Overview.html

<!DOCTYPE html><html lang="en-US"><meta charset="utf-8">
<title>Fetch Standard</title>
<link href="https://resources.whatwg.org/standard.css" rel="stylesheet">
<link href="https://resources.whatwg.org/logo-fetch.svg" rel="icon">

<div class="head">

<p><a class="logo" href="https://whatwg.org/"><img alt="WHATWG" height="100" src="https://resources.whatwg.org/logo-fetch.svg" width="100"></a>
<h1 id="cors">Fetch</h1>
<h2 class="no-num no-toc" id="living-standard-—-last-updated-27-july-2016">Living Standard — Last Updated 27 July 2016</h2>

<dl>
 <dt>Participate:
 <dd><a href="https://github.com/whatwg/fetch">GitHub whatwg/fetch</a>
 (<a href="https://github.com/whatwg/fetch/issues/new">file an issue</a>,
 <a href="https://github.com/whatwg/fetch/issues">open issues</a>,
 <a href="https://www.w3.org/Bugs/Public/buglist.cgi?product=WHATWG&amp;component=Fetch&amp;resolution=---">legacy open bugs</a>)
 <dd><a href="https://wiki.whatwg.org/wiki/IRC">IRC: #whatwg on Freenode</a>

 <dt>Commits:
 <dd><a href="https://github.com/whatwg/fetch/commits">GitHub whatwg/fetch/commits</a>
 <dd><a href="https://twitter.com/fetchstandard">@fetchstandard</a>

 <dt>Translation <small>(non-normative)</small>:
 <dd title="Japanese"><a href="https://triple-underscore.github.io/Fetch-ja.html" hreflang="ja" lang="ja" rel="alternative">日本語</a>
</dl>

<script async="" src="https://resources.whatwg.org/file-issue.js"></script>
<script defer="" id="head" src="https://resources.whatwg.org/dfn.js"></script>

</div>



<h2 class="no-num no-toc short" id="abstract">Abstract</h2>

<p>The Fetch standard defines requests, responses, and the process that binds them:
fetching.



<h2 class="no-num no-toc" id="table-of-contents">Table of Contents</h2>

<!--begin-toc-->
<ol class="toc">
 <li><a class="no-num short" href="#goals">Goals</a></li>
 <li><a class="short" href="#preface"><span class="secno">1 </span>Preface</a></li>
 <li><a class="short" href="#conformance"><span class="secno">2 </span>Conformance</a></li>
 <li><a href="#infrastructure"><span class="secno">3 </span>Infrastructure</a>
  <ol>
   <li><a href="#http"><span class="secno">3.1 </span>HTTP</a>
    <ol>
     <li><a href="#methods"><span class="secno">3.1.1 </span>Methods</a></li>
     <li><a href="#terminology-headers"><span class="secno">3.1.2 </span>Headers</a></li>
     <li><a href="#statuses"><span class="secno">3.1.3 </span>Statuses</a></li>
     <li><a href="#bodies"><span class="secno">3.1.4 </span>Bodies</a></li>
     <li><a href="#requests"><span class="secno">3.1.5 </span>Requests</a></li>
     <li><a href="#responses"><span class="secno">3.1.6 </span>Responses</a></ol></li>
   <li><a href="#authentication-entries"><span class="secno">3.2 </span>Authentication entries</a></li>
   <li><a href="#fetch-groups"><span class="secno">3.3 </span>Fetch groups</a></li>
   <li><a href="#connections"><span class="secno">3.4 </span>Connections</a></li>
   <li><a href="#port-blocking"><span class="secno">3.5 </span>Port blocking</a></li>
   <li><a href="#should-response-to-request-be-blocked-due-to-mime-type?"><span class="secno">3.6 </span>Should
<var>response</var> to <var>request</var> be blocked due to its MIME type?</a></li>
   <li><a href="#referrer-policies"><span class="secno">3.7 </span>Referrer policies</a></li>
   <li><a href="#client-hints-list"><span class="secno">3.8 </span>Client hints list</a></li>
   <li><a href="#streams"><span class="secno">3.9 </span>Streams</a>
    <ol>
     <li><a href="#readablestream"><span class="secno">3.9.1 </span>ReadableStream</a></ol></ol></li>
 <li><a href="#http-extensions"><span class="secno">4 </span>HTTP extensions</a>
  <ol>
   <li><a href="#origin-header"><span class="secno">4.1 </span>`<code title="">Origin</code>` header</a></li>
   <li><a href="#http-cors-protocol"><span class="secno">4.2 </span>CORS protocol</a>
    <ol>
     <li><a href="#general"><span class="secno">4.2.1 </span>General</a></li>
     <li><a href="#http-requests"><span class="secno">4.2.2 </span>HTTP requests</a></li>
     <li><a href="#http-responses"><span class="secno">4.2.3 </span>HTTP responses</a></li>
     <li><a href="#http-new-header-syntax"><span class="secno">4.2.4 </span>HTTP new-header syntax</a></li>
     <li><a href="#cors-protocol-and-credentials"><span class="secno">4.2.5 </span>CORS protocol and credentials</a></li>
     <li><a href="#cors-protocol-examples"><span class="secno">4.2.6 </span>Examples</a></ol></li>
   <li><a href="#x-content-type-options-header"><span class="secno">4.3 </span>`<code title="">X-Content-Type-Options</code>` header</a>
    <ol>
     <li><a href="#should-response-to-request-be-blocked-due-to-nosniff?"><span class="secno">4.3.1 </span>Should
<var>response</var> to <var>request</var> be blocked due to nosniff?</a></ol></ol></li>
 <li><a href="#fetching"><span class="secno">5 </span>Fetching</a>
  <ol>
   <li><a href="#main-fetch"><span class="secno">5.1 </span>Main fetch</a></li>
   <li><a href="#basic-fetch"><span class="secno">5.2 </span>Basic fetch</a></li>
   <li><a href="#http-fetch"><span class="secno">5.3 </span>HTTP fetch</a></li>
   <li><a href="#http-redirect-fetch"><span class="secno">5.4 </span>HTTP-redirect fetch</a></li>
   <li><a href="#http-network-or-cache-fetch"><span class="secno">5.5 </span>HTTP-network-or-cache fetch</a></li>
   <li><a href="#http-network-fetch"><span class="secno">5.6 </span>HTTP-network fetch</a></li>
   <li><a href="#cors-preflight-fetch"><span class="secno">5.7 </span>CORS-preflight fetch</a></li>
   <li><a href="#cors-preflight-cache"><span class="secno">5.8 </span>CORS-preflight cache</a></li>
   <li><a href="#cors-check"><span class="secno">5.9 </span>CORS check</a></ol></li>
 <li><a href="#fetch-api"><span class="secno">6 </span>Fetch API</a>
  <ol>
   <li><a href="#headers-class"><span class="secno">6.1 </span>Headers class</a></li>
   <li><a href="#body-mixin"><span class="secno">6.2 </span>Body mixin</a></li>
   <li><a href="#request-class"><span class="secno">6.3 </span>Request class</a></li>
   <li><a href="#response-class"><span class="secno">6.4 </span>Response class</a></li>
   <li><a href="#structured-cloning-of-headers,-request,-and-response-objects"><span class="secno">6.5 </span>Structured cloning of <code>Headers</code>, <code>Request</code>, and <code>Response</code> objects</a></li>
   <li><a href="#fetch-method"><span class="secno">6.6 </span>Fetch method</a></li>
   <li><a href="#garbage-collection"><span class="secno">6.7 </span>Garbage collection</a></ol></li>
 <li><a href="#websocket-protocol"><span class="secno">7 </span>WebSocket protocol alterations</a>
  <ol>
   <li><a href="#websocket-connections"><span class="secno">7.1 </span>Connections</a></li>
   <li><a href="#websocket-opening-handshake"><span class="secno">7.2 </span>Opening handshake</a></ol></li>
 <li><a class="no-num" href="#background-reading">Background reading</a>
  <ol>
   <li><a class="no-num" href="#http-header-layer-division">HTTP header layer division</a></li>
   <li><a class="no-num" href="#atomic-http-redirect-handling">Atomic HTTP redirect handling</a></li>
   <li><a class="no-num" href="#basic-safe-cors-protocol-setup">Basic safe CORS protocol setup</a></li>
   <li><a class="no-num" href="#cors-protocol-and-http-caches">CORS protocol and HTTP caches</a></ol></li>
 <li><a class="no-num" href="#references">References</a></li>
 <li><a class="no-num" href="#acknowledgments">Acknowledgments</a></ol>
<!--end-toc-->



<h2 class="no-num short" id="goals">Goals</h2>

<p>To unify fetching across the web platform this specification supplants a number of algorithms and
specifications:

<ul class="brief no-backref">
 <li>HTML Standard's fetch and potentially CORS-enabled fetch algorithms
 <a class="informative" href="#refsHTML">[HTML]</a>
 <li>CORS <a class="informative" href="#refsCORS">[CORS]</a>
 <li>HTTP `<a href="#http-origin"><code title="http-origin">Origin</code></a>` header semantics
 <a class="informative" href="#refsORIGIN">[ORIGIN]</a>
</ul>

<p>Unifying fetching provides consistent handling of:

<ul class="brief">
 <li>URL schemes
 <li>Redirects
 <li>Cross-origin semantics
 <li>CSP <a href="#refsCSP">[CSP]</a>
 <li>Service workers <a href="#refsSW">[SW]</a>
 <li>Mixed Content <a href="#refsMIX">[MIX]</a>
 <li>`<code title="">Referer</code>` <a href="#refsREFERRER">[REFERRER]</a>
</ul>



<h2 class="short" id="preface"><span class="secno">1 </span>Preface</h2>

<p>At a high level, fetching a resource is a fairly simple operation. A request goes in, a
response comes out. <!--You can't explain that! -->The details of that operation are
however quite involved and used to not be written down carefully and differ from one API
to the next.

<p>Numerous APIs provide the ability to fetch a resource, e.g. HTML's <code>img</code> and
<code>script</code> element, CSS' <code>cursor</code> and <code>list-style-image</code>,
the <code>navigator.sendBeacon()</code> and <code>self.importScripts()</code> JavaScript
APIs. The Fetch Standard provides a unified architecture for these features so they are
all consistent when it comes to various aspects of fetching, such as redirects and the
CORS protocol.

<p>The Fetch Standard also defines the <a href="#dom-global-fetch"><code title="dom-global-fetch">fetch()</code></a>
JavaScript API, which exposes most of the networking functionality at a fairly low level
of abstraction.



<h2 class="short" id="conformance"><span class="secno">2 </span>Conformance</h2>

<p>All diagrams, examples, and notes in this specification are
non-normative, as are all sections explicitly marked non-normative.
Everything else in this specification is normative.

<p>The key words "MUST", "MUST NOT", "REQUIRED", <!--"SHALL", "SHALL
NOT",--> "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in the normative parts of this specification are to be
interpreted as described in RFC2119. For readability, these words do
not appear in all uppercase letters in this specification.
<a href="#refsRFC2119">[RFC2119]</a>



<h2 id="infrastructure"><span class="secno">3 </span>Infrastructure</h2>

<p>This specification uses terminology from the ABNF, Encoding, HTML, IDL, Streams, and URL Standards.
<a href="#refsABNF">[ABNF]</a>
<a href="#refsENCODING">[ENCODING]</a>
<a href="#refsHTML">[HTML]</a>
<a href="#refsWEBIDL">[WEBIDL]</a>
<a href="#refsSTREAMS">[STREAMS]</a>
<a href="#refsURL">[URL]</a>

<p>A <a class="external" data-anolis-spec="encoding" href="https://encoding.spec.whatwg.org/#byte">byte</a> sequence with bytes in the range 0x00 to
0x7F, inclusive, is represented as a <a class="external" data-anolis-spec="encoding" href="https://encoding.spec.whatwg.org/#utf-8">utf-8</a>-encoded
<a class="external" data-anolis-spec="encoding" href="https://encoding.spec.whatwg.org/#string">string</a> with code points in the range U+0000 to
U+007F, inclusive. To avoid confusion with an actual string, backticks are used.

<p class="example">"<code title="">true</code>" is a
<a class="external" data-anolis-spec="encoding" href="https://encoding.spec.whatwg.org/#string">string</a>, while `<code title="">true</code>` is a
byte sequence.

<p>Comparing two byte sequences in a <dfn id="byte-case-insensitive">byte-case-insensitive</dfn> manner means
comparing them exactly, byte for byte, except that the bytes in the range 0x41 to 0x5A,
inclusive, are considered to also match their corresponding byte in the range 0x61 to
0x7A, inclusive.

<p>A <dfn id="case-insensitive-byte-sequence">case-insensitive byte sequence</dfn> is a byte sequence that when compared to
another byte sequence does so in a <a href="#byte-case-insensitive">byte-case-insensitive</a> manner.

<p class="example">The
<a href="#case-insensitive-byte-sequence" title="case-insensitive byte sequence">case-insensitive byte sequences</a>
`<code title="">Content-Type</code>` and `<code title="">content-TYPE</code>` are equal.

<p>To <dfn id="byte-lowercase">byte-lowercase</dfn> a byte sequence, increase each byte it contains, in the
range 0x41 to 0x5A, inclusive, by 0x20.

<p>To <dfn id="byte-uppercase">byte-uppercase</dfn> a byte sequence, subtract each byte it contains, in the
range 0x61 to 0x7A, inclusive, by 0x20.

<hr>

<p id="fetch-url">A <dfn id="response-url">response URL</dfn> is a
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URL</a> for which implementations need not store the
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-fragment" title="concept-url-fragment">fragment</a> as it is never exposed. When
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-serializer" title="concept-url-serializer">serialized</a>, the
<i title="">exclude fragment flag</i> is set, meaning implementations can store the
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-fragment" title="concept-url-fragment">fragment</a> nonetheless.

<hr>

<p><dfn id="credentials">Credentials</dfn> are HTTP cookies, TLS client certificates, and
<a href="#authentication-entry" title="authentication entry">authentication entries</a>.

<hr>

<p><a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-task" title="concept-task">Tasks</a> that are
<a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#queue-a-task" title="queue a task">queued</a> by this standard are annotated as one
of:

<ul class="brief">
 <li><dfn id="process-request-body">process request body</dfn>
 <li id="process-request-end-of-file"><dfn id="process-request-end-of-body">process request end-of-body</dfn>
 <li><dfn id="process-response">process response</dfn>
 <li id="process-response-end-of-file"><dfn id="process-response-end-of-body">process response end-of-body</dfn>
</ul>

<p>To <dfn id="queue-a-fetch-task">queue a fetch task</dfn> on <a href="#concept-request" title="concept-request">request</a>
<var>request</var> to <var>run an operation</var>, run these steps:

<ol>
 <li><p>If <var>request</var>'s <a href="#concept-request-client" title="concept-request-client">client</a> is
 null, terminate these steps.

 <li><p><a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#queue-a-task">Queue a task</a> to
 <var>run an operation</var> on <var>request</var>'s
 <a href="#concept-request-client" title="concept-request-client">client</a>'s
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#responsible-event-loop">responsible event loop</a> using the
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#networking-task-source">networking task source</a>.
</ol>

<p>To <dfn id="queue-a-fetch-request-done-task">queue a fetch-request-done task</dfn>, given a <var>request</var>,
<a href="#queue-a-fetch-task">queue a fetch task</a> on <var>request</var> to <a href="#process-request-end-of-body">process request end-of-body</a>
for <var>request</var>.

<hr>

<p>To <dfn id="read-a-request">read a <var>request</var></dfn>, if <var>request</var>'s
<a href="#concept-request-body" title="concept-request-body">body</a> is non-null, whenever
<var>request</var>'s <a href="#concept-request-body" title="concept-request-body">body</a> is read from (i.e.
is transmitted or read by script), increase <var>request</var>'s
<a href="#concept-request-body" title="concept-request-body">body</a>'s
<a href="#concept-body-transmitted" title="concept-body-transmitted">transmitted bytes</a> with the amount of payload body
bytes transmitted and then <a href="#queue-a-fetch-task">queue a fetch task</a> on <var>request</var> to
<a href="#process-request-body">process request body</a> for <var>request</var>.
<!-- XXX xref "read", "payload body" -->


<h3 id="http"><span class="secno">3.1 </span>HTTP</h3>

<p>While <a href="#concept-fetch" title="concept-fetch">fetching</a> encompasses more than just HTTP, it
borrows a number of concepts from HTTP and applies these to resources obtained via other
means (e.g., <code title="">data</code> URLs).

<p>The <dfn id="http-whitespace-bytes">HTTP whitespace bytes</dfn> are 0x09, 0x0A, 0x0D, and 0x20.

<p>An <dfn id="concept-https-state-value" title="concept-https-state-value">HTTPS state value</dfn> is "<code title="">none</code>",
"<code title="">deprecated</code>", or "<code title="">modern</code>".

<p class="note no-backref">A <a href="#concept-response" title="concept-response">response</a> delivered over HTTPS will
typically have its <a href="#concept-response-https-state" title="concept-response-https-state">HTTPS state</a> set to
"<code title="">modern</code>". A user agent can use "<code title="">deprecated</code>" in a transition
period. E.g., while removing support for a hash function, weak cypher suites, certificates for an
"Internal Name", or certificates with an overly long validity period. How exactly a user agent can
use "<code title="">deprecated</code>" is not defined by this specification. An
<a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object">environment settings object</a> typically derives its
<a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#https-state">HTTPS state</a> from a <a href="#concept-response" title="concept-response">response</a>.


<h4 id="methods"><span class="secno">3.1.1 </span>Methods</h4>

<p>A <dfn id="concept-method" title="concept-method">method</dfn> is a byte sequence that matches the
<a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.1.1">method</a> token production.

<p id="simple-method">A <dfn id="cors-safelisted-method">CORS-safelisted method</dfn> is a
<a href="#concept-method" title="concept-method">method</a> that is `<code title="">GET</code>`,
`<code title="">HEAD</code>`, or `<code title="">POST</code>`.

<p>A <dfn id="forbidden-method">forbidden method</dfn> is a <a href="#concept-method" title="concept-method">method</a> that is a
<a href="#byte-case-insensitive">byte-case-insensitive</a> match for `<code title="">CONNECT</code>`,
`<code title="">TRACE</code>`, or `<code title="">TRACK</code>`.
<a class="informative" href="#refsHTTPVERBSEC">[HTTPVERBSEC]</a>

<p>To <dfn id="concept-method-normalize" title="concept-method-normalize">normalize</dfn> a
<a href="#concept-method" title="concept-method">method</a>, if it is a <a href="#byte-case-insensitive">byte-case-insensitive</a>
match for `<code title="">DELETE</code>`, `<code title="">GET</code>`,
`<code title="">HEAD</code>`, `<code title="">OPTIONS</code>`, `<code title="">POST</code>`, or
`<code title="">PUT</code>`, <a href="#byte-uppercase">byte-uppercase</a> it.

<p class="note no-backref"><a href="#concept-method-normalize" title="concept-method-normalize">Normalization</a> is
done for backwards compatibility and consistency across APIs as
<a href="#concept-method" title="concept-method">methods</a> are actually "case-sensitive".

<p class="example">Using `<code title="">patch</code>` is highly likely to result in a
`<code title="">405 Method Not Allowed</code>`. `<code title="">PATCH</code>` is much more likely to
succeed.

<p class="note no-backref">There are no restrictions on <a href="#concept-method" title="concept-method">methods</a>.
`<code title="">CHICKEN</code>` is perfectly acceptable (and not a misspelling of
`<code title="">CHECKIN</code>`). Other than those that are
<a href="#concept-method-normalize" title="concept-method-normalize">normalized</a> there are no casing restrictions either.
`<code title="">Egg</code>` or `<code title="">eGg</code>` would be fine, though uppercase is encouraged
for consistency.


<h4 id="terminology-headers"><span class="secno">3.1.2 </span>Headers</h4>

<p>A <dfn id="concept-header-list" title="concept-header-list">header list</dfn> consists of zero or more
<a href="#concept-header" title="concept-header">headers</a>.

<p class="note no-backref">A <a href="#concept-header-list" title="concept-header-list">header list</a> is essentially a
specialized multimap. An ordered list of key-value pairs with potentially duplicate keys.

<p>To <dfn id="concept-header-list-append" title="concept-header-list-append">append</dfn> a
<a href="#concept-header-name" title="concept-header-name">name</a>/<a href="#concept-header-value" title="concept-header-value">value</a>
(<var>name</var>/<var>value</var>) pair to a
<a href="#concept-header-list" title="concept-header-list">header list</a> (<var>list</var>), append a new
<a href="#concept-header" title="concept-header">header</a> whose <a href="#concept-header-name" title="concept-header-name">name</a>
is <var>name</var>, <a href="#byte-lowercase" title="byte-lowercase">byte-lowercased</a>, and
<a href="#concept-header-value" title="concept-header-value">value</a> is <var>value</var>, to
<var>list</var>.

<p>To <dfn id="concept-header-list-delete" title="concept-header-list-delete">delete</dfn> a
<a href="#concept-header-name" title="concept-header-name">name</a> (<var>name</var>) from a
<a href="#concept-header-list" title="concept-header-list">header list</a> (<var>list</var>), remove all
<a href="#concept-header" title="concept-header">headers</a> whose
<a href="#concept-header-name" title="concept-header-name">name</a> is <var>name</var>,
<a href="#byte-lowercase" title="byte-lowercase">byte-lowercased</a>, from <var>list</var>.

<p>To <dfn id="concept-header-list-set" title="concept-header-list-set">set</dfn> a
<a href="#concept-header-name" title="concept-header-name">name</a>/<a href="#concept-header-value" title="concept-header-value">value</a>
(<var>name</var>/<var>value</var>) pair in a
<a href="#concept-header-list" title="concept-header-list">header list</a> (<var>list</var>), run these
steps:

<ol>
 <li><p><a href="#byte-lowercase">Byte-lowercase</a> <var>name</var>.

 <li><p>If there are any <a href="#concept-header" title="concept-header">headers</a> in
 <var>list</var> whose <a href="#concept-header-name" title="concept-header-name">name</a> is
 <var>name</var>, set the <a href="#concept-header-value" title="concept-header-value">value</a> of the first
 such <a href="#concept-header" title="concept-header">header</a> to <var>value</var> and remove the
 others.

 <li><p>Otherwise, append a new <a href="#concept-header" title="concept-header">header</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is <var>name</var> and
 <a href="#concept-header-value" title="concept-header-value">value</a> is <var>value</var>, to
 <var>list</var>.
</ol>

<p>To <dfn id="concept-header-list-combine" title="concept-header-list-combine">combine</dfn> a
<a href="#concept-header-name" title="concept-header-name">name</a>/<a href="#concept-header-value" title="concept-header-value">value</a>
(<var>name</var>/<var>value</var>) pair in a
<a href="#concept-header-list" title="concept-header-list">header list</a> (<var>list</var>), run these
steps:

<ol>
 <li><p><a href="#byte-lowercase">Byte-lowercase</a> <var>name</var>.

 <li><p>If there are any <a href="#concept-header" title="concept-header">headers</a> in <var>list</var> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is <var>name</var>, set the
 <a href="#concept-header-value" title="concept-header-value">value</a> of the first such
 <a href="#concept-header" title="concept-header">header</a> to its <a href="#concept-header-value" title="concept-header-value">value</a>,
 followed by 0x2C 0x20, followed by <var>value</var>.

 <li><p>Otherwise, append a new <a href="#concept-header" title="concept-header">header</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is <var>name</var> and
 <a href="#concept-header-value" title="concept-header-value">value</a> is <var>value</var>, to
 <var>list</var>.
</ol>

<p class="note no-backref"><a href="#concept-header-list-combine" title="concept-header-list-combine">Combine</a> is used by
<a href="https://xhr.spec.whatwg.org/#xmlhttprequest"><code class="external" data-anolis-spec="xhr">XMLHttpRequest</code></a> and the
<a href="#concept-websocket-establish" title="concept-websocket-establish">WebSocket protocol handshake</a>.

<p>To <dfn id="concept-header-list-sort-and-combine" title="concept-header-list-sort-and-combine">sort and combine</dfn> a
<a href="#concept-header-list" title="concept-header-list">header list</a> (<var>list</var>), run these steps:

<ol>
 <li><p>Let <var>headers</var> be an empty list of
 <a href="#concept-header-name" title="concept-header-name">name</a>-<a href="#concept-header-value" title="concept-header-value">value</a> pairs
 with the key being the <a href="#concept-header-name" title="concept-header-name">name</a> and value the
 <a href="#concept-header-value" title="concept-header-value">value</a>.

 <li><p>Let <var>names</var> be all the <a href="#concept-header-name" title="concept-header-name">names</a> of the
 <a href="#concept-header" title="concept-header">headers</a> in <var>list</var>, with duplicates removed, and sorted
 lexicographically.

 <li>
  <p>For each <var>name</var> in <var>names</var>, run these substeps:

  <ol>
   <li><p>Let <var>value</var> be the
   <a href="#concept-header-value-combined" title="concept-header-value-combined">combined value</a> given <var>name</var> and
   <var>list</var>.

   <li><p>Append <var>name</var>-<var>value</var> to <var>headers</var>.
  </ol>

 <li><p>Return <var>headers</var>.
</ol>

<hr>

<p>A <dfn id="concept-header" title="concept-header">header</dfn> consists of a
<dfn id="concept-header-name" title="concept-header-name">name</dfn> and <dfn id="concept-header-value" title="concept-header-value">value</dfn>.
A <a href="#concept-header-name" title="concept-header-name">name</a> is a
<a href="#case-insensitive-byte-sequence">case-insensitive byte sequence</a> that matches the
<a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.2">field-name</a> token production. A
<a href="#concept-header-value" title="concept-header-value">value</a> is a byte sequence that matches the
<a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.2">field-content</a> token production.

<p class="note no-backref"><a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.2">field-value</a> allows 0x0A and
0x0D bytes which can lead to reparsing issues.

<p>To <dfn id="concept-header-value-normalize" title="concept-header-value-normalize">normalize</dfn> a
<a href="#concept-header-value" title="concept-header-value">value</a>, remove any leading and trailing
<a href="#http-whitespace-bytes">HTTP whitespace bytes</a> from it.

<p>A <dfn id="concept-header-value-combined" title="concept-header-value-combined">combined value</dfn>, given a
<a href="#concept-header-name" title="concept-header-name">name</a> (<var>name</var>) and
<a href="#concept-header-list" title="concept-header-list">header list</a> (<var>list</var>), is the
<a href="#concept-header-value" title="concept-header-value">values</a> of all <a href="#concept-header" title="concept-header">headers</a> in
<var>list</var> whose <a href="#concept-header-name" title="concept-header-name">name</a> is <var>name</var>, separated from
each other by `<code title="">,</code>`, in order.

<hr>

<p id="simple-header">A <dfn id="cors-safelisted-request-header">CORS-safelisted request-header</dfn> is a
<a href="#concept-header" title="concept-header">header</a> whose <a href="#concept-header-name" title="concept-header-name">name</a> is one of

<ul class="brief">
 <li>`<code title="">Accept</code>`
 <li>`<code title="">Accept-Language</code>`
 <li>`<code title="">Content-Language</code>`
 <li>`<code title="">Content-Type</code>` and whose <a href="#concept-header-value" title="concept-header-value">value</a>,
 <a href="#concept-header-parse" title="concept-header-parse">once parsed</a>, has a MIME type (ignoring parameters)
 that is `<code title="">application/x-www-form-urlencoded</code>`,
 `<code title="">multipart/form-data</code>`, or `<code title="">text/plain</code>`
</ul>
<!-- XXX * needs better xref
         * ignoring parameters has been the standard for a long time now
         * interesting test: "Content-Type: text/plain;" -->

<p>or whose <a href="#concept-header-name" title="concept-header-name">name</a> is one of

<ul class="brief">
 <li>`<code title=""><a href="http://httpwg.org/http-extensions/client-hints.html#dpr">DPR</a></code>`
 <li>`<code title=""><a href="http://httpwg.org/http-extensions/client-hints.html#downlink">Downlink</a></code>`
 <li>`<code title=""><a href="http://httpwg.org/http-extensions/client-hints.html#save-data">Save-Data</a></code>`
 <li>`<code title=""><a href="http://httpwg.org/http-extensions/client-hints.html#viewport-width">Viewport-Width</a></code>`
 <li>`<code title=""><a href="http://httpwg.org/http-extensions/client-hints.html#width">Width</a></code>`
</ul>

<p>and whose <a href="#concept-header-value" title="concept-header-value">value</a>,
<a href="#concept-header-parse" title="concept-header-parse">once parsed</a>, is not a failure.

<p>A <dfn id="cors-non-wildcard-request-header-name">CORS non-wildcard request-header name</dfn> is `<code title="">Authorization</code>`.

<p>A <dfn id="cors-safelisted-response-header-name">CORS-safelisted response-header name</dfn>, given a
<a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>
<var>list</var>, is a <a href="#concept-header" title="concept-header">header</a>
<a href="#concept-header-name" title="concept-header-name">name</a> that is one of

<ul class="brief">
 <li>`<code title="">Cache-Control</code>`
 <li>`<code title="">Content-Language</code>`
 <li>`<code title="">Content-Type</code>`
 <li>`<code title="">Expires</code>`
 <li>`<code title="">Last-Modified</code>`
 <li>`<code title="">Pragma</code>`
 <li>Any <a href="#concept-header-value" title="concept-header-value">value</a> in <var>list</var> that is not a
 <a href="#forbidden-response-header-name">forbidden response-header name</a>.
</ul>

<p>A <dfn id="forbidden-header-name">forbidden header name</dfn> is a <a href="#concept-header" title="concept-header">header</a>
<a href="#concept-header-name" title="concept-header-name">name</a> that is one of

<ul class="brief">
 <li>`<code title="">Accept-Charset</code>`
 <li>`<code title="">Accept-Encoding</code>`
 <li>`<code title="">Access-Control-Request-Headers</code>`
 <li>`<code title="">Access-Control-Request-Method</code>`
 <li>`<code title="">Connection</code>`
 <li>`<code title="">Content-Length</code>`
 <li>`<code title="">Cookie</code>`
 <li>`<code title="">Cookie2</code>`
 <li>`<code title="">Date</code>`
 <li>`<code title="">DNT</code>`
 <li>`<code title="">Expect</code>`
 <li>`<code title="">Host</code>`
 <li>`<code title="">Keep-Alive</code>`
 <li>`<a href="#http-origin"><code title="http-origin">Origin</code></a>`
 <li>`<code title="">Referer</code>`
 <li>`<code title="">TE</code>`
 <li>`<code title="">Trailer</code>`
 <li>`<code title="">Transfer-Encoding</code>`
 <li>`<code title="">Upgrade</code>`
 <li>`<code title="">Via</code>`
</ul>

<p>or a <a href="#concept-header" title="concept-header">header</a> <a href="#concept-header-name" title="concept-header-name">name</a> that
starts with `<code title="">Proxy-</code>` or `<code title="">Sec-</code>` (including being just
`<code title="">Proxy-</code>` or `<code title="">Sec-</code>`).

<p class="note">These are forbidden so the user agent remains in full control over them.
<a href="#concept-header-name" title="concept-header-name">Names</a> starting with `<code title="">Sec-</code>` are
reserved to allow new <a href="#concept-header" title="concept-header">headers</a> to be minted that are safe
from APIs using <a href="#concept-fetch" title="concept-fetch">fetch</a> that allow control over
<a href="#concept-header" title="concept-header">headers</a> by developers, such as
<a href="https://xhr.spec.whatwg.org/#xmlhttprequest"><code class="external" data-anolis-spec="xhr">XMLHttpRequest</code></a>.
<a class="informative" href="#refsXHR">[XHR]</a>

<p>A <dfn id="forbidden-response-header-name">forbidden response-header name</dfn> is a <a href="#concept-header" title="concept-header">header</a>
<a href="#concept-header-name" title="concept-header-name">name</a> that is one of:

<ul class="brief">
 <li>`<code title="">Set-Cookie</code>`
 <li>`<code title="">Set-Cookie2</code>`
</ul>

<hr>

<p>To <dfn id="concept-header-parse" title="concept-header-parse">parse a header value</dfn> given a
<a href="#concept-header-name" title="concept-header-name">name</a> (<var>name</var>)  and a
<a href="#concept-header" title="concept-header">header</a> or a <a href="#concept-header-list" title="concept-header-list">header list</a>
(<var>headers</var>), run these steps:

<ol>
 <li><p>If <var>name</var> is not in <var>headers</var>, return null.

 <li>
  <p>If the ABNF for <var>name</var> allows a single
  <a href="#concept-header" title="concept-header">header</a> and <var>headers</var> contains more than
  one, return failure.

  <p class="note no-backref">If different error handling is required, extract the desired
  <a href="#concept-header" title="concept-header">header</a> first.

 <li><p>If parsing all the <a href="#concept-header" title="concept-header">headers</a>
 <a href="#concept-header-name" title="concept-header-name">named</a> <var>name</var> in
 <var>headers</var>, per the ABNF for <var>name</var>, failed, return failure.

 <li><p>Return one or more <a href="#concept-header-value" title="concept-header-value">values</a> resulting from
 parsing all the <a href="#concept-header" title="concept-header">headers</a>
 <a href="#concept-header-name" title="concept-header-name">named</a> <var>name</var> in
 <var>headers</var>, per the ABNF for <var>name</var>.
</ol>

<p>To <dfn id="concept-header-extract-mime-type" title="concept-header-extract-MIME-type">extract a MIME type</dfn> from a
<a href="#concept-header-list" title="concept-header-list">header list</a> (<var>headers</var>), run these
steps:

<ol>
 <li><p>Let <var>MIMEType</var> be the result of
 <a href="#concept-header-parse" title="concept-header-parse">parsing</a> `<code title="">Content-Type</code>` in
 <var>headers</var>.

 <li><p>If <var>MIMEType</var> is null or failure, return the empty byte sequence.

 <li><p>Return <var>MIMEType</var>,
 <a href="#byte-lowercase" title="byte-lowercase">byte-lowercased</a>.
</ol>

<hr>

<p>A <dfn id="default-user-agent-value">default `<code>User-Agent</code>` value</dfn> is a
user-agent-defined <a href="#concept-header-value" title="concept-header-value">value</a> for the
`<code title="http-user-agent">User-Agent</code>` <a href="#concept-header" title="concept-header">header</a>.

<h4 id="statuses"><span class="secno">3.1.3 </span>Statuses</h4>

<p>A <dfn id="concept-status">status</dfn> is a code.

<p>A <dfn id="null-body-status">null body status</dfn> is a <a href="#concept-status">status</a> that is <code>101</code>,
<code>204</code>, <code>205</code>, or <code>304</code>.

<p>An <dfn id="ok-status">ok status</dfn> is any <a href="#concept-status">status</a> in the range <code>200</code> to
<code>299</code>, inclusive.

<p>A <dfn id="redirect-status">redirect status</dfn> is a <a href="#concept-status">status</a> that is <code>301</code>, <code>302</code>,
<code>303</code>, <code>307</code>, or <code>308</code>.

<h4 id="bodies"><span class="secno">3.1.4 </span>Bodies</h4>

<p>A <dfn id="concept-body" title="concept-body">body</dfn> consists of:

<ul>
 <li>
  <p>A <dfn id="concept-body-stream" title="concept-body-stream">stream</dfn> (a
  <a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object).

  <p class="XXX"><a href="https://github.com/whatwg/streams/issues/379">This might become a
  <code>ReadableByteStream</code> object</a>. While the type might change, the behavior specified
  will be equivalent since the hypothetical <code title="">ReadableByteStream</code> object will have
  the same members as the <a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object has today.

 <li><p>A <dfn id="concept-body-transmitted" title="concept-body-transmitted">transmitted bytes</dfn> (an integer), initially 0.

 <li><p>A <dfn id="concept-body-total-bytes" title="concept-body-total-bytes">total bytes</dfn> (an integer), initially 0.
</ul>

<p>A <a href="#concept-body" title="concept-body">body</a> <var>body</var> is said to be
<dfn id="concept-body-done" title="concept-body-done">done</dfn> if <var>body</var> is null or <var>body</var>'s
<a href="#concept-body-stream" title="concept-body-stream">stream</a> is
<a href="#concept-readablestream-closed" title="concept-ReadableStream-closed">closed</a> or
<a href="#concept-readablestream-errored" title="concept-ReadableStream-errored">errored</a>.

<p>To <dfn id="concept-body-wait" title="concept-body-wait">wait</dfn> for a <a href="#concept-body" title="concept-body">body</a>
<var>body</var>, wait for <var>body</var> to be <a href="#concept-body-done" title="concept-body-done">done</a>.

<p>To <dfn id="concept-body-clone" title="concept-body-clone">clone</dfn> a <a href="#concept-body" title="concept-body">body</a>
<var>body</var>, run these steps:

<ol>
 <li><p>Let «<var>out1</var>, <var>out2</var>» be the result of
 <a href="#concept-tee-readablestream" title="concept-tee-ReadableStream">teeing</a> <var>body</var>'s
 <a href="#concept-body-stream" title="concept-body-stream">stream</a>. Rethrow any exceptions.

 <li><p>Set <var>body</var>'s <a href="#concept-body-stream" title="concept-body-stream">stream</a> to <var>out1</var>.

 <li><p>Return a <a href="#concept-body" title="concept-body">body</a> whose
 <a href="#concept-body-stream" title="concept-body-stream">stream</a> is <var>out2</var> and other members are copied from
 <var>body</var>.
</ol>

<p>To <dfn id="handle-content-codings">handle content codings</dfn> given <var>codings</var> and
<var>bytes</var>, run these substeps:

<ol>
 <li><p>If <var>codings</var> are not supported, return <var>bytes</var>.

 <li><p>Return the result of decoding bytes with the given
 <var>codings</var> as explained in HTTP. <a href="#refsHTTP">[HTTP]</a>
</ol>
<!-- XXX no hook in HTTP -->

<h4 id="requests"><span class="secno">3.1.5 </span>Requests</h4>

<p>The input to <a href="#concept-fetch" title="concept-fetch">fetch</a> is a
<dfn id="concept-request" title="concept-request">request</dfn>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-method" title="concept-request-method">method</dfn> (a
<a href="#concept-method" title="concept-method">method</a>). Unless stated otherwise it is
`<code title="">GET</code>`.

<p class="note no-backref">This can be updated during redirects to `<code title="">GET</code>` as
described in <a href="#concept-http-fetch" title="concept-http-fetch">HTTP fetch</a>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-url" title="concept-request-url">url</dfn> (a
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URL</a>).

<p class="note no-backref">Implementations are encouraged to make this a pointer to the first
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URL</a> in
<a href="#concept-request" title="concept-request">request</a>'s <a href="#concept-request-url-list" title="concept-request-url-list">url list</a>.
It is provided as a distinct field solely for the convenience of other standards hooking into Fetch.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="local-urls-only-flag">local-URLs-only flag</dfn>. Unless stated otherwise it is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="sandboxed-storage-area-urls-flag">sandboxed-storage-area-URLs flag</dfn>. Unless stated otherwise it is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-header-list" title="concept-request-header-list">header list</dfn> (a
<a href="#concept-header-list" title="concept-header-list">header list</a>). Unless stated otherwise it is empty.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="unsafe-request-flag">unsafe-request flag</dfn>. Unless stated otherwise it is unset.

<p class="note no-backref">The <a href="#unsafe-request-flag">unsafe-request flag</a> is set by APIs such as
<a href="#dom-global-fetch"><code title="dom-global-fetch">fetch()</code></a>  and
<a href="https://xhr.spec.whatwg.org/#xmlhttprequest"><code class="external" data-anolis-spec="xhr">XMLHttpRequest</code></a> to ensure a
<a href="#cors-preflight-fetch-0">CORS-preflight fetch</a> is done based on the supplied
<a href="#concept-request-method" title="concept-request-method">method</a> and
<a href="#concept-request-header-list" title="concept-request-header-list">header list</a>. It does not free an API from
outlawing <a href="#forbidden-method" title="forbidden method">forbidden methods</a> and
<a href="#forbidden-header-name" title="forbidden header name">forbidden header names</a>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-body" title="concept-request-body">body</dfn> (null or a
<a href="#concept-body" title="concept-body">body</a>). Unless stated otherwise it is null.

<p class="note no-backref">This can be updated during redirects to null as described in
<a href="#concept-http-fetch" title="concept-http-fetch">HTTP fetch</a>.

<hr>

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-client" title="concept-request-client">client</dfn> (null or an
<a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object">environment settings object</a>).

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-window" title="concept-request-window">window</dfn> ("<code>no-window</code>",
"<code>client</code>", or an
<a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object">environment settings object</a> whose
<a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global" title="concept-settings-object-global">global object</a> is a
<a href="https://html.spec.whatwg.org/multipage/browsers.html#window"><code class="external" data-anolis-spec="html">Window</code></a> object). Unless stated otherwise it is
"<code>client</code>".

<p class="note no-backref">The "<code>client</code>" value is changed to "<code>no-window</code>" or
<a href="#concept-request" title="concept-request">request</a>'s <a href="#concept-request-client" title="concept-request-client">client</a> during
<a href="#concept-fetch" title="concept-fetch">fetching</a>. It provides a convenient way for standards to not have to
explicitly set <a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-window" title="concept-request-window">window</a>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-target-browsing-context" title="concept-request-target-browsing-context">target browsing context</dfn> (null or a
<a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context">browsing context</a>). Unless stated otherwise it is null.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="keep-alive-flag">keep-alive flag</dfn>. Unless stated otherwise it is unset.

<p class="note no-backref">This is used by <code>navigator.sendBeacon</code> and the HTML
<code>img</code> element to outlive the
<a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object">environment settings object</a>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="skip-service-worker-flag">skip-service-worker flag</dfn>. Unless stated otherwise it is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-initiator" title="concept-request-initiator">initiator</dfn>, which is
the empty string,
"<code title="">download</code>",
"<code title="">imageset</code>",
"<code title="">manifest</code>", or
"<code title="">xslt</code>". Unless stated otherwise it is the empty string.

<p class="note no-backref">A <a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-initiator" title="concept-request-initiator">initiator</a> is not particularly granular for
the time being as other specifications do not require it to. It is primarily a
specification device to assist defining CSP and Mixed Content. It is not exposed to
JavaScript. <a href="#refsCSP">[CSP]</a> <a href="#refsMIX">[MIX]</a>

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-type" title="concept-request-type">type</dfn>, which is
the empty string,
"<code title="">audio</code>",
"<code title="">font</code>",
"<code title="">image</code>",
"<code title="">script</code>",
"<code title="">style</code>",
"<code title="">track</code>", or
"<code title="">video</code>". Unless stated otherwise it is the empty string.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-destination" title="concept-request-destination">destination</dfn>, which is
the empty string,
"<code title="">document</code>",
"<code title="">embed</code>",
"<code title="">font</code>",
"<code title="">image</code>",
"<code title="">manifest</code>",
"<code title="">media</code>",
"<code title="">object</code>",
"<code title="">report</code>",
"<code title="">script</code>",
"<code title="">serviceworker</code>",
"<code title="">sharedworker</code>",
"<code title="">style</code>",
"<code title="">worker</code>", or
"<code title="">xslt</code>". Unless stated otherwise it is the empty string.

<div class="note">
 <p>The following table illustrates the relationship between a
 <a href="#concept-request" title="concept-request">request</a>'s
 <a href="#concept-request-initiator" title="concept-request-initiator">initiator</a>,
 <a href="#concept-request-type" title="concept-request-type">type</a>,
 <a href="#concept-request-destination" title="concept-request-destination">destination</a>, CSP directives, and features.

 <table>
  <tr>
   <th><a href="#concept-request-initiator" title="concept-request-initiator">Initiator</a>
   <th><a href="#concept-request-type" title="concept-request-type">Type</a>
   <th><a href="#concept-request-destination" title="concept-request-destination">Destination</a>
   <th>CSP directive
   <th>Features
  <tr>
   <td rowspan="16">""
   <td rowspan="6">""
   <td>"<code title="">report</code>"
   <td rowspan="2">?
   <td>CSP, NEL reports.
  <tr>
   <td>"<code title="">document</code>"
   <td>HTML's navigate algorithm.
  <tr>
   <td>"<code title="">document</code>"
   <td><code title="">child-src</code>
   <td>HTML's <code>&lt;iframe&gt;</code> and <code>&lt;frame&gt;</code>
  <tr>
   <td>""
   <td><code title="">connect-src</code>
   <td><code>navigator.sendBeacon()</code>, <code>EventSource</code>,
   HTML's <code>ping=""</code>, <a href="#dom-global-fetch"><code title="dom-global-fetch">fetch()</code></a>,
   <code>XMLHttpRequest</code>, <code>WebSocket</code>, Cache API?
  <tr>
   <td>"<code title="">object</code>"
   <td><code title="">object-src</code>
   <td>HTML's <code>&lt;object&gt;</code>
  <tr>
   <td>"<code title="">embed</code>"
   <td><code title="">object-src</code>
   <td>HTML's <code>&lt;embed&gt;</code>
  <tr>
   <td>"<code title="">audio</code>"
   <td>"<code title="">media</code>"
   <td><code title="">media-src</code>
   <td>HTML's <code>&lt;audio&gt;</code>
  <tr>
   <td>"<code title="">font</code>"
   <td>"<code title="">font</code>"
   <td><code title="">font-src</code>
   <td>CSS' <code>@font-face</code>
  <tr>
   <td>"<code title="">image</code>"
   <td>"<code title="">image</code>"
   <td><code title="">img-src</code>
   <td>HTML's <code>&lt;img src&gt;</code>, <code title="">/favicon.ico</code> resource,
   SVG's <code>&lt;image&gt;</code>, CSS' <code>background-image</code>, CSS'
   <code>cursor</code>, CSS' <code>list-style-image</code>, …
  <tr>
   <td rowspan="4">"<code title="">script</code>"
   <td>"<code title="">script</code>"
   <td><code title="">script-src</code>
   <td>HTML's <code>&lt;script&gt;</code>, <code>importScripts()</code>
  <tr>
   <td>"<code title="">serviceworker</code>"
   <td>?
   <td><code title="">navigator.serviceWorker.register()</code>
  <tr>
   <td>"<code title="">sharedworker</code>"
   <td><code title="">child-src</code>
   <td><code>SharedWorker</code>
  <tr>
   <td>"<code title="">worker</code>"
   <td><code title="">child-src</code>
   <td><code>Worker</code>
  <tr>
   <td>"<code title="">style</code>"
   <td>"<code title="">style</code>"
   <td><code title="">style-src</code>
   <td>HTML's <code>&lt;link rel=stylesheet&gt;</code>, CSS' <code>@import</code>
  <tr>
   <td>"<code title="">track</code>"
   <td>"<code title="">media</code>"
   <td><code title="">media-src</code>
   <td>HTML's <code>&lt;track&gt;</code>
  <tr>
   <td>"<code title="">video</code>"
   <td>"<code title="">media</code>"
   <td><code title="">media-src</code>
   <td>HTML's <code>&lt;video&gt;</code> element
  <tr>
   <td>"<code title="">download</code>"
   <td>""
   <td>""
   <td>?
   <td>HTML's <code>download=""</code>, "Save Link As…" UI
  <tr>
   <td>"<code title="">imageset</code>"
   <td>"<code title="">image</code>"
   <td>"<code title="">image</code>"
   <td><code title="">img-src</code>
   <td>HTML's <code>&lt;img srcset&gt;</code> and <code>&lt;picture&gt;</code>
  <tr>
   <td>"<code title="">manifest</code>"
   <td rowspan="2">""
   <td>"<code title="">manifest</code>"
   <td><code title="">manifest-src</code>
   <td>HTML's <code>&lt;link rel=manifest&gt;</code>
  <tr>
   <td>"<code title="">xslt</code>"
   <td>"<code title="">xslt</code>"
   <td><code title="">script-src</code>
   <td><code>&lt;?xml-stylesheet&gt;</code>
 </table>

 <p>CSP's <code>form-action</code> needs to be a hook directly in HTML's navigate or form
 submission algorithm.

 <p>CSP will also need to check
 <a href="#concept-request" title="concept-request">request</a>'s
 <a href="#concept-request-client" title="concept-request-client">client</a>'s
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context">browsing context</a>'s
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#ancestor-browsing-context" title="ancestor browsing context">ancestor browsing contexts</a>
  for various CSP directives.
</div>

<hr>

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-priority" title="concept-request-priority">priority</dfn> (null or a user-agent-defined object).
Unless otherwise stated it is null.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-origin" title="concept-request-origin">origin</dfn>, which is "<code>client</code>" or an
<a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#origin">origin</a>. Unless stated otherwise it is "<code>client</code>".

<p class="note no-backref">"<code>client</code>" is changed to an
<a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#origin">origin</a> during <a href="#concept-fetch" title="concept-fetch">fetching</a>. It
provides a convenient way for standards to not have to set
<a href="#concept-request" title="concept-request">request</a>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a>.
<a href="#concept-request" title="concept-request">Request</a>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a> can be
changed during redirects too.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="omit-origin-header-flag">omit-<code>Origin</code>-header flag</dfn>. Unless stated otherwise it is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="same-origin-data-url-flag">same-origin data-URL flag</dfn>. Unless stated otherwise it is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-referrer" title="concept-request-referrer">referrer</dfn>, which is "<code>no-referrer</code>",
"<code>client</code>", or a <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URL</a>.
Unless stated otherwise it is "<code>client</code>".

<p class="note no-backref">"<code>client</code>" is changed to "<code>no-referrer</code>" or a
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URL</a> during
<a href="#concept-fetch" title="concept-fetch">fetching</a>. It provides a convenient way for standards to not have to
set <a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-referrer" title="concept-request-referrer">referrer</a>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-referrer-policy" title="concept-request-referrer-policy">referrer policy</dfn>, which is a
<a href="#concept-referrer-policy" title="concept-referrer-policy">referrer policy</a>. Unless stated otherwise it is
the empty string.

<p class="note no-backref">This can be used to override a referrer policy associated with
an <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object">environment settings object</a>.
<a href="#refsREFERRER">[REFERRER]</a>

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-client-hints-list" title="concept-request-client-hints-list">client hints list</dfn>, which is a
<a href="#concept-client-hints-list" title="concept-client-hints-list">client-hints list</a>. Unless stated otherwise, it is
the empty list.

<p class="note no-backref">This will be used to override a client hints list associated with
an <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object">environment settings object</a>.
<a href="#refsCLIENT-HINTS">[CLIENT-HINTS]</a>

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="synchronous-flag">synchronous flag</dfn>. Unless stated otherwise it is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-mode" title="concept-request-mode">mode</dfn>, which is "<code title="">same-origin</code>",
"<code title="">cors</code>", "<code title="">no-cors</code>", "<code title="">navigate</code>", or
"<code title="">websocket</code>". Unless stated otherwise, it is "<code title="">no-cors</code>".

<p class="note no-backref">Even though the default <a href="#concept-request" title="concept-request">request</a>
<a href="#concept-request-mode" title="concept-request-mode">mode</a> is "<code title="">no-cors</code>", standards are highly
discouraged from using it for new features. It is rather unsafe. "<code title="">navigate</code>" and
"<code title="">websocket</code>" are special values for the HTML Standard.
<a href="#refsHTML">[HTML]</a>

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="use-cors-preflight-flag">use-CORS-preflight flag</dfn>. Unless stated otherwise, it is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</dfn>, which is
"<code title="">omit</code>", "<code title="">same-origin</code>", or
"<code title="">include</code>". Unless stated otherwise, it is "<code title="">omit</code>".

<p class="note no-backref"><a href="#concept-request" title="concept-request">Request</a>'s
<a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> controls the flow of
<a href="#credentials">credentials</a> during a <a href="#concept-fetch" title="concept-fetch">fetch</a>. When
<a href="#concept-request" title="concept-request">request</a>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is
"<code title="">navigate</code>", its
<a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is assumed to be
"<code title="">include</code>" and <a href="#concept-fetch" title="concept-fetch">fetch</a> does not currently account
for other values. If <cite>HTML</cite> changes here, this standard will need corresponding changes.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-use-url-credentials-flag" title="concept-request-use-url-credentials-flag">use-URL-credentials flag</dfn>.
Unless stated otherwise, it is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-cache-mode" title="concept-request-cache-mode">cache mode</dfn>, which is "<code title="">default</code>",
"<code title="">no-store</code>", "<code title="">reload</code>", "<code title="">no-cache</code>",
"<code title="">force-cache</code>", or "<code title="">only-if-cached</code>". Unless stated otherwise,
it is "<code title="">default</code>".

<div class="note no-backref">
 <dl>
  <dt>"<code title="">default</code>"
  <dd><a href="#concept-fetch" title="concept-fetch">Fetch</a> will inspect the HTTP cache on the way to the network.
  If there is a fresh response it will be used. If there is a stale response a conditional request
  will be created, and a normal request otherwise. It then updates the HTTP cache with the response.
  <a href="#refsHTTP">[HTTP]</a>

  <dt>"<code title="">no-store</code>"
  <dd>Fetch behaves as if there is no HTTP cache at all.

  <dt>"<code title="">reload</code>"
  <dd>Fetch behaves as if there is no HTTP cache on the way to the network. Ergo, it creates a
  normal request and updates the HTTP cache with the response.

  <dt>"<code title="">no-cache</code>"
  <dd>Fetch creates a conditional request if there is a response in the HTTP cache and a normal
  request otherwise. It then updates the HTTP cache with the response.

  <dt>"<code title="">force-cache</code>"
  <dd>Fetch uses any response in the HTTP cache matching the request, not paying attention to
  staleness. If there was no response, it creates a normal request and updates the HTTP cache with
  the response.

  <dt>"<code title="">only-if-cached</code>"
  <dd>Fetch uses any response in the HTTP cache matching the request, not paying attention to
  staleness. If there was no response, it returns a network error. (Can only be used when
  <a href="#concept-request" title="concept-request">request</a>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is
  "<code title="">same-origin</code>". Any cached redirects will be followed assuming
  <a href="#concept-request" title="concept-request">request</a>'s
  <a href="#concept-request-redirect-mode" title="concept-request-redirect-mode">redirect mode</a> is "<code>follow</code>" and the
  redirects do not violate <a href="#concept-request" title="concept-request">request</a>'s
  <a href="#concept-request-mode" title="concept-request-mode">mode</a>.)
 </dl>

 <p>If <a href="#concept-request-header-list" title="concept-request-header-list">header list</a> contains a
 <a href="#concept-header" title="concept-header">header</a> whose <a href="#concept-header-name" title="concept-header-name">name</a> is one
 of
 `<code title="">If-Modified-Since</code>`,
 `<code title="">If-None-Match</code>`,
 `<code title="">If-Unmodified-Since</code>`,
 `<code title="">If-Match</code>`, and
 `<code title="">If-Range</code>`,
 <a href="#concept-fetch" title="concept-fetch">fetch</a> will set
 <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> to "<code title="">no-store</code>" if it is
 "<code title="">default</code>".
</div>

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-redirect-mode" title="concept-request-redirect-mode">redirect mode</dfn>, which is
"<code title="">follow</code>", "<code title="">error</code>", or "<code title="">manual</code>".
Unless stated otherwise, it is "<code title="">follow</code>".

<p>A <a href="#concept-request" title="concept-request">request</a> has associated
<dfn id="concept-request-integrity-metadata" title="concept-request-integrity-metadata">integrity metadata</dfn> (a string). Unless
stated otherwise, it is the empty string.

<p>A <a href="#concept-request" title="concept-request">request</a> has associated
<dfn id="concept-request-nonce-metadata" title="concept-request-nonce-metadata">cryptographic nonce metadata</dfn> (a string). Unless
stated otherwise, it is the empty string.

<p>A <a href="#concept-request" title="concept-request">request</a> has associated
<dfn id="concept-request-parser-metadata" title="concept-request-parser-metadata">parser metadata</dfn> which is the empty string,
"<code title="">parser-inserted</code>", or "<code title="">not-parser-inserted</code>". Unless
otherwise stated, it is the empty string.

<p class="note no-backref">A <a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-url-list" title="concept-request-url-list">cryptographic nonce metadata</a> and
<a href="#concept-request-parser-metadata" title="concept-request-parser-metadata">parser metadata</a> are generally populated from
attributes and flags on the HTML element responsible for triggering a fetch. They are used by
various algorithms in <a href="#refsCSP">[CSP]</a> to determine whether requests or responses
should be blocked in a given context.

<hr>

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-url-list" title="concept-request-url-list">url list</dfn> (a list of one or more
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URLs</a>). Unless stated otherwise, it is a list
containing a copy of <a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-url" title="concept-request-url">url</a>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-current-url" title="concept-request-current-url">current url</dfn>. It is a pointer to the last
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URL</a> in
<a href="#concept-request" title="concept-request">request</a>'s <a href="#concept-request-url-list" title="concept-request-url-list">url list</a>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-redirect-count" title="concept-request-redirect-count">redirect count</dfn>. Unless stated otherwise,
it is zero.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-response-tainting" title="concept-request-response-tainting">response tainting</dfn>, which is
"<code title="">basic</code>", "<code title="">cors</code>", or "<code title="">opaque</code>".
Unless stated otherwise, it is "<code title="">basic</code>".

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated <dfn id="done-flag">done flag</dfn>.
Unless stated otherwise, it is unset.

<p class="note no-backref">A <a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-url-list" title="concept-request-url-list">url list</a>,
<a href="#concept-request-current-url" title="concept-request-current-url">current url</a>,
<a href="#concept-request-redirect-count" title="concept-request-redirect-count">redirect count</a>,
<a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a>, and
<a href="#done-flag">done flag</a> are used as bookkeeping details by the
<a href="#concept-fetch" title="concept-fetch">fetch</a> algorithm.

<hr>

<p>A <dfn id="subresource-request">subresource request</dfn> is a <a href="#concept-request" title="concept-request">request</a>
whose <a href="#concept-request-destination" title="concept-request-destination">destination</a> is "<code title="">font</code>",
"<code title="">image</code>", "<code title="">manifest</code>", "<code title="">media</code>",
"<code title="">script</code>", "<code title="">style</code>", "<code title="">xslt</code>", or the empty
string.

<p>A <dfn id="potential-navigation-or-subresource-request">potential-navigation-or-subresource request</dfn> is a
<a href="#concept-request" title="concept-request">request</a> whose
<a href="#concept-request-destination" title="concept-request-destination">destination</a> is
"<code title="">object</code>" or "<code title="">embed</code>".

<p>A <dfn id="non-subresource-request">non-subresource request</dfn> is a <a href="#concept-request" title="concept-request">request</a>
whose <a href="#concept-request-destination" title="concept-request-destination">destination</a> is "<code title="">document</code>",
"<code title="">report</code>", "<code title="">serviceworker</code>", "<code title="">sharedworker</code>",
or "<code title="">worker</code>".

<p>A <dfn id="navigation-request">navigation request</dfn> is a <a href="#concept-request" title="concept-request">request</a> whose
<a href="#concept-request-destination" title="concept-request-destination">destination</a> is
"<code title="">document</code>".

<p class="note">See <a class="external" data-anolis-spec="sw" href="https://slightlyoff.github.io/ServiceWorker/spec/service_worker/#on-fetch-request-algorithm">handle fetch</a> for usage of these terms.
<a href="#refsSW">[SW]</a>

<p>To <dfn id="concept-request-clone" title="concept-request-clone">clone</dfn> a <a href="#concept-request" title="concept-request">request</a>
<var>request</var>, run these steps:

<ol>
 <li><p>Let <var>newRequest</var> be a copy of <var>request</var>, except for its
 <a href="#concept-request-body" title="concept-request-body">body</a>.

 <li><p>If <var>request</var>'s <a href="#concept-request-body" title="concept-request-body">body</a> is non-null, set
 <var>newRequest</var>'s <a href="#concept-request-body" title="concept-request-body">body</a> to the result of
 <a href="#concept-body-clone" title="concept-body-clone">cloning</a> <var>request</var>'s
 <a href="#concept-request-body" title="concept-request-body">body</a>. Rethrow any exceptions.

 <li><p>Return <var>newRequest</var>.
</ol>


<h4 id="responses"><span class="secno">3.1.6 </span>Responses</h4>

<p>The result of <a href="#concept-fetch" title="concept-fetch">fetch</a> is a
<dfn id="concept-response" title="concept-response">response</dfn>. A <a href="#concept-response" title="concept-response">response</a>
evolves over time. That is, not all its fields are available straight away.

<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
<dfn id="concept-response-type" title="concept-response-type">type</dfn> which is
"<code title="">basic</code>",
"<code title="">cors</code>",
"<code title="">default</code>",
"<code title="">error</code>",
"<code title="">opaque</code>", or
"<code title="">opaqueredirect</code>".
Unless stated otherwise, it is "<code title="">default</code>".

<p>A <a href="#concept-response" title="concept-response">response</a> can have an associated
<dfn id="concept-response-termination-reason" title="concept-response-termination-reason">termination reason</dfn> which is
<i title="">end-user abort</i>, <i title="">fatal</i>, or <i title="">timeout</i>.

<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
<dfn id="concept-response-url" title="concept-response-url">url</dfn>. It is a pointer to the last <a href="#response-url">response URL</a> in
<a href="#concept-response" title="concept-response">response</a>'s <a href="#concept-response-url-list" title="concept-response-url-list">url list</a>
and null if <a href="#concept-response" title="concept-response">response</a>'s
<a href="#concept-response-url-list" title="concept-response-url-list">url list</a> is the empty list.

<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
<dfn id="concept-response-url-list" title="concept-response-url-list">url list</dfn> (a list of zero or more
<a href="#response-url" title="response URL">response URLs</a>). Unless stated otherwise, it is the empty list.

<p class="note no-backref">Except for the last <a href="#response-url">response URL</a>, if any, a
<a href="#concept-response" title="concept-response">response</a>'s <a href="#concept-response-url-list" title="concept-response-url-list">url list</a>
cannot be exposed to script. That would violate <a href="#atomic-http-redirect-handling">atomic HTTP redirect handling</a>.

<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
<dfn id="concept-response-status" title="concept-response-status">status</dfn>, which is a <a href="#concept-status">status</a>. Unless stated
otherwise it is <code>200</code>.

<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
<dfn id="concept-response-status-message" title="concept-response-status-message">status message</dfn>. Unless stated otherwise
it is `<code title="">OK</code>`.

<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
<dfn id="concept-response-header-list" title="concept-response-header-list">header list</dfn> (a
<a href="#concept-header-list" title="concept-header-list">header list</a>). Unless stated otherwise it is empty.

<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
<dfn id="concept-response-body" title="concept-response-body">body</dfn> (null or a
<a href="#concept-body" title="concept-body">body</a>). Unless stated otherwise it is null.

<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
<dfn id="concept-response-https-state" title="concept-response-https-state">HTTPS state</dfn> (an
<a href="#concept-https-state-value" title="concept-https-state-value">HTTPS state value</a>). Unless stated otherwise, it is
"<code title="">none</code>".

<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
<dfn id="concept-response-csp-list" title="concept-response-csp-list">CSP list</dfn>, which is a list of
<a href="https://w3c.github.io/webappsec-csp/#policy">Content Security Policy objects</a>
for the <a href="#concept-response" title="concept-response">response</a>. The list is empty unless otherwise
specified. <a href="#refsCSP">[CSP]</a>

<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
<dfn id="concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</dfn> (a
list of zero or more <a href="#concept-header" title="concept-header">header</a>
<a href="#concept-header-name" title="concept-header-name">names</a>). The list is empty unless otherwise specified.

<p class="note no-backref">A <a href="#concept-response" title="concept-response">response</a> will typically get its
<a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>
set by <a href="#concept-header-parse" title="concept-header-parse">parsing</a> the
`<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>` header. This
list is used by a <a href="#concept-filtered-response-cors" title="concept-filtered-response-cors">CORS filtered response</a> to
determine which headers to expose.

<p>A <a href="#concept-response" title="concept-response">response</a> can have an associated
<dfn id="concept-response-location-url" title="concept-response-location-url">location URL</dfn> (null, failure, or a
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URL</a>). Unless specified otherwise, a
<a href="#concept-response" title="concept-response">response</a> has no
<a href="#concept-response-location-url" title="concept-response-location-url">location URL</a>.

<p class="note no-backref">This concept is used for redirect handling in Fetch and in HTML's
navigate algorithm. It ensures `<code title="">Location</code>` is
<a href="#concept-header-parse" title="concept-header-parse">parsed</a> consistently and only once.
<a href="#refsHTML">[HTML]</a>

<hr>

<p>A <a href="#concept-response" title="concept-response">response</a> whose
<a href="#concept-response-type" title="concept-response-type">type</a> is "<code title="">error</code>" is known as a
<dfn id="concept-network-error" title="concept-network-error">network error</dfn>.

<p>A <a href="#concept-network-error" title="concept-network-error">network error</a> is a
<a href="#concept-response" title="concept-response">response</a> whose
<a href="#concept-response-status" title="concept-response-status">status</a> is always <code title="">0</code>,
<a href="#concept-response-status-message" title="concept-response-status-message">status message</a> is always the empty byte sequence,
<a href="#concept-response-header-list" title="concept-response-header-list">header list</a> is always empty, and
<a href="#concept-response-body" title="concept-response-body">body</a> is always null.

<hr>

<p>A <dfn id="concept-filtered-response" title="concept-filtered-response">filtered response</dfn> is a limited view on a
<a href="#concept-response" title="concept-response">response</a> that is not a
<a href="#concept-network-error" title="concept-network-error">network error</a>. This
<a href="#concept-response" title="concept-response">response</a> is referred to as the
<a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a>'s associated
<dfn id="concept-internal-response" title="concept-internal-response">internal response</dfn>.

<p class="note no-backref">The <a href="#concept-fetch" title="concept-fetch">fetch</a> algorithm returns
such a view to ensure APIs do not accidentally leak information. If the information is
required, e.g., to feed image data to a decoder, the associated
<a href="#concept-internal-response" title="concept-internal-response">internal response</a> can be used, which is only
"accessible" to internal specification algorithms.

<p>A <dfn id="concept-filtered-response-basic" title="concept-filtered-response-basic">basic filtered response</dfn> is a
<a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a> whose
<a href="#concept-response-type" title="concept-response-type">type</a> is "<code title="">basic</code>",
<a href="#concept-response-header-list" title="concept-response-header-list">header list</a> excludes any
<a href="#concept-header" title="concept-header">headers</a> in
<a href="#concept-internal-response" title="concept-internal-response">internal response</a>'s
<a href="#concept-response-header-list" title="concept-response-header-list">header list</a> whose
<a href="#concept-header-name" title="concept-header-name">name</a> is a
<a href="#forbidden-response-header-name">forbidden response-header name</a>.

<p>A <dfn id="concept-filtered-response-cors" title="concept-filtered-response-cors">CORS filtered response</dfn> is a
<a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a> whose
<a href="#concept-response-type" title="concept-response-type">type</a> is "<code title="">cors</code>",
<a href="#concept-response-header-list" title="concept-response-header-list">header list</a> excludes any
<a href="#concept-header" title="concept-header">headers</a> in
<a href="#concept-internal-response" title="concept-internal-response">internal response</a>'s
<a href="#concept-response-header-list" title="concept-response-header-list">header list</a> whose
<a href="#concept-header-name" title="concept-header-name">name</a> is <em>not</em> a
<a href="#cors-safelisted-response-header-name">CORS-safelisted response-header name</a>, given
<a href="#concept-internal-response" title="concept-internal-response">internal response</a>'s
<a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>.

<p>An <dfn id="concept-filtered-response-opaque" title="concept-filtered-response-opaque">opaque filtered response</dfn> is a
<a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a> whose
<a href="#concept-response-type" title="concept-response-type">type</a> is "<code title="">opaque</code>",
<a href="#concept-response-url-list" title="concept-response-url-list">url list</a> is the empty list,
<a href="#concept-response-status" title="concept-response-status">status</a> is <code title="">0</code>,
<a href="#concept-response-status-message" title="concept-response-status-message">status message</a> is the empty byte sequence,
<a href="#concept-response-header-list" title="concept-response-header-list">header list</a> is the empty list, and
<a href="#concept-response-body" title="concept-response-body">body</a> is null.

<p>An <dfn id="concept-filtered-response-opaque-redirect" title="concept-filtered-response-opaque-redirect">opaque-redirect filtered response</dfn>
is a <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a> whose
<a href="#concept-response-type" title="concept-response-type">type</a> is "<code title="">opaqueredirect</code>",
<a href="#concept-response-status" title="concept-response-status">status</a> is <code title="">0</code>,
<a href="#concept-response-status-message" title="concept-response-status-message">status message</a> is the empty byte sequence,
<a href="#concept-response-header-list" title="concept-response-header-list">header list</a> is the empty list, and
<a href="#concept-response-body" title="concept-response-body">body</a> is null.

<div class="note no-backref">
 <p>Exposing the <a href="#concept-response-url-list" title="concept-response-url-list">url list</a> for
 <a href="#concept-filtered-response-opaque-redirect" title="concept-filtered-response-opaque-redirect">opaque-redirect filtered responses</a> is
 harmless since no redirects are followed.

 <p>In other words, an <a href="#concept-filtered-response-opaque" title="concept-filtered-response-opaque">opaque filtered response</a>
 and an
 <a href="#concept-filtered-response-opaque-redirect" title="concept-filtered-response-opaque-redirect">opaque-redirect filtered response</a> are
 nearly indistinguishable from a <a href="#concept-network-error" title="concept-network-error">network error</a>. When
 introducing new APIs, do not use the <a href="#concept-internal-response" title="concept-internal-response">internal response</a>
 for internal specification algorithms as you will leak information.

 <p>This also means that JavaScript APIs, such as <a href="#dom-response-ok"><code title="dom-Response-ok">response.ok</code></a>,
 will return rather useless results.</p>
</div>

<p>To <dfn id="concept-response-clone" title="concept-response-clone">clone</dfn> a <a href="#concept-response" title="concept-response">response</a>
<var>response</var>, run these steps:

<ol>
 <li><p>If <var>response</var> is a <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a>,
 return a new identical filtered response whose <a href="#concept-internal-response" title="concept-internal-response">internal
 response</a> is a <a href="#concept-response-clone" title="concept-response-clone">clone</a> of <var>response</var>'s
 <a href="#concept-internal-response" title="concept-internal-response">internal response</a>. Rethrow any exceptions.

 <li><p>Let <var>newResponse</var> be a copy of <var>response</var>, except for its
 <a href="#concept-response-body" title="concept-response-body">body</a>.

 <li><p>If <var>response</var>'s <a href="#concept-response-body" title="concept-response-body">body</a> is non-null, set
 <var>newResponse</var>'s <a href="#concept-response-body" title="concept-response-body">body</a> to the result of
 <a href="#concept-body-clone" title="concept-body-clone">cloning</a> <var>response</var>'s
 <a href="#concept-response-body" title="concept-response-body">body</a>. Rethrow any exceptions.

 <li><p>Return <var>newResponse</var>.
</ol>


<h3 id="authentication-entries"><span class="secno">3.2 </span>Authentication entries</h3>

<p>An <dfn id="authentication-entry">authentication entry</dfn> and a <dfn id="proxy-authentication-entry">proxy-authentication entry</dfn> are
tuples of username, password, and realm, associated with one or more
<a href="#concept-request" title="concept-request">requests</a>.

<p>User agents should allow both to be cleared together with HTTP cookies and similar tracking
functionality.
<!-- fingerprinting -->

<p>Further details are defined by HTTP. <a href="#refsHTTP">[HTTP]</a>


<h3 id="fetch-groups"><span class="secno">3.3 </span>Fetch groups</h3>

<p>Each <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object">environment settings object</a> has an associated
<dfn id="concept-fetch-group" title="concept-fetch-group">fetch group</dfn>.

<p>A <a href="#concept-fetch-group" title="concept-fetch-group">fetch group</a> holds an ordered list of
<dfn id="concept-fetch-record" title="concept-fetch-record">fetch records</dfn>.

<p>A <a href="#concept-fetch-record" title="concept-fetch-record">fetch record</a> has an associated
<dfn id="concept-fetch-record-request" title="concept-fetch-record-request">request</dfn> (a
<a href="#concept-request" title="concept-request">request</a>).

<p>A <a href="#concept-fetch-record" title="concept-fetch-record">fetch record</a> has an associated
<dfn id="concept-fetch-record-fetch" title="concept-fetch-record-fetch">fetch</dfn> (a
<a href="#concept-fetch" title="concept-fetch">fetch</a> algorithm or null).

<hr>

<p>When a <a href="#concept-fetch-group" title="concept-fetch-group">fetch group</a> is
<dfn id="concept-fetch-group-terminate" title="concept-fetch-group-terminate">terminated</dfn>, for each associated
<a href="#concept-fetch-record" title="concept-fetch-record">fetch record</a> whose
<a href="#concept-fetch-record-request" title="concept-fetch-record-request">request</a>'s <a href="#done-flag">done flag</a> or
<a href="#keep-alive-flag">keep-alive flag</a> is unset,
<a href="#concept-fetch-terminate" title="concept-fetch-terminate">terminate</a> the
<a href="#concept-fetch-record" title="concept-fetch-record">fetch record</a>'s
<a href="#concept-fetch-record-fetch" title="concept-fetch-record-fetch">fetch</a> with reason <i title="">fatal</i>.


<h3 id="connections"><span class="secno">3.4 </span>Connections</h3>

<p>A user agent has an associated <dfn id="concept-connection-pool" title="concept-connection-pool">connection pool</dfn>. A
<a href="#concept-connection-pool" title="concept-connection-pool">connection pool</a> consists of zero or more
<dfn id="concept-connection" title="concept-connection">connections</dfn>. Each
<a href="#concept-connection" title="concept-connection">connection</a> is identified by an <b>origin</b> (an
<a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#origin">origin</a>) and <b>credentials</b> (a boolean).

<p>To <dfn id="concept-connection-obtain" title="concept-connection-obtain">obtain a connection</dfn>, given an <var>origin</var> and
<var>credentials</var>, run these steps:

<ol>
 <li><p>If <a href="#concept-connection-pool" title="concept-connection-pool">connection pool</a> contains a
 <a href="#concept-connection" title="concept-connection">connection</a> whose <b>origin</b> is <var>origin</var> and
 <b>credentials</b> is <var>credentials</var>, return that
 <a href="#concept-connection" title="concept-connection">connection</a>.

 <li>
  <p>Let <var>connection</var> be the result of establishing an HTTP connection to
  <var>origin</var>. <a href="#refsHTTP">[HTTP]</a> <a href="#refsTLS">[TLS]</a>

  <p>If <var>credentials</var> is false, do <em>not</em> send a TLS client certificate.

  <p>If establishing a connection does not succeed (e.g., a DNS, TCP, or TLS error), return failure.

 <li><p>Add <var>connection</var> to the <a href="#concept-connection-pool" title="concept-connection-pool">connection pool</a>
 with <b>origin</b> being <var>origin</var> and <b>credentials</b> being <var>credentials</var>.

 <li><p>Return <var>connection</var>.
</ol>

<p class="note no-backref">This is intentionally a little vague as the finer points are still
evolving. Describing this helps explain the <code>&lt;link rel=preconnect&gt;</code> feature and
clearly stipulates that <a href="#concept-connection" title="concept-connection">connections</a> are keyed on
<b>credentials</b>. The latter clarifies that e.g., TLS session identifiers are not reused across
<a href="#concept-connection" title="concept-connection">connections</a> whose <b>credentials</b> are false with
<a href="#concept-connection" title="concept-connection">connections</a> whose <b>credentials</b> are true.
<!-- See https://github.com/whatwg/fetch/issues/114#issuecomment-143500095 for when we make
     WebSocket saner -->


<h3 id="port-blocking"><span class="secno">3.5 </span>Port blocking</h3>

<p>To determine whether fetching a <a href="#concept-request" title="concept-request">request</a> <var>request</var>
<dfn id="block-bad-port" title="block bad port">should be blocked due to a bad port</dfn>, run these steps:

<ol>
 <li><p>Let <var>url</var> be <var>request</var>'s
 <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>.

 <li><p>Let <var>scheme</var> be <var>url</var>'s
 <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a>.

 <li><p>Let <var>port</var> be <var>url</var>'s
 <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-port" title="concept-url-port">port</a>.

 <li><p>If <var>scheme</var> is "<code title="">ftp</code>" and <var>port</var> is 20 or 21, then
 return <b>allowed</b>.

 <li><p>Otherwise, if <var>scheme</var> is a <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#network-scheme">network scheme</a> and
 <var>port</var> is a <a href="#bad-port">bad port</a>, then return <b>blocked</b>.

 <li><p>Return <b>allowed</b>.
</ol>

<p>A <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-port" title="concept-url-port">port</a> is a <dfn id="bad-port">bad port</dfn> if it
is listed in the first column of the following table.

<table>
 <tr><th>Port<th>Typical service
 <tr><td>1<td>tcpmux
 <tr><td>7<td>echo
 <tr><td>9<td>discard
 <tr><td>11<td>systat
 <tr><td>13<td>daytime
 <tr><td>15<td>netstat
 <tr><td>17<td>qotd
 <tr><td>19<td>chargen
 <tr><td>20<td>ftp-data
 <tr><td>21<td>ftp
 <tr><td>22<td>ssh
 <tr><td>23<td>telnet
 <tr><td>25<td>smtp
 <tr><td>37<td>time
 <tr><td>42<td>name
 <tr><td>43<td>nicname
 <tr><td>53<td>domain
 <tr><td>77<td>priv-rjs
 <tr><td>79<td>finger
 <tr><td>87<td>ttylink
 <tr><td>95<td>supdup
 <tr><td>101<td>hostriame
 <tr><td>102<td>iso-tsap
 <tr><td>103<td>gppitnp
 <tr><td>104<td>acr-nema
 <tr><td>109<td>pop2
 <tr><td>110<td>pop3
 <tr><td>111<td>sunrpc
 <tr><td>113<td>auth
 <tr><td>115<td>sftp
 <tr><td>117<td>uucp-path
 <tr><td>119<td>nntp
 <tr><td>123<td>ntp
 <tr><td>135<td>loc-srv / epmap
 <tr><td>139<td>netbios
 <tr><td>143<td>imap2
 <tr><td>179<td>bgp
 <tr><td>389<td>ldap
 <tr><td>465<td>smtp+ssl
 <tr><td>512<td>print / exec
 <tr><td>513<td>login
 <tr><td>514<td>shell
 <tr><td>515<td>printer
 <tr><td>526<td>tempo
 <tr><td>530<td>courier
 <tr><td>531<td>chat
 <tr><td>532<td>netnews
 <tr><td>540<td>uucp
 <tr><td>556<td>remotefs
 <tr><td>563<td>nntp+ssl
 <tr><td>587<td>smtp
 <tr><td>601<td>syslog-conn
 <tr><td>636<td>ldap+ssl
 <tr><td>993<td>ldap+ssl
 <tr><td>995<td>pop3+ssl
 <tr><td>2049<td>nfs
 <tr><td>3659<td>apple-sasl<!-- not in Gecko, Apple addition adopted by Chrome -->
 <tr><td>4045<td>lockd
 <tr><td>6000<td>x11
 <tr><td>6665<td>irc (alternate)<!-- not in Gecko, Apple addition adopted by Chrome -->
 <tr><td>6666<td>irc (alternate)<!-- not in Gecko, Apple addition adopted by Chrome -->
 <tr><td>6667<td>irc (default)<!-- not in Gecko, Apple addition adopted by Chrome -->
 <tr><td>6668<td>irc (alternate)<!-- not in Gecko, Apple addition adopted by Chrome -->
 <tr><td>6669<td>irc (alternate)<!-- not in Gecko, Apple addition adopted by Chrome -->
</table>
<!-- http://www-archive.mozilla.org/projects/netlib/PortBanning.html -->


<h3 id="should-response-to-request-be-blocked-due-to-mime-type?"><span class="secno">3.6 </span><dfn title="should response to request be blocked due to mime type">Should
<var>response</var> to <var>request</var> be blocked due to its MIME type?</dfn></h3>

<p>Run these steps:

<ol>
 <li><p>Let <var>MIMEType</var> be the result of
 <a href="#concept-header-extract-mime-type" title="concept-header-extract-mime-type">extracting a MIME type</a> from
 <var>response</var>'s <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

 <li><p>Let <var>type</var> be <var>request</var>'s <a href="#concept-request-type" title="concept-request-type">type</a>.

 <li><p>If <var>type</var> is "<code title="">script</code>", and <var>MIMEType</var> starts with
 `<code title="">image/</code>`, then return <b title="">blocked</b>.

 <li><p>Return <b title="">allowed</b>.
</ol>


<h3 id="referrer-policies"><span class="secno">3.7 </span>Referrer policies</h3>

<p>A <dfn id="concept-referrer-policy" title="concept-referrer-policy">referrer policy</dfn> is the empty string,
"<code>no-referrer</code>", "<code>no-referrer-when-downgrade</code>", "<code>origin</code>",
"<code>origin-when-cross-origin</code>", or "<code>unsafe-url</code>".

<pre class="idl">enum <dfn id="referrerpolicy">ReferrerPolicy</dfn> {
  "",
  "no-referrer",
  "no-referrer-when-downgrade",
  "origin",
  "origin-when-cross-origin",
  "unsafe-url"
};</pre>

<p class="note">The details of referrer policies are discussed in Referrer Policy.
<a href="#refsREFERRER">[REFERRER]</a>


<h3 id="client-hints-list"><span class="secno">3.8 </span>Client hints list</h3>

<p class="note">This section will be integrated into HTTP Client Hints.
<a href="#refsCLIENT-HINTS">[CLIENT-HINTS]</a>
<!-- XXX -->

<p>A <dfn id="concept-client-hints-list" title="concept-client-hints-list">client hints list</dfn> is a list of
<a href="http://httpwg.org/http-extensions/client-hints.html#accept-ch">Client hint tokens</a>,
each of which is one of `<code title="">dpr</code>`,
`<code title="">save-data</code>`, `<code title="">viewport-width</code>`, or
`<code title="">width</code>`.


<h3 id="streams"><span class="secno">3.9 </span>Streams</h3>

<p class="note no-backref">This section might be integrated into other standards, such as IDL.

<h4 id="readablestream"><span class="secno">3.9.1 </span>ReadableStream</h4>

<p>A <dfn id="concept-readablestream" title="concept-ReadableStream">ReadableStream</dfn> object represents a
<a class="external" data-anolis-spec="streams" href="https://streams.spec.whatwg.org/#rs-class" title="readablestream">stream of data</a>. In this section, we
define common operations for ReadableStream. <a href="#refsSTREAMS">[STREAMS]</a>

<p>To <dfn id="concept-enqueue-readablestream" title="concept-enqueue-ReadableStream">enqueue</dfn> <var>chunk</var> into a
<a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object <var>stream</var>, run these steps:

<ol>
 <li><p>Call <a href="https://streams.spec.whatwg.org/#enqueue-in-readable-stream"><code class="external" data-anolis-spec="streams">EnqueueInReadableStream</code></a>(<var>stream</var>,
 <var>chunk</var>). Rethrow any exceptions.
</ol>

<p>To <dfn id="concept-close-readablestream" title="concept-close-ReadableStream">close</dfn> a
<a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object <var>stream</var>, run these steps:

<ol>
 <li><p>Call <a href="https://streams.spec.whatwg.org/#close-readable-stream"><code class="external" data-anolis-spec="streams">CloseReadableStream</code></a>(<var>stream</var>).
 Rethrow any exceptions.
</ol>

<p>To <dfn id="concept-error-readablestream" title="concept-error-ReadableStream">error</dfn> a
<a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object <var>stream</var> with given
<var>reason</var>, run these steps:

<ol>
 <li><p>Call <a href="https://streams.spec.whatwg.org/#error-readable-stream"><code class="external" data-anolis-spec="streams">ErrorReadableStream</code></a>(<var>stream</var>,
 <var>reason</var>). Rethrow any exceptions.
</ol>

<p>To <dfn id="concept-construct-readablestream" title="concept-construct-ReadableStream">construct</dfn> a
<a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object with given <var>strategy</var>,
<var>pull</var> action and <var>cancel</var> action, all of which are optional, run these steps:

<ol>
 <li><p>Let <var>init</var> be a new object.

 <li><p>Set <var>init</var>["pull"] to a function that runs <var>pull</var> if
 <var>pull</var> is given.

 <li><p>Set <var>init</var>["cancel"] to a function that runs <var>cancel</var> if
 <var>cancel</var> is given.

 <li><p>Let <var>stream</var> be the result of calling the initial value of
 <a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> as constructor with
 <var>init</var> and <var>strategy</var> if given. Rethrow any exceptions.

 <li><p>Return <var>stream</var>.
</ol>

<p>To <dfn id="concept-construct-fixed-readablestream" title="concept-construct-fixed-ReadableStream">construct</dfn> a fixed
<a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object with given <var>chunks</var>,
run these steps:

<ol>
 <li><p>Let <var>stream</var> be the result of
 <a href="#concept-construct-readablestream" title="concept-construct-ReadableStream">constructing</a> a
 <a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object. Rethrow any exceptions.

 <li><p>For each <var>chunk</var> in <var>chunks</var>,
 <a href="#concept-enqueue-readablestream" title="concept-enqueue-ReadableStream">enqueue</a> <var>chunk</var> into
 <var>stream</var>. Rethrow any exceptions.

 <li><p><a href="#concept-close-readablestream" title="concept-close-ReadableStream">Close</a> <var>stream</var>. Rethrow any
 exceptions.

 <li>Return <var>stream</var>.
</ol>

<p>To <dfn id="concept-get-reader" title="concept-get-reader">get a reader</dfn> from a
<a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object <var>stream</var>, run these steps:

<ol>
 <li><p>Let <var>reader</var> be the result of calling
 <a href="https://streams.spec.whatwg.org/#acquire-readable-stream-reader"><code class="external" data-anolis-spec="streams">AcquireReadableStreamReader</code></a>(<var>stream</var>).
 Rethrow any exceptions.

 <li><p>Return <var>reader</var>.
</ol>

<p>To <dfn id="concept-read-all-bytes-from-readablestream" title="concept-read-all-bytes-from-ReadableStream">read all bytes</dfn> from a
<a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object with <var>reader</var>, run these
steps:

<ol>
 <li><p>Let <var>promise</var> be a new promise.

 <li><p>Let <var>bytes</var> be an empty byte sequence.

 <li>
 <p>Let <var>read</var> be the result of calling
 <a href="https://streams.spec.whatwg.org/#read-from-readable-stream-reader"><code class="external" data-anolis-spec="streams">ReadFromReadableStreamReader</code></a>(<var>reader</var>).

 <ul>
  <li><p>When <var>read</var> is fulfilled with an object whose <code title="">done</code>
  property is false and whose <code title="">value</code> property is a
  <code title="">Uint8Array</code> object, append the <code title="">value</code> property to
  <var>bytes</var> and run the above step again.

  <li><p>When <var>read</var> is fulfilled with an object whose <code title="">done</code>
  property is true, resolve <var>promise</var> with <var>bytes</var>.

  <li><p>When <var>read</var> is fulfilled with a value that matches with neither of the
  above patterns, reject <var>promise</var> with a <code title="">TypeError</code>.

  <li><p>When <var>read</var> is rejected with an error, reject <var>promise</var>
  with that error.
 </ul>

 <li><p>Return <var>promise</var>.
</ol>

<p class="note no-backref">Because the reader grants exclusive access, the actual mechanism of how
to read cannot be observed. Implementations could use more direct mechanism if convenient.

<p>To <dfn id="concept-tee-readablestream" title="concept-tee-ReadableStream">tee</dfn> a
<a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object <var>stream</var>, run these steps:

<ol>
 <li><p>Return the result of calling
 <a href="https://streams.spec.whatwg.org/#tee-readable-stream"><code class="external" data-anolis-spec="streams">TeeReadableStream</code></a>(<var>stream</var>, true).
 Rethrow any exception.
</ol>

<p>An <dfn id="concept-empty-readablestream" title="concept-empty-ReadableStream">empty</dfn>
<a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object is the result of
<a href="#concept-construct-fixed-readablestream" title="concept-construct-fixed-ReadableStream">constructing</a> a fixed
<a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object with an empty list.

<p class="note no-backref">Constructing an <a href="#concept-empty-readablestream" title="concept-empty-ReadableStream">empty</a>
<a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object will not throw an exception.

<p>A <a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object <var>stream</var> is said to be
<dfn id="concept-readablestream-readable" title="concept-ReadableStream-readable">readable</dfn> if <var>stream</var>@[[state]] is
"readable".

<p>A <a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object <var>stream</var> is said to be
<dfn id="concept-readablestream-closed" title="concept-ReadableStream-closed">closed</dfn> if <var>stream</var>@[[state]] is "closed".

<p>A <a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object <var>stream</var> is said to be
<dfn id="concept-readablestream-errored" title="concept-ReadableStream-errored">errored</dfn> if <var>stream</var>@[[state]] is
"errored".

<p>A <a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object <var>stream</var> is said to be
<dfn id="concept-readablestream-locked" title="concept-ReadableStream-locked">locked</dfn> if the result of calling
<a href="https://streams.spec.whatwg.org/#is-readable-stream-locked"><code class="external" data-anolis-spec="streams">IsReadableStreamLocked</code></a>(<var>stream</var>) is true.

<p>A <a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object <var>stream</var> is said to
<dfn id="concept-readablestream-need-more-data" title="concept-ReadableStream-need-more-data">need more data</dfn> if the following conditions
hold:

<ul>
 <li><p><var>stream</var> is <a href="#concept-readablestream-readable" title="concept-ReadableStream-readable">readable</a>.

 <li><p>The result of calling
 <a href="https://streams.spec.whatwg.org/#get-readable-stream-desired-size"><code class="external" data-anolis-spec="streams">GetReadableStreamDesiredSize</code></a>(<var>stream</var>) is
 positive.
</ul>

<p>A <a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object <var>stream</var> is said to be
<dfn id="concept-readablestream-disturbed" title="concept-ReadableStream-disturbed">disturbed</dfn> if the result of calling
<a href="https://streams.spec.whatwg.org/#is-readable-stream-disturbed"><code class="external" data-anolis-spec="streams">IsReadableStreamDisturbed</code></a>(<var>stream</var>) is true.



<h2 id="http-extensions"><span class="secno">4 </span>HTTP extensions</h2>

<h3 id="origin-header"><span class="secno">4.1 </span>`<code title="">Origin</code>` header</h3>

<p>The `<dfn id="http-origin" title="http-origin"><code>Origin</code></dfn>` request
<a href="#concept-header" title="concept-header">header</a> indicates where a
<a href="#concept-fetch" title="concept-fetch">fetch</a> originates from.

<p class="note no-backref">The `<a href="#http-origin"><code title="http-origin">Origin</code></a>` header is a version
of the `<code title="http-referer">Referer</code>` [sic] header that does not reveal a
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-path" title="concept-url-path">path</a>. It is used for
all <a href="#concept-http-fetch" title="concept-http-fetch">HTTP fetches</a> whose <i title="">CORS flag</i> is
set as well as those where <a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-method" title="concept-request-method">method</a> is `<code title="">POST</code>`. Due to
compatibility constraints it is not included in all
<a href="#concept-fetch" title="concept-fetch">fetches</a>.
<!-- Ian Hickson told me Adam Barth researched that -->

<p>Its <a href="#concept-header-value" title="concept-header-value">value</a> ABNF:

<pre>Origin                           = origin-or-null

origin-or-null                   = origin / %x6E.75.6C.6C ; "null", case-sensitive
origin                           = <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> "://" <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-host" title="concept-url-host">host</a> [ ":" <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-port" title="concept-url-port">port</a> ]</pre>

<p class="note no-backref">This supplants the `<a href="#http-origin"><code title="http-origin">Origin</code></a>`
<a href="#concept-header" title="concept-header">header</a>.
<a class="informative" href="#refsORIGIN">[ORIGIN]</a>


<h3 id="http-cors-protocol"><span class="secno">4.2 </span>CORS protocol</h3>

<p>To allow sharing responses cross-origin and allow for more versatile
<a href="#concept-fetch" title="concept-fetch">fetches</a> than possible with HTML's
<a href="https://html.spec.whatwg.org/multipage/forms.html#the-form-element"><code class="external" data-anolis-spec="html">form</code></a> element, the <dfn id="cors-protocol">CORS protocol</dfn> exists. It is layered
on top of HTTP and allows responses to declare they can be shared with other
<a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#origin">origin</a>.

<p class="note">It needs to be an opt-in mechanism to prevent leaking data from responses behind a
firewall (intranets). Additionally, for <a href="#concept-request" title="concept-request">requests</a> including
<a href="#credentials">credentials</a> it needs to be opt-in to prevent leaking potentially-sensitive data.

<p>This section explains the <a href="#cors-protocol">CORS protocol</a> as it pertains to server developers.
Requirements for user agents are part of the <a href="#concept-fetch" title="concept-fetch">fetch</a> algorithm,
except for the <a href="#http-new-header-syntax">new HTTP header syntax</a>.


<h4 id="general"><span class="secno">4.2.1 </span>General</h4>

<p>The <a href="#cors-protocol">CORS protocol</a> consists of a set of headers that indicates whether a response can
be shared cross-origin.

<p>For <a href="#concept-request" title="concept-request">requests</a> that are more involved than what is possible with
HTML's <a href="https://html.spec.whatwg.org/multipage/forms.html#the-form-element"><code class="external" data-anolis-spec="html">form</code></a> element, a <a href="#cors-preflight-request">CORS-preflight request</a> is
performed, to ensure <a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-current-url" title="concept-request-current-url">current url</a> supports the <a href="#cors-protocol">CORS protocol</a>.


<h4 id="http-requests"><span class="secno">4.2.2 </span>HTTP requests</h4>

<p>A <dfn id="cors-request">CORS request</dfn> is an HTTP request that includes an
`<a href="#http-origin"><code title="http-origin">Origin</code></a>` header. It cannot be reliably identified as particpating in
the <a href="#cors-protocol">CORS protocol</a> as the `<a href="#http-origin"><code title="http-origin">Origin</code></a>` header is sometimes
included for other purposes too.

<p>A <dfn id="cors-preflight-request">CORS-preflight request</dfn> is a <a href="#cors-request">CORS request</a> that checks to see if the
<a href="#cors-protocol">CORS protocol</a> is understood. It uses `<code title="">OPTIONS</code>` as
<a href="#concept-method" title="concept-method">method</a> and includes these
<a href="#concept-header" title="concept-header">headers</a>:

<dl>
 <dt>`<dfn id="http-access-control-request-method" title="http-access-control-request-method"><code>Access-Control-Request-Method</code></dfn>`
 <dd><p>Indicates which <a href="#concept-method" title="concept-method">method</a> a future
 <a href="#cors-request">CORS request</a> to the same resource might use.

 <dt>`<dfn id="http-access-control-request-headers" title="http-access-control-request-headers"><code>Access-Control-Request-Headers</code></dfn>`
 <dd><p>Indicates which <a href="#concept-header" title="concept-header">headers</a> a future
 <a href="#cors-request">CORS request</a> to the same resource might use.
</dl>


<h4 id="http-responses"><span class="secno">4.2.3 </span>HTTP responses</h4>

<p>An HTTP response to a <a href="#cors-request">CORS request</a> can include the following
<a href="#concept-header" title="concept-header">headers</a>:

<dl>
 <dt>`<dfn id="http-access-control-allow-origin" title="http-access-control-allow-origin"><code>Access-Control-Allow-Origin</code></dfn>`
 <dd><p>Indicates whether the response can be shared, via returning the literal
 <a href="#concept-header-value" title="concept-header-value">value</a> of the
 `<a href="#http-origin"><code title="http-origin">Origin</code></a>` request <a href="#concept-header" title="concept-header">header</a>
 (which can be `<code title="">null</code>`) or `<code title="">*</code>` in a response.

 <dt>`<dfn id="http-access-control-allow-credentials" title="http-access-control-allow-credentials"><code>Access-Control-Allow-Credentials</code></dfn>`
 <dd>
  <p>Indicates whether the response can be shared when <a href="#concept-request" title="concept-request">request</a>'s
  <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is
  "<code title="">include</code>".

  <p class="note">For a <a href="#cors-preflight-request">CORS-preflight request</a>,
  <a href="#concept-request" title="concept-request">request</a>'s
  <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is always
  "<code title="">omit</code>", but for any subsequent
  <a href="#cors-request" title="CORS request">CORS requests</a> it might not be. Support therefore needs
  to be indicated as part of the HTTP response to the <a href="#cors-preflight-request">CORS-preflight request</a>
  as well.
</dl>

<p>An HTTP response to a <a href="#cors-preflight-request">CORS-preflight request</a> can include the following
<a href="#concept-header" title="concept-header">headers</a>:

<dl>
 <dt>`<dfn id="http-access-control-allow-methods" title="http-access-control-allow-methods"><code>Access-Control-Allow-Methods</code></dfn>`
 <dd>
  <p>Indicates which <a href="#concept-method" title="concept-method">methods</a> are supported by the
  <a href="#concept-response" title="concept-response">response</a>'s <a href="#concept-response-url" title="concept-response-url">url</a> for the
  purposes of the <a href="#cors-protocol">CORS protocol</a>.

  <p class="note">The `<code title="">Allow</code>` <a href="#concept-header" title="concept-header">header</a> is
  not relevant for the purposes of the <a href="#cors-protocol">CORS protocol</a>.

 <dt>`<dfn id="http-access-control-allow-headers" title="http-access-control-allow-headers"><code>Access-Control-Allow-Headers</code></dfn>`
 <dd><p>Indicates which <a href="#concept-header" title="concept-header">headers</a> are supported by the
 <a href="#concept-response" title="concept-response">response</a>'s <a href="#concept-response-url" title="concept-response-url">url</a> for the
 purposes of the <a href="#cors-protocol">CORS protocol</a>.

 <dt>`<dfn id="http-access-control-max-age" title="http-access-control-max-age"><code>Access-Control-Max-Age</code></dfn>`
 <dd><p>Indicates how long the information provided by the
 `<a href="#http-access-control-allow-methods"><code title="http-access-control-allow-methods">Access-Control-Allow-Methods</code></a>` and
 `<a href="#http-access-control-allow-headers"><code title="http-access-control-allow-headers">Access-Control-Allow-Headers</code></a>`
 <a href="#concept-header" title="concept-header">headers</a> can be cached.
</dl>

<p>An HTTP response to a <a href="#cors-request">CORS request</a> that is not a
<a href="#cors-preflight-request">CORS-preflight request</a> can also include the following
<a href="#concept-header" title="concept-header">header</a>:

<dl>
 <dt>`<dfn id="http-access-control-expose-headers" title="http-access-control-expose-headers"><code>Access-Control-Expose-Headers</code></dfn>`
 <dd><p>Indicates which <a href="#concept-header" title="concept-header">headers</a> can be exposed as part
 of the response by listing their <a href="#concept-header-name" title="concept-header-name">names</a>.
</dl>


<h4 id="http-new-header-syntax"><span class="secno">4.2.4 </span>HTTP new-header syntax</h4>

<p>ABNF for the <a href="#concept-header-value" title="concept-header-value">values</a> of the
<a href="#concept-header" title="concept-header">headers</a> used by the <a href="#cors-protocol">CORS protocol</a>:

<pre>Access-Control-Request-Method    = <a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.1.1">method</a>
Access-Control-Request-Headers   = #<a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.2">field-name</a>

wildcard                         = "*"
Access-Control-Allow-Origin      = origin-or-null / wildcard
Access-Control-Allow-Credentials = %x74.72.75.65 ; "true", case-sensitive
Access-Control-Expose-Headers    = #<a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.2">field-name</a> / wildcard
Access-Control-Max-Age           = <a class="external" data-anolis-spec="http-caching" href="https://tools.ietf.org/html/rfc7234#section-1.2.1">delta-seconds</a>
Access-Control-Allow-Methods     = #<a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.1.1">method</a> / wildcard
Access-Control-Allow-Headers     = #field-name-or-wildcard
field-name-or-wildcard           = <a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.2">field-name</a> / wildcard</pre>

<p class="note">The difference between the <code title="">Access-Control-Expose-Headers</code> and
<code title="">Access-Control-Allow-Headers</code> production is that the latter needs to be able to
handle `<code title="">*, Authorization</code>` as header value whereas the former does not.


<h4 id="cors-protocol-and-credentials"><span class="secno">4.2.5 </span>CORS protocol and credentials</h4>

<!-- non-normative -->

<p>When <a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is "<code>include</code>" it
has an impact on the functioning of the <a href="#cors-protocol">CORS protocol</a> other than including
<a href="#credentials">credentials</a> in the <a href="#concept-fetch" title="concept-fetch">fetch</a>.

<div class="example">
 <p>In the old days, <a href="https://xhr.spec.whatwg.org/#xmlhttprequest"><code class="external" data-anolis-spec="xhr">XMLHttpRequest</code></a> could be used to set
 <a href="#concept-request" title="concept-request">request</a>'s
 <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> to "<code>include</code>":

 <pre>var client = new XMLHttpRequest()
client.open("GET", "./")
client.withCredentials = true
/* … */</pre>

 <p>Nowadays, <code title="">fetch("./", { credentials:"include" }).then(/* … */)</code>
 suffices.
</div>

<p>A <a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is not necessarily observable
on the server; only when <a href="#credentials">credentials</a> exist for a
<a href="#concept-request" title="concept-request">request</a> can it be observed by virtue of the
<a href="#credentials">credentials</a> being included. Note that even so, a <a href="#cors-preflight-request">CORS-preflight request</a>
never includes <a href="#credentials">credentials</a>.

<p>The server developer therefore needs to decide whether or not responses "tainted" with
<a href="#credentials">credentials</a> can be shared. And also needs to decide if
<a href="#concept-request" title="concept-request">requests</a> necessitating a <a href="#cors-preflight-request">CORS-preflight request</a> can
include <a href="#credentials">credentials</a>. Generally speaking, both sharing responses and allowing requests
with <a href="#credentials">credentials</a> is rather unsafe, and extreme care has to be taken to avoid the
<a href="https://en.wikipedia.org/wiki/Confused_deputy_problem">confused deputy problem</a>.
<!-- Turn into a reference? Meh. -->

<p>To share responses with <a href="#credentials">credentials</a>, the
`<a href="#http-access-control-allow-origin"><code title="http-access-control-allow-origin">Access-Control-Allow-Origin</code></a>` and
`<a href="#http-access-control-allow-credentials"><code title="http-access-control-allow-credentials">Access-Control-Allow-Credentials</code></a>`
<a href="#concept-header" title="concept-header">headers</a> are important. The following table serves to illustrate
the various legal and illegal combinations for a request to <code>https://rabbit.invalid/</code>:

<table>
 <tr>
  <th>Request's credentials mode
  <th>`<code title="">Access-Control-Allow-Origin</code>`
  <th>`<code title="">Access-Control-Allow-Credentials</code>`
  <th>Shared?
  <th>Notes
 <tr>
  <td>"<code>omit</code>"
  <td>`<code>*</code>`
  <td>Omitted
  <td>✅
  <td>—
 <tr>
  <td>"<code>omit</code>"
  <td>`<code>*</code>`
  <td>`<code>true</code>`
  <td>✅
  <td>If credentials mode is not "<code>include</code>", then
  `<a href="#http-access-control-allow-credentials"><code title="http-access-control-allow-credentials">Access-Control-Allow-Credentials</code></a>` is
  ignored.
 <tr>
  <td>"<code>omit</code>"
  <td>`<code>https://rabbit.invalid/`</code></td>
  <td>Omitted
  <td>❌
  <td>A serialized origin has no trailing slash.
 <tr>
  <td>"<code>omit</code>"
  <td>`<code>https://rabbit.invalid`</code></td>
  <td>Omitted
  <td>✅
  <td>—
 <tr>
  <td>"<code>include</code>"
  <td>`<code>*</code>`
  <td>`<code>true</code>`
  <td>❌
  <td>If credentials mode is "<code>include</code>", then
  `<a href="#http-access-control-allow-origin"><code title="http-access-control-allow-origin">Access-Control-Allow-Origin</code></a>` cannot be
  `<code>*</code>`.
 <tr>
  <td>"<code>include</code>"
  <td>`<code>https://rabbit.invalid`</code></td>
  <td>`<code>true</code>`
  <td>✅
  <td>—
 <tr>
  <td>"<code>include</code>"
  <td>`<code>https://rabbit.invalid`</code></td>
  <td>`<code>True</code>`
  <td>❌
  <td>`<code>true</code>` is (byte) case-sensitive.
</table>

<p>Similarly, `<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>`,
`<a href="#http-access-control-allow-methods"><code title="http-access-control-allow-methods">Access-Control-Allow-Methods</code></a>`, and
`<a href="#http-access-control-allow-headers"><code title="http-access-control-allow-headers">Access-Control-Allow-Headers</code></a>` response
headers can only use `<code>*</code>` as value when <a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is not "<code>include</code>".


<h4 id="cors-protocol-examples"><span class="secno">4.2.6 </span>Examples</h4>

<div class="example">
 <p>A script at <code>https://foo.invalid/</code> wants to fetch some data from
 <code>https://bar.invalid/</code>. (Neither <a href="#credentials">credentials</a> nor response header access is
 important.)

 <pre id="unicorn">var url = "https://bar.invalid/api?key=730d67a37d7f3d802e96396d00280768773813fbe726d116944d814422fc1a45&amp;data=about:unicorn";
fetch(url).then(success, failure)</pre>

 <p>This will use the <a href="#cors-protocol">CORS protocol</a>, though this is entirely transparent to the
 developer from <code>foo.invalid</code>. As part of the <a href="#cors-protocol">CORS protocol</a>, the user agent
 will include the `<a href="#http-origin"><code title="http-origin">Origin</code></a>` header in the request:

 <pre>Origin: https://foo.invalid</pre>

 <p>Upon receiving a response from <code>bar.com</code>, the user agent will verify the
 `<a href="#http-access-control-allow-origin"><code title="http-access-control-allow-origin">Access-Control-Allow-Origin</code></a>` response header.
 If its value is either `<code>https://foo.invalid</code>` or `<code>*</code>`, the user agent will
 invoke the <code>success</code> callback. If it has any other value, or is simply missing, the user
 agent will invoke the <code>failure</code> callback.
</div>

<div class="example">
 <p>The developer of <code>foo.invalid</code> is back, and now wants to fetch some data from
 <code>bar.invalid</code> while also accessing a response header.

 <pre>fetch(url).then(response =&gt; {
  var hsts = response.headers.get("strict-transport-security"),
      csp = response.headers.get("content-security-policy")
  log(hsts, csp)
})</pre>

 <p><code>bar.invalid</code> provides a correct
 `<a href="#http-access-control-allow-origin"><code title="http-access-control-allow-origin">Access-Control-Allow-Origin</code></a>` response header
 per the earlier example. The values of <code>hsts</code> and <code>csp</code> will depend on the
 `<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>` response
 header. For example, if the response included the following headers

 <pre>Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Access-Control-Expose-Headers: Content-Security-Policy</pre>

 <p>then <code>hsts</code> would be null and <code>csp</code> would be
 "<code>default-src 'self'</code>", even though the response did include both headers. This is
 because <code>bar.invalid</code> needs to explicitly share each header by listing their names in
 the `<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>` response
 header.

 <p>Alternatively, if <code>bar.invalid</code> wanted to share all its response headers, for
 requests that do not include <a href="#credentials">credentials</a>, it could use `<code>*</code>` as value for
 the `<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>` response
 header. If the request would have included <a href="#credentials">credentials</a>, the response header names
 would have to be listed explicitly and `<code>*</code>` could not be used.
</div>

<div class="example">
 <p>The developer of <code>foo.invalid</code> returns, now fetching some data from
 <code>bar.invalid</code> while including <a href="#credentials">credentials</a>. This time around the
 <a href="#cors-protocol">CORS protocol</a> is no longer transparent to the developer as <a href="#credentials">credentials</a>
 require an explicit opt-in:

 <pre>fetch(url, { credentials:"include" }).then(success, failure)</pre>

 <p>This also makes any `<code title="">Set-Cookie</code>` response headers <code>bar.invalid</code>
 includes fully functional (they are ignored otherwise).

 <p>The user agent will make sure to include any relevant <a href="#credentials">credentials</a> in the request.
 It will also put stricter requirements on the response. Not only will <code>bar.invalid</code> be
 required to list `<code>https://foo.invalid</code>` as value for
 `<a href="#http-access-control-allow-origin"><code title="http-access-control-allow-origin">Access-Control-Allow-Origin</code></a>` (`<code>*</code>`
 is not allowed when <a href="#credentials">credentials</a> are involved), the
 `<a href="#http-access-control-allow-credentials"><code title="http-access-control-allow-credentials">Access-Control-Allow-Credentials</code></a>` has to
 be present too:

 <pre>Access-Control-Allow-Origin: https://foo.invalid
Access-Control-Allow-Credentials: true</pre>

 <p>If the response does not include those two headers with those values, the <code>failure</code>
 callback will be invoked and any `<code title="">Set-Cookie</code>` response headers will end up being
 ignored.
</div>


<h3 id="x-content-type-options-header"><span class="secno">4.3 </span>`<code title="">X-Content-Type-Options</code>` header</h3>

<p>The
`<dfn id="http-x-content-type-options" title="http-x-content-type-options"><code>X-Content-Type-Options</code></dfn>`
response <a href="#concept-header" title="concept-header">header</a> can be used to require checking of a
<a href="#concept-response" title="concept-response">response</a>'s `<code title="">Content-Type</code>`
<a href="#concept-header" title="concept-header">header</a> against the
<a href="#concept-request-type" title="concept-request-type">type</a> of a
<a href="#concept-request" title="concept-request">request</a>.

<p>Its <a href="#concept-header-value" title="concept-header-value">value</a> ABNF:

<pre>X-Content-Type-Options           = "nosniff" ; case-insensitive</pre>

<h4 id="should-response-to-request-be-blocked-due-to-nosniff?"><span class="secno">4.3.1 </span><dfn title="should response to request be blocked due to nosniff">Should
<var>response</var> to <var>request</var> be blocked due to nosniff?</dfn></h4>

<p>Run these steps:

<ol>
 <li><p>If <var>response</var>'s
 <a href="#concept-response-header-list" title="concept-response-header-list">header list</a> has no
 <a href="#concept-header" title="concept-header">header</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is
 `<a href="#http-x-content-type-options"><code title="http-x-content-type-options">X-Content-Type-Options</code></a>`, return
 <b title="">allowed</b>.

 <li><p>Let <var>nosniff</var> be the result of
 <a href="#concept-header-parse" title="concept-header-parse">parsing</a> the <em>first</em>
 <a href="#concept-header" title="concept-header">header</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is
 `<a href="#http-x-content-type-options"><code title="http-x-content-type-options">X-Content-Type-Options</code></a>` in
 <var>response</var>'s <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

 <li><p>If <var>nosniff</var> is failure, return <b title="">allowed</b>.

 <li><p>Let <var>MIMEType</var> be the result of
 <a href="#concept-header-extract-mime-type" title="concept-header-extract-mime-type">extracting a MIME type</a> from
 <var>response</var>'s <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

 <li><p>Let <var>type</var> be <var>request</var>'s
 <a href="#concept-request-type" title="concept-request-type">type</a>.

 <li><p class="XXX">"<code title="">audio</code>", "<code title="">video</code>" ...

 <li><p>If <var>type</var> is "<code title="">image</code>", and
 <var>MIMEType</var> (ignoring parameters) is <em>not</em> an
 <a class="XXX" href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=28398">image MIME type</a>,
 return <b title="">blocked</b>.

 <li><p>If <var>type</var> is "<code title="">font</code>" and
 <var>MIMEType</var> (ignoring parameters) is <em>not</em> a
 <a class="XXX" href="https://lists.w3.org/Archives/Public/www-style/2015Apr/0027.html">font MIME type</a>,
 return <b title="">blocked</b>.

 <li><p>If <var>type</var> is "<code title="">script</code>", and <var>MIMEType</var>
 (ignoring parameters) is <em>not</em> a <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/scripting.html#javascript-mime-type">JavaScript MIME type</a>,
 return <b title="">blocked</b>.

 <li><p>If <var>type</var> is "<code title="">style</code>" and
 <var>MIMEType</var> (ignoring parameters) is <em>not</em>
 `<code title="">text/css</code>`, return <b title="">blocked</b>.

 <li><p>If <var>type</var> is "<code title="">track</code>" and
 <var>MIMEType</var> (ignoring parameters) is <em>not</em>
 `<code title="">text/vtt</code>`, return <b title="">blocked</b>.

 <li><p>Return <b title="">allowed</b>.
</ol>


<h2 id="fetching"><span class="secno">5 </span>Fetching</h2>

<div class="note no-backref">
 <p>The algorithm below defines <a href="#concept-fetch" title="concept-fetch">fetching</a>. In broad
 strokes, it takes a <a href="#concept-request" title="concept-request">request</a> and outputs a
 <a href="#concept-response" title="concept-response">response</a>.

 <p>That is, it either returns a <a href="#concept-response" title="concept-response">response</a> if
 <a href="#concept-request" title="concept-request">request</a>'s <a href="#synchronous-flag">synchronous flag</a> is set, or it
 <a href="#queue-a-fetch-task" title="queue a fetch task">queues tasks</a> annotated
 <a href="#process-response">process response</a>, and <a href="#process-response-end-of-body">process response end-of-body</a> for the
 <a href="#concept-response" title="concept-response">response</a>.

 <p>To capture uploads, if <a href="#concept-request" title="concept-request">request</a>'s
 <a href="#synchronous-flag">synchronous flag</a> is unset,
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-task" title="concept-task">tasks</a> annotated
 <a href="#process-request-body">process request body</a> and <a href="#process-request-end-of-body">process request end-of-body</a> for the
 <a href="#concept-request" title="concept-request">request</a> can be
 <a href="#queue-a-fetch-task" title="queue a fetch task">queued</a>.
</div>

<p>To perform a <dfn id="concept-fetch" title="concept-fetch">fetch</dfn> using <var>request</var>, run
the steps below. An ongoing <a href="#concept-fetch" title="concept-fetch">fetch</a> can be
<dfn id="concept-fetch-terminate" title="concept-fetch-terminate">terminated</dfn> with reason <var>reason</var>,
which must be <i title="">end-user abort</i>, <i title="">fatal</i>, <i title="">timeout</i>, or
<i title="">garbage collection</i>.

<p>The user agent may be asked to <dfn id="concept-fetch-suspend" title="concept-fetch-suspend">suspend</dfn> the ongoing fetch.
The user agent may either accept or ignore the suspension request. The suspended fetch can be
<dfn id="concept-fetch-resume" title="concept-fetch-resume">resumed</dfn>. The user agent should ignore the suspension request
if the ongoing fetch is updating the response in the HTTP cache for the request.

<p class="note no-backref">The user agent does not update the entry in the HTTP cache for a
<a href="#concept-request" title="concept-request">request</a> if request's cache mode is "no-store" or a
`<code>Cache-Control: no-store</code>` header appears in the response.
<a href="#refsHTTP">[HTTP]</a>

<ol>
 <li><p>If <var>request</var>'s <a href="#concept-request-window" title="concept-request-window">window</a> is
 "<code>client</code>", set <var>request</var>'s
 <a href="#concept-request-window" title="concept-request-window">window</a> to <var>request</var>'s
 <a href="#concept-request-client" title="concept-request-client">client</a>, if <var>request</var>'s
 <a href="#concept-request-client" title="concept-request-client">client</a>'s
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global" title="concept-settings-object-global">global object</a> is a
 <a href="https://html.spec.whatwg.org/multipage/browsers.html#window"><code class="external" data-anolis-spec="html">Window</code></a> object, and to "<code>no-window</code>"
 otherwise.

 <li><p>If <var>request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a> is
 "<code>client</code>", set <var>request</var>'s
 <a href="#concept-request-origin" title="concept-request-origin">origin</a> to  <var>request</var>'s
 <a href="#concept-request-client" title="concept-request-client">client</a>'s <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#origin">origin</a>.

 <li>
  <p>If <var>request</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a> does not
  contain a <a href="#concept-header" title="concept-header">header</a> whose
  <a href="#concept-header-name" title="concept-header-name">name</a> is `<code title="">Accept</code>`, run these substeps:

  <ol>
   <li><p>Let <var>value</var> be `<code title="">*/*</code>`.

   <li><p>If <var>request</var> is a <a href="#navigation-request">navigation request</a>, a user agent should set
   <var>value</var> to
   `<code title="">text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</code>`.

   <li>
    <p>Otherwise, a user agent should set <var>value</var> to the first matching statement, if any,
    switching on <var>request</var>'s <a href="#concept-request-type" title="concept-request-type">type</a>:
    <!-- https://github.com/whatwg/fetch/issues/43#issuecomment-97909717 -->

    <dl class="switch">
     <dt>"<code title="">image</code>"
     <dd>`<code title="">image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5</code>`

     <dt>"<code title="">style</code>"
     <dd>`<code title="">text/css,*/*;q=0.1</code>`
    </dl>

   <li><p><a href="#concept-header-list-append" title="concept-header-list-append">Append</a>
   `<code title="http-accept">Accept</code>`/<var>value</var> to <var>request</var>'s
   <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.
  </ol>

 <li><p>If <var>request</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a> does not
 contain a <a href="#concept-header" title="concept-header">header</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is
 `<code title="http-accept-language">Accept-Language</code>`, user agents should
 <a href="#concept-header-list-append" title="concept-header-list-append">append</a>
 `<code>Accept-Language</code>`/an appropriate <a href="#concept-header-value" title="concept-header-value">value</a>
 to <var>request</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

 <li>
  <p>If <var>request</var>'s <a href="#concept-request-priority" title="concept-request-priority">priority</a> is
  null, use <var>request</var>'s
  <a href="#concept-request-initiator" title="concept-request-initiator">initiator</a>,
  <a href="#concept-request-type" title="concept-request-type">type</a>, and
  <a href="#concept-request-destination" title="concept-request-destination">destination</a>
  appropriately in setting it to a user-agent-defined object.

  <p class="note">The user-agent-defined object could encompass stream weight and dependency
  for HTTP/2, and equivalent information used to prioritize dispatch and processing of
  HTTP/1 fetches.


 <li>
  <p>If <var>request</var> is a <a href="#navigation-request">navigation request</a>, a user agent should, for each
  <a href="#concept-header" title="concept-header">header</a> <a href="#concept-header-name" title="concept-header-name">name</a>
  (<var>hint-name</var>) in the first column of the following table, if <var>hint-name</var>
  is not in <var>request</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>,
  <a href="#concept-header-list-append" title="concept-header-list-append">append</a>
  <var>hint-name</var>/<var>hint-value</var> given in the same row on the second column, to
  <var>request</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

  <table>
   <tr>
    <th><span title="hint-name">hint-name</span>
    <th><span title="hint-value">hint-value</span>
   <tr>
    <td>`<code title="http-dpr">dpr</code>`
    <td>a suitable <a href="http://httpwg.org/http-extensions/client-hints.html#dpr">dpr value</a>
   <tr>
    <td>`<code title="http-save-data">save-data</code>`
    <td>a suitable <a href="http://httpwg.org/http-extensions/client-hints.html#save-data">save-data value</a>
   <tr>
    <td>`<code title="http-viewport-width">viewport-width</code>`
    <td>a suitable <a href="http://httpwg.org/http-extensions/client-hints.html#viewport-width">viewport-width value</a>
  </table>

 <li>
  <p>If <var>request</var> is a <a href="#subresource-request">subresource request</a>, run these substeps:

  <ol>
   <li>
    <p>If the <var>request</var>'s <a href="#concept-client-hints-list" title="concept-client-hints-list">client hints list</a> is
    not empty, then run these substeps for each <var>hint-name</var> in the list:

    <ol>
     <li>
      <p>Set <var>value</var> to the first matching statement, if any, switching on
      <var>hint-name</var>:

      <dl class="switch">
       <dt>"<code title="">dpr</code>"
       <dd>a suitable <a href="http://httpwg.org/http-extensions/client-hints.html#dpr">dpr value</a>
       <dt>"<code title="">save-data</code>"
       <dd>a suitable <a href="http://httpwg.org/http-extensions/client-hints.html#save-data">save-data value</a>
       <dt>"<code title="">viewport-width</code>"
       <dd>a suitable <a href="http://httpwg.org/http-extensions/client-hints.html#viewport-width">viewport-width value</a>
       <dt>"<code title="">width</code>"
       <dd>a suitable <a href="http://httpwg.org/http-extensions/client-hints.html#width">width value</a>
      </dl>

     <li><p><a href="#concept-header-list-append" title="concept-header-list-append">Append</a>
     <var>hint-name</var>/<var>value</var> to <var>request</var>'s
     <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.
    </ol>

   <li><p>Let <var>record</var> be a new
   <a href="#concept-fetch-record" title="concept-fetch-record">fetch record</a> consisting of
   <var>request</var> and this instance of the
   <a href="#concept-fetch" title="concept-fetch">fetch</a> algorithm.

   <li><p>Append <var>record</var> to <var>request</var>'s
   <a href="#concept-request-client" title="concept-request-client">client</a>'s
   <a href="#concept-fetch-group" title="concept-fetch-group">fetch group</a> list of
   <a href="#concept-fetch-record" title="concept-fetch-record">fetch records</a>.
  </ol>

 <li><p>Return the result of performing a <a href="#concept-main-fetch" title="concept-main-fetch">main fetch</a>
 using <var>request</var>.
</ol>


<h3 id="main-fetch"><span class="secno">5.1 </span>Main fetch</h3>

<p>To perform a <dfn id="concept-main-fetch" title="concept-main-fetch">main fetch</dfn> using <var>request</var>, optionally
with a <i title="">CORS flag</i> and <i title="">recursive flag</i>, run these steps:

<p class="note">The <i title="">recursive flag</i> is set when
<a href="#concept-main-fetch" title="concept-main-fetch">main fetch</a> is invoked recursively. The
<i title="">CORS flag</i> is a bookkeeping detail for handling redirects.

<ol>
 <li><p>Let <var>response</var> be null.

 <li><p>If <var>request</var>'s <a href="#local-urls-only-flag">local-URLs-only flag</a> is set and
 <var>request</var>'s <a href="#concept-request-current-url" title="concept-request-current-url">current url</a> is
 not <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#is-local" title="is local">local</a>, set
 <var>response</var> to a <a href="#concept-network-error" title="concept-network-error">network error</a>.

 <li><p>Execute <a href="https://w3c.github.io/webappsec-csp/#report-for-request">Report Content Security Policy violations for <var>request</var></a>.
 <a href="#refsCSP">[CSP]</a>

 <li><p><a href="https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request">Upgrade <var>request</var> to a potentially secure URL, if appropriate</a>.
 <a href="#refsUPGRADE">[UPGRADE]</a>

 <li><p>If
 <a href="#block-bad-port" title="block bad port">should fetching <var>request</var> be blocked due to a bad port</a>,
 <a href="https://w3c.github.io/webappsec-mixed-content/#should-block-fetch">should fetching <var>request</var> be blocked as mixed content</a>,
 or
 <a href="https://w3c.github.io/webappsec-csp/#should-block-request">should fetching <var>request</var> be blocked by Content Security Policy</a>
 returns <b title="">blocked</b>, set <var>response</var> to a
 <a href="#concept-network-error" title="concept-network-error">network error</a>.
 <a href="#refsMIX">[MIX]</a>
 <a href="#refsCSP">[CSP]</a>

 <li><p>If <var>request</var>'s <a href="#concept-request-referrer-policy" title="concept-request-referrer-policy">referrer policy</a>
 is the empty string and <var>request</var>'s
 <a href="#concept-request-client" title="concept-request-client">client</a> is non-null, then set <var>request</var>'s
 <a href="#concept-request-referrer-policy" title="concept-request-referrer-policy">referrer policy</a> to <var>request</var>'s
 <a href="#concept-request-client" title="concept-request-client">client</a>'s
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object" title="environment settings object">referrer policy</a>.
 <a href="#refsREFERRER">[REFERRER]</a>
 <!-- We use "environment settings object" here because the HTML Standard does not have a definition
      for the referrer policy concept that is associated with it. -->

 <li>
  <p>If <var>request</var>'s <a href="#concept-request-referrer-policy" title="concept-request-referrer-policy">referrer policy</a>
  is the empty string, then set <var>request</var>'s
  <a href="#concept-request-referrer-policy" title="concept-request-referrer-policy">referrer policy</a> to
  "<code>no-referrer-when-downgrade</code>".

  <p class="note no-backref">We use "<code>no-referrer-when-downgrade</code>" because it is the
  historical default.

 <li>
  <p>If <var>request</var>'s <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a>
  is not "<code>no-referrer</code>", set <var>request</var>'s
  <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> to the result of invoking
  <a href="https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer">determine <var>request</var>'s referrer</a>.
  <a href="#refsREFERRER">[REFERRER]</a>

  <p class="note no-backref">As stated in <cite>Referrer Policy</cite>, user agents can
  provide the end user with options to override <var>request</var>'s
  <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> to "<code>no-referrer</code>" or
  have it expose less sensitive information.

 <li>
  <p>Set <var>request</var>'s <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
  <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> to "<code title="">https</code>" if
  all of the following conditions are true:

  <ul class="brief">
   <li><var>request</var>'s <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is "<code title="">http</code>"
   <li><var>request</var>'s <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-host" title="concept-url-host">host</a> is a
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-domain" title="concept-domain">domain</a>
   <li>Matching <var>request</var>'s <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-host" title="concept-url-host">host</a> per
   <a href="https://tools.ietf.org/html/rfc6797#section-8.2">Known HSTS Host Domain Name Matching</a>
   results in either a superdomain match with an asserted <code title="">includeSubDomains</code>
   directive or a congruent match (with or without an asserted <code title="">includeSubDomains</code>
   directive) <a href="#refsHSTS">[HSTS]</a>
  </ul>
 <!-- Per Mike West HSTS happens "probably after" Referrer -->

 <li><p>If <var>request</var>'s <a href="#synchronous-flag">synchronous flag</a> is unset and
 <i title="">recursive flag</i> is unset, run the remaining steps
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel">in parallel</a>.

 <li>
  <p>If <var>response</var> is null, set <var>response</var> to the value
  corresponding to the first matching statement:

  <dl class="switch">
   <dt><var>request</var>'s
   <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-origin" title="concept-url-origin">origin</a> is
   <var>request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a> and the
   <i title="">CORS flag</i> is unset
   <dt><var>request</var>'s
   <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is
   "<code title="">data</code>" and <var>request</var>'s
   <a href="#same-origin-data-url-flag">same-origin data-URL flag</a> is set
   <dt><var>request</var>'s
   <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is
   "<code title="">about</code>"
   <dt><var>request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is
   "<code title="">navigate</code>" or "<code title="">websocket</code>"

   <dd><p>The result of performing a <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using <var>request</var>.

   <dt><var>request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is
   "<code title="">same-origin</code>"

   <dd><p>A <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <dt><var>request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is
   "<code title="">no-cors</code>"
   <dd>
    <p>Set <var>request</var>'s
    <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a> to
    "<code title="">opaque</code>".
    <p>The result of performing a <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using
    <var>request</var>.
    <!-- file URLs end up here as they are not same-origin typically. -->

   <dt><var>request</var>'s <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is <em>not</em> an
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#http-scheme">HTTP(S) scheme</a>

   <dd><p>A <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <dt><var>request</var>'s <a href="#use-cors-preflight-flag">use-CORS-preflight flag</a> is set
   <dt><var>request</var>'s <a href="#unsafe-request-flag">unsafe-request flag</a> is set and either <var>request</var>'s
   <a href="#concept-request-method" title="concept-request-method">method</a> is not a <a href="#cors-safelisted-method">CORS-safelisted method</a> or
   a <a href="#concept-header" title="concept-header">header</a> in <var>request</var>'s
   <a href="#concept-header-list" title="concept-header-list">header list</a> is not a
   <a href="#cors-safelisted-request-header">CORS-safelisted request-header</a>
   <dd>
    <p>Set <var>request</var>'s
    <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a> to
    "<code title="">cors</code>" and <var>request</var>'s
    <a href="#concept-request-redirect-mode" title="concept-request-redirect-mode">redirect mode</a> to
    "<code title="">error</code>".
    <p>The result of performing an <a href="#concept-http-fetch" title="concept-http-fetch">HTTP fetch</a> using
    <var>request</var> with the <i title="">CORS flag</i> and
    <i title="">CORS-preflight flag</i> set. If the result is a
    <a href="#concept-network-error" title="concept-network-error">network error</a>,
    <a href="#concept-cache-clear" title="concept-cache-clear">clear cache entries</a> using
    <var>request</var>.

   <dt>Otherwise
   <dd>
    <p>Set <var>request</var>'s
    <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a> to
    "<code title="">cors</code>".
    <p>The result of performing an <a href="#concept-http-fetch" title="concept-http-fetch">HTTP fetch</a> using
    <var>request</var> with the <i title="">CORS flag</i> set.
  </dl>

 <li><p>If the <i>recursive flag</i> is set, return <var>response</var>.

 <li>
  <p>If <var>response</var> is not a <a href="#concept-network-error" title="concept-network-error">network error</a> and
  <var>response</var> is not a <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a>, then
  run these substeps:

  <ol>
   <li>
    <p>If <var>request</var>'s
    <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a> is
    "<code title="">cors</code>", then run these substeps:

    <ol>
     <li><p>Let <var>headerNames</var> be the result of
     <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
     `<a href="#http-access-control-expose-headers"><code title="http-access-control-expose-headers">Access-Control-Expose-Headers</code></a>` in
     <var>response</var>'s <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

     <li><p>If <var>headerNames</var> is `<code title="">*</code>` and <var>request</var>'s
     <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is not
     "<code>include</code>", then set <var>response</var>'s
     <a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>
     to all unique <a href="#concept-header" title="concept-header">header</a>
     <a href="#concept-header-name" title="concept-header-name">names</a> in <var>response</var>'s
     <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

     <li><p>Otherwise, if <var>headerNames</var> is <em>not</em> `<code title="">*</code>`, then set
     <var>response</var>'s
     <a href="#concept-response-cors-exposed-header-name-list" title="concept-response-cors-exposed-header-name-list">CORS-exposed header-name list</a>
     to <var>headerNames</var>.
    </ol>

   <li>
    <p>Set <var>response</var> to the following
    <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a> with <var>response</var> as its
    <a href="#concept-internal-response" title="concept-internal-response">internal response</a>, depending on
    <var>request</var>'s <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a>:

    <dl class="switch compact">
     <dt>"<code title="">basic</code>"
     <dd><a href="#concept-filtered-response-basic" title="concept-filtered-response-basic">basic filtered response</a>
     <dt>"<code title="">cors</code>"
     <dd><a href="#concept-filtered-response-cors" title="concept-filtered-response-cors">CORS filtered response</a>
     <dt>"<code title="">opaque</code>"
     <dd><a href="#concept-filtered-response-opaque" title="concept-filtered-response-opaque">opaque filtered response</a>
    </dl>
  </ol>

 <li><p>Let <var>internalResponse</var> be <var>response</var>, if <var>response</var> is a
 <a href="#concept-network-error" title="concept-network-error">network error</a>, and <var>response</var>'s
 <a href="#concept-internal-response" title="concept-internal-response">internal response</a> otherwise.

 <li>
  <p>If <var>internalResponse</var>'s <a href="#concept-response-url-list" title="concept-response-url-list">url list</a> is
  empty, then set it to a copy of <var>request</var>'s
  <a href="#concept-request-url-list" title="concept-request-url-list">url list</a>.

  <p class="note">A <a href="#concept-response" title="concept-response">response</a>'s
  <a href="#concept-response-url-list" title="concept-response-url-list">url list</a> will typically be empty at this point,
  unless it came from a service worker, in which case it will only be empty if it was created
  through <a href="#dom-response"><code title="dom-response">new Response()</code></a>.
 <!-- If you are ever tempted to move this around, carefully consider responses from about URLs,
      blob URLs, service workers, HTTP cache, HTTP network, etc. -->

 <li>
  <p>If <var>response</var> is not a <a href="#concept-network-error" title="concept-network-error">network error</a> and any
  of the following algorithms returns <b title="">blocked</b>, then set <var>response</var> and
  <var>internalResponse</var> to a <a href="#concept-network-error" title="concept-network-error">network error</a>:

  <ul class="brief">
   <li><a href="https://w3c.github.io/webappsec-mixed-content/#should-block-response">should <var>internalResponse</var> to <var>request</var> be blocked as mixed content</a>
   <a href="#refsMIX">[MIX]</a>
   <li><a href="https://w3c.github.io/webappsec-csp/#should-block-response">should <var>internalResponse</var> to <var>request</var> be blocked by Content Security Policy</a>
   <a href="#refsCSP">[CSP]</a>
   <li><a href="#should-response-to-request-be-blocked-due-to-mime-type?" title="should response to request be blocked due to mime type">should <var>internalResponse</var> to <var>request</var> be blocked due to its MIME type</a>
   <li><a href="#should-response-to-request-be-blocked-due-to-nosniff?" title="should response to request be blocked due to nosniff">should <var>internalResponse</var> to <var>request</var> be blocked due to nosniff</a>
  </ul>

 <li>
  <p>If <var>response</var> is not a <a href="#concept-network-error" title="concept-network-error">network error</a> and
  either <var>request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> is
  `<code title="">HEAD</code>` or `<code title="">CONNECT</code>`, or <var>internalResponse</var>'s
  <a href="#concept-response-status" title="concept-response-status">status</a> is a <a href="#null-body-status">null body status</a>,
  set <var>internalResponse</var>'s <a href="#concept-response-body" title="concept-response-body">body</a> to
  null and disregard any enqueuing toward it (if any).

  <p class="note">This standardizes the error handling for servers that violate HTTP.

 <li>
  <p>If <var>response</var> is not a <a href="#concept-network-error" title="concept-network-error">network error</a> and
  <var>request</var>'s <a href="#concept-request-integrity-metadata" title="concept-request-integrity-metadata">integrity metadata</a> is
  not the empty string, run these substeps:

  <ol>
   <li><p><a href="#concept-body-wait" title="concept-body-wait">Wait</a> for <var>response</var>'s
   <a href="#concept-response-body" title="concept-response-body">body</a>.

   <li><p>If <var>response</var> does not have a
   <a href="#concept-response-termination-reason" title="concept-response-termination-reason">termination reason</a> and
   <var>response</var> does not
   <a href="https://w3c.github.io/webappsec-subresource-integrity/#does-response-match-metadatalist">match</a>
   <var>request</var>'s <a href="#concept-request-integrity-metadata" title="concept-request-integrity-metadata">integrity metadata</a>,
   set <var>response</var> and <var>internalResponse</var> to a
   <a href="#concept-network-error" title="concept-network-error">network error</a>.
   <a href="#refsSRI">[SRI]</a>
  </ol>

  <p class="note">This operates on <var>response</var> as this algorithm is not supposed to observe
  <var>internalResponse</var>. That would allow an attacker to use hashes as an oracle.

 <li>
  <p>If <var>request</var>'s <a href="#synchronous-flag">synchronous flag</a> is set,
  <a href="#concept-body-wait" title="concept-body-wait">wait</a> for <var>internalResponse</var>'s
  <a href="#concept-response-body" title="concept-response-body">body</a>, and then return <var>response</var>.

  <p class="note no-backref">This terminates <a href="#concept-fetch" title="concept-fetch">fetch</a>.

 <li>
  <p>If <var>request</var>'s <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
  <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is an
  <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#http-scheme">HTTP(S) scheme</a>, then run these substeps:

  <ol>
   <li><p>If <var>request</var>'s <a href="#concept-request-body" title="concept-request-body">body</a> is
   <a href="#concept-body-done" title="concept-body-done">done</a>, <a href="#queue-a-fetch-request-done-task">queue a fetch-request-done task</a> for
   <var>request</var>.

   <li><p>Otherwise, <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel">in parallel</a>,
   <a href="#concept-body-wait" title="concept-body-wait">wait</a> for <var>request</var>'s
   <a href="#concept-request-body" title="concept-request-body">body</a>, and then
   <a href="#queue-a-fetch-request-done-task">queue a fetch-request-done task</a> for <var>request</var>.
  </ol>

 <li><p><a href="#queue-a-fetch-task">Queue a fetch task</a> on <var>request</var> to
 <a href="#process-response">process response</a> for <var>response</var>.

 <li><p><a href="#concept-body-wait" title="concept-body-wait">Wait</a> for <var>internalResponse</var>'s
 <a href="#concept-response-body" title="concept-response-body">body</a>.

 <li><p>Set <var>request</var>'s <a href="#done-flag">done flag</a>.

 <li><p><a href="#queue-a-fetch-task">Queue a fetch task</a> on <var>request</var> to
 <a href="#process-response-end-of-body">process response end-of-body</a> for <var>response</var>.
</ol>


<h3 id="basic-fetch"><span class="secno">5.2 </span>Basic fetch</h3>

<p>To perform a <dfn id="concept-basic-fetch" title="concept-basic-fetch">basic fetch</dfn> using
<var>request</var>, switch on <var>request</var>'s
<a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a>, and run the associated
steps:

<dl class="switch">
 <dt>"<code title="">about</code>"
 <dd>
  <p>If <var>request</var>'s
  <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
  <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#non-relative-flag">non-relative flag</a> is set and
  <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-path" title="concept-url-path">path</a> contains a single string
  "<code title="">blank</code>", return a <a href="#concept-response" title="concept-response">response</a> whose
  <a href="#concept-response-header-list" title="concept-response-header-list">header list</a> consist of a single
  <a href="#concept-header" title="concept-header">header</a> whose
  <a href="#concept-header-name" title="concept-header-name">name</a> is `<code title="">Content-Type</code>` and
  <a href="#concept-header-value" title="concept-header-value">value</a> is
  `<code title="">text/html;charset=utf-8</code>`,
  <a href="#concept-response-body" title="concept-response-body">body</a> is the empty byte sequence, and
  <a href="#concept-response-https-state" title="concept-response-https-state">HTTPS state</a> is <var>request</var>'s
  <a href="#concept-request-client" title="concept-request-client">client</a>'s <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#https-state">HTTPS state</a>
  if <var>request</var>'s <a href="#concept-request-client" title="concept-request-client">client</a> is non-null.

  <p>Otherwise, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

  <p class="note no-backref"><a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URLs</a> such
  as "<code title="">about:config</code>" are handled during
  <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#navigate" title="navigate">navigation</a> and result in a
  <a href="#concept-network-error" title="concept-network-error">network error</a> in the context of
  <a href="#concept-fetch" title="concept-fetch">fetching</a>.

 <dt>"<code title="">blob</code>"
 <dd>
  <ol>
   <li><p>Let <var>blob</var> be <var>request</var>'s
   <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-object" title="concept-url-object">object</a>.

   <li><p>If <var>request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> is <em>not</em>
   `<code title="">GET</code>` or <var>blob</var> is null, return a
   <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li><p>Let <var>response</var> be a new
   <a href="#concept-response" title="concept-response">response</a>.

   <li><p><a href="#concept-header-list-append" title="concept-header-list-append">Append</a>
   `<code title="">Content-Length</code>`/<var>blob</var>'s
   <a href="https://w3c.github.io/FileAPI/#dfn-size"><code class="external" data-anolis-spec="fileapi" title="dom-Blob-size">size</code></a> attribute value to
   <var>response</var>'s
   <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

   <li><p><a href="#concept-header-list-append" title="concept-header-list-append">Append</a>
   `<code title="">Content-Type</code>`/<var>blob</var>'s
   <a href="https://w3c.github.io/FileAPI/#dfn-type"><code class="external" data-anolis-spec="fileapi" title="dom-Blob-type">type</code></a> attribute value to
   <var>response</var>'s
   <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

   <li><p>Set <var>response</var>'s
   <a href="#concept-response-https-state" title="concept-response-https-state">HTTPS state</a> to <var>request</var>'s
   <a href="#concept-request-client" title="concept-request-client">client</a>'s <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#https-state">HTTPS state</a>
   if <var>request</var>'s <a href="#concept-request-client" title="concept-request-client">client</a> is non-null.

   <li><p>Set <var>response</var>'s <a href="#concept-response-body" title="concept-response-body">body</a> to
   the result of performing the <a class="external" data-anolis-spec="fileapi" href="https://w3c.github.io/FileAPI/#readOperation">read operation</a> on
   <var>blob</var>.
   <!-- This takes care of setting length, transmitted, and error flag as well -->

   <li><p>Return <var>response</var>.
  </ol>

 <dt>"<code title="">data</code>"
 <dd>
  <p>If <var>request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> is
  `<code title="">GET</code>` and
  <a href="https://simonsapin.github.io/data-urls/">obtaining a resource</a> from
  <var>request</var>'s <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>
  does not return failure, return a <a href="#concept-response" title="concept-response">response</a> whose
  <a href="#concept-response-header-list" title="concept-response-header-list">header list</a> consist of a single
  <a href="#concept-header" title="concept-header">header</a> whose
  <a href="#concept-header-name" title="concept-header-name">name</a> is `<code title="">Content-Type</code>` and
  <a href="#concept-header-value" title="concept-header-value">value</a> is the MIME type and parameters returned
  from <a href="https://simonsapin.github.io/data-urls/">obtaining a resource</a>,
  <a href="#concept-response-body" title="concept-response-body">body</a> is the data returned from
  <a href="https://simonsapin.github.io/data-urls/">obtaining a resource</a>, and
  <a href="#concept-response-https-state" title="concept-response-https-state">HTTPS state</a> is <var>request</var>'s
  <a href="#concept-request-client" title="concept-request-client">client</a>'s <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#https-state">HTTPS state</a>
  if <var>request</var>'s <a href="#concept-request-client" title="concept-request-client">client</a> is non-null.
  <a href="#refsDATAURL">[DATAURL]</a>
  <!-- XXX "obtaining a resource" needs a better reference -->

  <p>Otherwise, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

 <dt>"<code title="">file</code>"
 <dt>"<code title="">ftp</code>"
 <dd>
  <p>For now, unfortunate as it is, <code title="">file</code> and <code title="">ftp</code>
  <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URLs</a> are left as an exercise for the
  reader.

  <p>When in doubt, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

 <dt>"<code title="">filesystem</code>"</dt> <!-- flag below also applies to "indexeddb" -->
 <dd>
  <p>If <var>request</var>'s <a href="#sandboxed-storage-area-urls-flag">sandboxed-storage-area-URLs flag</a> is set,
  return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

  <p class="XXX">Otherwise, … this scheme still needs to be defined.

 <dt><a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#http-scheme">HTTP(S) scheme</a>
 <dd>
  <p>Return the result of performing an <a href="#concept-http-fetch" title="concept-http-fetch">HTTP fetch</a>
  using <var>request</var>.

 <dt>Otherwise
 <dd><p>Return a <a href="#concept-network-error" title="concept-network-error">network error</a>.
</dl>


<h3 id="http-fetch"><span class="secno">5.3 </span>HTTP fetch</h3>

<p>To perform an <dfn id="concept-http-fetch" title="concept-http-fetch">HTTP fetch</dfn> using
<var>request</var> with an optional <i title="">CORS flag</i>,
<i title="">CORS-preflight flag</i>, and <i title="">authentication-fetch flag</i>, run these
steps:

<p class="note no-backref">The <i title="">CORS flag</i> is still a bookkeeping detail. The
<i title="">CORS-preflight flag</i> and <i title="">authentication-fetch flag</i> are too. The
former indicates a <a href="#cors-preflight-request">CORS-preflight request</a> is required and the latter
indicates an attempt to authenticate.

<ol>
 <li><p>Let <var>response</var> be null.

 <li><p>Let <var>actualResponse</var> be null.

 <li>
  <p>If <var>request</var>'s <a href="#skip-service-worker-flag">skip-service-worker flag</a> is unset and
  either <var>request</var>'s <a href="#concept-request-client" title="concept-request-client">client</a> is
  null or <var>request</var>'s <a href="#concept-request-client" title="concept-request-client">client</a>'s
  <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global" title="concept-settings-object-global">global object</a> is not a
  <a href="https://slightlyoff.github.io/ServiceWorker/spec/service_worker/#service-worker-global-scope-interface"><code class="external" data-anolis-spec="sw">ServiceWorkerGlobalScope</code></a> object, run these substeps:
  <a href="#refsHTML">[HTML]</a>
  <a href="#refsSW">[SW]</a>

  <ol>
   <li>
    <p>Set <var>response</var> to the result of invoking
    <a class="external" data-anolis-spec="sw" href="https://slightlyoff.github.io/ServiceWorker/spec/service_worker/#on-fetch-request-algorithm">handle fetch</a> for <var>request</var>.
    <a href="#refsSW">[SW]</a>

    <p><a href="#read-a-request" title="Read a request">Read <var>request</var></a>.

   <li><p>Set <var>actualResponse</var> to <var>response</var>, if <var>response</var> is not a
   <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a>, and to <var>response</var>'s
   <a href="#concept-internal-response" title="concept-internal-response">internal response</a> otherwise.

   <li>
    <p>If one of the following conditions is true, return a
    <a href="#concept-network-error" title="concept-network-error">network error</a>:

    <ul class="brief">
     <li><var>response</var>'s
     <a href="#concept-response-type" title="concept-response-type">type</a> is "<code title="">error</code>".

     <li><var>request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is not
     "<code title="">no-cors</code>" and <var>response</var>'s
     <a href="#concept-response-type" title="concept-response-type">type</a> is "<code title="">opaque</code>".

     <li><var>request</var>'s <a href="#concept-request-redirect-mode" title="concept-request-redirect-mode">redirect mode</a> is not
     "<code title="">manual</code>" and <var>response</var>'s
     <a href="#concept-response-type" title="concept-response-type">type</a> is "<code title="">opaqueredirect</code>".

     <li><var>request</var>'s <a href="#concept-request-redirect-mode" title="concept-request-redirect-mode">redirect mode</a> is not
     "<code title="">follow</code>" and <var>response</var>'s
     <a href="#concept-response-url-list" title="concept-response-url-list">url list</a> has more than one item.
    </ul>

   <li><p>Execute
   <a href="https://w3c.github.io/webappsec-csp/#set-response-csp-list">set <var>response</var>'s CSP list</a>
   on <var>actualResponse</var>. <a href="#refsCSP">[CSP]</a>
  </ol>

 <li>
  <p>Let <var>credentials flag</var> be set if one of

  <ul class="brief">
   <li><var>request</var>'s <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is
   "<code title="">include</code>"
   <li><var>request</var>'s  <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is
   "<code title="">same-origin</code>" and <var>request</var>'s
   <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a> is
   "<code title="">basic</code>"
  </ul>

  <p>is true, and unset otherwise.

 <li>
  <p>If <var>response</var> is null, run these substeps:

  <ol>
   <li>
    <p>If the <i title="">CORS-preflight flag</i> is set and one of these conditions is true:

    <ul>
     <li>There is no <a href="#concept-cache-match-method" title="concept-cache-match-method">method cache match</a> for
     <var>request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> using <var>request</var>,
     and either <var>request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> is a not a
     <a href="#cors-safelisted-method">CORS-safelisted method</a> or <var>request</var>'s
     <a href="#use-cors-preflight-flag">use-CORS-preflight flag</a> is set.

     <li>There is at least one <a href="#concept-header" title="concept-header">header</a> in
     <var>request</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>
     for whose <a href="#concept-header-name" title="concept-header-name">name</a> there is no
     <a href="#concept-cache-match-header" title="concept-cache-match-header">header-name cache match</a> using
     <var>request</var> and which is not a <a href="#cors-safelisted-request-header">CORS-safelisted request-header</a>.
    </ul>

    <p>Then run these subsubsteps:

    <ol>
     <li><p>Let <var>preflightResponse</var> be the result of performing a
     <a href="#cors-preflight-fetch-0">CORS-preflight fetch</a> using <var>request</var>.

     <li><p>If <var>preflightResponse</var> is a
     <a href="#concept-network-error" title="concept-network-error">network error</a>, return
     <var>preflightResponse</var>.
    </ol>

    <p class="note no-backref">This step checks the
    <a href="#concept-cache" title="concept-cache">CORS-preflight cache</a> and if there is no suitable entry it
    performs a <a href="#cors-preflight-fetch-0">CORS-preflight fetch</a> which, if successful, populates the cache. The
    purpose of the <a href="#cors-preflight-fetch-0">CORS-preflight fetch</a> is to ensure the
    <a href="#concept-fetch" title="concept-fetch">fetched</a> resource is familiar with the
    <a href="#cors-protocol">CORS protocol</a>. The cache is there to minimize the number of
    <a href="#cors-preflight-fetch-0" title="CORS-preflight fetch">CORS-preflight fetches</a>.

   <li>
    <p>Set <var>request</var>'s <a href="#skip-service-worker-flag">skip-service-worker flag</a>.

    <p class="note no-backref">There might be redirects. Alternatively,
    <var>request</var>'s <a href="#concept-request-window" title="concept-request-window">window</a> is an
    <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object">environment settings object</a> and the
    <i title="">CORS flag</i> is unset.

   <li><p>Set <var>response</var> and <var>actualResponse</var> to the result of performing an
   <a href="#concept-http-network-or-cache-fetch" title="concept-http-network-or-cache-fetch">HTTP-network-or-cache fetch</a>
   using <var>request</var> with <var>credentials flag</var> if set and
   <i title="">authentication-fetch flag</i> if set.

   <li>
    <p>If the <i title="">CORS flag</i> is set and a
    <a href="#concept-cors-check" title="concept-cors-check">CORS check</a> for <var>request</var> and
    <var>response</var> returns failure, return a
    <a href="#concept-network-error" title="concept-network-error">network error</a>.

    <p class="note">There is no need to apply this to a
    <a href="#concept-response" title="concept-response">response</a> from a service worker.
  </ol>

 <li>
  <p>Switch on <var>actualResponse</var>'s <a href="#concept-response-status" title="concept-response-status">status</a>:

  <dl class="switch">
   <dt><a href="#redirect-status">redirect status</a>
   <dd>
    <ol>
     <li>
      <p>If <var>actualResponse</var>'s <a href="#concept-response-status" title="concept-response-status">status</a> is not
      <code>303</code>, <var>request</var>'s <a href="#concept-request-body" title="concept-request-body">body</a> is not
      <a href="#concept-body-done" title="concept-body-done">done</a>, and the
      <a href="#concept-connection" title="concept-connection">connection</a> uses HTTP/2, then user agents may, and are
      even encouraged to, transmit an <code>RST_STREAM</code> frame.

      <p class="note"><code>303</code> is excluded as certain communities ascribe special status to
      it.

     <li><p>Let <var>location</var> be the result of <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
     `<code title="">Location</code>` in <var>actualResponse</var>'s
     <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

     <li><p>If <var>location</var> is a <a href="#concept-header-value" title="concept-header-value">value</a>, then set
     <var>location</var> to the result of
     <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-parser" title="concept-url-parser">parsing</a> <var>location</var> with
     <var>actualResponse</var>'s <a href="#concept-response-url" title="concept-response-url">url</a>.

     <li><p>Set <var>actualResponse</var>'s
     <a href="#concept-response-location-url" title="concept-response-location-url">location URL</a> to <var>location</var>.

     <li>
      <p>Switch on <var>request</var>'s
      <a href="#concept-request-redirect-mode" title="concept-request-redirect-mode">redirect mode</a>:

      <dl class="switch">
       <dt>"<code title="">error</code>"
       <dd><p>Set <var>response</var> to a <a href="#concept-network-error" title="concept-network-error">network error</a>.

       <dt>"<code title="">manual</code>"
       <dd><p>Set <var>response</var> to an
       <a href="#concept-filtered-response-opaque-redirect" title="concept-filtered-response-opaque-redirect">opaque-redirect filtered response</a>
       whose <a href="#concept-internal-response" title="concept-internal-response">internal response</a> is
       <var>actualResponse</var>.

       <dt>"<code title="">follow</code>"
       <dd><p>Set <var>response</var> to the result of performing
       <a href="#concept-http-redirect-fetch" title="concept-http-redirect-fetch">HTTP-redirect fetch</a> using <var>request</var> and
       <var>response</var>, with the <i>CORS flag</i> set if set.
      </dl>
      <!-- not resetting actualResponse since it's no longer used anyway -->
    </ol>

   <dt><code title="">401</code>
   <dd>
    <ol>
     <li>
      <p>If one of the following conditions is true, return <var>response</var>:

      <ul class="brief">
       <li>The <i title="">CORS flag</i> is set.
       <li>The <var>credentials flag</var> is unset.
       <li><var>request</var>'s <a href="#concept-request-window" title="concept-request-window">window</a> is
       "<code>no-window</code>".
      </ul>

     <li class="XXX"><p>Needs testing: multiple `<code>WWW-Authenticate</code>` headers,
     missing, parsing issues.

     <li>
      <p>If <var>request</var>'s
      <a href="#concept-request-use-url-credentials-flag" title="concept-request-use-url-credentials-flag">use-URL-credentials flag</a>
      is unset, or the <i title="">authentication-fetch flag</i> is set, run these substeps:

      <ol>
       <li><p>Let <var>username</var> and <var>password</var> be the result of
       prompting the end user for a username and password, respectively, in
       <var>request</var>'s <a href="#concept-request-window" title="concept-request-window">window</a>.

       <li><p><a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#set-the-username">Set the username</a> given
       <var>request</var>'s
       <a href="#concept-request-current-url" title="concept-request-current-url">current url</a> and
       <var>username</var>.

       <li><p><a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#set-the-password">Set the password</a> given
       <var>request</var>'s
       <a href="#concept-request-current-url" title="concept-request-current-url">current url</a> and
       <var>password</var>.
      </ol>

     <li><p>Return the result of performing an
     <a href="#concept-http-fetch" title="concept-http-fetch">HTTP fetch</a> using <var>request</var>, with
     the <i title="">authentication-fetch flag</i> set.
     <!-- cannot invoke >HTTP-network-or-cache fetch< as that would not come back here -->
    </ol>

   <dt><code title="">407</code>
   <dd>
    <ol>
     <li><p>If <var>request</var>'s <a href="#concept-request-window" title="concept-request-window">window</a>
     is "<code>no-window</code>", return a
     <a href="#concept-network-error" title="concept-network-error">network error</a>.

     <li class="XXX"><p>Needs testing: multiple `<code>Proxy-Authenticate</code>` headers,
     missing, parsing issues.

     <li>
      <p>Prompt the end user as appropriate in <var>request</var>'s
      <a href="#concept-request-window" title="concept-request-window">window</a> and store the result as a
      <a href="#proxy-authentication-entry">proxy-authentication entry</a>.
      <a href="#refsHTTP">[HTTP]</a>

      <p class="note">Remaining details surrounding proxy authentication are defined by HTTP.

     <li><p>Return the result of performing an
     <a href="#concept-http-fetch" title="concept-http-fetch">HTTP fetch</a> using <var>request</var>.
     <!-- cannot invoke >HTTP-network-or-cache fetch< as that would not come back here -->
    </ol>

   <dt>Otherwise
   <dd><p>Do nothing.
  </dl>

 <li><p>If the <i title="">authentication-fetch flag</i> is set, create an
 <a href="#authentication-entry">authentication entry</a> for <var>request</var> and the given realm.

 <li><p>Return <var>response</var>. <span class="note no-backref">Typically
 <var>actualResponse</var>'s <a href="#concept-response-body" title="concept-response-body">body</a>'s
 <a href="#concept-body-stream" title="concept-body-stream">stream</a> is still being enqueued to after returning.</span>
</ol>


<h3 id="http-redirect-fetch"><span class="secno">5.4 </span>HTTP-redirect fetch</h3>

<p class="note no-backref">This algorithm will be used by <cite>HTML</cite>'s "navigate" algorithm
in addition to <a href="#concept-http-fetch" title="concept-http-fetch">HTTP fetch</a> above.
<a href="#refsHTML">[HTML]</a>

<p>To perform an <dfn id="concept-http-redirect-fetch" title="concept-http-redirect-fetch">HTTP-redirect fetch</dfn> using
<var>request</var> and <var>response</var>, with an optional <i>CORS flag</i>, run these steps:

<ol>
 <li><p>Let <var>actualResponse</var> be <var>response</var>, if <var>response</var> is not a
 <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a>, and <var>response</var>'s
 <a href="#concept-internal-response" title="concept-internal-response">internal response</a> otherwise.

 <li><p>If <var>actualResponse</var>'s <a href="#concept-response-location-url" title="concept-response-location-url">location URL</a>
 is null, then return <var>response</var>.

 <li><p>If <var>actualResponse</var>'s <a href="#concept-response-location-url" title="concept-response-location-url">location URL</a>
 is failure, then return a <a href="#concept-network-error" title="concept-network-error">network error</a>.
 <!-- only Gecko does this; and even that is currently more complicated -->

 <li><p>If <var>actualResponse</var>'s
 <a href="#concept-response-location-url" title="concept-response-location-url">location URL</a>'s
 <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is <em>not</em> an
 <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#http-scheme">HTTP(S) scheme</a>, then return a
 <a href="#concept-network-error" title="concept-network-error">network error</a>.

 <li><p>If <var>request</var>'s <a href="#concept-request-redirect-count" title="concept-request-redirect-count">redirect count</a> is
 twenty, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

 <li><p>Increase <var>request</var>'s
 <a href="#concept-request-redirect-count" title="concept-request-redirect-count">redirect count</a> by one.

 <li><p>Unset <var title="">request</var>'s <a href="#same-origin-data-url-flag">same-origin data-URL flag</a>.

 <li><p>If <var>request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is "<code>cors</code>",
 <var>request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a> is <em>not</em>
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#same-origin">same origin</a> with <var>actualResponse</var>'s
 <a href="#concept-response-location-url" title="concept-response-location-url">location URL</a>'s
 <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-origin" title="concept-url-origin">origin</a>, and <var>actualResponse</var>'s
 <a href="#concept-response-location-url" title="concept-response-location-url">location URL</a>
 <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#include-credentials" title="include credentials">includes credentials</a>, then return a
 <a href="#concept-network-error" title="concept-network-error">network error</a>.

 <li>
  <p>If the <i>CORS flag</i> is set and <var>actualResponse</var>'s
  <a href="#concept-response-location-url" title="concept-response-location-url">location URL</a>
  <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#include-credentials" title="include credentials">includes credentials</a>, then return a
  <a href="#concept-network-error" title="concept-network-error">network error</a>.

  <p class="note">This catches a cross-origin resource redirecting to a same-origin URL.

 <li><p>If the <i>CORS flag</i> is set and <var>actualResponse</var>'s
 <a href="#concept-response-location-url" title="concept-response-location-url">location URL</a>'s
 <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-origin" title="concept-url-origin">origin</a> is <em>not</em>
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#same-origin">same origin</a> with <var>request</var>'s
 <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
 <span data-analis-spec="url" title="concept-url-origin">origin</span>, set <var>request</var>'s
 <a href="#concept-request-origin" title="concept-request-origin">origin</a> to a globally unique identifier.

 <li><p>If either <var>actualResponse</var>'s <a href="#concept-response-status" title="concept-response-status">status</a> is
 <code title="">301</code> or <code title="">302</code> and <var>request</var>'s
 <a href="#concept-request-method" title="concept-request-method">method</a> is `<code title="">POST</code>`, or
 <var>actualResponse</var>'s <a href="#concept-response-status" title="concept-response-status">status</a> is
 <code title="">303</code>, set <var>request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a>
 to `<code title="">GET</code>` and <var>request</var>'s <a href="#concept-request-body" title="concept-request-body">body</a>
 to null.

 <li><p>Append <var>actualResponse</var>'s
 <a href="#concept-response-location-url" title="concept-response-location-url">location URL</a> to <var>request</var>'s
 <a href="#concept-request-url-list" title="concept-request-url-list">url list</a>.

 <li><p>Invoke
 <a href="https://w3c.github.io/webappsec-referrer-policy/#set-requests-referrer-policy-on-redirect">set <var>request</var>'s referrer policy on redirect</a>
 on <var>request</var> and <var>actualResponse</var>. <a href="#refsREFERRER">[REFERRER]</a>

 <li>
  <p>Return the result of performing a <a href="#concept-main-fetch" title="concept-main-fetch">main fetch</a> using
  <var>request</var>, with the <i>CORS flag</i> set if set, and the <i>recursive flag</i> set.

  <p class="note no-backref">This has to invoke <a href="#concept-main-fetch" title="concept-main-fetch">main fetch</a> to
  get <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a> correct.
</ol>


<h3 id="http-network-or-cache-fetch"><span class="secno">5.5 </span>HTTP-network-or-cache fetch</h3>

<p>To perform an
<dfn id="concept-http-network-or-cache-fetch" title="concept-http-network-or-cache-fetch">HTTP-network-or-cache fetch</dfn> using
<var>request</var> with an optional <i title="">credentials flag</i> and
<i title="">authentication-fetch flag</i>, run these steps:

<p class="note">The <i title="">authentication-fetch flag</i> is still a bookkeeping detail.
The <i title="">credentials flag</i> is one too.

<ol>
 <li>
  <p>Let <var>httpRequest</var> be <var>request</var> if
  <var>request</var>'s <a href="#concept-request-window" title="concept-request-window">window</a> is "<code>no-window</code>"
  and <var>request</var>'s <a href="#concept-request-redirect-mode" title="concept-request-redirect-mode">redirect mode</a> is
  "<code>error</code>", and the result of <a href="#concept-request-clone" title="concept-request-clone">cloning</a>
  <var>request</var> otherwise.

  <p class="note no-backref">A <var>request</var> is typically cloned as it needs to be possible to
  add <a href="#concept-header" title="concept-header">headers</a> and read its
  <a href="#concept-request-body" title="concept-request-body">body</a> without affecting <var>request</var>. As
  <var>request</var> is reused with redirects, authentication, and proxy authentication.

 <li><p>Let <var>contentLengthValue</var> be null.

 <li><p>If <var>httpRequest</var>'s <a href="#concept-request-body" title="concept-request-body">body</a> is null and
 <var>httpRequest</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> is
 `<code title="">POST</code>` or `<code title="">PUT</code>`, then set <var>contentLengthValue</var> to
 `<code title="">0</code>`.
 <!-- https://chromium.googlesource.com/chromium/src/+/master/net/http/http_network_transaction.cc#982 -->

 <li><p>If <var>httpRequest</var>'s <a href="#concept-request-body" title="concept-request-body">body</a> is
 non-null, set <var>contentLengthValue</var> to <var>httpRequest</var>'s
 <a href="#concept-request-body" title="concept-request-body">body</a>'s
 <a href="#concept-body-total-bytes" title="concept-body-total-bytes">total bytes</a>,
 <a class="external" data-anolis-spec="encoding" href="https://encoding.spec.whatwg.org/#utf-8-encode" title="utf-8 encode">utf-8 encoded</a>.
 <!-- XXX with streams we don't always know the length and so need to do chunked here -->

 <li><p>If <var>contentLengthValue</var> is non-null,
 <a href="#concept-header-list-append" title="concept-header-list-append">append</a>
 `<code title="">Content-Length</code>`/<var>contentLengthValue</var> to
 <var>httpRequest</var>'s
 <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

 <li><p>If <var>httpRequest</var>'s <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> is a
 <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URL</a>, then
 <a href="#concept-header-list-append" title="concept-header-list-append">append</a>
 `<code title="">Referer</code>`/<var>httpRequest</var>'s
 <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a>,
 <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-serializer" title="concept-url-serializer">serialized</a> and
 <a class="external" data-anolis-spec="encoding" href="https://encoding.spec.whatwg.org/#utf-8-encode" title="utf-8 encode">utf-8 encoded</a>, to
 <var>httpRequest</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.
 <!-- XXX ideally we have an easier way to convert something ASCII-safe into bytes
          concept-as-bytes -->

 <li><p>If <var>httpRequest</var>'s <a href="#omit-origin-header-flag">omit-<code>Origin</code>-header flag</a> is
 unset, <a href="#concept-header-list-append" title="concept-header-list-append">append</a>
 `<code title="">Origin</code>`/<var>httpRequest</var>'s
 <a href="#concept-request-origin" title="concept-request-origin">origin</a>,
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin" title="ASCII serialization of an origin">serialized</a>
 and <a class="external" data-anolis-spec="encoding" href="https://encoding.spec.whatwg.org/#utf-8-encode" title="utf-8 encode">utf-8 encoded</a>, to
 <var>httpRequest</var>'s
 <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.
 <!-- XXX concept-as-bytes -->

 <li><p>If <var>httpRequest</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a> does
 <em>not</em> contain a <a href="#concept-header" title="concept-header">header</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is `<code title="http-user-agent">User-Agent</code>`,
 user agents should <a href="#concept-header-list-append" title="concept-header-list-append">append</a>
 `<code title="http-user-agent">User-Agent</code>`/<a href="#default-user-agent-value">default `<code>User-Agent</code>` value</a>
 to <var>httpRequest</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

 <li><p>If <var>httpRequest</var>'s <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> is
 "<code title="">default</code>" and <var>httpRequest</var>'s
 <a href="#concept-request-header-list" title="concept-request-header-list">header list</a> contains a
 <a href="#concept-header" title="concept-header">header</a> <span title="concept-header-named">named</span>
 `<code title="">If-Modified-Since</code>`,
 `<code title="">If-None-Match</code>`,
 `<code title="">If-Unmodified-Since</code>`,
 `<code title="">If-Match</code>`, or
 `<code title="">If-Range</code>`, set <var>httpRequest</var>'s
 <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> to "<code title="">no-store</code>".

 <li><p>If <var>httpRequest</var>'s <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> is
 "<code title="">no-cache</code>" and <var>httpRequest</var>'s
 <a href="#concept-request-header-list" title="concept-request-header-list">header list</a> does <em>not</em> contain a
 <a href="#concept-header" title="concept-header">header</a> whose <a href="#concept-header-name" title="concept-header-name">name</a> is
 `<code title="http-cache-control">Cache-Control</code>`,
 <a href="#concept-header-list-append" title="concept-header-list-append">append</a>
 `<code title="http-cache-control">Cache-Control</code>`/`<code title="">max-age=0</code>` to
 <var>httpRequest</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

 <li>
  <p>If <var>httpRequest</var>'s <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> is
  "<code title="">no-store</code>" or "<code title="">reload</code>", run these substeps:

  <ol>
   <li><p>If <var>httpRequest</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>
   does <em>not</em> contain a <a href="#concept-header" title="concept-header">header</a> whose
   <a href="#concept-header-name" title="concept-header-name">name</a> is `<code title="http-pragma">Pragma</code>`,
   <a href="#concept-header-list-append" title="concept-header-list-append">append</a>
   `<code title="http-pragma">Pragma</code>`/`<code title="">no-cache</code>` to <var>httpRequest</var>'s
   <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

   <li><p>If <var>httpRequest</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>
   does <em>not</em> contain a <a href="#concept-header" title="concept-header">header</a> whose
   <a href="#concept-header-name" title="concept-header-name">name</a> is
   `<code title="http-cache-control">Cache-Control</code>`,
   <a href="#concept-header-list-append" title="concept-header-list-append">append</a>
   `<code title="http-cache-control">Cache-Control</code>`/`<code title="">no-cache</code>` to
   <var>httpRequest</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.
   <!-- Technically this only applies to HTTP/1.1 and up -->
  </ol>

 <li>
  <p>Modify <var>httpRequest</var>'s
  <a href="#concept-request-header-list" title="concept-request-header-list">header list</a> per HTTP.

  <p class="note no-backref">It would be great if we could make this more normative
  somehow. At this point <a href="#concept-header" title="concept-header">headers</a> such as
  `<code title="http-accept-encoding">Accept-Encoding</code>`,
  `<code title="http-connection">Connection</code>`,
  `<code title="http-dnt">DNT</code>`, and
  `<code title="http-host">Host</code>`,
  are to be <a href="#concept-header-list-append" title="concept-header-list-append">appended</a> if necessary.

  <p>`<code title="http-accept">Accept</code>`,
  `<code title="http-accept-charset">Accept-Charset</code>`, and
  `<code title="http-accept-language">Accept-Language</code>` must not be included at this point.

  <p class="note no-backref">`<code title="http-accept">Accept</code>` and
  `<code title="http-accept-language">Accept-Language</code>` are already included (unless
  <a href="#dom-global-fetch"><code title="dom-global-fetch">fetch()</code></a> is used, which does not include the latter by
  default), and `<code title="http-accept-charset">Accept-Charset</code>` is a waste of bytes. See
  <a href="#http-header-layer-division">HTTP header layer division</a> for more details.

 <li>
  <p>If <var>credentials flag</var> is set, run these substeps:

  <ol>
   <li>
    <p>If the user agent is not configured to block cookies for <var>httpRequest</var> (see
    <a href="https://tools.ietf.org/html/rfc6265#section-7">section 7</a> of
    <a href="#refsCOOKIES">[COOKIES]</a>), then run these substeps:

    <ol>
     <li><p>Let <var>cookies</var> be the result of running the "cookie-string" algorithm (see
     <a href="https://tools.ietf.org/html/rfc6265#section-5.4">section 5.4</a> of
     <a href="#refsCOOKIES">[COOKIES]</a>) with the user agent's cookie store and
     <var>httpRequest</var>'s <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>.

     <li>If <var>cookies</var> is not the empty string, append
     `<code title="http-cookies">Cookie</code>`/<var>cookies</var> to <var>httpRequest</var>'s
     <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.
    </ol>

   <li><p>If <var>httpRequest</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>
   contains a <a href="#concept-header" title="concept-header">header</a> whose
   <a href="#concept-header-name" title="concept-header-name">name</a> is
   `<code title="http-authorization">Authorization</code>`, terminate these substeps.

   <!-- https://wiki.whatwg.org/wiki/HTTP_Authentication -->
   <li><p>Let <var>authorizationValue</var> be null.

   <li><p>If there's an <a href="#authentication-entry">authentication entry</a> for <var>httpRequest</var>
   and either <var>httpRequest</var>'s
   <a href="#concept-request-use-url-credentials-flag" title="concept-request-use-url-credentials-flag">use-URL-credentials flag</a> is
   unset or <var>httpRequest</var>'s
   <a href="#concept-request-current-url" title="concept-request-current-url">current url</a> does not
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#include-credentials">include credentials</a>, set
   <var>authorizationValue</var> to <a href="#authentication-entry">authentication entry</a>.
   <!-- need to define the cache concept -->

   <li><p>Otherwise, if <var>httpRequest</var>'s
   <a href="#concept-request-current-url" title="concept-request-current-url">current url</a> does
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#include-credentials">include credentials</a> and the
   <i title="">authentication-fetch flag</i> is set, set
   <var>authorizationValue</var> to <var>httpRequest</var>'s
   <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>,
   <span class="XXX">converted to an `<code title="">Authorization</code>` value</span>.

   <li><p>If <var>authorizationValue</var> is non-null,
   <a href="#concept-header-list-append" title="concept-header-list-append">append</a>
   `<code title="">Authorization</code>`/<var>authorizationValue</var> to
   <var>httpRequest</var>'s
   <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.
  </ol>

 <li>
  <p>If there's a <a href="#proxy-authentication-entry">proxy-authentication entry</a>, use it as appropriate.

  <p class="note no-backref">This intentionally does not depend on
  <var>httpRequest</var>'s
  <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a>.

 <li><p>Let <var>response</var> be null.

 <li>
  <p>If <var>httpRequest</var>'s
  <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> is neither
  "<code title="">no-store</code>" nor "<code title="">reload</code>", and there is a <em>complete</em>
  <a href="#concept-response" title="concept-response">response</a> in the HTTP cache for
  <var>httpRequest</var> run these substeps:
  <!-- XXX xref "HTTP cache" -->

  <ol>
   <li>
    <p>If <var>httpRequest</var>'s <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> is
    "<code title="">force-cache</code>" or "<code title="">only-if-cached</code>", then set
    <var>response</var> to the <a href="#concept-response" title="concept-response">response</a> in the HTTP cache for
    <var>httpRequest</var>.

    <p class="note">As mandated by HTTP, this still takes the `<code title="http-vary">Vary</code>`
    <a href="#concept-header" title="concept-header">header</a> into account.

   <li><p>Otherwise, if <var>httpRequest</var>'s
   <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> is "<code title="">default</code>" and the
   <a href="#concept-response" title="concept-response">response</a> in the HTTP cache for <var>httpRequest</var> does
   not require revalidation, then set <var>response</var> to that
   <a href="#concept-response" title="concept-response">response</a>.
   <!-- XXX xref "revalidation" -->

   <li><p>Otherwise, if <var>httpRequest</var>'s
   <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> is either "<code title="">default</code>"
   or "<code title="">no-cache</code>", modify <var>httpRequest</var>'s
   <a href="#concept-request-header-list" title="concept-request-header-list">header list</a> with revalidation
   <a href="#concept-header" title="concept-header">headers</a>.
   <!-- XXX modify, revalidation headers -->
  </ol>

 <li><p>Otherwise, if <var>httpRequest</var>'s
 <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> is either
 "<code title="">default</code>" or "<code title="">force-cache</code>", and there is a
 <em>partial</em> <a href="#concept-response" title="concept-response">response</a> in the HTTP cache for
 <var>httpRequest</var>, modify <var>httpRequest</var>'s
 <a href="#concept-request-header-list" title="concept-request-header-list">header list</a> with resume
 <a href="#concept-header" title="concept-header">headers</a>.
 <!-- XXX xref partial, modify, resume headers -->

 <li>
  <p>If <var>response</var> is null, run these substeps:

  <ol>
   <li><p>If <var>httpRequest</var>'s <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> is
   "<code title="">only-if-cached</code>", then return a
   <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li><p>Set <var>response</var> to the result of making an
   <a href="#concept-http-network-fetch" title="concept-http-network-fetch">HTTP-network fetch</a> using <var>httpRequest</var>
   with the <i title="">credentials flag</i> set if set.
  </ol>

 <li>
  <p>If <var>response</var>'s <a href="#concept-status" title="status">status</a> is <code>304</code> and
  <var>httpRequest</var>'s <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> is either
  "<code title="">default</code>" or "<code title="">no-cache</code>", run these substeps:

  <ol>
   <li><p>Set <var>cachedResponse</var> to the result of selecting a stored
   <a href="#concept-response" title="concept-response">response</a> from the HTTP cache using <var>httpRequest</var>, as
   per the
   "<a href="https://tools.ietf.org/html/rfc7234#section-4.3.4">Freshening Stored Responses upon Validation</a>"
   chapter of <cite>HTTP Caching</cite>. <a href="#refsHTTP">[HTTP]</a>

   <li><p>If <var>cachedResponse</var> is null (i.e., one cannot be selected), return a
   <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li><p>Update <var>cachedResponse</var>'s <a href="#concept-header-list" title="concept-header-list">header list</a>
   using <var>response</var>'s <a href="#concept-header-list" title="concept-header-list">header list</a>, as per the
   "<a href="https://tools.ietf.org/html/rfc7234#section-4.3.4">Freshening Stored Responses upon Validation</a>"
   chapter of <cite>HTTP Caching</cite>. <a href="#refsHTTP">[HTTP]</a>

   <li>
    <p>Set <var>response</var> to the <var>cachedResponse</var>.

    <p class="note no-backref">This changes <var>response</var> entirely, including its
    <a href="#concept-response-status" title="concept-response-status">status</a> which is most likely <code>200</code> now.
  </ol>

 <li><p>Return <var>response</var>. <span class="note no-backref">Typically
 <var>response</var>'s <a href="#concept-response-body" title="concept-response-body">body</a>'s
 <a href="#concept-body-stream" title="concept-body-stream">stream</a> is still being enqueued to after returning.</span>
</ol>


<h3 id="http-network-fetch"><span class="secno">5.6 </span>HTTP-network fetch</h3>

<p>To perform an <dfn id="concept-http-network-fetch" title="concept-http-network-fetch">HTTP-network fetch</dfn> using
<var>request</var> with an optional <i title="">credentials flag</i>, run these steps:

<ol>
 <li><p>Let <var>credentials</var> be true if <i title="">credentials flag</i> is set, and false
 otherwise.

 <li>
  <p>Switch on <var>request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a>:

  <dl>
   <dt>"<code title="">websocket</code>"
   <dd><p>Let <var>connection</var> be the result of
   <a href="#concept-websocket-connection-obtain" title="concept-websocket-connection-obtain">obtaining a WebSocket connection</a>, given
   <var>request</var>'s <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>.

   <dt>Otherwise
   <dd><p>Let <var>connection</var> be the result of
   <a href="#concept-connection-obtain" title="concept-connection-obtain">obtaining a connection</a>, given <var>request</var>'s
   <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>'s
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-origin" title="concept-url-origin">origin</a> and <var>credentials</var>.
  </dl>

 <li><p>If <var>connection</var> is failure, return a
 <a href="#concept-network-error" title="concept-network-error">network error</a>.

 <li>
  <p>Let <var>response</var> be the result of making an HTTP request over <var>connection</var>
  using <var>request</var>, following the relevant requirements from HTTP, and waiting until all the
  <a href="#concept-header" title="concept-header">headers</a> are transmitted or
  <a href="#concept-fetch" title="concept-fetch">fetch</a> is being
  <a href="#concept-fetch-terminate" title="concept-fetch-terminate">terminated</a> with reason
  <var>reason</var>. If <a href="#concept-fetch" title="concept-fetch">fetch</a> is being
  <a href="#concept-fetch-terminate" title="concept-fetch-terminate">terminated</a>, set <var>response</var>'s
  <a href="#concept-response-termination-reason" title="concept-response-termination-reason">termination reason</a> to
  <var>reason</var>.
  <a href="#refsHTTP">[HTTP]</a>

  <p>If the HTTP request results in a TLS client certificate dialog, run these substeps:

  <ol>
   <li><p>If <var>request</var>'s <a href="#concept-request-window" title="concept-request-window">window</a>
   is an <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object">environment settings object</a>, make the dialog
   available in <var>request</var>'s
   <a href="#concept-request-window" title="concept-request-window">window</a>.

   <li><p>Otherwise, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.
  </ol>

  <p>If <var>response</var> was retrieved over HTTPS, set its
  <a href="#concept-response-https-state" title="concept-response-https-state">HTTPS state</a> to either
  "<code title="">deprecated</code>" or "<code title="">modern</code>".
  <a href="#refsTLS">[TLS]</a>

  <p class="note no-backref">The exact determination here is up to user agents for the
  time being. User agents are strongly encouraged to only succeed HTTPS connections with
  strong security properties and return
  <a href="#concept-network-error" title="concept-network-error">network errors</a> otherwise. Using the
  "<code title="">deprecated</code>" state value ought to be a temporary and last resort kind
  of option.

  <p><a href="#read-a-request" title="Read a request">Read <var>request</var></a>.

 <li>
  <p>Let <var>strategy</var> be an object. The user agent may choose any object.

  <p class="note no-backref"><var>strategy</var> is used to control the queuing strategy of
  <var>stream</var> constructed below.

 <li><p>Let <var>pull</var> be an action that <a href="#concept-fetch-resume" title="concept-fetch-resume">resumes</a> the
 ongoing fetch if it is <a href="#concept-fetch-suspend" title="concept-fetch-suspend">suspended</a>.

 <li><p>Let <var>cancel</var> be an action that
 <a href="#concept-fetch-terminate" title="concept-fetch-terminate">terminates</a> the ongoing fetch with reason
 <i title="">end-user abort</i>.

 <li>
  <p>Let <var>stream</var> be the result of
  <a href="#concept-construct-readablestream" title="concept-construct-ReadableStream">constructing</a> a
  <a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object with <var>strategy</var>,
  <var>pull</var> and <var>cancel</var>.
  <p class="note no-backref">This construction operation will not throw an exception.

 <li><p>Set <var>response</var>'s <a href="#concept-response-body" title="concept-response-body">body</a> to a new
 <a href="#concept-body" title="concept-body">body</a> whose <a href="#concept-body-stream" title="concept-body-stream">stream</a> is
 <var>stream</var>.

 <li>
  <p><a href="#concept-header-list-delete" title="concept-header-list-delete">Delete</a>
  `<code title="">Content-Encoding</code>` from <var>response</var>'s
  <a href="#concept-response-header-list" title="concept-response-header-list">header list</a> if one of the following
  conditions is true:

  <ul class="brief">
   <li><a href="#concept-header-parse" title="concept-header-parse">Parsing</a>
   `<code title="">Content-Encoding</code>` in <var>response</var>'s
   <a href="#concept-response-header-list" title="concept-response-header-list">header list</a> returns
   `<code title="">gzip</code>` and <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
   `<code title="">Content-Type</code>` in <var>response</var>'s
   <a href="#concept-response-header-list" title="concept-response-header-list">header list</a> returns
   `<code title="">application/gzip</code>`, `<code title="">application/x-gunzip</code>`, or
   `<code title="">application/x-gzip</code>`.
   <li><a href="#concept-header-parse" title="concept-header-parse">Parsing</a>
   `<code title="">Content-Encoding</code>` in <var>response</var>'s
   <a href="#concept-response-header-list" title="concept-response-header-list">header list</a> returns
   `<code title="">compress</code>` and <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
   `<code title="">Content-Type</code>` in <var>response</var>'s
   <a href="#concept-response-header-list" title="concept-response-header-list">header list</a> returns
   `<code title="">application/compress</code>` or
   `<code title="">application/x-compress</code>.
  </ul>

  <p class="note">This deals with broken Apache configurations. Ideally HTTP would define
  this.
  <!-- https://wiki.whatwg.org/wiki/HTTP -->

  <p class="XXX">Gecko
  <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1030660">bug 1030660</a> looks
  into whether this quirk can be removed.

 <li><p>Execute
 <a href="https://w3c.github.io/webappsec-csp/#set-response-csp-list">set <var>response</var>'s CSP list</a>
 on <var>response</var>. <a href="#refsCSP">[CSP]</a>

 <li><p>If <var>response</var> is not a
 <a href="#concept-network-error" title="concept-network-error">network error</a> and <var>request</var>'s
 <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> is not "<code title="">no-store</code>",
 update <var>response</var> in the HTTP cache for <var>request</var>.
 <!-- XXX xref HTTP cache -->

 <li>
  <p>If <var>credentials flag</var> is set and the user agent is not configured to block cookies for
  <var>request</var> (see <a href="https://tools.ietf.org/html/rfc6265#section-7">section 7</a> of
  <a href="#refsCOOKIES">[COOKIES]</a>), then run the "set-cookie-string" parsing algorithm (see
  <a href="https://tools.ietf.org/html/rfc6265#section-5.2">section 5.2</a> of
  <a href="#refsCOOKIES">[COOKIES]</a>) on the <a href="#concept-header-value" title="concept-header-value">value</a>
  of each <var>header</var> <a href="#concept-header-name" title="concept-header-name">named</a> `<code title="">Set-Cookie</code>`
  in <var>response</var>'s <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>, if any, and
  <var>request</var>'s <span title="concept-response-current-url">current url</span>.

  <p class="note">This is a fingerprinting vector.

 <li>
  <p>Run these substeps <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel">in parallel</a>:

  <ol>
   <li><p>If <var>response</var>'s <a href="#concept-response-body" title="concept-response-body">body</a> is
   non-null, set <var>response</var>'s <a href="#concept-response-body" title="concept-response-body">body</a>'s
   <a href="#concept-body-total-bytes" title="concept-body-total-bytes">total bytes</a> to <var>response</var>'s
   <a href="#concept-response-body" title="concept-response-body">body</a>'s payload body length.
   <!-- XXX xref payload body -->

   <li>
    <p>Whenever one or more bytes are transmitted, let <var>bytes</var> be the
    transmitted bytes and run these subsubsteps:

    <ol>
     <li><p>Increase <var>response</var>'s
     <a href="#concept-response-body" title="concept-response-body">body</a>'s
     <a href="#concept-body-transmitted" title="concept-body-transmitted">transmitted bytes</a> with <var>bytes</var>'
     length.

     <li><p>Let <var>codings</var> be the result of
     <a href="#concept-header-parse" title="concept-header-parse">parsing</a> `<code title="">Content-Encoding</code>`
     in <var>response</var>'s
     <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

     <li>
      <p>Set <var>bytes</var> to the result of <a href="#handle-content-codings" title="handle content codings">handling
      content codings</a> given <var>codings</var> and <var>bytes</var>.

      <p class="note no-backref">This makes the `<code title="">Content-Length</code>`
      <a href="#concept-header" title="concept-header">header</a> unreliable to the extent that it was reliable
      to begin with.

     <li>
      <p><a href="#concept-enqueue-readablestream" title="concept-enqueue-ReadableStream">Enqueue</a> a <code>Uint8Array</code>
      object wrapping an <code>ArrayBuffer</code> containing <var>bytes</var> to <var>stream</var>.
      If that threw an exception, <a href="#concept-fetch-terminate" title="concept-fetch-terminate">terminate</a> the ongoing
      fetch with <i>fatal</i>, <a href="#concept-error-readablestream" title="concept-error-ReadableStream">error</a>
      <var>stream</var> with that exception and abort these subsubsteps.

     <li><p>If <var>stream</var> doesn't <a href="#concept-readablestream-need-more-data" title="concept-ReadableStream-need-more-data">need more
     data</a> and <var>request</var>'s <a href="#synchronous-flag">synchronous flag</a> is unset, ask the user agent
     to <a href="#concept-fetch-suspend" title="concept-fetch-suspend">suspend</a> the ongoing fetch.
    </ol>

   <li><p>If at any point the bytes transmission is done normally and <var>stream</var> is
   <a href="#concept-readablestream-readable" title="concept-ReadableStream-readable">readable</a>,
   <a href="#concept-close-readablestream" title="concept-close-ReadableStream">close</a> <var>stream</var>.

   <li>
    <p>If at any point <a href="#concept-fetch" title="concept-fetch">fetch</a> is
    <a href="#concept-fetch-terminate" title="concept-fetch-terminate">terminated</a> with reason <var>reason</var>,
    run these subsubsteps:

    <ol>
     <li><p>Set <var>response</var>'s <a href="#concept-response-termination-reason" title="concept-response-termination-reason">termination
     reason</a> to <var>reason</var>.

     <li><p>If <var>stream</var> is <a href="#concept-readablestream-readable" title="concept-ReadableStream-readable">readable</a>,
     <a href="#concept-error-readablestream" title="concept-error-ReadableStream">error</a> <var>stream</var> with a
     <code>TypeError</code>.
    </ol>
  </ol>

  <p class="note no-backref">These are run <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel">in parallel</a>
  as at this point it is unclear whether <var>response</var>'s
  <a href="#concept-response-body" title="concept-response-body">body</a> is relevant (<var>response</var>
  might be a redirect).

 <li><p>Return <var>response</var>. <span class="note no-backref">Typically
 <var>response</var>'s <a href="#concept-response-body" title="concept-response-body">body</a>'s
 <a href="#concept-body-stream" title="concept-body-stream">stream</a> is still being enqueued to after returning.</span>
</ol>


<h3 id="cors-preflight-fetch"><span class="secno">5.7 </span>CORS-preflight fetch</h3>

<p class="note no-backref">This is effectively the user agent implementation of the check to see if
the <a href="#cors-protocol">CORS protocol</a> is understood. The so-called <a href="#cors-preflight-request">CORS-preflight request</a>. If
successful it populates the <a href="#concept-cache" title="concept-cache">CORS-preflight cache</a> to minimize the
number of these <a href="#cors-preflight-fetch-0" title="CORS-preflight fetch">fetches</a>.

<p>To perform a <dfn id="cors-preflight-fetch-0">CORS-preflight fetch</dfn> using <var>request</var>, run these
steps:

<ol>
 <li><p>Let <var>preflight</var> be a new <a href="#concept-request" title="concept-request">request</a>
 whose <a href="#concept-request-method" title="concept-request-method">method</a> is `<code title="">OPTIONS</code>`,
 <a href="#concept-request-url" title="concept-request-url">url</a> is <var>request</var>'s
 <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>,
 <a href="#concept-request-initiator" title="concept-request-initiator">initiator</a> is <var>request</var>'s
 <a href="#concept-request-initiator" title="concept-request-initiator">initiator</a>,
 <a href="#concept-request-type" title="concept-request-type">type</a> is <var>request</var>'s
 <a href="#concept-request-type" title="concept-request-type">type</a>,
 <a href="#concept-request-destination" title="concept-request-destination">destination</a> is <var>request</var>'s
 <a href="#concept-request-destination" title="concept-request-destination">destination</a>,
 <a href="#concept-request-origin" title="concept-request-origin">origin</a> is <var>request</var>'s
 <a href="#concept-request-origin" title="concept-request-origin">origin</a>,
 <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> is <var>request</var>'s
 <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a>, and
 <a href="#concept-request-referrer-policy" title="concept-request-referrer-policy">referrer policy</a> is
 <var>request</var>'s
 <a href="#concept-request-referrer-policy" title="concept-request-referrer-policy">referrer policy</a>.

 <li><p><a href="#concept-header-list-set" title="concept-header-list-set">Set</a>
 `<a href="#http-access-control-request-method"><code title="http-access-control-request-method">Access-Control-Request-Method</code></a>` to
 <var>request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> in
 <var>preflight</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

 <li><p>Let <var>headers</var> be the <a href="#concept-header-name" title="concept-header-name">names</a> of
 <var>request</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>'s
 <a href="#concept-header" title="concept-header">headers</a>, excluding
 <a href="#cors-safelisted-request-header" title="cors-safelisted request-header">CORS-safelisted request-headers</a> and duplicates,
 sorted lexicographically, and <a href="#byte-lowercase" title="byte-lowercase">byte-lowercased</a>.

 <li><p>Let <var>value</var> be the items in <var>headers</var> separated from each other by 0x2C.

 <li><p><a href="#concept-header-list-set" title="concept-header-list-set">Set</a>
 `<a href="#http-access-control-request-headers"><code title="http-access-control-request-headers">Access-Control-Request-Headers</code></a>`
 to <var>value</var> in
 <var>preflight</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

 <li><p>Let <var>response</var> be the result of performing an
 <a href="#concept-http-network-or-cache-fetch" title="concept-http-network-or-cache-fetch">HTTP-network-or-cache fetch</a> using
 <var>preflight</var>.

 <li>
  <p>If a <a href="#concept-cors-check" title="concept-cors-check">CORS check</a> for <var>request</var>
  and <var>response</var> returns success and <var>response</var>'s
  <a href="#concept-response-status" title="concept-response-status">status</a> is an <a href="#ok-status">ok status</a>, run these
  substeps:
  <!-- CORS said 200 here but nobody implemented that:
       https://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0078.html -->

  <p class="note no-backref">The <a href="#concept-cors-check" title="concept-cors-check">CORS check</a> is done
  on <var>request</var> rather than <var>preflight</var> to ensure the correct
  <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is used.

  <ol>
   <li><p>Let <var>methods</var> be the result of
   <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
   `<a href="#http-access-control-allow-methods"><code title="http-access-control-allow-methods">Access-Control-Allow-Methods</code></a>` in
   <var>response</var>'s
   <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

   <li><p>If <var>methods</var> is `<code>*</code>`, then set <var>methods</var> to a new list
   containing `<code>*</code>`.

   <li><p>Let <var>headerNames</var> be the result of
   <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
   `<a href="#http-access-control-allow-headers"><code title="http-access-control-allow-headers">Access-Control-Allow-Headers</code></a>` in
   <var>response</var>'s
   <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

   <li><p>If either <var>methods</var> or <var>headerNames</var> is failure,
   return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li><p>If <var>methods</var> or <var>headerNames</var> contains `<code>*</code>`, and
   <var>request</var>'s <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is
   "<code>include</code>", then return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li>
    <p>If <var>methods</var> is null and <var>request</var>'s <a href="#use-cors-preflight-flag">use-CORS-preflight flag</a>
    is set, then set <var>methods</var> to a new list containing <var>request</var>'s
    <a href="#concept-request-method" title="concept-request-method">method</a>.

    <p class="note no-backref">This ensures that a <a href="#cors-preflight-fetch-0">CORS-preflight fetch</a> that
    happened due to <var>request</var>'s <a href="#use-cors-preflight-flag">use-CORS-preflight flag</a> being set is
    <a href="#concept-cache" title="concept-cache">cached</a>.

   <li><p>If <var>request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> is not in
   <var>methods</var>, is not a <a href="#cors-safelisted-method">CORS-safelisted method</a>, and <var>methods</var> does
   <em>not</em> contain `<code>*</code>`, then return a
   <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li><p>If one of <var>request</var>'s
   <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>'s
   <a href="#concept-header-name" title="concept-header-name">names</a> is a
   <a href="#cors-non-wildcard-request-header-name">CORS non-wildcard request-header name</a> and is not in <var>headerNames</var>, then
   return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li><p>If one of <var>request</var>'s
   <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>'
   <a href="#concept-header-name" title="concept-header-name">names</a> is not in <var>headerNames</var>, its corresponding
   <a href="#concept-header" title="concept-header">header</a> is not a <a href="#cors-safelisted-request-header">CORS-safelisted request-header</a>,
   and <var>headerNames</var> does <em>not</em> contain `<code>*</code>`, then return a
   <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li><p>Let <var>max-age</var> be the result of
   <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
   `<a href="#http-access-control-max-age"><code title="http-access-control-max-age">Access-Control-Max-Age</code></a>` in
   <var>response</var>'s
   <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

   <li><p>If <var>max-age</var> is failure or null, then set <var>max-age</var> to zero.

   <li><p>If <var>max-age</var> is greater than an imposed limit on
   <a href="#concept-cache-max-age" title="concept-cache-max-age">max-age</a>, then set <var>max-age</var> to the imposed
   limit.

   <li><p>If the user agent does not provide for a <a href="#concept-cache" title="concept-cache">cache</a>, then
   return <var>response</var>.

   <li><p>For each <var>method</var> in <var>methods</var> for which there is
   a <a href="#concept-cache-match-method" title="concept-cache-match-method">method cache match</a> using
   <var>request</var>, set matching entry's
   <a href="#concept-cache-max-age" title="concept-cache-max-age">max-age</a> to <var>max-age</var>.

   <li><p>For each <var>method</var> in <var>methods</var> for which there is <em>no</em>
   <a href="#concept-cache-match-method" title="concept-cache-match-method">method cache match</a> using <var>request</var>,
   <a href="#concept-cache-create-entry" title="concept-cache-create-entry">create a new entry</a> with <var>request</var>,
   <var>max-age</var>, <var>method</var>, and null.

   <li><p>For each <var>headerName</var> in <var>headerNames</var> for which
   there is a <a href="#concept-cache-match-header" title="concept-cache-match-header">header-name cache match</a> using
   <var>request</var>, set matching entry's
   <a href="#concept-cache-max-age" title="concept-cache-max-age">max-age</a> to <var>max-age</var>.

   <li><p>For each <var>headerName</var> in <var>headerNames</var> for which there is <em>no</em>
   <a href="#concept-cache-match-header" title="concept-cache-match-header">header-name cache match</a> using <var>request</var>,
   <a href="#concept-cache-create-entry" title="concept-cache-create-entry">create a new entry</a> with <var>request</var>,
   <var>max-age</var>, null, and <var>headerName</var>.

   <li><p>Return <var>response</var>.
  </ol>

 <li><p>Otherwise, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.
</ol>


<h3 id="cors-preflight-cache"><span class="secno">5.8 </span>CORS-preflight cache</h3>

<p>A <dfn id="concept-cache" title="concept-cache">CORS-preflight cache</dfn> consists of a collection of
entries where each entry has these fields:

<ul class="brief">
 <li><dfn id="concept-cache-origin" title="concept-cache-origin">origin</dfn> (an <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#origin">origin</a>)
 <li><dfn id="concept-cache-url" title="concept-cache-url">url</dfn> (a
 <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URL</a>)
 <li><dfn id="concept-cache-max-age" title="concept-cache-max-age">max-age</dfn> (a number of seconds)
 <li><dfn id="concept-cache-credentials" title="concept-cache-credentials">credentials</dfn> (a boolean)
 <li><dfn id="concept-cache-method" title="concept-cache-method">method</dfn> (null, `<code>*</code>`, or a
 <a href="#concept-method" title="concept-method">method</a>)
 <li><dfn id="concept-cache-header-name" title="concept-cache-header-name">header name</dfn> (null, `<code>*</code>`, or a
 <a href="#concept-header" title="concept-header">header</a> <a href="#concept-header-name" title="concept-header-name">name</a>)
</ul>

<p>Entries must be removed after the seconds specified in the
<a href="#concept-cache-max-age" title="concept-cache-max-age">max-age</a> field have passed since storing the entry.
Entries may be removed before that moment arrives.

<p>To <dfn id="concept-cache-create-entry" title="concept-cache-create-entry">create a new entry</dfn> in the
<a href="#concept-cache" title="concept-cache">CORS-preflight cache</a>, given <var>request</var>, <var>max-age</var>,
<var>method</var>, and <var>headerName</var>, do so as follows:

<dl>
 <dt><a href="#concept-cache-origin" title="concept-cache-origin">origin</a>
 <dd><var>request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a>

 <dt><a href="#concept-cache-url" title="concept-cache-url">url</a>
 <dd><var>request</var>'s <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>

 <dt><a href="#concept-cache-max-age" title="concept-cache-max-age">max-age</a>
 <dd><var>max-age</var>

 <dt><a href="#concept-cache-credentials" title="concept-cache-credentials">credentials</a>
 <dd>True if <var>request</var>'s
 <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is
 "<code title="">include</code>", and false otherwise

 <dt><a href="#concept-cache-method" title="concept-cache-method">method</a></dt>
 <dd><var>method</var>

 <dt><a href="#concept-cache-header-name" title="concept-cache-header-name">header name</a></dt>
 <dd><var>headerName</var>
</dl>

<p>To <dfn id="concept-cache-clear" title="concept-cache-clear">clear cache entries</dfn>, given a
<var>request</var>, remove any entries in the
<a href="#concept-cache" title="concept-cache">CORS-preflight cache</a> whose
<a href="#concept-cache-origin" title="concept-cache-origin">origin</a> is <var>request</var>'s
<a href="#concept-request-origin" title="concept-request-origin">origin</a> and whose
<a href="#concept-cache-url" title="concept-cache-url">url</a> is <var>request</var>'s
<a href="#concept-request-current-url" title="concept-request-current-url">current url</a>.

<p>There is a <dfn id="concept-cache-match" title="concept-cache-match">cache match</dfn> for
<var>request</var> if <a href="#concept-cache-origin" title="concept-cache-origin">origin</a> is
<var>request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a>,
<a href="#concept-cache-url" title="concept-cache-url">url</a> is <var>request</var>'s
<a href="#concept-request-current-url" title="concept-request-current-url">current url</a>, and one of

<ul class="brief">
 <li><a href="#concept-cache-credentials" title="concept-cache-credentials">credentials</a> is true
 <li><a href="#concept-cache-credentials" title="concept-cache-credentials">credentials</a> is false and <var>request</var>'s
 <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is <em>not</em>
 "<code title="">include</code>"
</ul>

<p>is true.

<p>There is a <dfn id="concept-cache-match-method" title="concept-cache-match-method">method cache match</dfn> for
<var>method</var> using <var>request</var> when there is an entry in
<a href="#concept-cache" title="concept-cache">CORS-preflight cache</a> for which there is a
<a href="#concept-cache-match" title="concept-cache-match">cache match</a> for <var>request</var> and its
<a href="#concept-cache-method" title="concept-cache-method">method</a> is <var>method</var> or `<code>*</code>`.

<p>There is a <dfn id="concept-cache-match-header" title="concept-cache-match-header">header-name cache match</dfn> for
<var>headerName</var> using <var>request</var> when there is an entry in
<a href="#concept-cache" title="concept-cache">CORS-preflight cache</a> for which there is a
<a href="#concept-cache-match" title="concept-cache-match">cache match</a> for <var>request</var> and one of

<ul class="brief">
 <li><a href="#concept-cache-header-name" title="concept-cache-header-name">header name</a> is <var>headerName</var>
 <li><a href="#concept-cache-header-name" title="concept-cache-header-name">header name</a> is `<code>*</code>` and
 <var>headerName</var> is <em>not</em> a <a href="#cors-non-wildcard-request-header-name">CORS non-wildcard request-header name</a>
</ul>

<p>is true.


<h3 id="cors-check"><span class="secno">5.9 </span>CORS check</h3>

<p>To perform a <dfn id="concept-cors-check" title="concept-cors-check">CORS check</dfn> for a
<var>request</var> and <var>response</var>, run these steps:

<ol>
 <li><p>Let <var>origin</var> be the result of
 <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
 `<a href="#http-access-control-allow-origin"><code title="http-access-control-allow-origin">Access-Control-Allow-Origin</code></a>` in
 <var>response</var>'s <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

 <li>
  <p>If <var>origin</var> is null or failure, return failure.

  <p class="note">Null is not `<code title="">null</code>`.

 <li><p>If <var>request</var>'s
 <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is not
 "<code title="">include</code>" and <var>origin</var> is `<code title="">*</code>`, return success.

 <li><p>If <var>request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a>,
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin" title="ASCII serialization of an origin">serialized</a>
 and <a class="external" data-anolis-spec="encoding" href="https://encoding.spec.whatwg.org/#utf-8-encode" title="utf-8 encode">utf-8 encoded</a>, is not
 <var>origin</var>, return failure.
 <!-- XXX concept-as-bytes -->

 <li><p>If <var>request</var>'s
 <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is not
 "<code title="">include</code>", return success.

 <li><p>Let <var>credentials</var> be the result of
 <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
 `<a href="#http-access-control-allow-credentials"><code title="http-access-control-allow-credentials">Access-Control-Allow-Credentials</code></a>`
 in <var>response</var>'s
 <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

 <li>
  <p>If <var>credentials</var> is `<code title="">true</code>`, return success.

  <p class="XXX">It has been suggested to check for <var>origin</var> not being
  `<code title="">null</code>` here as that would be equal to allowing credentials and
  `<code title="">*</code>` which is also forbidden.

 <li><p>Return failure.
</ol>



<h2 id="fetch-api"><span class="secno">6 </span>Fetch API</h2>

<p class="no-backref">The <a href="#dom-global-fetch"><code title="dom-global-fetch">fetch()</code></a> method is relatively
low-level API for <a href="#concept-fetch" title="concept-fetch">fetching</a> resources. It covers slightly
more ground than <a href="https://xhr.spec.whatwg.org/#xmlhttprequest"><code class="external" data-anolis-spec="xhr">XMLHttpRequest</code></a>, although it is
currently lacking when it comes to request progression (not response progression).

<div class="example no-backref">
 <p>The <a href="#dom-global-fetch"><code title="dom-global-fetch">fetch()</code></a> method makes it quite straightforward
 to <a href="#concept-fetch" title="concept-fetch">fetch</a> a resource and extract its contents as a
 <a href="https://w3c.github.io/FileAPI/#blob"><code class="external" data-anolis-spec="fileapi">Blob</code></a>:

 <pre>fetch("/music/pk/altes-kamuffel.flac")
  .then(res =&gt; res.blob()).then(playBlob)</pre>

 <p>If you just care to log a particular response header:

 <pre>fetch("/", {method:"HEAD"})
  .then(res =&gt; log(res.headers.get("strict-transport-security")))</pre>

 <p>If you want to check a particular response header and then process the response of a
 cross-origin resources:

 <pre>fetch("https://pk.example/berlin-calling.json", {mode:"cors"})
  .then(res =&gt; {
    if(res.headers.get("content-type") &amp;&amp;
       res.headers.get("content-type").toLowerCase().indexOf("application/json") &gt;= 0) {
      return res.json()
    } else {
      throw new TypeError()
    }
  }).then(processJSON)</pre>

 <p>If you want to work with URL query parameters:

 <pre>var url = new URL("https://geo.example.org/api"),
    params = {lat:35.696233, long:139.570431}
Object.keys(params).forEach(key =&gt; url.searchParams.append(key, params[key]))
fetch(url).then(/* … */)</pre>

 <p>If you want to receive the body data progressively:

 <pre>function consume(reader) {
  var total = 0
  return pump()
  function pump() {
    return reader.read().then(({done, value}) =&gt; {
      if (done) {
        return
      }
      total += value.byteLength
      log(`received ${value.byteLength} bytes (${total} bytes in total)`)
      return pump()
    })
  }
}

fetch("/music/pk/altes-kamuffel.flac")
  .then(res =&gt; consume(res.body.getReader()))
  .then(() =&gt; log("consumed the entire body without keeping the whole thing in memory!"))
  .catch(e =&gt; log("something went wrong: " + e))</pre>
</div>


<h3 id="headers-class"><span class="secno">6.1 </span>Headers class</h3>

<pre class="idl">typedef (<a href="#headers">Headers</a> or sequence&lt;sequence&lt;ByteString&gt;&gt; or OpenEndedDictionary&lt;ByteString&gt;) <dfn id="headersinit">HeadersInit</dfn>;</pre>

<div class="XXX">
 <p>OpenEndedDictionary&lt;T&gt; is a future IDL construct. Expect it to be used as such:

 <pre>var meta = { "Content-Type": "text/xml", "Breaking-Bad": "&lt;3" }
new Headers(meta)</pre>

 <p>See <a href="https://github.com/whatwg/fetch/issues/164">issue #164</a> for discussion.
</div>

<pre class="idl">[<a href="#dom-headers" title="dom-Headers">Constructor</a>(optional <a href="#headersinit">HeadersInit</a> <var>init</var>),
 Exposed=(Window,Worker)]
interface <dfn id="headers">Headers</dfn> {
  void <a href="#dom-headers-append" title="dom-Headers-append">append</a>(ByteString <var>name</var>, ByteString <var>value</var>);
  void <a href="#dom-headers-delete" title="dom-Headers-delete">delete</a>(ByteString <var>name</var>);
  ByteString? <a href="#dom-headers-get" title="dom-Headers-get">get</a>(ByteString <var>name</var>);
  boolean <a href="#dom-headers-has" title="dom-Headers-has">has</a>(ByteString <var>name</var>);
  void <a href="#dom-headers-set" title="dom-Headers-set">set</a>(ByteString <var>name</var>, ByteString <var>value</var>);
  iterable&lt;ByteString, ByteString&gt;;
};</pre>

<p>A <a href="#headers"><code>Headers</code></a> object has an associated
<dfn id="concept-headers-header-list" title="concept-Headers-header-list">header list</dfn> (a
<a href="#concept-header-list" title="concept-header-list">header list</a>), which is initially empty.

<p>A <a href="#headers"><code>Headers</code></a> object also has an associated
<dfn id="concept-headers-guard" title="concept-Headers-guard">guard</dfn>, which is
"<code title="">immutable</code>",
"<code title="">request</code>",
"<code title="">request-no-cors</code>",
"<code title="">response</code>" or
"<code title="">none</code>".

<p class="note no-backref">"<code title="">immutable</code>" exists for service workers.
<a href="#refsSW">[SW]</a>

<p>To <dfn id="concept-headers-append" title="concept-Headers-append">append</dfn> a
<a href="#concept-header-name" title="concept-header-name">name</a>/<a href="#concept-header-value" title="concept-header-value">value</a>
(<var>name</var>/<var>value</var>) pair to a
<a href="#headers"><code>Headers</code></a> object (<var>headers</var>), run these steps:

<ol>
 <li><p><a href="#concept-header-value-normalize" title="concept-header-value-normalize">Normalize</a>
 <var>value</var>.

 <li><p>If <var>name</var> is not a <a href="#concept-header-name" title="concept-header-name">name</a> or
 <var>value</var> is not a <a href="#concept-header-value" title="concept-header-value">value</a>,
 <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <li><p>If <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is "<code title="">immutable</code>",
 <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <li><p>Otherwise, if <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is
 "<code title="">request</code>" and <var>name</var> is a <a href="#forbidden-header-name">forbidden header name</a>,
 return.

 <li><p>Otherwise, if <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is
 "<code title="">request-no-cors</code>" and <var>name</var>/<var>value</var> is not a
 <a href="#cors-safelisted-request-header">CORS-safelisted request-header</a>, return.

 <li><p>Otherwise, if <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is
 "<code title="">response</code>" and <var>name</var> is a
 <a href="#forbidden-response-header-name">forbidden response-header name</a>, return.

 <li><p><a href="#concept-header-list-append" title="concept-header-list-append">Append</a>
 <var>name</var>/<var>value</var> to
 <a href="#concept-headers-header-list" title="concept-Headers-header-list">header list</a>.
</ol>

<p>To <dfn id="concept-headers-fill" title="concept-Headers-fill">fill</dfn> a <a href="#headers"><code>Headers</code></a> object
(<var>headers</var>) with a given object (<var>object</var>), run these steps:

<ol>
 <li>
  <p>If <var>object</var> is a <a href="#headers"><code>Headers</code></a> object, copy its
  <a href="#concept-headers-header-list" title="concept-Headers-header-list">header list</a> as
  <var>headerListCopy</var> and then for each <var>header</var> in
  <var>headerListCopy</var>, retaining order,
  <a href="#concept-headers-append" title="concept-Headers-append">append</a>
  <var>header</var>'s <a href="#concept-header-name" title="concept-header-name">name</a>/<var>header</var>'s <a href="#concept-header-value" title="concept-header-value">value</a>
  to <var>headers</var>. Rethrow any exception.

  <p class="note">Once <code title="">Headers.prototype[Symbol.iterator]</code> is defined this
  special casing will no longer be needed.

 <li>
  <p>Otherwise, if <var>object</var> is a sequence, then for each
  <var>header</var> in <var>object</var>, run these substeps:

  <ol>
   <li><p>If <var>header</var> does not contain exactly two items,
   <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

   <li><p><a href="#concept-headers-append" title="concept-Headers-append">Append</a>
   <var>header</var>'s first item/<var>header</var>'s second item to
   <var>headers</var>. Rethrow any exception.
  </ol>

 <li>
  <p>Otherwise, if <var>object</var> is an open-ended dictionary, then for each
  <var>header</var> in <var>object</var>, run these substeps:

  <ol>
   <li><p>Set <var>header</var>'s key to <var>header</var>'s key,
   <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#es-ByteString" title="es-ByteString">converted to ByteString</a>.
   Rethrow any exception.

   <li><p><a href="#concept-headers-append" title="concept-Headers-append">Append</a>
   <var>header</var>'s key/<var>header</var>'s value to
   <var>headers</var>. Rethrow any exception.
  </ol>
</ol>

<p>The <dfn id="dom-headers" title="dom-Headers"><code>Headers(<var>init</var>)</code></dfn> constructor,
when invoked, must run these steps:

<ol>
 <li><p>Let <var>headers</var> be a new <a href="#headers"><code>Headers</code></a> object whose
 <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is "<code title="">none</code>".

 <li><p>If <var>init</var> is given, <a href="#concept-headers-fill" title="concept-Headers-fill">fill</a>
 <var>headers</var> with <var>init</var>. Rethrow any exception.

 <li><p>Return <var>headers</var>.
</ol>

<p>The
<dfn id="dom-headers-append" title="dom-Headers-append"><code>append(<var>name</var>, <var>value</var>)</code></dfn>
method, when invoked, must <a href="#concept-headers-append" title="concept-Headers-append">append</a>
<var>name</var>/<var>value</var> to the
<a class="external" data-anolis-spec="dom" href="https://dom.spec.whatwg.org/#context-object">context object</a> and rethrow any exception.

<p>The <dfn id="dom-headers-delete" title="dom-Headers-delete"><code>delete(<var>name</var>)</code></dfn>
method, when invoked, must run these steps:

<ol>
 <li><p>If <var>name</var> is not a <a href="#concept-header-name" title="concept-header-name">name</a>,
 <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <li><p>If <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is "<code title="">immutable</code>",
 <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <li><p>Otherwise, if <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is
 "<code title="">request</code>" and <var>name</var> is a <a href="#forbidden-header-name">forbidden header name</a>,
 return.

 <li><p>Otherwise, if <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is
 "<code title="">request-no-cors</code>" and <var>name</var>/`<code title="">invalid</code>` is
 not a <a href="#cors-safelisted-request-header">CORS-safelisted request-header</a>, return.

 <li><p>Otherwise, if <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is
 "<code title="">response</code>" and <var>name</var> is a
 <a href="#forbidden-response-header-name">forbidden response-header name</a>, return.

 <li><p><a href="#concept-header-list-delete" title="concept-header-list-delete">Delete</a> <var>name</var> from
 <a href="#concept-headers-header-list" title="concept-Headers-header-list">header list</a>.
</ol>

<p>The <dfn id="dom-headers-get" title="dom-Headers-get"><code>get(<var>name</var>)</code></dfn> method, when
invoked, must run these steps:

<ol>
 <li><p>If <var>name</var> is not a <a href="#concept-header-name" title="concept-header-name">name</a>,
 <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <li><p>If there is <em>no</em> <a href="#concept-header" title="concept-header">header</a> in
 <a href="#concept-headers-header-list" title="concept-Headers-header-list">header list</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is <var>name</var>, return null.

 <li><p>Return the <a href="#concept-header-value-combined" title="concept-header-value-combined">combined value</a> given
 <var>name</var> and <a href="#concept-headers-header-list" title="concept-Headers-header-list">header list</a>.
</ol>

<p>The <dfn id="dom-headers-has" title="dom-Headers-has"><code>has(<var>name</var>)</code></dfn> method,
when invoked, must run these steps:

<ol>
 <li><p>If <var>name</var> is not a <a href="#concept-header-name" title="concept-header-name">name</a>,
 <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <li><p>Return true if there is a <a href="#concept-header" title="concept-header">header</a> in
 <a href="#concept-headers-header-list" title="concept-Headers-header-list">header list</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is <var>name</var>, and false
 otherwise.
</ol>

<p>The
<dfn id="dom-headers-set" title="dom-Headers-set"><code>set(<var>name</var>, <var>value</var>)</code></dfn>
method, when invoked, must run these steps:

<ol>
 <li><p><a href="#concept-header-value-normalize" title="concept-header-value-normalize">Normalize</a>
 <var>value</var>.

 <li><p>If <var>name</var> is not a <a href="#concept-header-name" title="concept-header-name">name</a> or
 <var>value</var> is not a <a href="#concept-header-value" title="concept-header-value">value</a>,
 <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <li><p>If <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is "<code title="">immutable</code>",
 <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <li><p>Otherwise, if <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is
 "<code title="">request</code>" and <var>name</var> is a <a href="#forbidden-header-name">forbidden header name</a>,
 return.

 <li><p>Otherwise, if <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is
 "<code title="">request-no-cors</code>" and <var>name</var>/<var>value</var> is not a
 <a href="#cors-safelisted-request-header">CORS-safelisted request-header</a>, return.

 <li><p>Otherwise, if <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is
 "<code title="">response</code>" and <var>name</var> is a
 <a href="#forbidden-response-header-name">forbidden response-header name</a>, return.

 <li><p><a href="#concept-header-list-set" title="concept-header-list-set">Set</a>
 <var>name</var>/<var>value</var> in
 <a href="#concept-headers-header-list" title="concept-Headers-header-list">header list</a>.
</ol>

<p>The <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-value-pairs-to-iterate-over">value pairs to iterate over</a> are the return value of
running <a href="#concept-header-list-sort-and-combine" title="concept-header-list-sort-and-combine">sort and combine</a> with the
<a href="#concept-headers-header-list" title="concept-Headers-header-list">header list</a>.


<h3 id="body-mixin"><span class="secno">6.2 </span>Body mixin</h3>

<pre class="idl">typedef (<a class="external" data-anolis-spec="fileapi" href="https://w3c.github.io/FileAPI/#blob">Blob</a> or BufferSource or <a class="external" data-anolis-spec="xhr" href="https://xhr.spec.whatwg.org/#formdata">FormData</a> or <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#urlsearchparams">URLSearchParams</a> or USVString) <dfn id="bodyinit">BodyInit</dfn>;
typedef (<a href="#bodyinit">BodyInit</a> or <a href="#concept-readablestream" title="concept-ReadableStream">ReadableStream</a>) <dfn id="responsebodyinit">ResponseBodyInit</dfn>;</pre>

<p>To <dfn id="concept-bodyinit-extract" title="concept-BodyInit-extract">extract</dfn> a <a href="#concept-body" title="concept-body">body</a> and a
`<code title="">Content-Type</code>` <a href="#concept-header-value" title="concept-header-value">value</a> from
<var>object</var>, run these steps:

<ol>
 <li><p>Let <var>stream</var> be the result of
 <a href="#concept-construct-readablestream" title="concept-construct-ReadableStream">constructing</a> a
 <a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object.

 <li><p>Let <var>Content-Type</var> be null.
 <li><p>Let <var>action</var> be null.

 <li>
  <p>Switch on <var>object</var>'s type:

  <dl class="switch">
   <dt><a href="https://w3c.github.io/FileAPI/#blob"><code class="external" data-anolis-spec="fileapi">Blob</code></a>
   <dd>
    <p>Set <var>action</var> to an action that reads <var>object</var>.

    <p>If <var>object</var>'s <a href="https://w3c.github.io/FileAPI/#dfn-type"><code class="external" data-anolis-spec="fileapi" title="dom-Blob-type">type</code></a>
    attribute is not the empty byte sequence, set <var>Content-Type</var> to its value.

   <dt><code title="">BufferSource</code>
   <dd>
    <p><a href="#concept-enqueue-readablestream" title="concept-enqueue-ReadableStream">Enqueue</a> a <code>Uint8Array</code> object
    wrapping an <code>ArrayBuffer</code> containing a copy of the bytes held by <var>object</var>
    to <var>stream</var> and <a href="#concept-close-readablestream" title="concept-close-ReadableStream">close</a>
    <var>stream</var>. If that threw an exception,
    <a href="#concept-error-readablestream" title="concept-error-ReadableStream">error</a> <var>stream</var> with that exception.

   <dt><a href="https://xhr.spec.whatwg.org/#formdata"><code class="external" data-anolis-spec="xhr">FormData</code></a>
   <dd>
    <p>Set <var>action</var> to an action that runs the
    <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/forms.html#multipart/form-data-encoding-algorithm"><code>multipart/form-data</code> encoding algorithm</a>,
    with <var>object</var> as <var>form data set</var> and with
    <a class="external" data-anolis-spec="encoding" href="https://encoding.spec.whatwg.org/#utf-8">utf-8</a> as the explicit character encoding.
    <!-- need to provide explicit character encoding because otherwise the encoding of the
         document is used -->

    <p>Set <var>Content-Type</var> to `<code title="">multipart/form-data;boundary=</code>`,
    followed by the
    <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/forms.html#multipart/form-data-boundary-string"><code>multipart/form-data</code> boundary string</a>
    generated by the
    <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/forms.html#multipart/form-data-encoding-algorithm"><code>multipart/form-data</code> encoding algorithm</a>.

   <dt><a href="https://url.spec.whatwg.org/#urlsearchparams"><code class="external" data-anolis-spec="url">URLSearchParams</code></a>
   <dd>
    <p>Set <var>action</var> to an action that runs the
    <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-urlencoded-serializer" title="concept-urlencoded-serializer"><code>application/x-www-form-urlencoded</code>
    serializer</a> with <var>object</var>'s
    <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-urlsearchparams-list" title="concept-URLSearchParams-list">list</a>.
    <!-- utf-8 implied -->

    <p>Set <var>Content-Type</var> to
    `<code title="">application/x-www-form-urlencoded;charset=UTF-8</code>`.

   <dt><code title="">USVString</code>
   <dd>
    <p>Set <var>action</var> to an action that runs
    <a class="external" data-anolis-spec="encoding" href="https://encoding.spec.whatwg.org/#utf-8-encode">utf-8 encode</a> on <var>object</var>.

    <p>Set <var>Content-Type</var> to `<code title="">text/plain;charset=UTF-8</code>`.

   <dt><a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a>
   <dd><p>Set <var>stream</var> to <var>object</var>.
  </dl>

 <li>
  <p>If <var>action</var> is non-null, run <var>action</var> <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel">in
  parallel</a>:
  <ol>
   <li><p>Whenever one or more bytes are available, let <var>bytes</var> be the bytes and
   <a href="#concept-enqueue-readablestream" title="concept-enqueue-ReadableStream">enqueue</a> a <code>Uint8Array</code> object
   wrapping an <code>ArrayBuffer</code> containing <var>bytes</var> to <var>stream</var>. If
   creating the <code>ArrayBuffer</code> threw an exception,
   <a href="#concept-error-readablestream" title="concept-error-ReadableStream">error</a> <var>stream</var> with that exception
   and cancel running <var>action</var>.

   <li><p>When running <var>action</var> is done,
   <a href="#concept-close-readablestream" title="concept-close-ReadableStream">close</a> <var>stream</var>.
  </ol>

 <li><p>Let <var>body</var> be a <a href="#concept-body" title="concept-body">body</a> whose
 <a href="#concept-body-stream" title="concept-body-stream">stream</a> is <var>stream</var>.

 <li><p>Return <var>body</var> and <var>Content-Type</var>.
</ol>


<pre class="idl">[NoInterfaceObject,
 Exposed=(Window,Worker)]
interface <dfn id="body">Body</dfn> {
  readonly attribute boolean <a href="#dom-body-bodyused" title="dom-Body-bodyUsed">bodyUsed</a>;
  [NewObject] Promise&lt;ArrayBuffer&gt; <a href="#dom-body-arraybuffer" title="dom-Body-arrayBuffer">arrayBuffer</a>();
  [NewObject] Promise&lt;<a class="external" data-anolis-spec="fileapi" href="https://w3c.github.io/FileAPI/#blob">Blob</a>&gt; <a href="#dom-body-blob" title="dom-Body-blob">blob</a>();
  [NewObject] Promise&lt;<a class="external" data-anolis-spec="xhr" href="https://xhr.spec.whatwg.org/#formdata">FormData</a>&gt; <a href="#dom-body-formdata" title="dom-Body-formData">formData</a>();
  [NewObject] Promise&lt;any&gt; <a href="#dom-body-json" title="dom-Body-json">json</a>();
  [NewObject] Promise&lt;USVString&gt; <a href="#dom-body-text" title="dom-Body-text">text</a>();
};</pre>

<p class="note">Formats you would not want a network layer to be dependent upon, such as
HTML, will likely not be exposed here. Rather, an HTML parser API might accept a stream in
due course.
<!-- https://lists.w3.org/Archives/Public/public-whatwg-archive/2014Jun/thread.html#msg72 -->

<p>Objects implementing the <a href="#body"><code>Body</code></a> mixin gain an associated
<dfn id="concept-body-body" title="concept-Body-body">body</dfn> (null or a <a href="#concept-body" title="concept-body">body</a>) and
a <dfn id="concept-body-mime-type" title="concept-Body-MIME-type">MIME type</dfn> (initially the empty byte sequence).

<p>An object implementing the <a href="#body"><code>Body</code></a> mixin is said to be
<dfn id="concept-body-disturbed" title="concept-Body-disturbed">disturbed</dfn> if <a href="#concept-body-body" title="concept-Body-body">body</a> is
non-null and its <a href="#concept-body-stream" title="concept-body-stream">stream</a> is
<a href="#concept-readablestream-disturbed" title="concept-ReadableStream-disturbed">disturbed</a>.

<p>An object implementing the <a href="#body"><code>Body</code></a> mixin is said to be
<dfn id="concept-body-locked" title="concept-Body-locked">locked</dfn> if <a href="#concept-body-body" title="concept-Body-body">body</a> is
non-null and its <a href="#concept-body-stream" title="concept-body-stream">stream</a> is
<a href="#concept-readablestream-locked" title="concept-ReadableStream-locked">locked</a>.

<p>The <dfn id="dom-body-bodyused" title="dom-Body-bodyUsed"><code>bodyUsed</code></dfn> attribute's getter must
return true if <a href="#concept-body-disturbed" title="concept-Body-disturbed">disturbed</a>, and false otherwise.

<p>Objects implementing the <a href="#body"><code>Body</code></a> mixin also have an associated
<dfn id="concept-body-package-data" title="concept-Body-package-data">package data</dfn> algorithm, given
<var>bytes</var>, a <var>type</var> and a <var>MIME type</var>, switches on <var>type</var>, and
runs the associated steps:

<dl class="switch">
 <dt><i title="">ArrayBuffer</i>
 <dd><p>Return an <code>ArrayBuffer</code> whose contents are <var>bytes</var>. Rethrow any
 exceptions.

 <dt><i title="">Blob</i>
 <dd><p>Return a <a href="https://w3c.github.io/FileAPI/#blob"><code class="external" data-anolis-spec="fileapi">Blob</code></a> whose contents are
 <var>bytes</var> and <a href="https://w3c.github.io/FileAPI/#dfn-type"><code class="external" data-anolis-spec="fileapi" title="dom-Blob-type">type</code></a>
 is <var>MIME type</var>.

 <dt><i title="">FormData</i>
 <dd>
  <p>If <var>MIME type</var> (ignoring parameters) is `<code>multipart/form-data</code>`,
  run these substeps:

  <ol>
   <li><p>Parse <var>bytes</var>, using the value of the
   `<code title="">boundary</code>` parameter from <var>MIME type</var> and
   <a class="external" data-anolis-spec="encoding" href="https://encoding.spec.whatwg.org/#utf-8">utf-8</a> as encoding, per the rules set forth
   in <cite>Returning Values from Forms: multipart/form-data</cite>.
   <a href="#refsRFC2388">[RFC2388]</a>

   <li><p>If that fails for some reason, <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a
   <code title="">TypeError</code>.

   <li><p>Return a new <a href="https://xhr.spec.whatwg.org/#formdata"><code class="external" data-anolis-spec="xhr">FormData</code></a> object, appending each entry,
   resulting from the parsing operation, to
   <a class="external" data-anolis-spec="xhr" href="https://xhr.spec.whatwg.org/#concept-formdata-entry" title="concept-FormData-entry">entries</a>.
  </ol>

  <p class="XXX">The above is a rough approximation of what is required for
  `<code>multipart/form-data</code>`, a more detailed parsing specification is to be
  written. Volunteers welcome.

  <p>Otherwise, if <var>MIME type</var> (ignoring parameters) is
  `<code>application/x-www-form-urlencoded</code>`, run these substeps:

  <ol>
   <li><p>Let <var>entries</var> be the result of
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-urlencoded-parser" title="concept-urlencoded-parser">parsing</a> <var>bytes</var>.

   <li><p>If <var>entries</var> is failure, <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a
   <code title="">TypeError</code>.

   <li><p>Return a new <a href="https://xhr.spec.whatwg.org/#formdata"><code class="external" data-anolis-spec="xhr">FormData</code></a> object whose
   <a class="external" data-anolis-spec="xhr" href="https://xhr.spec.whatwg.org/#concept-formdata-entry" title="concept-FormData-entry">entries</a> are <var>entries</var>.
  </ol>

  <p>Otherwise, <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <dt><i title="">JSON</i>
 <dd>
  <p>Return the result of invoking the initial value of the <code title="">parse</code> property of
  the <code title="">JSON</code> object with the result of running
  <a class="external" data-anolis-spec="encoding" href="https://encoding.spec.whatwg.org/#utf-8-decode">utf-8 decode</a> on <var>bytes</var> as argument.
  Rethrow any exceptions.

 <dt><i title="">text</i>
 <dd><p>Return the result of running <a class="external" data-anolis-spec="encoding" href="https://encoding.spec.whatwg.org/#utf-8-decode">utf-8 decode</a> on
 <var>bytes</var>.
</dl>

<p>Objects implementing the <a href="#body"><code>Body</code></a> mixin also have an associated
<dfn id="concept-body-consume-body" title="concept-Body-consume-body">consume body</dfn> algorithm, given a <var>type</var>,
runs these steps:

<ol>
 <li><p>If this object is <a href="#concept-body-disturbed" title="concept-Body-disturbed">disturbed</a>
 or <a href="#concept-body-locked" title="concept-Body-locked">locked</a>, return a new promise rejected with a
 <code>TypeError</code>.

 <li><p>Let <var>stream</var> be <a href="#concept-body-body" title="concept-Body-body">body</a>'s
 <a href="#concept-body-stream" title="concept-body-stream">stream</a> if <a href="#concept-body-body" title="concept-Body-body">body</a> is
 non-null, or an <a href="#concept-empty-readablestream" title="concept-empty-ReadableStream">empty</a>
 <a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object otherwise.

 <li><p>Let <var>reader</var> be the result of <a href="#concept-get-reader" title="concept-get-reader">getting
 a reader</a> from <var>stream</var>. If that threw an exception, return a new promise rejected
 with that exception.

 <li><p>Let <var>promise</var> be the result of
 <a href="#concept-read-all-bytes-from-readablestream" title="concept-read-all-bytes-from-ReadableStream">reading all bytes</a> from
 <var>stream</var> with <var>reader</var>.

 <li><p>Return the result of transforming <var>promise</var> by a fulfillment handler that
 returns the result of the <a href="#concept-body-package-data" title="concept-body-package-data">package data</a> algorithm
 with its first argument, <var>type</var> and this object's
 <a href="#concept-body-mime-type" title="concept-body-mime-type">MIME type</a>.
 <!-- XXX IDL really needs to define "transforming". For now it is defined in
          https://www.w3.org/2001/tag/doc/promises-guide -->
</ol>

<p>The <dfn id="dom-body-arraybuffer" title="dom-Body-arrayBuffer"><code>arrayBuffer()</code></dfn>
method, when invoked, must return the result of running
<a href="#concept-body-consume-body" title="concept-Body-consume-body">consume body</a> with <i title="">ArrayBuffer</i>.

<p>The <dfn id="dom-body-blob" title="dom-Body-blob"><code>blob()</code></dfn> method, when
invoked, must return the result of running
<a href="#concept-body-consume-body" title="concept-Body-consume-body">consume body</a> with <i title="">Blob</i>.

<p>The <dfn id="dom-body-formdata" title="dom-Body-formData"><code>formData()</code></dfn> method,
when invoked, must return the result of running
<a href="#concept-body-consume-body" title="concept-Body-consume-body">consume body</a> with <i title="">FormData</i>.

<p>The <dfn id="dom-body-json" title="dom-Body-json"><code>json()</code></dfn> method, when
invoked, must return the result of running
<a href="#concept-body-consume-body" title="concept-Body-consume-body">consume body</a> with <i title="">JSON</i>.

<p>The <dfn id="dom-body-text" title="dom-Body-text"><code>text()</code></dfn> method, when
invoked, must return the result of running
<a href="#concept-body-consume-body" title="concept-Body-consume-body">consume body</a> with <i title="">text</i>.


<h3 id="request-class"><span class="secno">6.3 </span>Request class</h3>

<!-- No client member, see
  https://github.com/slightlyoff/ServiceWorker/issues/318
  https://github.com/slightlyoff/ServiceWorker/issues/575 -->

<pre class="idl">typedef (<a href="#request">Request</a> or USVString) <dfn id="requestinfo">RequestInfo</dfn>;

[<a href="#dom-request" title="dom-Request">Constructor</a>(<a href="#requestinfo">RequestInfo</a> <var>input</var>, optional <a href="#requestinit">RequestInit</a> <var>init</var>),
 Exposed=(Window,Worker)]
interface <dfn id="request">Request</dfn> {
  readonly attribute ByteString <a href="#dom-request-method" title="dom-Request-method">method</a>;
  readonly attribute USVString <a href="#dom-request-url" title="dom-Request-url">url</a>;
  [SameObject] readonly attribute <a href="#headers">Headers</a> <a href="#dom-request-headers" title="dom-Request-headers">headers</a>;

  readonly attribute <a href="#requesttype">RequestType</a> <a href="#dom-request-type" title="dom-Request-type">type</a>;
  readonly attribute <a href="#requestdestination">RequestDestination</a> <a href="#dom-request-destination" title="dom-Request-destination">destination</a>;
  readonly attribute USVString <a href="#dom-request-referrer" title="dom-Request-referrer">referrer</a>;
  readonly attribute <a href="#referrerpolicy">ReferrerPolicy</a> <a href="#dom-request-referrerpolicy" title="dom-Request-referrerPolicy">referrerPolicy</a>;
  readonly attribute <a href="#requestmode">RequestMode</a> <a href="#dom-request-mode" title="dom-Request-mode">mode</a>;
  readonly attribute <a href="#requestcredentials">RequestCredentials</a> <a href="#dom-request-credentials" title="dom-Request-credentials">credentials</a>;
  readonly attribute <a href="#requestcache">RequestCache</a> <a href="#dom-request-cache" title="dom-Request-cache">cache</a>;
  readonly attribute <a href="#requestredirect">RequestRedirect</a> <a href="#dom-request-redirect" title="dom-Request-redirect">redirect</a>;
  readonly attribute DOMString <a href="#dom-request-integrity" title="dom-Request-integrity">integrity</a>;

  [NewObject] <a href="#request">Request</a> <a href="#dom-request-clone" title="dom-Request-clone">clone</a>();
};
<a href="#request">Request</a> implements <a href="#body">Body</a>;

<!--
  Careful: defaults can only be set in prose, otherwise the Request() constructor
           algorithm breaks down.
-->dictionary <dfn id="requestinit">RequestInit</dfn> {
  ByteString method;
  <a href="#headersinit">HeadersInit</a> headers;
  <a href="#bodyinit">BodyInit</a>? body;
  USVString referrer;
  <a href="#referrerpolicy">ReferrerPolicy</a> referrerPolicy;
  <a href="#requestmode">RequestMode</a> mode;
  <a href="#requestcredentials">RequestCredentials</a> credentials;
  <a href="#requestcache">RequestCache</a> cache;
  <a href="#requestredirect">RequestRedirect</a> redirect;
  DOMString integrity;
  any window; // can only be set to null
};

enum <dfn id="requesttype">RequestType</dfn> { "", "audio", "font", "image", "script", "style", "track", "video" };
enum <dfn id="requestdestination">RequestDestination</dfn> { "", "document", "embed", "font", "image", "manifest", "media", "object", "report", "script", "serviceworker", "sharedworker", "style",  "worker", "xslt" };
enum <dfn id="requestmode">RequestMode</dfn> { "navigate", "same-origin", "no-cors", "cors" };
enum <dfn id="requestcredentials">RequestCredentials</dfn> { "omit", "same-origin", "include" };
enum <dfn id="requestcache">RequestCache</dfn> { "default", "no-store", "reload", "no-cache", "force-cache", "only-if-cached" };
enum <dfn id="requestredirect">RequestRedirect</dfn> { "follow", "error", "manual" };</pre>

<p class="note no-backref">"<code>serviceworker</code>" is omitted from
<a href="#requestdestination"><code>RequestDestination</code></a> as it cannot be observed from JavaScript. Implementations
will still need to support it as a
<a href="#concept-request-destination" title="concept-request-destination">destination</a>. "<code title="">websocket</code>" is
omitted from <a href="#requestmode"><code>RequestMode</code></a> as it cannot be used nor observed from JavaScript.

<p>A <a href="#request"><code>Request</code></a> object has an associated <dfn id="concept-request-request" title="concept-Request-request">request</dfn>
(a <a href="#concept-request" title="concept-request">request</a>).

<p>A <a href="#request"><code>Request</code></a> object also has an associated <a href="#headers"><code>Headers</code></a> object which
is itself associated with <a href="#concept-request-request" title="concept-Request-request">request</a>'s
<a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

<p>A <a href="#request"><code>Request</code></a> object's <a href="#concept-body-body" title="concept-Body-body">body</a> is its
<a href="#concept-request-request" title="concept-Request-request">request</a>'s
<a href="#concept-request-body" title="concept-request-body">body</a>.

<hr>

<p>The
<dfn id="dom-request" title="dom-Request"><code>Request(<var>input</var>, <var>init</var>)</code></dfn>
constructor must run these steps:

<ol>
 <li><p>If <var>input</var> is a <a href="#request"><code>Request</code></a> object and it is
 <a href="#concept-body-disturbed" title="concept-Body-disturbed">disturbed</a> or
 <a href="#concept-body-locked" title="concept-Body-locked">locked</a>, <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a
 <code title="">TypeError</code>.

 <li><p>Let <var>request</var> be <var>input</var>'s
 <a href="#concept-request-request" title="concept-Request-request">request</a>, if <var>input</var> is a
 <a href="#request"><code>Request</code></a> object, and a new <a href="#concept-request" title="concept-request">request</a>
 otherwise.

 <li><p>Let <var>origin</var> be <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#entry-settings-object">entry settings object</a>'s
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#origin">origin</a>.

 <li><p>Let <var>window</var> be "<code>client</code>".

 <li><p>If <var>request</var>'s <a href="#concept-request-window" title="concept-request-window">window</a> is
 an <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object">environment settings object</a> and its
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#origin">origin</a> is <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#same-origin">same origin</a> with
 <var>origin</var>, set <var>window</var> to <var>request</var>'s
 <a href="#concept-request-window" title="concept-request-window">window</a>.

 <li><p>If <var>init</var>'s <code title="">window</code> member is present and it is
 not null, <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <li><p>If <var>init</var>'s <code title="">window</code> member is present, set
 <var>window</var> to "<code>no-window</code>".

 <li><p>Set <var>request</var> to a new <a href="#concept-request" title="concept-request">request</a>
 whose <a href="#concept-request-url" title="concept-request-url">url</a> is <var>request</var>'s
 <a href="#concept-request-current-url" title="concept-request-current-url">current url</a>,
 <a href="#concept-request-method" title="concept-request-method">method</a> is <var>request</var>'s
 <a href="#concept-request-method" title="concept-request-method">method</a>,
 <a href="#concept-request-header-list" title="concept-request-header-list">header list</a> is a copy of
 <var>request</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>,
 <a href="#unsafe-request-flag">unsafe-request flag</a> is set,
 <a href="#concept-request-client" title="concept-request-client">client</a> is
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#entry-settings-object">entry settings object</a>,
 <a href="#concept-request-window" title="concept-request-window">window</a> is <var>window</var>,
 <a href="#concept-request-origin" title="concept-request-origin">origin</a> is "<code>client</code>",
 <a href="#omit-origin-header-flag">omit-<code>Origin</code>-header flag</a> is <var>request</var>'s
 <a href="#omit-origin-header-flag">omit-<code>Origin</code>-header flag</a>,
 <a href="#same-origin-data-url-flag">same-origin data-URL flag</a> is set,
 <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> is <var>request</var>'s
 <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a>,
 <a href="#concept-request-referrer-policy" title="concept-request-referrer-policy">referrer policy</a> is
 <var>request</var>'s
 <a href="#concept-request-referrer-policy" title="concept-request-referrer-policy">referrer policy</a>,
 <a href="#concept-request-mode" title="concept-request-mode">mode</a> is <var>request</var>'s
 <a href="#concept-request-mode" title="concept-request-mode">mode</a>,
 <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is
 <var>request</var>'s
 <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a>,
 <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> is
 <var>request</var>'s
 <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a>,
 <a href="#concept-request-redirect-mode" title="concept-request-redirect-mode">redirect mode</a> is
 <var>request</var>'s
 <a href="#concept-request-redirect-mode" title="concept-request-redirect-mode">redirect mode</a>, and
 <a href="#concept-request-integrity-metadata" title="concept-request-integrity-metadata">integrity metadata</a> is
 <var>request</var>'s
 <a href="#concept-request-integrity-metadata" title="concept-request-integrity-metadata">integrity metadata</a>.

 <li><p>Let <var>fallbackMode</var> be null.

 <li><p>Let <var>fallbackCredentials</var> be null.

 <li><p>Let <var>baseURL</var> be
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#entry-settings-object">entry settings object</a>'s
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#api-base-url">API base URL</a>.

 <li>
  <p>If <var>input</var> is a string, run these substeps:

  <ol>
   <li><p>Let <var>parsedURL</var> be the result of
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-parser" title="concept-url-parser">parsing</a>
   <var>input</var> with <var>baseURL</var>.

   <li><p>If <var>parsedURL</var> is failure,
   <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

   <li><p>If <var>parsedURL</var>
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#include-credentials" title="include credentials">includes credentials</a>,
   <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

   <li><p>Set <var>request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a> to
   <var>parsedURL</var> and replace <var>request</var>'s
   <a href="#concept-request-url-list" title="concept-request-url-list">url list</a> single
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url" title="concept-url">URL</a> with a copy of
   <var>parsedURL</var>.

   <li><p>Set <var>fallbackMode</var> to "<code title="">cors</code>".

   <li><p>Set <var>fallbackCredentials</var> to "<code title="">omit</code>".
  </ol>

 <li>
  <p>If any of <var>init</var>'s members are present, run these substeps:

  <ol>
   <li><p>If <var>request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is
   "<code title="">navigate</code>", <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a
   <code title="">TypeError</code>.

   <li><p>Unset <var>request</var>'s <a href="#omit-origin-header-flag">omit-<code>Origin</code>-header flag</a>.

   <li><p>Set <var>request</var>'s <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> to
   "<code>client</code>"

   <li><p>Set <var>request</var>'s
   <a href="#concept-request-referrer-policy" title="concept-request-referrer-policy">referrer policy</a> to the empty string.
  </ol>

  <p class="note">This is done to ensure that when a service worker "redirects" a request, .e.g.,
  from an image in a cross-origin stylesheet, and makes modifications, it no longer appears to come
  from the original source (i.e., the cross-origin stylesheet), but instead from the service worker
  that "redirected" the request. This is important as the original source might not even be able to
  generate the same kind of requests as the service worker. Services that trust the original source
  could therefore be exploited were this not done, although that is somewhat farfetched.

 <li>
  <p>If <var>init</var>'s <code>referrer</code> member is present, run these
  substeps:

  <ol>
   <li><p>Let <var>referrer</var> be <var>init</var>'s <code>referrer</code>
   member.

   <li><p>If <var>referrer</var> is the empty string, set <var>request</var>'s
   <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> to "<code>no-referrer</code>" and
   terminate these substeps.

   <li><p>Let <var>parsedReferrer</var> be the result of
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-parser" title="concept-url-parser">parsing</a>
   <var>referrer</var> with <var>baseURL</var>.

   <li><p>If <var>parsedReferrer</var> is failure,
   <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

   <li><p>If <var>parsedReferrer</var>'s
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#non-relative-flag">non-relative flag</a> is set,
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is
   "<code>about</code>", and
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-path" title="concept-url-path">path</a> contains a single string
   "<code>client</code>", set <var>request</var>'s
   <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> to "<code>client</code>" and
   terminate these substeps.

   <li><p>If <var>parsedReferrer</var>'s
   <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-origin" title="concept-url-origin">origin</a> is not
   <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#same-origin">same origin</a> with <var>origin</var>,
   <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

   <li><p>Set <var>request</var>'s
   <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> to <var>parsedReferrer</var>.
  </ol>

 <li><p>If <var>init</var>'s <code title="">referrerPolicy</code> member is present, set
 <var>request</var>'s
 <a href="#concept-request-referrer-policy" title="concept-request-referrer-policy">referrer policy</a> to it.

 <li><p>Let <var>mode</var> be <var>init</var>'s <code title="">mode</code>
 member if it is present, and <var>fallbackMode</var> otherwise.

 <li><p>If <var>mode</var> is "<code title="">navigate</code>",
 <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <li><p>If <var>mode</var> is non-null, set <var>request</var>'s
 <a href="#concept-request-mode" title="concept-request-mode">mode</a> to <var>mode</var>.

 <li><p>Let <var>credentials</var> be <var>init</var>'s
 <code title="">credentials</code> member if it is present, and
 <var>fallbackCredentials</var> otherwise.

 <li><p>If <var>credentials</var> is non-null, set <var>request</var>'s
 <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> to
 <var>credentials</var>.

 <li><p>If <var>init</var>'s <code title="">cache</code> member is present, set
 <var>request</var>'s <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> to
 it.

 <li><p>If <var>request</var>'s <a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a> is
 "<code title="">only-if-cached</code>" and <var>request</var>'s
 <a href="#concept-request-mode" title="concept-request-mode">mode</a> is <em>not</em> "<code title="">same-origin</code>", then
 <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <li><p>If <var>init</var>'s <code title="">redirect</code> member is present, set
 <var>request</var>'s <a href="#concept-request-redirect-mode" title="concept-request-redirect-mode">redirect mode</a>
 to it.

 <li><p>If <var>init</var>'s <code title="">integrity</code> member is present, set
 <var>request</var>'s
 <a href="#concept-request-integrity-metadata" title="concept-request-integrity-metadata">integrity metadata</a> to it.

 <li>
  <p>If <var>init</var>'s <code title="">method</code> member is present, let
  <var>method</var> be it and run these substeps:

  <ol>
   <li><p>If <var>method</var> is not a <a href="#concept-method" title="concept-method">method</a> or
   <var>method</var> is a <a href="#forbidden-method">forbidden method</a>,
   <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

   <li><p><a href="#concept-method-normalize" title="concept-method-normalize">Normalize</a> <var>method</var>.

   <li><p>Set <var>request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a>
   to <var>method</var>.
  </ol>

 <li><p>Let <var>r</var> be a new <a href="#request"><code>Request</code></a> object associated with
 <var>request</var> and a new <a href="#headers"><code>Headers</code></a> object whose
 <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is "<code title="">request</code>".

 <li><p>Let <var>headers</var> be a copy of <var>r</var>'s
 <a href="#headers"><code>Headers</code></a> object.
 <!-- it might contain a header that is no longer allowed per the mode change -->

 <li><p>If <var>init</var>'s <code title="">headers</code> member is present, set
 <var>headers</var> to <var>init</var>'s <code title="">headers</code> member.

 <li><p>Empty <var>r</var>'s <a href="#concept-request-request" title="concept-Request-request">request</a>'s
 <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

 <li>
  <p>If <var>r</var>'s <a href="#concept-request-request" title="concept-Request-request">request</a>'s
  <a href="#concept-request-mode" title="concept-request-mode">mode</a> is "<code title="">no-cors</code>", run these
  substeps:

  <ol>
   <li><p>If <var>r</var>'s <a href="#concept-request-request" title="concept-Request-request">request</a>'s
   <a href="#concept-request-method" title="concept-request-method">method</a> is not a <a href="#cors-safelisted-method">CORS-safelisted method</a>,
   <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

   <li><p>If <var>request</var>'s
   <a href="#concept-request-integrity-metadata" title="concept-request-integrity-metadata">integrity metadata</a> is not
   the empty string, <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a
   <code title="">TypeError</code>.

   <li><p>Set <var>r</var>'s <a href="#headers"><code>Headers</code></a> object's
   <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> to "<code title="">request-no-cors</code>".
  </ol>

 <li><p><a href="#concept-headers-fill" title="concept-Headers-fill">Fill</a> <var>r</var>'s
 <a href="#headers"><code>Headers</code></a> object with <var>headers</var>. Rethrow any exceptions.

 <li><p>Let <var>inputBody</var> be <var>input</var>'s
 <a href="#concept-request-request" title="concept-Request-request">request</a>'s <a href="#concept-request-body" title="concept-request-body">body</a>
 if <var>input</var> is a <a href="#request"><code>Request</code></a> object, and null otherwise.

 <li><p>If either <var>init</var>'s <code title="">body</code> member is present and is non-null or
 <var>inputBody</var> is non-null, and <var>request</var>'s
 <a href="#concept-request-method" title="concept-request-method">method</a> is `<code title="">GET</code>` or
 `<code title="">HEAD</code>`, <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a
 <code title="">TypeError</code>.

 <li>
  <p>If <var>init</var>'s <code title="">body</code> member is present and is non-null, run these
  substeps:

  <ol>
   <li><p>Let <var>Content-Type</var> be null.

   <li><p>Set <var>inputBody</var> and <var>Content-Type</var> to the result of
   <a href="#concept-bodyinit-extract" title="concept-BodyInit-extract">extracting</a> <var>init</var>'s
   <code title="">body</code> member. Rethrow any exceptions.

   <li><p>If <var>Content-Type</var> is non-null and <var>r</var>'s
   <a href="#concept-request-request" title="concept-Request-request">request</a>'s
   <a href="#concept-request-header-list" title="concept-request-header-list">header list</a> contains no
   <a href="#concept-header" title="concept-header">header</a> <a href="#concept-header-name" title="concept-header-name">named</a>
   `<code title="">Content-Type</code>`, <a href="#concept-headers-append" title="concept-Headers-append">append</a>
   `<code title="">Content-Type</code>`/<var>Content-Type</var> to <var>r</var>'s
   <a href="#headers"><code>Headers</code></a> object. Rethrow any exception.
  </ol>

 <li><p>Set <var>r</var>'s <a href="#concept-request-request" title="concept-Request-request">request</a>'s
 <a href="#concept-request-body" title="concept-request-body">body</a> to <var>inputBody</var>.
 <!-- Any steps after this must not throw. -->

 <li><p>Set <var>r</var>'s <a href="#concept-body-mime-type" title="concept-Body-MIME-type">MIME type</a> to
 the result of <a href="#concept-header-extract-mime-type" title="concept-header-extract-MIME-type">extracting a MIME type</a>
 from <var>r</var>'s <a href="#concept-request-request" title="concept-Request-request">request</a>'s
 <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

 <li>
  <p>If <var>input</var> is a <a href="#request"><code>Request</code></a> object and
  <var>input</var>'s <a href="#concept-request-request" title="concept-Request-request">request</a>'s
  <a href="#concept-request-body" title="concept-request-body">body</a> is non-null, run these substeps:

  <ol>
   <li><p>Let <var>dummyStream</var> be an <a href="#concept-empty-readablestream" title="concept-empty-ReadableStream">empty</a>
   <a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object.

   <li><p>Set <var>input</var>'s <a href="#concept-request-request" title="concept-Request-request">request</a>'s
   <a href="#concept-request-body" title="concept-request-body">body</a> to a new <a href="#concept-body" title="concept-body">body</a> whose
   <a href="#concept-body-stream" title="concept-body-stream">stream</a> is <var>dummyStream</var>.

   <li>
    <p>Let <var>reader</var> be the result of <a href="#concept-get-reader" title="concept-get-reader">getting a reader</a>
    from <var>dummyStream</var>.
    <p class="note no-backref">This operation will not throw an exception.

   <li>
    <p><a href="#concept-read-all-bytes-from-readablestream" title="concept-read-all-bytes-from-ReadableStream">Read all bytes</a> from
    <var>dummyStream</var> with <var>reader</var>.
    <p class="note no-backref">This operation makes <var>dummyStream</var> disturbed.
  </ol>

  <p class="note no-backref">These substeps are meant to produce the observable equivalent of
  "piping" <var>input</var>'s <a href="#concept-body-body" title="concept-Body-body">body</a>'s
  <a href="#concept-body-stream" title="concept-body-stream">stream</a> into <var>r</var>. That is, <var>input</var> is
  left with a <a href="#concept-body" title="concept-body">body</a> with a
  <a href="#concept-readablestream"><code title="concept-ReadableStream">ReadableStream</code></a> object that is
  <a href="#concept-readablestream-disturbed" title="concept-ReadableStream-disturbed">disturbed</a> and
  <a href="#concept-readablestream-locked" title="concept-ReadableStream-locked">locked</a>, while the data readable from
  <var>r</var>'s <a href="#concept-body-body" title="concept-Body-body">body</a>'s
  <a href="#concept-body-stream" title="concept-body-stream">stream</a> is now equal to what used to be <var>input</var>'s,
  if <var>input</var>'s original <a href="#concept-body-body" title="concept-Body-body">body</a> is non-null.

 <li><p>Return <var>r</var>.
</ol>

<p>The <dfn id="dom-request-method" title="dom-Request-method"><code>method</code></dfn> attribute's getter must
return <a href="#concept-request-request" title="concept-Request-request">request</a>'s
<a href="#concept-request-method" title="concept-request-method">method</a>.

<p>The <dfn id="dom-request-url" title="dom-Request-url"><code>url</code></dfn> attribute's getter must
return <a href="#concept-request-request" title="concept-Request-request">request</a>'s
<a href="#concept-request-url" title="concept-request-url">url</a>,
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-serializer" title="concept-url-serializer">serialized</a>.

<p>The <dfn id="dom-request-headers" title="dom-Request-headers"><code>headers</code></dfn> attribute's getter must
return the associated <a href="#headers"><code>Headers</code></a> object.

<p>The <dfn id="dom-request-type" title="dom-Request-type"><code>type</code></dfn> attribute's getter must return
<a href="#concept-request-request" title="concept-Request-request">request</a>'s
<a href="#concept-request-type" title="concept-Request-type">type</a>.

<p>The <dfn id="dom-request-destination" title="dom-Request-destination"><code>destination</code></dfn> attribute's
getter must return <a href="#concept-request-request" title="concept-Request-request">request</a>'s
<a href="#concept-request-destination" title="concept-Request-destination">destination</a>.

<p>The <dfn id="dom-request-referrer" title="dom-Request-referrer"><code>referrer</code></dfn> attribute's getter must
return the empty string if <a href="#concept-request-request" title="concept-Request-request">request</a>'s
<a href="#concept-request-referrer" title="concept-Request-referrer">referrer</a> is "<code>no-referrer</code>",
"<code title="">about:client</code>" if <a href="#concept-request-request" title="concept-Request-request">request</a>'s
<a href="#concept-request-referrer" title="concept-Request-referrer">referrer</a> is "<code>client</code>", and
<a href="#concept-request-request" title="concept-Request-request">request</a>'s
<a href="#concept-request-referrer" title="concept-Request-referrer">referrer</a>,
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-serializer" title="concept-url-serializer">serialized</a>, otherwise.

<p>The <dfn id="dom-request-referrerpolicy" title="dom-Request-referrerPolicy"><code>referrerPolicy</code></dfn> attribute's
getter must return <a href="#concept-request-request" title="concept-Request-request">request</a>'s
<a href="#concept-request-referrer-policy" title="concept-Request-referrer-policy">referrer policy</a>.

<p>The <dfn id="dom-request-mode" title="dom-Request-mode"><code>mode</code></dfn> attribute's getter must return
<a href="#concept-request-request" title="concept-Request-request">request</a>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a>.

<p>The <dfn id="dom-request-credentials" title="dom-Request-credentials"><code>credentials</code></dfn> attribute's
getter must return <a href="#concept-request-request" title="concept-Request-request">request</a>'s
<a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a>.

<p>The <dfn id="dom-request-cache" title="dom-Request-cache"><code>cache</code></dfn> attribute's getter must
return <a href="#concept-request-request" title="concept-Request-request">request</a>'s
<a href="#concept-request-cache-mode" title="concept-request-cache-mode">cache mode</a>.

<p>The <dfn id="dom-request-redirect" title="dom-Request-redirect"><code>redirect</code></dfn> attribute's getter must
return <a href="#concept-request-request" title="concept-Request-request">request</a>'s
<a href="#concept-request-redirect-mode" title="concept-request-redirect-mode">redirect mode</a>.

<p>The <dfn id="dom-request-integrity" title="dom-Request-integrity"><code>integrity</code></dfn> attribute's getter
must return <a href="#concept-request-request" title="concept-Request-request">request</a>'s
<a href="#concept-request-integrity-metadata" title="concept-request-integrity-metadata">integrity metadata</a>.

<hr>

<p>The <dfn id="dom-request-clone" title="dom-Request-clone"><code>clone()</code></dfn> method, when invoked, must
run these steps:

<ol>
 <li><p>If this <a href="#request"><code>Request</code></a> object is <a href="#concept-body-disturbed" title="concept-Body-disturbed">disturbed</a>
 or <a href="#concept-body-locked" title="concept-Body-locked">locked</a>,
 <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <li><p>Return a new <a href="#request"><code>Request</code></a> object associated with the result of
 <a href="#concept-request-clone" title="concept-request-clone">cloning</a>
 <a href="#concept-request-request" title="concept-Request-request">request</a> and a new <a href="#headers"><code>Headers</code></a> object whose
 <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is
 <a class="external" data-anolis-spec="dom" href="https://dom.spec.whatwg.org/#context-object">context object</a>'s <a href="#headers"><code>Headers</code></a>'
 <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a>.
</ol>


<h3 id="response-class"><span class="secno">6.4 </span>Response class</h3>

<pre class="idl">[<a href="#dom-response" title="dom-Response">Constructor</a>(optional <a href="#responsebodyinit">ResponseBodyInit</a>? <var>body</var> = null, optional <a href="#responseinit">ResponseInit</a> <var>init</var>),
 Exposed=(Window,Worker)]
interface <dfn id="response">Response</dfn> {
  [NewObject] static <a href="#response">Response</a> <a href="#dom-response-error" title="dom-Response-error">error</a>();
  [NewObject] static <a href="#response">Response</a> <a href="#dom-response-redirect" title="dom-Response-redirect">redirect</a>(USVString <var>url</var>, optional unsigned short <var>status</var> = 302);

  readonly attribute <a href="#responsetype">ResponseType</a> <a href="#dom-response-type" title="dom-Response-type">type</a>;

  readonly attribute USVString <a href="#dom-response-url" title="dom-Response-url">url</a>;
  readonly attribute boolean <a href="#dom-response-redirected" title="dom-Response-redirected">redirected</a>;
  readonly attribute unsigned short <a href="#dom-response-status" title="dom-Response-status">status</a>;
  readonly attribute boolean <a href="#dom-response-ok" title="dom-Response-ok">ok</a>;
  readonly attribute ByteString <a href="#dom-response-statustext" title="dom-Response-statusText">statusText</a>;
  [SameObject] readonly attribute <a href="#headers">Headers</a> <a href="#dom-response-headers" title="dom-Response-headers">headers</a>;
  readonly attribute <a href="#concept-readablestream" title="concept-ReadableStream">ReadableStream</a>? <a href="#dom-response-body" title="dom-Response-body">body</a>;

  [NewObject] <a href="#response">Response</a> <a href="#dom-response-clone" title="dom-Response-clone">clone</a>();
};
<a href="#response">Response</a> implements <a href="#body">Body</a>;

dictionary <dfn id="responseinit">ResponseInit</dfn> {
  unsigned short status = 200;
  ByteString statusText = "OK";
  <a href="#headersinit">HeadersInit</a> headers;
};

enum <dfn id="responsetype">ResponseType</dfn> { "basic", "cors", "default", "error", "opaque", "opaqueredirect" };</pre>

<p>A <a href="#response"><code>Response</code></a> object has an associated
<dfn id="concept-response-response" title="concept-Response-response">response</dfn> (a
<a href="#concept-response" title="concept-response">response</a>).

<p>A <a href="#response"><code>Response</code></a> object also has an associated <a href="#headers"><code>Headers</code></a> object which
is itself associated with <a href="#concept-response-response" title="concept-Response-response">response</a>'s
<a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

<p>A <a href="#response"><code>Response</code></a> object's <a href="#concept-body-body" title="concept-Body-body">body</a> is its
<a href="#concept-response-response" title="concept-Response-response">response</a>'s <a href="#concept-response-body" title="concept-response-body">body</a>.

<p>The
<dfn id="dom-response" title="dom-Response"><code>Response(<var>body</var>, <var>init</var>)</code></dfn>
constructor, when invoked, must run these steps:

<ol>
 <li><p>If <var>init</var>'s <code title="">status</code> member is not in the range
 <code>200</code> to <code>599</code>, inclusive, <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a
 <code title="">RangeError</code>.

 <li><p>If <var>init</var>'s <code title="">statusText</code> member does not match the
 <a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.1.2">reason-phrase</a> token production,
 <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <li><p>Let <var>r</var> be a new <a href="#response"><code>Response</code></a> object, associated with a
 new <a href="#concept-response" title="concept-response">response</a> and a new <a href="#headers"><code>Headers</code></a> object
 whose <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is "<code title="">response</code>".

 <li><p>Set <var>r</var>'s <a href="#concept-response-response" title="concept-Response-response">response</a>'s
 <a href="#concept-response-status" title="concept-response-status">status</a> to <var>init</var>'s
 <code title="">status</code> member.

 <li><p>Set <var>r</var>'s <a href="#concept-response-response" title="concept-Response-response">response</a>'s
 <a href="#concept-response-status-message" title="concept-response-status-message">status message</a> to
 <var>init</var>'s <code title="">statusText</code> member.

 <li>
  <p>If <var>init</var>'s <code title="">headers</code> member is present, run these
  substeps:

  <ol>
   <li><p>Empty <var>r</var>'s
   <a href="#concept-response-response" title="concept-Response-response">response</a>'s
   <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

   <li><p><a href="#concept-headers-fill" title="concept-Headers-fill">Fill</a> <var>r</var>'s
   <a href="#headers"><code>Headers</code></a> object with <var>init</var>'s <code title="">headers</code>
   member. Rethrow any exceptions.
  </ol>

 <li>
  <p>If <var>body</var> is non-null, run these substeps:

  <ol>
   <li>
    <p>If <var>init</var>'s <code title="">status</code> member is a
    <a href="#null-body-status">null body status</a>, <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a
    <code title="">TypeError</code>.

    <p class="note no-backref"><code title="">101</code> is included in
    <a href="#null-body-status">null body status</a> due to its use elsewhere. It does not affect this step.

   <li><p>Let <var>Content-Type</var> be null.

   <li><p>Set <var>r</var>'s <a href="#concept-response-response" title="concept-Response-response">response</a>'s
   <a href="#concept-response-body" title="concept-response-body">body</a> and <var>Content-Type</var> to the result of
   <a href="#concept-bodyinit-extract" title="concept-BodyInit-extract">extracting</a> <var>body</var>. Rethrow any exceptions.

   <li><p>If <var>Content-Type</var> is non-null and <var>r</var>'s
   <a href="#concept-response-response" title="concept-Response-response">response</a>'s
   <a href="#concept-response-header-list" title="concept-response-header-list">header list</a> contains no
   <a href="#concept-header" title="concept-header">header</a> <a href="#concept-header-name" title="concept-header-name">named</a>
   `<code title="">Content-Type</code>`, <a href="#concept-header-list-append" title="concept-header-list-append">append</a>
   `<code title="">Content-Type</code>`/<var>Content-Type</var> to
   <var>r</var>'s <a href="#concept-response-response" title="concept-Response-response">response</a>'s
   <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.
  </ol>

 <li><p>Set <var>r</var>'s <a href="#concept-body-mime-type" title="concept-Body-MIME-type">MIME type</a> to
 the result of <a href="#concept-header-extract-mime-type" title="concept-header-extract-MIME-type">extracting a MIME type</a>
 from <var>r</var>'s <a href="#concept-response-response" title="concept-Response-response">response</a>'s
 <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

 <li><p>Set <var>r</var>'s <a href="#concept-response-response" title="concept-Response-response">response</a>'s
 <a href="#concept-response-https-state" title="concept-response-https-state">HTTPS state</a> to
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#entry-settings-object">entry settings object</a>'s
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#https-state">HTTPS state</a>.

 <li><p>Return <var>r</var>.
</ol>

<p>The static <dfn id="dom-response-error" title="dom-Response-error"><code>error()</code></dfn> method, when
invoked, must return a new <a href="#response"><code>Response</code></a> object, associated with a new
<a href="#concept-network-error" title="concept-network-error">network error</a> and a new <a href="#headers"><code>Headers</code></a>
object whose <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is
"<code title="">immutable</code>".

<p>The static
<dfn id="dom-response-redirect" title="dom-Response-redirect"><code>redirect(<var>url</var>, <var>status</var>)</code></dfn>
method, when invoked, must run these steps:

<ol>
 <li><p>Let <var>parsedURL</var> be the result of
 <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-parser" title="concept-url-parser">parsing</a>
 <var>url</var> with <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#entry-settings-object">entry settings object</a>'s
 <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#api-base-url">API base URL</a>.

 <li><p>If <var>parsedURL</var> is failure,
 <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <li><p>If <var>status</var> is not a <a href="#redirect-status">redirect status</a>,
 <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">RangeError</code>.

 <li><p>Let <var>r</var> be a new <a href="#response"><code>Response</code></a> object, associated with a
 new <a href="#concept-response" title="concept-response">response</a> and a new <a href="#headers"><code>Headers</code></a> object
 whose <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is "<code title="">immutable</code>".

 <li><p>Set <var>r</var>'s <a href="#concept-response-response" title="concept-Response-response">response</a>'s
 <a href="#concept-response-status" title="concept-response-status">status</a> to <var>status</var>.

 <li><p><a href="#concept-header-list-set" title="concept-header-list-set">Set</a> `<code title="">Location</code>` to
 <var>parsedURL</var>,
 <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-serializer" title="concept-url-serializer">serialized</a> and
 <a class="external" data-anolis-spec="encoding" href="https://encoding.spec.whatwg.org/#utf-8-encode" title="utf-8 encode">utf-8 encoded</a>, in
 <var>r</var>'s <a href="#concept-response-response" title="concept-Response-response">response</a>'s
 <a href="#concept-response-header-list" title="concept-response-header-list">header list</a>.

 <li><p>Return <var>r</var>.
</ol>

<p>The <dfn id="dom-response-type" title="dom-Response-type"><code>type</code></dfn> attribute's getter must return
<a href="#concept-response-response" title="concept-Response-response">response</a>'s
<a href="#concept-response-type" title="concept-response-type">type</a>.

<p>The <dfn id="dom-response-url" title="dom-Response-url"><code>url</code></dfn> attribute's getter must return
the empty string if <a href="#concept-response-response" title="concept-Response-response">response</a>'s
<a href="#concept-response-url" title="concept-response-url">url</a> is null and
<a href="#concept-response-response" title="concept-Response-response">response</a>'s
<a href="#concept-response-url" title="concept-response-url">url</a>,
<a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-serializer" title="concept-url-serializer">serialized</a> with the
<i title="">exclude-fragment flag</i> set, otherwise.
<a href="#refsURL">[URL]</a>

<p>The <dfn id="dom-response-redirected" title="dom-Response-redirected"><code>redirected</code></dfn> attribute's getter must
return true if <a href="#concept-response-response" title="concept-Response-response">response</a>'s
<a href="#concept-response-url-list" title="concept-response-url-list">url list</a> has more than one item, and false otherwise.

<p class="note">To filter out <a href="#concept-response" title="concept-response">responses</a> that are the result of a
redirect, do this directly through the API, e.g., <code>fetch(url, { redirect:"error" })</code>.
This way a potentially unsafe <a href="#concept-response" title="concept-response">response</a> cannot accidentally leak.

<p>The <dfn id="dom-response-status" title="dom-Response-status"><code>status</code></dfn> attribute's getter must
return <a href="#concept-response-response" title="concept-Response-response">response</a>'s
<a href="#concept-response-status" title="concept-response-status">status</a>.

<p>The <dfn id="dom-response-ok" title="dom-Response-ok"><code>ok</code></dfn> attribute's getter must
return true if <a href="#concept-response-response" title="concept-Response-response">response</a>'s
<a href="#concept-response-status" title="concept-response-status">status</a> is an <a href="#ok-status">ok status</a>, and false otherwise.

<p>The <dfn id="dom-response-statustext" title="dom-Response-statusText"><code>statusText</code></dfn> attribute's getter
must return <a href="#concept-response-response" title="concept-Response-response">response</a>'s
<a href="#concept-response-status-message" title="concept-response-status-message">status message</a>.

<p>The <dfn id="dom-response-headers" title="dom-Response-headers"><code>headers</code></dfn> attribute's getter must
return the associated <a href="#headers"><code>Headers</code></a> object.

<p>The <dfn id="dom-response-body" title="dom-Response-body"><code>body</code></dfn> attribute's getter must return null if
the associated <a href="#concept-body-body" title="concept-Body-body">body</a> is null and the associated
<a href="#concept-body-body" title="concept-Body-body">body</a>'s <a href="#concept-body-stream" title="concept-body-stream">stream</a> otherwise.

<hr>

<p>The <dfn id="dom-response-clone" title="dom-Response-clone"><code>clone()</code></dfn> method, when invoked, must
run these steps:

<ol>
 <li><p>If this <a href="#response"><code>Response</code></a> object is <a href="#concept-body-disturbed" title="concept-Body-disturbed">disturbed</a>
 or <a href="#concept-body-locked" title="concept-Body-locked">locked</a>,
 <a class="external" data-anolis-spec="webidl" href="https://heycam.github.io/webidl/#dfn-throw">throw</a> a <code title="">TypeError</code>.

 <li><p>Return a new <a href="#response"><code>Response</code></a> object associated with the result of
 <a href="#concept-response-clone" title="concept-response-clone">cloning</a>
 <a href="#concept-response-response" title="concept-Response-response">response</a> and a new <a href="#headers"><code>Headers</code></a> object whose
 <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is
 <a class="external" data-anolis-spec="dom" href="https://dom.spec.whatwg.org/#context-object">context object</a>'s <a href="#headers"><code>Headers</code></a>'
 <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a>.
</ol>


<h3 id="structured-cloning-of-headers,-request,-and-response-objects"><span class="secno">6.5 </span>Structured cloning of <a href="#headers"><code>Headers</code></a>, <a href="#request"><code>Request</code></a>, and <a href="#response"><code>Response</code></a> objects</h3>

<p class="note">Unlikely to happen anytime soon due to difficulty of cloning promises and
streams. See <a href="https://github.com/slightlyoff/ServiceWorker/issues/313">SW #313</a>
for details.


<h3 id="fetch-method"><span class="secno">6.6 </span>Fetch method</h3>

<pre class="idl">partial interface <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/webappapis.html#windoworworkerglobalscope">WindowOrWorkerGlobalScope</a> {
  [NewObject] Promise&lt;<a href="#response">Response</a>&gt; <a href="#dom-global-fetch" title="dom-global-fetch">fetch</a>(<a href="#requestinfo">RequestInfo</a> <var>input</var>, optional <a href="#requestinit">RequestInit</a> <var>init</var>);
};</pre>

<p>The
<dfn id="dom-global-fetch" title="dom-global-fetch"><code>fetch(<var>input</var>, <var>init</var>)</code></dfn>
method, must run these steps:

<ol>
 <li><p>Let <var>p</var> be a new promise.

 <li><p>Let <var>request</var> be the associated
 <a href="#concept-request" title="concept-request">request</a> of the result of invoking the initial value of
 <a href="#dom-request"><code title="dom-Request">Request</code></a> as constructor with <var>input</var> and
 <var>init</var> as arguments. If this throws an exception, reject
 <var>p</var> with it and return <var>p</var>.

 <li>
  <p>Run the following <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel">in parallel</a>:

  <p><a href="#concept-fetch" title="concept-fetch">Fetch</a> <var>request</var>.

  <p>To <a href="#process-response">process response</a> for <var>response</var>, run these substeps:

  <ol>
   <li><p>If <var>response</var>'s <a href="#concept-response-type" title="concept-response-type">type</a> is
   "<code title="">error</code>", reject <var>p</var> with a <code title="">TypeError</code> and terminate
   these substeps.

   <li><p>Resolve <var>p</var> with a new <a href="#response"><code>Response</code></a> object associated with
   <var>response</var> and a new <a href="#headers"><code>Headers</code></a> object whose
   <a href="#concept-headers-guard" title="concept-Headers-guard">guard</a> is "<code title="">immutable</code>".
  </ol>

 <li><p>Return <var>p</var>.
</ol>


<h3 id="garbage-collection"><span class="secno">6.7 </span>Garbage collection</h3>

<p>The user agent may <a href="#concept-fetch-terminate" title="concept-fetch-terminate">terminate</a> an ongoing fetch with
reason <i title="">garbage collection</i> if that termination is not observable through script.

<p class="note no-backref">"Observable through script" means observable through
<a href="#dom-global-fetch"><code title="dom-global-fetch">fetch()</code></a>'s arguments and return value. Other ways, such as
communicating with the server through a side-channel are not included.

<p class="note no-backref">The server being able to observe garbage collection has precedent, e.g.,
with <code>WebSocket</code> and <code>XMLHttpRequest</code> objects.

<div class="example no-backref">
 <p>The user agent can terminate the fetch because the termination cannot be observed.
 <pre>fetch("https://www.example.com/")</pre>

 <p>The user agent cannot terminate the fetch because the termination can be observed through
 the promise.
 <pre>window.promise = fetch("https://www.example.com/")</pre>

 <p>The user agent can terminate the fetch because the associated body is not observable.
 <pre>window.promise = fetch("https://www.example.com/").then(res =&gt; res.headers)</pre>

 <p>The user agent can terminate the fetch because the termination cannot be observed.
 <pre>fetch("https://www.example.com/").then(res =&gt; res.body.getReader().closed)</pre>

 <p>The user agent cannot terminate the fetch because one can observe the termination by registering
 a handler for the promise object.
 <pre>window.promise = fetch("https://www.example.com/")
  .then(res =&gt; res.body.getReader().closed)</pre>

 <p>The user agent cannot terminate the fetch as termination would be observable via the registered
 handler.
 <pre>fetch("https://www.example.com/")
  .then(res =&gt; {
    res.body.getReader().closed.then(() =&gt; console.log("stream closed!"))
  })</pre>
</div>



<h2 id="websocket-protocol"><span class="secno">7 </span>WebSocket protocol alterations</h2>

<div class="note">
 <p>This section replaces part of the WebSocket protocol opening handshake client requirement to
 integrate it with algorithms defined in Fetch. This way CSP, cookies, HSTS, and other Fetch-related
 protocols are handled in a single location. Ideally the RFC would be updated with this language,
 but it is never that easy. The WebSocket API, defined in the HTML Standard, has been updated to use
 this language. <a href="#refsWSP">[WSP]</a> <a href="#refsHTML">[HTML]</a>

 <p>The way this works is by replacing The WebSocket Protocol's "establish a WebSocket connection"
 algorithm with a new one that integrates with Fetch. "Establish a WebSocket connection" consists of
 three algorithms: setting up a connection, creating and transmiting a handshake request, and
 validating the handshake response. That layering is different from Fetch, which first creates a
 handshake, then sets up a connection and transmits the handshake, and finally validates the
 response. Keep that in mind while reading these alterations.
</div>


<h3 id="websocket-connections"><span class="secno">7.1 </span>Connections</h3>

<p>To <dfn id="concept-websocket-connection-obtain" title="concept-websocket-connection-obtain">obtain a WebSocket connection</dfn>, given a
<var>url</var>, run these steps:

<ol>
 <li><p>Let <var>host</var> be <var>url</var>'s
 <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-host" title="concept-url-host">host</a>.

 <li><p>Let <var>port</var> be <var>url</var>'s
 <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-port" title="concept-url-port">port</a>.

 <li><p>Let <var>secure</var> be false, if <var>url</var>'s
 <span title="concept-url-scheme">scheme</span> is "<code title="">http</code>", and true otherwise.

 <li><p>Follow the requirements stated in step 2 to 5, inclusive, of the first set of steps in
 <a href="http://tools.ietf.org/html/rfc6455#section-4.1">section 4.1</a> of The WebSocket Protocol
 to establish a <span title="concept-websocket-connection">WebSocket connection</span>.
 <a href="#refsWSP">[WSP]</a>

 <li><p>If that established a connection, return it, and return failure otherwise.
</ol>

<p class="note">Although structured a little differently, carrying different properties, and
therefore not shareable, a WebSocket connection is very close to identical to an "ordinary"
<a href="#concept-connection" title="concept-connection">connection</a>.


<h3 id="websocket-opening-handshake"><span class="secno">7.2 </span>Opening handshake</h3>

<p>To <dfn id="concept-websocket-establish" title="concept-websocket-establish">establish a WebSocket connection</dfn>, given a
<var>url</var>, <var>protocols</var>, and <var>client</var>, run these steps:

<ol>
 <li>
  <p>Let <var>requestURL</var> be a copy of <var>url</var>, with its
  <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> set to
  "<code title="">http</code>", if <var>url</var>'s
  <a class="external" data-anolis-spec="url" href="https://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is "<code title="">ws</code>", and
  to "<code title="">https</code>" otherwise.

  <p class="note no-backref">This change of scheme is essential to integrate well with
  <a href="#concept-fetch" title="concept-fetch">fetching</a>. E.g., HSTS would not work without it. There is no real
  reason for WebSocket to have distinct schemes, it's a legacy artefact.
  <a href="#refsHSTS">[HSTS]</a>

 <li><p>Let <var>request</var> be a new <a href="#concept-request" title="concept-request">request</a>, whose
 <a href="#concept-request-url" title="concept-request-url">url</a> is <var>url</var>,
 <a href="#concept-request-client" title="concept-request-client">client</a> is <var>client</var>,
 <a href="#skip-service-worker-flag">skip-service-worker flag</a> is set,
 <a href="#synchronous-flag">synchronous flag</a> is set,
 <a href="#concept-request-mode" title="concept-request-mode">mode</a> is "<code title="">websocket</code>",
 <a href="#concept-request-credentials-mode" title="concept-request-credentials-mode">credentials mode</a> is
 "<code title="">include</code>",
 <span title="concept-cache-mode">cache mode</span> is "<code title="">no-store</code>", and
 <a href="#concept-request-redirect-mode" title="concept-request-redirect-mode">redirect mode</a> is "<code title="">error</code>".

 <li><p><a href="#concept-header-list-append" title="concept-header-list-append">Append</a>
 `<code title="http-upgrade">Upgrade</code>`/`<code title="">websocket</code>` to
 <var>request</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

 <li><p><a href="#concept-header-list-append" title="concept-header-list-append">Append</a>
 `<code title="http-connection">Connection</code>`/`<code title="">Upgrade</code>` to
 <var>request</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

 <li>
  <p>Let <var>keyValue</var> be a nonce consisting of a randomly selected 16-byte value that has
  been base64-encoded (see <a href="https://tools.ietf.org/html/rfc4648#section-4">section 4</a> of
  <a href="#refsRFC4648">[RFC4648]</a>).

  <p class="example">If the randomly selected value was the byte sequence 0x01 0x02 0x03 0x04 0x05
  0x06 0x07 0x08 0x09 0x0a 0x0b 0x0c 0x0d 0x0e 0x0f 0x10, <var>keyValue</var> would be
  `<code title="">AQIDBAUGBwgJCgsMDQ4PEC==</code>`.

 <li><p><a href="#concept-header-list-append" title="concept-header-list-append">Append</a>
 `<code title="http-sec-websocket-key">Sec-WebSocket-Key</code>`/<var>keyValue</var> to
 <var>request</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

 <li><p><a href="#concept-header-list-append" title="concept-header-list-append">Append</a>
 `<code title="http-sec-websocket-version">Sec-WebSocket-Version</code>`/`<code title="">13</code>` to
 <var>request</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

 <li><p>For each <var>protocol</var> in <var>protocols</var>,
 <a href="#concept-header-list-combine" title="concept-header-list-combine">combine</a>
 `<code title="http-sec-websocket-protocol">Sec-WebSocket-Protocol</code>`/<var>protocol</var> in
 <var>request</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

 <li>
  <p>Let <var>permessageDeflate</var> be a user-agent defined
  "<code title="">permessage-deflate</code>" extension <a href="#concept-header" title="concept-header">header</a>
  <a href="#concept-header-value" title="concept-header-value">value</a>. <a href="#refsWSP">[WSP]</a>

  <p class="example">`<code title="">permessage-deflate; client_max_window_bits</code>`

 <li><p><a href="#concept-header-list-append" title="concept-header-list-append">Append</a>
 `<code title="http-sec-websocket-extensions">Sec-WebSocket-Extensions</code>`/<var>permessageDeflate</var>
 to <var>request</var>'s <a href="#concept-request-header-list" title="concept-request-header-list">header list</a>.

 <li><p>Let <var>response</var> be the result of <a href="#concept-fetch" title="concept-fetch">fetching</a>
 <var>request</var>.

 <li><p>If <var>response</var> is a <a href="#concept-network-error" title="concept-network-error">network error</a> or its
 <a href="#concept-response-status" title="concept-response-status">status</a> is not <code title="">101</code>,
 <a href="#fail-the-websocket-connection">fail the WebSocket connection</a>.

 <li>
  <p>If <var>protocols</var> is not the empty list and
  <a href="#concept-header-parse" title="concept-header-parse">parsing</a>
  `<code title="http-sec-websocket-protocol">Sec-WebSocket-Protocol</code>` in <var>response</var>'s
  <a href="#concept-request-header-list" title="concept-request-header-list">header list</a> results in null, failure, or the empty
  byte sequence, <a href="#fail-the-websocket-connection">fail the WebSocket connection</a>.

  <p class="note">This is different from the check on this header defined by The WebSocket Protocol.
  That only covers a subprotocol not requested by the client. This covers a subprotocol requested by
  the client, but not acknowledged by the server.

 <li><p>Follow the requirements stated step 2 to step 6, inclusive, of the last set of steps in
 <a href="http://tools.ietf.org/html/rfc6455#section-4.1">section 4.1</a> of The WebSocket Protocol
 to validate <var>response</var>. This either results in <a href="#fail-the-websocket-connection">fail the WebSocket connection</a>
 or <a href="#the-websocket-connection-is-established">the WebSocket connection is established</a>.
</ol>

<p><dfn id="fail-the-websocket-connection">Fail the WebSocket connection</dfn> and <dfn id="the-websocket-connection-is-established">the WebSocket connection is established</dfn>
are defined by The WebSocket Protocol. <a href="#refsWSP">[WSP]</a>

<p class="warning">The reason redirects are not followed, HTTP authentication will not function, and
this handshake is generally restricted is because that could introduce serious security problems in
a web browser context. For example, consider a host with a WebSocket server at one path and an open
HTTP redirector at another. Suddenly, any script that can be given a particular WebSocket URL can be
tricked into communicating to (and potentially sharing secrets with) any host on the internet, even
if the script checks that the URL has the right hostname.
<!-- https://www.ietf.org/mail-archive/web/hybi/current/msg06951.html -->



<h2 class="no-num" id="background-reading">Background reading</h2>

<p><em>This section and its subsections are informative only.</em>

<h3 class="no-num" id="http-header-layer-division"><dfn>HTTP header layer division</dfn></h3>

<p>For the purposes of fetching, there is an API layer (HTML's
<code title="">img</code>, CSS' <code title="">background-image</code>), early fetch layer,
service worker layer, and network &amp; cache layer.
`<code title="http-accept">Accept</code>` and
`<code title="http-accept-language">Accept-Language</code>` are set in the early fetch layer
(typically by the user agent). Most other headers controlled by the user agent, such as
`<code title="http-accept-encoding">Accept-Encoding</code>`,
`<code title="http-host">Host</code>`, and `<code title="http-referer">Referer</code>`, are
set in the network &amp; cache layer. Developers can set headers either at the API layer
or in the service worker layer (typically through a <a href="#request"><code>Request</code></a> object).
Developers have almost no control over
<a href="#forbidden-header-name" title="forbidden header name">forbidden headers</a>, but can control
`<code title="http-accept">Accept</code>` and have the means to constrain and omit
`<code title="http-referer">Referer</code>` for instance.


<h3 class="no-num" id="atomic-http-redirect-handling"><dfn>Atomic HTTP redirect handling</dfn></h3>

<p>Redirects (a <a href="#concept-response" title="concept-response">response</a> whose
<a href="#concept-response-status" title="concept-response-status">status</a> or
<a href="#concept-internal-response" title="concept-internal-response">internal response</a>'s (if any)
<a href="#concept-response-status" title="concept-response-status">status</a> is a <a href="#redirect-status">redirect status</a>) are not exposed
to APIs. Exposing redirects might leak information not otherwise available through a cross-site
scripting attack.

<p class="example">A fetch to <code>https://example.org/auth</code> that includes a
<code title="">Cookie</code> marked <code title="">HttpOnly</code> could result in a redirect to
<code>https://other-origin.invalid/4af955781ea1c84a3b11</code>. This new URL contains a
secret. If we expose redirects that secret would be available through a cross-site
scripting attack.


<h3 class="no-num" id="basic-safe-cors-protocol-setup">Basic safe CORS protocol setup</h3>

<p>For resources where data is protected through IP authentication or a firewall
(unfortunately relatively common still), using the <a href="#cors-protocol">CORS protocol</a> is
<strong>unsafe</strong>. (This is the reason why the <a href="#cors-protocol">CORS protocol</a> had to be
invented.)

<p>However, otherwise using the following <a href="#concept-header" title="concept-header">header</a> is
<strong>safe</strong>:

<pre>Access-Control-Allow-Origin: *</pre>

<p>Even if a resource exposes additional information based on cookie or HTTP
authentication, using the above <a href="#concept-header" title="concept-header">header</a> will not reveal
it. It will share the resource with APIs such as
<a href="https://xhr.spec.whatwg.org/#xmlhttprequest"><code class="external" data-anolis-spec="xhr">XMLHttpRequest</code></a>, much like it is already shared with
<code title="">curl</code> and <code title="">wget</code>.

<p>Thus in other words, if a resource cannot be accessed from a random device connected to
the web using <code title="">curl</code> and <code title="">wget</code> the aforementioned
<a href="#concept-header" title="concept-header">header</a> is not to be included. If it can be accessed
however, it is perfectly fine to do so.


<h3 class="no-num" id="cors-protocol-and-http-caches">CORS protocol and HTTP caches</h3>

<p>If <a href="#cors-protocol">CORS protocol</a> requirements are more complicated than setting
`<a href="#http-access-control-allow-origin"><code title="http-access-control-allow-origin">Access-Control-Allow-Origin</code></a>` to
<code title="">*</code> or a static <a class="external" data-anolis-spec="html" href="https://html.spec.whatwg.org/multipage/browsers.html#origin">origin</a>,
`<code title="">Vary</code>` is to be used.
<a href="#refsHTML">[HTML]</a>
<a href="#refsHTTP">[HTTP]</a>

<pre class="example">Vary: Origin</pre>



<h2 class="no-num" id="references">References</h2>
<div id="anolis-references"><dl><dt id="refsABNF">[ABNF]
<dd><cite><a href="http://tools.ietf.org/html/rfc5234">Augmented BNF for Syntax Specifications: ABNF</a></cite>, D. Crocker and P. Overell. IETF.

<dt id="refsCLIENT-HINTS">[CLIENT-HINTS]
<dd><cite><a href="https://tools.ietf.org/html/draft-ietf-httpbis-client-hints">HTTP Client Hints</a></cite>, Ilya Grigorik. IETF.

<dt id="refsCOOKIES">[COOKIES]
<dd><cite><a href="https://tools.ietf.org/html/rfc6265">HTTP State Management Mechanism</a></cite>, Adam Barth. IETF.

<dt id="refsCORS">[CORS]
<dd>(Non-normative) <cite><a href="https://www.w3.org/TR/cors/">CORS (obsolete)</a></cite>, Anne van Kesteren. W3C.

<dt id="refsCSP">[CSP]
<dd><cite><a href="https://w3c.github.io/webappsec-csp/">Content Security Policy</a></cite>, Mike West, Adam Barth and Dan Veditz. W3C.

<dt id="refsDATAURL">[DATAURL]
<dd><cite><a href="https://simonsapin.github.io/data-urls/">The data URL scheme</a></cite>, Simon Sapin.

<dt id="refsENCODING">[ENCODING]
<dd><cite><a href="https://encoding.spec.whatwg.org/">Encoding</a></cite>, Anne van Kesteren. WHATWG.

<dt id="refsHSTS">[HSTS]
<dd><cite><a href="https://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security</a></cite>, Jeff Hodges, Collin Jackson and Adam Barth. IETF.

<dt id="refsHTML">[HTML]
<dd><cite><a href="https://html.spec.whatwg.org/multipage/">HTML</a></cite>, Ian Hickson. WHATWG.

<dt id="refsHTTP">[HTTP]
<dd><cite><a href="https://tools.ietf.org/html/rfc7230">Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing</a></cite>, Roy Fielding and Julian Reschke. IETF.

<dd><cite><a href="https://tools.ietf.org/html/rfc7231">Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</a></cite>, Roy Fielding and Julian Reschke. IETF.

<dd><cite><a href="https://tools.ietf.org/html/rfc7232">Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests</a></cite>, Roy Fielding and Julian Reschke. IETF.

<dd><cite><a href="https://tools.ietf.org/html/rfc7234">Hypertext Transfer Protocol (HTTP/1.1): Caching</a></cite>, Roy Fielding and Julian Reschke. IETF.

<dd><cite><a href="https://tools.ietf.org/html/rfc7235">Hypertext Transfer Protocol (HTTP/1.1): Authentication</a></cite>, Roy Fielding and Julian Reschke. IETF.

<dt id="refsHTTPVERBSEC">[HTTPVERBSEC]
<dd>(Non-normative) <cite><a href="https://www.kb.cert.org/vuls/id/867593">Multiple vendors' web servers enable HTTP TRACE method by default</a></cite>. US-CERT.

<dd>(Non-normative) <cite><a href="https://www.kb.cert.org/vuls/id/288308">Microsoft Internet Information Server (IIS) vulnerable to cross-site scripting via HTTP TRACK method</a></cite>. US-CERT.

<dd>(Non-normative) <cite><a href="https://www.kb.cert.org/vuls/id/150227">HTTP proxy default configurations allow arbitrary TCP connections</a></cite>. US-CERT.

<dt id="refsMIX">[MIX]
<dd><cite><a href="https://w3c.github.io/webappsec-mixed-content/">Mixed Content</a></cite>, Mike West. W3C.

<dt id="refsORIGIN">[ORIGIN]
<dd>(Non-normative) <cite><a href="https://tools.ietf.org/html/rfc6454">The Web Origin Concept</a></cite>, Adam Barth. IETF.

<dt id="refsREFERRER">[REFERRER]
<dd><cite><a href="https://w3c.github.io/webappsec-referrer-policy/">Referrer Policy</a></cite>, Jochen Eisinger and Emily Stark. W3C.

<dt id="refsRFC2119">[RFC2119]
<dd><cite><a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a></cite>, Scott Bradner. IETF.

<dt id="refsRFC2388">[RFC2388]
<dd><cite><a href="https://tools.ietf.org/html/rfc2388">Returning Values from Forms: multipart/form-data</a></cite>, L. Masinter. IETF.

<dt id="refsRFC4648">[RFC4648]
<dd><cite><a href="https://tools.ietf.org/html/rfc4648">The Base16, Base32, and Base64 Data Encodings</a></cite>, S. Josefsson. IETF.

<dt id="refsSRI">[SRI]
<dd><cite><a href="https://w3c.github.io/webappsec-subresource-integrity/">Subresource Integrity</a></cite>, Devdatta Akhawe, Francois Marier, Frederik Braun et al.. W3C.

<dt id="refsSTREAMS">[STREAMS]
<dd><cite><a href="https://streams.spec.whatwg.org/">Streams</a></cite>, Domenic Denicola and Takeshi Yoshino. WHATWG.

<dt id="refsSW">[SW]
<dd><cite><a href="https://slightlyoff.github.io/ServiceWorker/spec/service_worker/">Service Workers</a></cite>, Alex Russell and Jungkee Song. W3C.

<dt id="refsTLS">[TLS]
<dd><cite><a href="https://tools.ietf.org/html/rfc5246">The Transport Layer Security (TLS) Protocol Version 1.2</a></cite>, T. Dierks and E. Rescorla. IETF.

<dt id="refsUPGRADE">[UPGRADE]
<dd><cite><a href="https://w3c.github.io/webappsec-upgrade-insecure-requests/">Upgrade Insecure Requests</a></cite>, Mike West. W3C.

<dt id="refsURL">[URL]
<dd><cite><a href="https://url.spec.whatwg.org/">URL</a></cite>, Anne van Kesteren. WHATWG.

<dt id="refsWEBIDL">[WEBIDL]
<dd><cite><a href="https://heycam.github.io/webidl/">Web IDL</a></cite>, Cameron McCormack. W3C.

<dt id="refsWSP">[WSP]
<dd><cite><a href="https://tools.ietf.org/html/rfc6455">The WebSocket Protocol</a></cite>, I. Fette and A. Melnikov. IETF.

<dd><cite><a href="https://tools.ietf.org/html/rfc7692">Compression Extensions for WebSocket</a></cite>, T. Yoshino. IETF.

<dt id="refsXHR">[XHR]
<dd>(Non-normative) <cite><a href="https://xhr.spec.whatwg.org/">XMLHttpRequest</a></cite>, Anne van Kesteren. WHATWG.

</dl></div>



<h2 class="no-num" id="acknowledgments">Acknowledgments</h2>

<p>Thanks to
Adam Barth,
Adam Lavin,
Alexey Proskuryakov,
Andrew Sutherland,
Ángel González,
Anssi Kostiainen,
Arkadiusz Michalski,
Arne Johannessen,
Arthur Barstow,
Axel Rauschmayer,
Ben Kelly,
Benjamin Hawkes-Lewis,
Bert Bos,
Björn Höhrmann,
Boris Zbarsky,
Brad Hill,
Brad Porter,
Bryan Smith,
Caitlin Potter,
Cameron McCormack,
Clement Pellerin,
Collin Jackson,
Daniel Robertson,
Daniel Veditz,
David Håsäther,
David Orchard,
Domenic Denicola,
Dean Jackson,
Doug Turner,
Ehsan Akhgari,
Emily Stark,
Eric Lawrence,
Frank Ellerman,
Frederick Hirsch,
Gavin Carothers,
Glenn Maynard,
Graham Klyne,
Hal Lockhart,
Hallvord R. M. Steen,
Henri Sivonen,
Hiroshige Hayashizaki,
Honza Bambas,
Ian Hickson,
Ilya Grigorik,
Jake Archibald<!-- technically B.J. Archibald -->,
James Graham,
Janusz Majnert,
Jeff Carpenter,
Jeff Hodges,
Jeffrey Yasskin,
Jesse M. Heines,
Jochen Eisinger,
Jonas Sicking,
Jonathan Kingston,
Jonathan Watt,
최종찬 (Jongchan Choi),
Jörn Zaefferer,
Josh Matthews,
Julian Krispel-Samsel,
Julian Reschke,
송정기 (Jungkee Song),
Jussi Kalliokoski,
Jxck,
Keith Yeung,
Kenji Baheux,
Lachlan Hunt,
Liam Brummitt,
Louis Ryan,
Lucas Gonze,
呂康豪 (Kang-Hao Lu),
Maciej Stachowiak,
Manfred Stock,
Manish Goregaokar,
Marc Silbey,
Marcos Caceres,
Marijn Kruisselbrink,
Mark Nottingham,
Mark S. Miller,
Martin Dürst,
Matt Andrews,
Matt Falkenhagen,
Matt Oshry,
Matt Womer,
Mhano Harkness,
Michael Kohler,
Michael™ Smith,
Mike West,
Mohamed Zergaoui,
Ms2ger,
Nikhil Marathe,
Nikki Bee,
Nikunj Mehta,
Odin Hørthe Omdal,
Ondřej Žára,
Philip Jägenstedt,
R. Auburn,
Ryan Sleevi,
Rory Hewitt,
Sébastien Cevey,
Shao-xuan Kang,
Sharath Udupa,
Shivakumar Jagalur Matt,
Simon Pieters,
Srirama Chandra Sekhar Mogali,
Steven Salat,
Sunava Dutta,
Surya Ismail,
吉野剛史 (Takeshi Yoshino),
Thomas Roessler,
Thomas Wisniewski,
Tobie Langel,
Tomás Aparicio,
保呂毅 (Tsuyoshi Horo),
Tyler Close,
Vignesh Shanmugam,
Vladimir Dzhuvinov,
Wayne Carr,
Xabier Rodríguez,
Yoav Weiss,
Youenn Fablet,
平野裕 (Yutaka Hirano), and
Zhenbin Xu
for being awesome.

<p>This standard is written by
<a href="https://annevankesteren.nl/" lang="nl">Anne van Kesteren</a>
(<a href="https://www.mozilla.org/">Mozilla</a>,
<a href="mailto:annevk@annevk.nl">annevk@annevk.nl</a>).

<p>Per <a href="https://creativecommons.org/publicdomain/zero/1.0/" rel="license">CC0</a>, to
the extent possible under law, the editor has waived all copyright and related or
neighboring rights to this work.