httpOnlyAllowed, allowNonHostOnlyCookieForPublicSuffix, and sameSiteStrictOrLaxAllowed.

   3. Garbage collect cookies given request’s current URL’s host.

   As noted elsewhere the `Set-Cookie` header cannot be combined and therefore each occurrence is processed independently. This is not allowed for any other header.

To determine the same-site mode for a given request request:

1. Assert: request’s method is "GET" or "POST".

2. If request’s top-level navigation initiator origin is not null and is not same site with request’s URL’s origin, then return "unset-or-less".

3. If request’s method is "GET" and request’s destination is "document", then return "lax-or-less".

4. If request’s client’s has cross-site ancestor is true, then return "unset-or-less".

5. If request’s redirect-taint is "cross-site", then return "unset-or-less".

6. Return "strict-or-less".

To obtain a serialized cookie default path given a URL url:

1. Let cloneURL be a clone of url.

2. Set cloneURL’s path to the cookie default path of cloneURL’s path.

3. Return the URL path serialization of cloneURL.

To append a request `Origin` header, given a request request, run these steps:

1. Assert: request’s origin is not "client".

2. Let serializedOrigin be the result of byte-serializing a request origin with request.

3. If request’s response tainting is "cors" or request’s mode is "websocket", then append (`Origin`, serializedOrigin) to request’s header list.

4. Otherwise, if request’s method is neither `GET` nor `HEAD`, then:

   1. If request’s mode is not "cors", then switch on request’s referrer policy:

      "no-referrer"

      Set serializedOrigin to `null`.

      "no-referrer-when-downgrade"

      "strict-origin"

      "strict-origin-when-cross-origin"

      If request’s origin is a tuple origin, its scheme is "https", and request’s current URL’s scheme is not "https", then set serializedOrigin to `null`.

      "same-origin"

      If request’s origin is not same origin with request’s current URL’s origin, then set serializedOrigin to `null`.

      Otherwise

      Do nothing.

   2. Append (`Origin`, serializedOrigin) to request’s header list.

A request’s referrer policy is taken into account for all fetches where the fetcher did not explicitly opt into sharing their origin with the server, e.g., via using the CORS protocol.

To extract a length from a header list headers, run these steps:

1. Let values be the result of getting, decoding, and splitting `Content-Length` from headers.

2. If values is null, then return null.

3. Let candidateValue be null.

4. For each value of values:

   1. If candidateValue is null, then set candidateValue to value.

   2. Otherwise, if value is not candidateValue, return failure.

5. If candidateValue is the empty string or has a code point that is not an ASCII digit, then return null.

6. Return candidateValue, interpreted as decimal number.

To extract a MIME type from a header list headers, run these steps. They return failure or a MIME type.

1. Let charset be null.

2. Let essence be null.

3. Let mimeType be null.

4. Let values be the result of getting, decoding, and splitting `Content-Type` from headers.

5. If values is null, then return failure.

6. For each value of values:

   1. Let temporaryMimeType be the result of parsing value.

   2. If temporaryMimeType is failure or its essence is "*/*", then continue.

   3. Set mimeType to temporaryMimeType.

   4. If mimeType’s essence is not essence, then:

      1. Set charset to null.

      2. If mimeType’s parameters["charset"] exists, then set charset to mimeType’s parameters["charset"].

      3. Set essence to mimeType’s essence.

   5. Otherwise, if mimeType’s parameters["charset"] does not exist, and charset is non-null, set mimeType’s parameters["charset"] to charset.

7. If mimeType is null, then return failure.

8. Return mimeType.

To legacy extract an encoding given failure or a MIME type mimeType and an encoding fallbackEncoding, run these steps:

1. If mimeType is failure, then return fallbackEncoding.

2. If mimeType["charset"] does not exist, then return fallbackEncoding.

3. Let tentativeEncoding be the result of getting an encoding from mimeType["charset"].

4. If tentativeEncoding is failure, then return fallbackEncoding.

5. Return tentativeEncoding.

To determine nosniff, given a header list list, run these steps:

1. Let values be the result of getting, decoding, and splitting `X-Content-Type-Options` from list.

2. If values is null, then return false.

3. If values[0] is an ASCII case-insensitive match for "nosniff", then return true.

4. Return false.

3.6.1. Should response to request be blocked due to nosniff?

Run these steps:

1. If determine nosniff with response’s header list is false, then return allowed.

2. Let mimeType be the result of extracting a MIME type from response’s header list.

3. Let destination be request’s destination.

4. If destination is script-like and mimeType is failure or is not a JavaScript MIME type, then return blocked.

5. If destination is "style" and mimeType is failure or its essence is not "text/css", then return blocked.

6. Return allowed.

Only request destinations that are script-like or "style" are considered as any exploits pertain to them. Also, considering "image" was not compatible with deployed content.

To perform a cross-origin resource policy check, given an origin origin, an environment settings object settingsObject, a string destination, a response response, and an optional boolean forNavigation, run these steps:

1. Set forNavigation to false if it is not given.

2. Let embedderPolicy be settingsObject’s policy container’s embedder policy.

3. If the cross-origin resource policy internal check with origin, "unsafe-none", response, and forNavigation returns blocked, then return blocked.

   This step is needed because we don’t want to report violations not related to Cross-Origin Embedder Policy below.

4. If the cross-origin resource policy internal check with origin, embedderPolicy’s report only value, response, and forNavigation returns blocked, then queue a cross-origin embedder policy CORP violation report with response, settingsObject, destination, and true.

5. If the cross-origin resource policy internal check with origin, embedderPolicy’s value, response, and forNavigation returns allowed, then return allowed.

6. Queue a cross-origin embedder policy CORP violation report with response, settingsObject, destination, and false.

7. Return blocked.

Only HTML’s navigate algorithm uses this check with forNavigation set to true, and it’s always for nested navigations. Otherwise, response is either the internal response of an opaque filtered response or a response which will be the internal response of an opaque filtered response. [HTML]

To perform a cross-origin resource policy internal check, given an origin origin, an embedder policy value embedderPolicyValue, a response response, and a boolean forNavigation, run these steps:

1. If forNavigation is true and embedderPolicyValue is "unsafe-none", then return allowed.

2. Let policy be the result of getting `Cross-Origin-Resource-Policy` from response’s header list.

   This means that `Cross-Origin-Resource-Policy: same-site, same-origin` ends up as allowed below as it will never match anything, as long as embedderPolicyValue is "unsafe-none". Two or more `Cross-Origin-Resource-Policy` headers will have the same effect.

3. If policy is neither `same-origin`, `same-site`, nor `cross-origin`, then set policy to null.

4. If policy is null, then switch on embedderPolicyValue:

   "unsafe-none"

   Do nothing.

   "credentialless"

   Set policy to `same-origin` if:

   • response’s request-includes-credentials is true, or
   • forNavigation is true.

   "require-corp"

   Set policy to `same-origin`.

5. Switch on policy:

   null

   `cross-origin`

   Return allowed.

   `same-origin`

   If origin is same origin with response’s URL’s origin, then return allowed.

   Otherwise, return blocked.

   `same-site`

   If all of the following are true

   • origin is schemelessly same site with response’s URL’s origin

   • origin’s scheme is "https" or response’s URL’s scheme is not "https"

   then return allowed.

   Otherwise, return blocked.

   `Cross-Origin-Resource-Policy: same-site` does not consider a response delivered via a secure transport to match a non-secure requesting origin, even if their hosts are otherwise same site. Securely-transported responses will only match a securely-transported initiator.

To queue a cross-origin embedder policy CORP violation report, given a response response, an environment settings object settingsObject, a string destination, and a boolean reportOnly, run these steps:

1. Let endpoint be settingsObject’s policy container’s embedder policy’s report only reporting endpoint if reportOnly is true and settingsObject’s policy container’s embedder policy’s reporting endpoint otherwise.

2. Let serializedURL be the result of serializing a response URL for reporting with response.

3. Let disposition be "reporting" if reportOnly is true; otherwise "enforce".

4. Let body be a new object containing the following properties:

   key	value
   "type"	"corp"
   "blockedURL"	serializedURL
   "destination"	destination
   "disposition"	disposition

5. Generate and queue a report for settingsObject’s global object given the "coep" report type, endpoint, and body. [REPORTING]

To fetch, given a request request, an optional algorithm processRequestBodyChunkLength, an optional algorithm processRequestEndOfBody, an optional algorithm processEarlyHintsResponse, an optional algorithm processResponse, an optional algorithm processResponseEndOfBody, an optional algorithm processResponseConsumeBody, and an optional boolean useParallelQueue (default false), run the steps below. If given, processRequestBodyChunkLength must be an algorithm accepting an integer representing the number of bytes transmitted. If given, processRequestEndOfBody must be an algorithm accepting no arguments. If given, processEarlyHintsResponse must be an algorithm accepting a response. If given, processResponse must be an algorithm accepting a response. If given, processResponseEndOfBody must be an algorithm accepting a response. If given, processResponseConsumeBody must be an algorithm accepting a response and null, failure, or a byte sequence.

The user agent may be asked to suspend the ongoing fetch. The user agent may either accept or ignore the suspension request. The suspended fetch can be resumed. The user agent should ignore the suspension request if the ongoing fetch is updating the response in the HTTP cache for the request.

The user agent does not update the entry in the HTTP cache for a request if request’s cache mode is "no-store" or a `Cache-Control: no-store` header appears in the response. [HTTP-CACHING]

1. Assert: request’s mode is "navigate" or processEarlyHintsResponse is null.

   Processing of early hints (responses whose status is 103) is only vetted for navigations.

2. Let taskDestination be null.

3. Let crossOriginIsolatedCapability be false.

4. Populate request from client given request.

5. If request’s client is non-null, then:

   1. Set taskDestination to request’s client’s global object.

   2. Set crossOriginIsolatedCapability to request’s client’s cross-origin isolated capability.

6. If useParallelQueue is true, then set taskDestination to the result of starting a new parallel queue.

7. Let timingInfo be a new fetch timing info whose start time and post-redirect start time are the coarsened shared current time given crossOriginIsolatedCapability, and render-blocking is set to request’s render-blocking.

8. Let fetchParams be a new fetch params whose request is request, timing info is timingInfo, process request body chunk length is processRequestBodyChunkLength, process request end-of-body is processRequestEndOfBody, process early hints response is processEarlyHintsResponse, process response is processResponse, process response consume body is processResponseConsumeBody, process response end-of-body is processResponseEndOfBody, task destination is taskDestination, and cross-origin isolated capability is crossOriginIsolatedCapability.

9. If request’s body is a byte sequence, then set request’s body to request’s body as a body.

10. If all of the following conditions are true:

    • request’s URL’s scheme is an HTTP(S) scheme

    • request’s mode is "same-origin", "cors", or "no-cors"

    • request’s client is not null, and request’s client’s global object is a Window object

    • request’s method is `GET`

    • request’s unsafe-request flag is not set or request’s header list is empty

    then:

    1. Assert: request’s origin is same origin with request’s client’s origin.

    2. Let onPreloadedResponseAvailable be an algorithm that runs the following step given a response response: set fetchParams’s preloaded response candidate to response.

    3. Let foundPreloadedResource be the result of invoking consume a preloaded resource for request’s client, given request’s URL, request’s destination, request’s mode, request’s credentials mode, request’s integrity metadata, and onPreloadedResponseAvailable.

    4. If foundPreloadedResource is true and fetchParams’s preloaded response candidate is null, then set fetchParams’s preloaded response candidate to "pending".

11. If request’s header list does not contain `Accept`, then:

    1. Let value be `*/*`.

    2. If request’s initiator is "prefetch", then set value to the document `Accept` header value.

    3. Otherwise, the user agent should set value to the first matching statement, if any, switching on request’s destination:

       "document"

       "frame"

       "iframe"

       the document `Accept` header value

       "image"

       `image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5`

       "json"

       `application/json,*/*;q=0.5`

       "style"

       `text/css,*/*;q=0.1`

    4. Append (`Accept`, value) to request’s header list.

12. If request’s header list does not contain `Accept-Language`, then user agents should append (`Accept-Language, an appropriate header value) to request’s header list.

13. If request’s internal priority is null, then use request’s priority, initiator, destination, and render-blocking in an implementation-defined manner to set request’s internal priority to an implementation-defined object.

    The implementation-defined object could encompass stream weight and dependency for HTTP/2, priorities used in Extensible Prioritization Scheme for HTTP for transports where it applies (including HTTP/3), and equivalent information used to prioritize dispatch and processing of HTTP/1 fetches. [RFC9218]

14. If request is a subresource request:

    1. Let record be a new fetch record whose request is request and controller is fetchParams’s controller.

    2. Append record to request’s client’s fetch group’s fetch records.

15. Run main fetch given fetchParams.

16. Return fetchParams’s controller.

To populate request from client given a request request:

1. If request’s traversable for user prompts is "client":

   1. Set request’s traversable for user prompts to "no-traversable".

   2. If request’s client is non-null:

      1. Let global be request’s client’s global object.

      2. If global is a Window object and global’s navigable is not null, then set request’s traversable for user prompts to global’s navigable’s traversable navigable.

2. If request’s origin is "client":

   1. Assert: request’s client is non-null.

   2. Set request’s origin to request’s client’s origin.

3. If request’s policy container is "client":

   1. If request’s client is non-null, then set request’s policy container to a clone of request’s client’s policy container. [HTML]

   2. Otherwise, set request’s policy container to a new policy container.

To main fetch, given a fetch params fetchParams and an optional boolean recursive (default false), run these steps:

1. Let request be fetchParams’s request.

2. Let response be null.

3. If request’s local-URLs-only flag is set and request’s current URL is not local, then set response to a network error.

4. Run report Content Security Policy violations for request.

5. Upgrade request to a potentially trustworthy URL, if appropriate.

6. Upgrade a mixed content request to a potentially trustworthy URL, if appropriate.

7. If should request be blocked due to a bad port, should fetching request be blocked as mixed content, should request be blocked by Content Security Policy, or should request be blocked by Integrity Policy Policy returns blocked, then set response to a network error.

8. If request’s referrer policy is the empty string, then set request’s referrer policy to request’s policy container’s referrer policy.

9. If request’s referrer is not "no-referrer", then set request’s referrer to the result of invoking determine request’s referrer. [REFERRER]

   As stated in Referrer Policy, user agents can provide the end user with options to override request’s referrer to "no-referrer" or have it expose less sensitive information.

10. Set request’s current URL’s scheme to "https" if all of the following conditions are true:

    • request’s current URL’s scheme is "http"
    • request’s current URL’s host is a domain
    • request’s current URL’s host’s public suffix is not "localhost" or "localhost."
    • Matching request’s current URL’s host per Known HSTS Host Domain Name Matching results in either a superdomain match with an asserted includeSubDomains directive or a congruent match (with or without an asserted includeSubDomains directive) [HSTS]; or DNS resolution for the request finds a matching HTTPS RR per section 9.5 of [SVCB]. [HSTS] [SVCB]

    As all DNS operations are generally implementation-defined, how it is determined that DNS resolution contains an HTTPS RR is also implementation-defined. As DNS operations are not traditionally performed until attempting to obtain a connection, user agents might need to perform DNS operations earlier, consult local DNS caches, or wait until later in the fetch algorithm and potentially unwind logic on discovering the need to change request’s current URL’s scheme.

11. If recursive is false, then run the remaining steps in parallel.

12. If response is null, then set response to the result of running the steps corresponding to the first matching statement:

    fetchParams’s preloaded response candidate is non-null

    1. Wait until fetchParams’s preloaded response candidate is not "pending".

    2. Assert: fetchParams’s preloaded response candidate is a response.

    3. Return fetchParams’s preloaded response candidate.

    request’s current URL’s origin is same origin with request’s origin, and request’s response tainting is "basic"

    request’s current URL’s scheme is "data"

    request’s mode is "navigate" or "websocket"

    1. Set request’s response tainting to "basic".

    2. Return the result of running override fetch given "scheme-fetch" and fetchParams.

    HTML assigns any documents and workers created from URLs whose scheme is "data" a unique opaque origin. Service workers can only be created from URLs whose scheme is an HTTP(S) scheme. [HTML] [SW]

    request’s mode is "same-origin"

    Return a network error.

    request’s mode is "no-cors"

    1. If request’s redirect mode is not "follow", then return a network error.

    2. Set request’s response tainting to "opaque".

    3. Return the result of running override fetch given "scheme-fetch" and fetchParams.

    request’s current URL’s scheme is not an HTTP(S) scheme

    Return a network error.

    request’s use-CORS-preflight flag is set

    request’s unsafe-request flag is set and either request’s method is not a CORS-safelisted method or CORS-unsafe request-header names with request’s header list is not empty

    1. Set request’s response tainting to "cors".

    2. Let corsWithPreflightResponse be the result of running override fetch given "http-fetch", fetchParams, and true.

    3. If corsWithPreflightResponse is a network error, then clear cache entries using request.

    4. Return corsWithPreflightResponse.

    Otherwise

    1. Set request’s response tainting to "cors".

    2. Return the result of running override fetch given "http-fetch" and fetchParams.

13. If recursive is true, then return response.

14. If response is not a network error and response is not a filtered response, then:

    1. If request’s response tainting is "cors", then:

       1. Let headerNames be the result of extracting header list values given `Access-Control-Expose-Headers` and response’s header list.

       2. If request’s credentials mode is not "include" and headerNames contains `*`, then set response’s CORS-exposed header-name list to all unique header names in response’s header list.

       3. Otherwise, if headerNames is non-null or failure, then set response’s CORS-exposed header-name list to headerNames.

          One of the headerNames can still be `*` at this point, but will only match a header whose name is `*`.

    2. Set response to the following filtered response with response as its internal response, depending on request’s response tainting:

       "basic"

       basic filtered response

       "cors"

       CORS filtered response

       "opaque"

       opaque filtered response

15. Let internalResponse be response, if response is a network error; otherwise response’s internal response.

16. If internalResponse’s URL list is empty, then set it to a clone of request’s URL list.

    A response’s URL list can be empty, e.g., when fetching an about: URL.

17. Set internalResponse’s redirect taint to request’s redirect-taint.

18. If request’s timing allow failed flag is unset, then set internalResponse’s timing allow passed flag.

19. If response is not a network error and any of the following returns blocked

    • should internalResponse to request be blocked as mixed content

    • should internalResponse to request be blocked by Content Security Policy

    • should internalResponse to request be blocked due to its MIME type

    • should internalResponse to request be blocked due to nosniff

    then set response and internalResponse to a network error.

20. If response’s type is "opaque", internalResponse’s status is 206, internalResponse’s range-requested flag is set, and request’s header list does not contain `Range`, then set response and internalResponse to a network error.

    Traditionally, APIs accept a ranged response even if a range was not requested. This prevents a partial response from an earlier ranged request being provided to an API that did not make a range request.

    Further details

    The above steps prevent the following attack:

    A media element is used to request a range of a cross-origin HTML resource. Although this is invalid media, a reference to a clone of the response can be retained in a service worker. This can later be used as the response to a script element’s fetch. If the partial response is valid JavaScript (even though the whole resource is not), executing it would leak private data.

21. If response is not a network error and either request’s method is `HEAD` or `CONNECT`, or internalResponse’s status is a null body status, set internalResponse’s body to null and disregard any enqueuing toward it (if any).

    This standardizes the error handling for servers that violate HTTP.

22. If request’s integrity metadata is not the empty string, then:

    1. Let processBodyError be this step: run fetch response handover given fetchParams and a network error.

    2. If response’s body is null, then run processBodyError and abort these steps.

    3. Let processBody given bytes be these steps:

       1. If bytes do not match request’s integrity metadata, then run processBodyError and abort these steps. [SRI]

       2. Set response’s body to bytes as a body.

       3. Run fetch response handover given fetchParams and response.

    4. Fully read response’s body given processBody and processBodyError.

23. Otherwise, run fetch response handover given fetchParams and response.

The fetch response handover, given a fetch params fetchParams and a response response, run these steps:

1. Let timingInfo be fetchParams’s timing info.

2. If response is not a network error and fetchParams’s request’s client is a secure context, then set timingInfo’s server-timing headers to the result of getting, decoding, and splitting `Server-Timing` from response’s internal response’s header list.

   Using _response_’s internal response is safe as exposing `Server-Timing` header data is guarded through the `Timing-Allow-Origin` header.

   The user agent may decide to expose `Server-Timing` headers to non-secure contexts requests as well.

3. If fetchParams’s request’s destination is "document", then set fetchParams’s controller’s full timing info to fetchParams’s timing info.

4. Let processResponseEndOfBody be the following steps:

   1. Let unsafeEndTime be the unsafe shared current time.

   2. Set fetchParams’s controller’s report timing steps to the following steps given a global object global:

      1. If fetchParams’s request’s URL’s scheme is not an HTTP(S) scheme, then return.

      2. Set timingInfo’s end time to the relative high resolution time given unsafeEndTime and global.

      3. Let cacheState be response’s cache state.

      4. Let bodyInfo be response’s body info.

      5. If response’s timing allow passed flag is not set, then set timingInfo to the result of creating an opaque timing info for timingInfo and set cacheState to the empty string.

         This covers the case of response being a network error.

      6. Let responseStatus be 0.

      7. If fetchParams’s request’s mode is not "navigate" or response’s redirect taint is "same-origin":

         1. Set responseStatus to response’s status.

         2. Let mimeType be the result of extracting a MIME type from response’s header list.

         3. If mimeType is not failure, then set bodyInfo’s content type to the result of minimizing a supported MIME type given mimeType.

      8. If fetchParams’s request’s initiator type is non-null, then mark resource timing given timingInfo, fetchParams’s request’s URL, fetchParams’s request’s initiator type, global, cacheState, bodyInfo, and responseStatus.

   3. Let processResponseEndOfBodyTask be the following steps:

      1. Set fetchParams’s request’s done flag.

      2. If fetchParams’s process response end-of-body is non-null, then run fetchParams’s process response end-of-body given response.

      3. If fetchParams’s request’s initiator type is non-null and fetchParams’s request’s client’s global object is fetchParams’s task destination, then run fetchParams’s controller’s report timing steps given fetchParams’s request’s client’s global object.

   4. Queue a fetch task to run processResponseEndOfBodyTask with fetchParams’s task destination.

5. If fetchParams’s process response is non-null, then queue a fetch task to run fetchParams’s process response given response, with fetchParams’s task destination.

6. Let internalResponse be response, if response is a network error; otherwise response’s internal response.

7. If internalResponse’s body is null, then run processResponseEndOfBody.

8. Otherwise:

   1. Let transformStream be a new TransformStream.

   2. Let identityTransformAlgorithm be an algorithm which, given chunk, enqueues chunk in transformStream.

   3. Set up transformStream with transformAlgorithm set to identityTransformAlgorithm and flushAlgorithm set to processResponseEndOfBody.

   4. Set internalResponse’s body’s stream to the result of internalResponse’s body’s stream piped through transformStream.

   This TransformStream is needed for the purpose of receiving a notification when the stream reaches its end, and is otherwise an identity transform stream.

9. If fetchParams’s process response consume body is non-null, then:

   1. Let processBody given nullOrBytes be this step: run fetchParams’s process response consume body given response and nullOrBytes.

   2. Let processBodyError be this step: run fetchParams’s process response consume body given response and failure.

   3. If internalResponse’s body is null, then queue a fetch task to run processBody given null, with fetchParams’s task destination.

   4. Otherwise, fully read internalResponse’s body given processBody, processBodyError, and fetchParams’s task destination.

To override fetch, given "scheme-fetch" or "http-fetch" type, a fetch params fetchParams, and an optional boolean makeCORSPreflight (default false):

1. Let request be fetchParams’ request.

2. Let response be the result of executing potentially override response for a request on request.

3. If response is non-null, then return response.

4. Switch on type and run the associated step:

   "scheme fetch"

   Set response be the result of running scheme fetch given fetchParams.

   "HTTP fetch"

   Set response be the result of running HTTP fetch given fetchParams and makeCORSPreflight.

5. Return response.

The potentially override response for a request algorithm takes a request request, and returns either a response or null. Its behavior is implementation-defined, allowing user agents to intervene on the request by returning a response directly, or allowing the request to proceed by returning null.

By default, the algorithm has the following trivial implementation:

1. Return null.

To scheme fetch, given a fetch params fetchParams:

1. If fetchParams is canceled, then return the appropriate network error for fetchParams.

2. Let request be fetchParams’s request.

3. Switch on request’s current URL’s scheme and run the associated steps:

   "about"

   If request’s current URL’s path is the string "blank", then return a new response whose status message is `OK`, header list is « (`Content-Type`, `text/html;charset=utf-8`) », and body is the empty byte sequence as a body.

   URLs such as "about:config" are handled during navigation and result in a network error in the context of fetching.

   "blob"

   1. Let blobURLEntry be request’s current URL’s blob URL entry.

   2. If request’s method is not `GET` or blobURLEntry is null, then return a network error. [FILEAPI]

      The `GET` method restriction serves no useful purpose other than being interoperable.

   3. Let requestEnvironment be the result of determining the environment given request.

   4. Let isTopLevelNavigation be true if request’s destination is "document"; otherwise, false.

   5. If isTopLevelNavigation is false and requestEnvironment is null, then return a network error.

   6. Let navigationOrEnvironment be the string "navigation" if isTopLevelNavigation is true; otherwise, requestEnvironment.

   7. Let blob be the result of obtaining a blob object given blobURLEntry and navigationOrEnvironment.

   8. If blob is not a Blob object, then return a network error.

   9. Let response be a new response.

   10. Let fullLength be blob’s size.

   11. Let serializedFullLength be fullLength, serialized and isomorphic encoded.

   12. Let type be blob’s type.

   13. If request’s header list does not contain `Range`:

       1. Let bodyWithType be the result of safely extracting blob.

       2. Set response’s status message to `OK`.

       3. Set response’s body to bodyWithType’s body.

       4. Set response’s header list to « (`Content-Length`, serializedFullLength), (`Content-Type`, type) ».

   14. Otherwise:

       1. Set response’s range-requested flag.

       2. Let rangeHeader be the result of getting `Range` from request’s header list.

       3. Let rangeValue be the result of parsing a single range header value given rangeHeader and true.

       4. If rangeValue is failure, then return a network error.

       5. Let (rangeStart, rangeEnd) be rangeValue.

       6. If rangeStart is null:

          1. Set rangeStart to fullLength − rangeEnd.

          2. Set rangeEnd to rangeStart + rangeEnd − 1.

       7. Otherwise:

          1. If rangeStart is greater than or equal to fullLength, then return a network error.

          2. If rangeEnd is null or rangeEnd is greater than or equal to fullLength, then set rangeEnd to fullLength − 1.

       8. Let slicedBlob be the result of invoking slice blob given blob, rangeStart, rangeEnd + 1, and type.

          A range header denotes an inclusive byte range, while the slice blob algorithm input range does not. To use the slice blob algorithm, we have to increment rangeEnd.

       9. Let slicedBodyWithType be the result of safely extracting slicedBlob.

       10. Set response’s body to slicedBodyWithType’s body.

       11. Let serializedSlicedLength be slicedBlob’s size, serialized and isomorphic encoded.

       12. Let contentRange be the result of invoking build a content range given rangeStart, rangeEnd, and fullLength.

       13. Set response’s status to 206.

       14. Set response’s status message to `Partial Content`.

       15. Set response’s header list to « (`Content-Length`, serializedSlicedLength), (`Content-Type`, type), (`Content-Range`, contentRange) ».

   15. Return response.

   "data"

   1. Let dataURLStruct be the result of running the data: URL processor on request’s current URL.

   2. If dataURLStruct is failure, then return a network error.

   3. Let mimeType be dataURLStruct’s MIME type, serialized.

   4. Return a new response whose status message is `OK`, header list is « (`Content-Type`, mimeType) », and body is dataURLStruct’s body as a body.

   "file"

   For now, unfortunate as it is, file: URLs are left as an exercise for the reader.

   When in doubt, return a network error.

   HTTP(S) scheme

   Return the result of running HTTP fetch given fetchParams.

4. Return a network error.

To determine the environment, given a request request:

1. If request’s reserved client is non-null, then return request’s reserved client.

2. If request’s client is non-null, then return request’s client.

3. Return null.

To HTTP fetch, given a fetch params fetchParams and an optional boolean makeCORSPreflight (default false), run these steps:

1. Let request be fetchParams’s request.

2. Let response and internalResponse be null.

3. If request’s service-workers mode is "all", then:

   1. Let requestForServiceWorker be a clone of request.

   2. If requestForServiceWorker’s body is non-null, then:

      1. Let transformStream be a new TransformStream.

      2. Let transformAlgorithm given chunk be these steps:

         1. If fetchParams is canceled, then abort these steps.

         2. If chunk is not a Uint8Array object, then terminate fetchParams’s controller.

         3. Otherwise, enqueue chunk in transformStream. The user agent may split the chunk into implementation-defined practical sizes and enqueue each of them. The user agent also may concatenate the chunks into an implementation-defined practical size and enqueue it.

      3. Set up transformStream with transformAlgorithm set to transformAlgorithm.

      4. Set requestForServiceWorker’s body’s stream to the result of requestForServiceWorker’s body’s stream piped through transformStream.

   3. Let serviceWorkerStartTime be the coarsened shared current time given fetchParams’s cross-origin isolated capability.

   4. Set response to the result of invoking handle fetch for requestForServiceWorker, with fetchParams’s controller and fetchParams’s cross-origin isolated capability. [HTML] [SW]

   5. If response is non-null, then:

      1. Set fetchParams’s timing info’s final service worker start time to serviceWorkerStartTime.

      2. If request’s body is non-null, then cancel request’s body with undefined.

      3. Set internalResponse to response, if response is not a filtered response; otherwise to response’s internal response.

      4. If one of the following is true

         • response’s type is "error"

         • request’s mode is "same-origin" and response’s type is "cors"

         • request’s mode is not "no-cors" and response’s type is "opaque"

         • request’s redirect mode is not "manual" and response’s type is "opaqueredirect"
         • request’s redirect mode is not "follow" and response’s URL list has more than one item.

         then return a network error.

4. If response is null, then:

   1. If makeCORSPreflight is true and one of these conditions is true:

      • There is no method cache entry match for request’s method using request, and either request’s method is not a CORS-safelisted method or request’s use-CORS-preflight flag is set.

      • There is at least one item in the CORS-unsafe request-header names with request’s header list for which there is no header-name cache entry match using request.

      Then:

      1. Let preflightResponse be the result of running CORS-preflight fetch given request.

      2. If preflightResponse is a network error, then return preflightResponse.

      This step checks the CORS-preflight cache and if there is no suitable entry it performs a CORS-preflight fetch which, if successful, populates the cache. The purpose of the CORS-preflight fetch is to ensure the fetched resource is familiar with the CORS protocol. The cache is there to minimize the number of CORS-preflight fetches.

   2. If request’s redirect mode is "follow", then set request’s service-workers mode to "none".

      Redirects coming from the network (as opposed to from a service worker) are not to be exposed to a service worker.

   3. Set response and internalResponse to the result of running HTTP-network-or-cache fetch given fetchParams.

   4. If request’s response tainting is "cors" and a CORS check for request and response returns failure, then return a network error.

      As the CORS check is not to be applied to responses whose status is 304 or 407, or responses from a service worker for that matter, it is applied here.

   5. If the TAO check for request and response returns failure, then set request’s timing allow failed flag.

5. If either request’s response tainting or response’s type is "opaque", and the cross-origin resource policy check with request’s origin, request’s client, request’s destination, and internalResponse returns blocked, then return a network error.

   The cross-origin resource policy check runs for responses coming from the network and responses coming from the service worker. This is different from the CORS check, as request’s client and the service worker can have different embedder policies.

6. If internalResponse’s status is a redirect status:

   1. If internalResponse’s status is not 303, request’s body is non-null, and the connection uses HTTP/2, then user agents may, and are even encouraged to, transmit an RST_STREAM frame.

      303 is excluded as certain communities ascribe special status to it.

   2. Switch on request’s redirect mode:

      "error"

      1. Set response to a network error.

      "manual"

      1. If request’s mode is "navigate", then set fetchParams’s controller’s next manual redirect steps to run HTTP-redirect fetch given fetchParams and response.

      2. Otherwise, set response to an opaque-redirect filtered response whose internal response is internalResponse.

      "follow"

      1. Set response to the result of running HTTP-redirect fetch given fetchParams and response.

7. Return response. Typically internalResponse’s body’s stream is still being enqueued to after returning.