@@ -133,7 +133,14 @@ server-side runtimes, and on the long term to upstream those changes into the WH
133133<p> The changes from the WHATWG spec so far are:
134134
135135<ul>
136- <li><p> (none)
136+ <li><p> Added [[#conformance-classes]] to describe the various types of runtimes implementing this
137+ fork.
138+
139+ <li><p> Made the <a>forbidden request-header</a> and <a>forbidden response-header name</a>
140+ definitions dependent on whether the user agent <a>supports CORS</a> and
141+ <a lt="support cookies">cookies</a> . This affects the headers of <a>basic filtered responses</a> ,
142+ as well as <a for=Headers lt=validate>validation</a> in {{Headers}} objects. The behavior for web
143+ browsers doesn't change.
137144</ul>
138145
139146<p class=XXX> Please update this list as new changes are added.
@@ -143,9 +150,6 @@ server-side runtimes, and on the long term to upstream those changes into the WH
143150<ul>
144151 <li><p> Remove CORS restrictions for runtimes with no concept of origins.
145152
146- <li><p> Specify how headers are filtered in {{Request}} and {{Response}} instances in various
147- runtimes.
148-
149153 <li><p> Specify how relative URLs resolve in {{fetch}} and the {{Request}} constructor for runtimes
150154 without a concept of <a>API base URL</a> .
151155
@@ -202,6 +206,32 @@ exposes most of the networking functionality at a fairly low level of abstractio
202206
203207
204208
209+ <h2 id=conformance-classes>Conformance classes</h2>
210+
211+ <p> This specification applies to any <a spec="infra">user agent</a> that chooses to implement it.
212+ However, different types of user agent have different needs in regards to fetching, and so this
213+ specification defines different categories among which implementers might fall.
214+
215+ <p> A user agent implementing this specification:
216+
217+ <dl>
218+ <dt> <dfn>supports CORS</dfn> </dt>
219+ <dd> if it has a concept of an <a for=/>origin</a> which the current EcmaScript execution context
220+ runs in, and which defines a security boundary with code and data from other origins. [[!HTML]]
221+ [[ORIGIN]]
222+
223+ <dt> <dfn>supports cookies</dfn> </dt>
224+ <dd> if it supports the user agent requirements of [[!COOKIES]] . For the purposes of this
225+ specification, user agents which don't <a>support cookies</a> must act as if they were configured
226+ to block cookies for all requests and responses (see
227+ <a href=https://httpwg.org/specs/rfc6265.html#privacy-considerations>section 7</a> of
228+ [[!COOKIES]] )).
229+ </dl>
230+
231+ <p class=note> Web browsers support both CORS and cookies.
232+
233+
234+
205235<h2 id=infrastructure>Infrastructure</h2>
206236
207237<p> This specification depends on the Infra Standard. [[!INFRA]]
@@ -1177,20 +1207,14 @@ is a <a>byte-case-insensitive</a> match for one of
11771207 <ul class=brief>
11781208 <li> `<code> Accept-Charset</code> `
11791209 <li> `<code> Accept-Encoding</code> `
1180- <li> `<a http-header><code>Access-Control-Request-Headers</code></a> `
1181- <li> `<a http-header><code>Access-Control-Request-Method</code></a> `
11821210 <li> `<code> Connection</code> `
11831211 <li> `<code> Content-Length</code> `
1184- <li> `<code> Cookie</code> `
1185- <li> `<code> Cookie2</code> `
11861212 <li> `<code> Date</code> `
11871213 <li> `<code> DNT</code> `
11881214 <li> `<code> Expect</code> `
11891215 <li> `<code> Host</code> `
11901216 <li> `<code> Keep-Alive</code> `
1191- <li> `<a http-header><code>Origin</code></a> `
11921217 <li> `<code> Referer</code> `
1193- <li> `<code> Set-Cookie</code> `
11941218 <li> `<code> TE</code> `
11951219 <li> `<code> Trailer</code> `
11961220 <li> `<code> Transfer-Encoding</code> `
@@ -1200,6 +1224,30 @@ is a <a>byte-case-insensitive</a> match for one of
12001224
12011225 <p> then return true.
12021226
1227+ <li>
1228+ <p> If the user agent <a>supports CORS</a> and <var> name</var> is a <a>byte-case-insensitive</a>
1229+ match for one of:
1230+
1231+ <ul class=brief>
1232+ <li> `<a http-header><code>Access-Control-Request-Headers</code></a> `
1233+ <li> `<a http-header><code>Access-Control-Request-Method</code></a> `
1234+ <li> `<a http-header><code>Origin</code></a> `
1235+ </ul>
1236+
1237+ <p> then return true.
1238+
1239+ <li>
1240+ <p> If the user agent <a>supports cookies</a> and <var> name</var> is a <a>byte-case-insensitive</a>
1241+ match for one of:
1242+
1243+ <ul class=brief>
1244+ <li> `<code> Cookie</code> `
1245+ <li> `<code> Cookie2</code> `
1246+ <li> `<code> Set-Cookie</code> `
1247+ </ul>
1248+
1249+ <p> then return true.
1250+
12031251 <li><p> If <var> name</var> when <a>byte-lowercased</a> <a for="byte sequence">starts with</a>
12041252 `<code> proxy-</code> ` or `<code> sec-</code> `, then return true.
12051253
@@ -1239,13 +1287,16 @@ is a <a>byte-case-insensitive</a> match for one of
12391287</div>
12401288</div>
12411289
1242- <p> A <dfn export>forbidden response-header name</dfn> is a <a for=/>header name</a> that is a
1243- <a>byte-case-insensitive</a> match for one of:
1290+ <div algorithm>
1291+ <p> A <a for=/>header name</a> <var> name</var> is a <dfn export>forbidden response-header name</dfn>
1292+ if the user agent <a>supports cookies</a> and <var> name</var> is a <a>byte-case-insensitive</a>
1293+ match for one of:
12441294
12451295<ul class=brief>
12461296 <li> `<code> Set-Cookie</code> `
12471297 <li> `<code> Set-Cookie2</code> `
12481298</ul>
1299+ </div>
12491300
12501301<p> A <dfn export>request-body-header name</dfn> is a <a for=/>header name</a> that is a
12511302<a>byte-case-insensitive</a> match for one of:
0 commit comments