Overview.html

<!DOCTYPE html><html lang="en-US"><meta charset="utf-8">
<title>Fetch Standard</title>
<link href="//www.whatwg.org/style/specification" rel="stylesheet">
<link href="//resources.whatwg.org/logo-fetch.svg" rel="icon">

<div class="head">

<p><a class="logo" href="//www.whatwg.org/"><img alt="WHATWG" height="100" src="//resources.whatwg.org/logo-fetch.svg" width="100"></a>
<h1 id="cors">Fetch</h1>
<h2 class="no-num no-toc" id="living-standard-—-last-updated-10-january-2014">Living Standard — Last Updated 10 January 2014</h2>

<dl>
 <dt>This Version:
 <dd><a href="//fetch.spec.whatwg.org/">http://fetch.spec.whatwg.org/</a>

 <dt>Participate:
 <dd>Send feedback to <a href="http://www.whatwg.org/mailing-list">whatwg@whatwg.org</a> or
  <a href="https://www.w3.org/Bugs/Public/enter_bug.cgi?product=WHATWG&amp;component=Fetch">file a bug</a>
  (<a href="https://www.w3.org/Bugs/Public/buglist.cgi?product=WHATWG&amp;component=Fetch&amp;resolution=---">open bugs</a>)
 <dd><a href="//wiki.whatwg.org/wiki/IRC">IRC: #whatwg on Freenode</a>

 <dt>Version History:
 <dd><a href="https://github.com/whatwg/fetch/commits">https://github.com/whatwg/fetch/commits</a>

 <dt>Editor:
 <dd><a href="http://annevankesteren.nl/">Anne van Kesteren</a>
  (<a href="http://www.mozilla.org/">Mozilla</a>)
  &lt;<a href="mailto:annevk@annevk.nl">annevk@annevk.nl</a>&gt;
</dl>

<script async="" src="//resources.whatwg.org/file-bug.js"></script>

<p class="copyright"><a href="http://creativecommons.org/publicdomain/zero/1.0/" rel="license"><img alt="CC0" src="http://i.creativecommons.org/p/zero/1.0/80x15.png"></a>
To the extent possible under law, the editor has waived all copyright and
related or neighboring rights to this work. In addition, as of
10 January 2014, the editor has made this specification available
under the
<a href="http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0" rel="license">Open Web Foundation Agreement Version 1.0</a>,
which is available at
http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0.

</div>



<h2 class="no-num no-toc" id="abstract">Abstract</h2>

<p>The Fetch standard defines the overall architecture for obtaining resources given a URL
and a set of parameters. This concept is named fetching.



<h2 class="no-num no-toc" id="table-of-contents">Table of Contents</h2>

<!--begin-toc-->
<ol class="toc">
 <li><a class="no-num" href="#goals">Goals</a></li>
 <li><a href="#conformance"><span class="secno">1 </span>Conformance</a></li>
 <li><a href="#terminology"><span class="secno">2 </span>Terminology</a>
  <ol class="toc">
   <li><a href="#http"><span class="secno">2.1 </span>HTTP</a></li>
   <li><a href="#requests"><span class="secno">2.2 </span>Requests</a></li>
   <li><a href="#responses"><span class="secno">2.3 </span>Responses</a></ol></li>
 <li><a href="#http-extensions"><span class="secno">3 </span>HTTP extensions</a>
  <ol class="toc">
   <li><a href="#http-origin-header"><span class="secno">3.1 </span>HTTP <code title="">Origin</code> header</a></li>
   <li><a href="#http-cors-protocol"><span class="secno">3.2 </span>HTTP CORS protocol</a>
    <ol class="toc">
     <li><a href="#general"><span class="secno">3.2.1 </span>General</a></li>
     <li><a href="#http-requests"><span class="secno">3.2.2 </span>HTTP requests</a></li>
     <li><a href="#http-responses"><span class="secno">3.2.3 </span>HTTP responses</a></li>
     <li><a href="#http-new-header-syntax"><span class="secno">3.2.4 </span>HTTP new header syntax</a></ol></ol></li>
 <li><a href="#fetching"><span class="secno">4 </span>Fetching</a>
  <ol class="toc">
   <li><a href="#basic-fetch"><span class="secno">4.1 </span>Basic fetch</a></li>
   <li><a href="#cors-fetch-with-preflight"><span class="secno">4.2 </span>CORS fetch with preflight</a></li>
   <li><a href="#cors-preflight-fetch"><span class="secno">4.3 </span>CORS preflight fetch</a></li>
   <li><a href="#cors-preflight-cache"><span class="secno">4.4 </span>CORS preflight cache</a></li>
   <li><a href="#cors-check"><span class="secno">4.5 </span>CORS check</a></ol></li>
 <li><a class="no-num" href="#html-fetch">HTML fetch</a></li>
 <li><a class="no-num" href="#references">References</a></li>
 <li><a class="no-num" href="#acknowledgments">Acknowledgments</a></ol>
<!--end-toc-->



<h2 class="no-num" id="goals">Goals</h2>

<p>To unify fetching across the web platform this specification supplants a number of algorithms and specifications:

<ul class="brief no-backref">
 <li>HTML Standard's <a href="#concept-legacy-fetch" title="concept-legacy-fetch">fetch</a> and
 <a href="#concept-legacy-potentially-cors-enabled-fetch" title="concept-legacy-potentially-cors-enabled-fetch">potentially CORS-enabled fetch</a>
 algorithms (now defined in terms of <a href="#concept-fetch" title="concept-fetch">fetch</a>)
 <a class="informative" href="#refsHTML">[HTML]</a>
 <li>CORS <a class="informative" href="#refsCORS">[CORS]</a>
 <li>HTTP `<code title="http-origin"><a href="#http-origin">Origin</a></code>` header semantics
 <a class="informative" href="#refsORIGIN">[ORIGIN]</a>
</ul>

<p>Unifying fetching provides consistent handling of:

<ul class="brief">
 <li>Different URL schemes
 <li>HTTP redirects
 <li>Cross-origin requests
</ul>

<p>In due course, it should also help clarify the semantics of CSP and provide a model to hook offline networking into.



<h2 id="conformance"><span class="secno">1 </span>Conformance</h2>

<p>All diagrams, examples, and notes in this specification are
non-normative, as are all sections explicitly marked non-normative.
Everything else in this specification is normative.

<p>The key words "MUST", "MUST NOT", "REQUIRED", <!--"SHALL", "SHALL
NOT",--> "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in the normative parts of this specification are to be
interpreted as described in RFC2119. For readability, these words do
not appear in all uppercase letters in this specification.
<a href="#refsRFC2119">[RFC2119]</a>



<h2 id="terminology"><span class="secno">2 </span>Terminology</h2>

<p>This specification uses terminology from the Encoding and URL Standards.
<a href="#refsENCODING">[ENCODING]</a>
<a href="#refsURL">[URL]</a>

<p>A <a class="external" href="http://encoding.spec.whatwg.org/#byte">byte</a> sequence with bytes in the range 0x00 to
0x7F is represented as a <a class="external" href="http://encoding.spec.whatwg.org/#utf-8">utf-8</a> encoded
<a class="external" href="http://encoding.spec.whatwg.org/#string">string</a> with code points in the range U+0000 to
U+007F. To avoid confusion with an actual string backticks are used.

<p class="example">"<code title="">true</code>" is a
<a class="external" href="http://encoding.spec.whatwg.org/#string">string</a>, while `<code title="">true</code>` is a
byte sequence.

<p>Comparing two byte sequences in a <dfn id="byte-case-insensitive">byte case-insensitive</dfn> manner means
comparing them exactly, byte for byte, except that the bytes in the range 0x41 to 0x5A are
considered to also match their corresponding byte in the range 0x61 to 0x7A.

<p>A <dfn id="case-insensitive-byte-sequence">case-insensitive byte sequence</dfn> is a byte sequence that when compared to
another byte sequence does so in a <a href="#byte-case-insensitive">byte case-insensitive</a> manner.

<p class="example">The
<a href="#case-insensitive-byte-sequence" title="case-insensitive byte sequence">case-insensitive byte sequences</a>
`<code title="">Content-Type</code>` and `<code title="">content-TYPE</code>` are equal.


<h3 id="http"><span class="secno">2.1 </span>HTTP</h3>

<p>While <a href="#concept-fetch" title="concept-fetch">fetching</a> encompasses more than just HTTP, it
borrows a number of concepts from HTTP and applies these to resources obtained via other
means (e.g. via <code title="">data</code> URL).

<p>A <dfn id="concept-method" title="concept-method">method</dfn> is a byte sequence.

<p>A <dfn id="concept-header" title="concept-header">header</dfn> consists of a
<dfn id="concept-header-name" title="concept-header-name">name</dfn> and <dfn id="concept-header-value" title="concept-header-value">value</dfn>.
A <a href="#concept-header-name" title="concept-header-name">name</a> is a
<a href="#case-insensitive-byte-sequence">case-insensitive byte sequence</a> and a
<a href="#concept-header-value" title="concept-header-value">value</a> is a byte sequence.

<p>A <dfn id="simple-method">simple method</dfn> is a <a href="#concept-method" title="concept-method">method</a> that is
`<code title="">GET</code>`, `<code title="">HEAD</code>`, or `<code title="">POST</code>`.

<p>A <dfn id="simple-header">simple header</dfn> is a <a href="#concept-header" title="concept-header">header</a> whose
<a href="#concept-header-name" title="concept-header-name">name</a> is `<code title="">Accept</code>`,
`<code title="">Accept-Language</code>`, or `<code title="">Content-Language</code>`, or whose
<a href="#concept-header-name" title="concept-header-name">name</a> is `<code title="">Content-Type</code>` and
<a href="#concept-header-value" title="concept-header-value">value</a>, <span class="XXX">once parsed,</span> is
`<code title="">application/x-www-form-urlencoded</code>`,
`<code title="">multipart/form-data</code>`,
or `<code title="">text/plain</code>`.

<p class="XXX">What we never resolved in CORS was whether only certain
parameters should be allowed and how exactly the MIME type parsing would work. Hopefully
<a href="http://mimesniff.spec.whatwg.org/#parse-a-mime-type">parsing MIME types</a> will
solve this.
<!-- example if people ask: "Content-Type: text/html;" -->

<p>To <dfn id="concept-header-parse" title="concept-header-parse">parse a header value</dfn> parse it per the ABNF and
return the <a href="#concept-header-value" title="concept-header-value">values</a> obtained for the given
<a href="#concept-header-name" title="concept-header-name">name</a>, and return failure if the
<a href="#concept-header-value" title="concept-header-value">value</a> did not match the ABNF.



<h3 id="requests"><span class="secno">2.2 </span>Requests</h3>

<p>The input to <a href="#concept-fetch" title="concept-fetch">fetch</a> is a
<dfn id="concept-request" title="concept-request">request</dfn>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-method" title="concept-request-method">method</dfn>. Unless stated otherwise a
<a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-method" title="concept-request-method">method</a> is `<code title="">GET</code>`.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-url" title="concept-request-url">url</dfn> (a
<a class="external" href="http://url.spec.whatwg.org/#concept-parsed-url" title="concept-parsed-url">parsed URL</a>).

<p>A <a href="#concept-request" title="concept-request">request</a> has associated
<dfn id="concept-request-author-headers" title="concept-request-author-headers">author headers</dfn> and
<dfn id="concept-request-headers" title="concept-request-headers">headers</dfn>. Unless stated otherwise
<a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-author-headers" title="concept-request-author-headers">author headers</a>
and <a href="#concept-request-headers" title="concept-request-headers">headers</a> are empty lists of
<a href="#concept-header" title="concept-header">headers</a>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-origin" title="concept-request-origin">origin</dfn>, and
<dfn id="force-origin-header-flag">force <code title="">Origin</code> header flag</dfn>. Unless stated otherwise a
<a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-origin" title="concept-request-origin">origin</a> is null and its
<a href="#force-origin-header-flag">force <code title="">Origin</code> header flag</a> is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-referrer" title="concept-request-referrer">referrer</dfn>. Unless stated otherwise it is null.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-body" title="concept-request-body">body</dfn>. Unless stated otherwise a
<a href="#concept-request" title="concept-request">request</a>'s <a href="#concept-request-body" title="concept-request-body">body</a>
is null.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="synchronous-flag">synchronous flag</dfn>. Unless stated otherwise a
<a href="#concept-request" title="concept-request">request</a>'s <a href="#synchronous-flag">synchronous flag</a> is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-mode" title="concept-request-mode">mode</dfn>, which is one of <i title="">same-origin</i>,
<i title="">tainted cross-origin</i>, and <i title="">CORS</i>. Unless stated otherwise,
<a href="#concept-request" title="concept-request">request</a>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a>
is <i title="">tainted cross-origin</i>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="force-preflight-flag">force preflight flag</dfn>. Unless stated otherwise, it is unset and only relevant
when <a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-mode" title="concept-request-mode">mode</a> is <i title="">CORS</i>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</dfn>, which is
one of <i title="">always</i>, <i title="">CORS</i>, and <i title="">never</i>.

<p class="XXX">I think we want the default to become <i title="">always</i>, but currently it
is <i title="">never</i>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-use-url-credentials-flag" title="concept-request-use-url-credentials-flag">use URL credentials flag</dfn>.
Unless stated otherwise, it is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-manual-redirect-flag" title="concept-request-manual-redirect-flag">manual redirect flag</dfn>. Unless stated
otherwise, it is unset.

<hr>

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-redirect-count" title="concept-request-redirect-count">redirect count</dfn>. Unless stated otherwise,
it is zero.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-response-tainting" title="concept-request-response-tainting">response tainting</dfn>, which is one of
<i title="">basic</i>, <i title="">CORS</i>, and <i title="">opaque</i>. Unless stated otherwise,
it is <i title="">basic</i>.

<p class="note no-backref">A <a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-redirect-count" title="concept-request-redirect-count">redirect count</a> and
<a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a> are used as
bookkeeping details by the <a href="#concept-fetch" title="concept-fetch">fetch</a> algorithm.

<hr>

<p><a href="#concept-fetch" title="concept-fetch">Fetch</a> end points must enforce restrictions on a
<a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-method" title="concept-request-method">method</a> and
<a href="#concept-request-author-headers" title="concept-request-author-headers">author headers</a>.

<p>The <dfn id="concept-forbidden-methods" title="concept-forbidden-methods">forbidden methods</dfn> are
<a href="#concept-method" title="concept-method">methods</a> that are a <a href="#byte-case-insensitive">byte case-insensitive</a>
match for `<code title="">CONNECT</code>`, `<code title="">TRACE</code>`, and
`<code title="">TRACK</code>`. <a href="#refsHTTPVERBSEC">[HTTPVERBSEC]</a>

<p>The
<dfn id="concept-forbidden-author-header-names" title="concept-forbidden-author-header-names">forbidden author header names</dfn> are
all these <a href="#concept-header" title="concept-header">header</a>
<a href="#concept-header-name" title="concept-header-name">names</a>:

<ul class="brief">
 <li>`<code title="">Accept-Charset</code>`
 <li>`<code title="">Accept-Encoding</code>`
 <li>`<code title="">Access-Control-Request-Headers</code>`
 <li>`<code title="">Access-Control-Request-Method</code>`
 <li>`<code title="">Connection</code>`
 <li>`<code title="">Content-Length</code>`
 <li>`<code title="">Cookie</code>`
 <li>`<code title="">Cookie2</code>`
 <li>`<code title="">Date</code>`
 <li>`<code title="">DNT</code>`
 <li>`<code title="">Expect</code>`
 <li>`<code title="">Host</code>`
 <li>`<code title="">Keep-Alive</code>`
 <li>`<code title="http-origin"><a href="#http-origin">Origin</a></code>`
 <li>`<code title="">Referer</code>`
 <li>`<code title="">TE</code>`
 <li>`<code title="">Trailer</code>`
 <li>`<code title="">Transfer-Encoding</code>`
 <li>`<code title="">Upgrade</code>`
 <li>`<code title="">User-Agent</code>`
 <li>`<code title="">Via</code>`
</ul>

<p>… and <a href="#concept-header" title="concept-header">header</a>
<a href="#concept-header-name" title="concept-header-name">names</a> that start with `<code title="">Proxy-</code>`
or `<code title="">Sec-</code>` (including when it is just `<code title="">Proxy-</code>` or
`<code title="">Sec-</code>`).

<p class="note">These are forbidden so the user agent remains in full control over them.
<a href="#concept-header-name" title="concept-header-name">Names</a> starting with `<code title="">Sec-</code>` are
not allowed to be set to allow new <a href="#concept-header" title="concept-header">headers</a> to be minted
that are guaranteed not to come from <a href="#concept-fetch" title="concept-fetch">fetching</a> end points
that allow control over <a href="#concept-header" title="concept-header">headers</a> by authors, such as
<code class="external"><a href="http://xhr.spec.whatwg.org/#xmlhttprequest">XMLHttpRequest</a></code>.
<a class="informative" href="#refsXHR">[XHR]</a>



<h3 id="responses"><span class="secno">2.3 </span>Responses</h3>

<p>The result of <a href="#concept-fetch" title="concept-fetch">fetch</a> is a
<dfn id="concept-response" title="concept-response">response</dfn>. A <a href="#concept-response" title="concept-response">response</a>
evolves over time. That is, not all its fields are available straight away.

<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
<dfn id="concept-response-type" title="concept-response-type">type</dfn> which is one of <i title="">default</i>,
<i title="">redirect</i>, and <i title="">error</i>. Unless stated otherwise, it is
<i title="">default</i>.

<p>A <a href="#concept-response" title="concept-response">response</a> can have an associated
<dfn id="concept-response-termination-reason" title="concept-response-termination-reason">termination reason</dfn> which is one of
<i title="">end-user abort</i>, <i title="">fatal</i>, and <i title="">timeout</i>.

<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
<dfn id="concept-response-status" title="concept-response-status">status</dfn>,
<dfn id="concept-response-status-message" title="concept-response-status-message">status message</dfn>,
<dfn id="concept-response-location" title="concept-response-location">location</dfn>,
<dfn id="concept-response-headers" title="concept-response-headers">headers</dfn>, and a
<dfn id="concept-response-body" title="concept-response-body">body</dfn>.

<hr>

<p>Unless stated otherwise, a <a href="#concept-response" title="concept-response">response</a>'s
<a href="#concept-response-status" title="concept-response-status">status</a> is <code title="">200</code>,
<a href="#concept-response-status-message" title="concept-response-status-message">status message</a> is `<code title="">OK</code>`,
<a href="#concept-response-location" title="concept-response-location">location</a> is null,
<a href="#concept-response-headers" title="concept-response-headers">headers</a> is an empty list, and
<a href="#concept-response-body" title="concept-response-body">body</a> is null,

<p>A <a href="#concept-response" title="concept-response">response</a> whose
<a href="#concept-response-type" title="concept-response-type">type</a> is <i title="">error</i> is known as a
<dfn id="concept-network-error" title="concept-network-error">network error</dfn>.

<p>A <a href="#concept-network-error" title="concept-network-error">network error</a>'s
<a href="#concept-response-status" title="concept-response-status">status</a> is <code title="">0</code>,
<a href="#concept-response-status-message" title="concept-response-status-message">status message</a> is the empty byte sequence,
<a href="#concept-response-location" title="concept-response-location">location</a> is null,
<a href="#concept-response-headers" title="concept-response-headers">headers</a> is an empty list, and
<a href="#concept-response-body" title="concept-response-body">body</a> is null.

<p>A <a href="#concept-response" title="concept-response">response</a> whose
<a href="#concept-response-type" title="concept-response-type">type</a> is <i title="">redirect</i> is known as a
<dfn id="concept-redirect" title="concept-redirect">redirect</dfn>.

<hr>

<p>A <dfn id="concept-filtered-response" title="concept-filtered-response">filtered response</dfn> is a limited view on a
<a href="#concept-response" title="concept-response">response</a>. This
<a href="#concept-response" title="concept-response">response</a> is referred to as the
<a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a>'s associated
<dfn id="concept-internal-response" title="concept-internal-response">internal response</dfn>.

<p class="note no-backref">The <a href="#concept-fetch" title="concept-fetch">fetch</a> algorithm returns
such a view to ensure APIs do not accidentally leak information. If the information is
required, e.g. to feed image data to a decoder, the associated
<a href="#concept-internal-response" title="concept-internal-response">internal response</a> can be used.

<p>A <dfn id="concept-filtered-response-basic" title="concept-filtered-response-basic">basic filtered response</dfn> is a
<a href="#concept-filtered-response" title="concept-filtered-response">filtered responses</a> whose
<a href="#concept-response-headers" title="concept-response-headers">response headers</a> exclude any
<a href="#concept-header" title="concept-header">headers</a> in
<a href="#concept-internal-response" title="concept-internal-response">internal response</a>'s
<a href="#concept-response-headers" title="concept-response-headers">response headers</a> whose
<a href="#concept-header-name" title="concept-header-name">name</a> is `<code title="">Set-Cookie</code>` or
`<code title="">Set-Cookie2</code>`.

<p>A <dfn id="concept-filtered-response-cors" title="concept-filtered-response-cors">CORS filtered responses</dfn> is a
<a href="#concept-filtered-response" title="concept-filtered-response">filtered responses</a> whose
<a href="#concept-response-headers" title="concept-response-headers">response headers</a> exclude all
<a href="#concept-header" title="concept-header">headers</a> in
<a href="#concept-internal-response" title="concept-internal-response">internal response</a>'s
<a href="#concept-response-headers" title="concept-response-headers">response headers</a>, except those whose
<a href="#concept-header-name" title="concept-header-name">name</a> is either one of
`<code title="">Cache-Control</code>`, `<code title="">Content-Language</code>`,
`<code title="">Content-Type</code>`, `<code title="">Expires</code>`,
`<code title="">Last-Modified</code>`, and `<code title="">Pragma</code>`, and except those
whose <a href="#concept-header-name" title="concept-header-name">name</a> is one of the values of the
<a href="#concept-header-parse" title="concept-header-parse">parsed</a>
<a href="#concept-header-value" title="concept-header-value">value</a> of the
<a href="#concept-header" title="concept-header">header</a> in
<a href="#concept-internal-response" title="concept-internal-response">internal response</a>'s
<a href="#concept-response-headers" title="concept-response-headers">response headers</a> whose
<a href="#concept-header-name" title="concept-header-name">name</a> is
`<code title="http-access-control-expose-headers"><a href="#http-access-control-expose-headers">Access-Control-Expose-Headers</a></code>`.

<p>An <dfn id="concept-filtered-response-opaque" title="concept-filtered-response-opaque">opaque filtered responses</dfn> is a
<a href="#concept-filtered-response" title="concept-filtered-response">filtered responses</a> whose
<a href="#concept-response-type" title="concept-response-type">type</a> is <i title="">error</i>,
<a href="#concept-response-status" title="concept-response-status">status</a> is <code title="">0</code>,
<a href="#concept-response-status-message" title="concept-response-status-message">status message</a> is the empty byte sequence,
<a href="#concept-response-location" title="concept-response-location">location</a> is null,
<a href="#concept-response-headers" title="concept-response-headers">headers</a> is an empty list, and
<a href="#concept-response-body" title="concept-response-body">body</a> is null.

<p class="note no-backref">In other words, an
<a href="#concept-filtered-response-opaque" title="concept-filtered-response-opaque">opaque filtered response</a> is
indistinguishable from a <a href="#concept-network-error" title="concept-network-error">network error</a>. When
introducing new APIs, do not use the
<a href="#concept-internal-response" title="concept-internal-response">internal response</a> as you will leak
information.



<h2 id="http-extensions"><span class="secno">3 </span>HTTP extensions</h2>

<h3 id="http-origin-header"><span class="secno">3.1 </span>HTTP <code title="">Origin</code> header</h3>

<p>The `<dfn id="http-origin" title="http-origin"><code>Origin</code></dfn>` request
<a href="#concept-header" title="concept-header">header</a> indicates where a
<a href="#concept-fetch" title="concept-fetch">fetch</a> originates from.

<p class="note">The `<code title="http-origin"><a href="#http-origin">Origin</a></code>` header is a stripped-down version
of the `<code title="http-referer">Referer</code>` [sic] header as to not reveal confidential
<a class="external" href="http://url.spec.whatwg.org/#concept-url-path" title="concept-url-path">path</a> information. It is used for
all <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetches</a> whose <i title="">CORS flag</i> is
set as well as <a href="#concept-fetch" title="concept-fetch">fetches</a> where
<a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-method" title="concept-request-method">method</a> is `<code title="">POST</code>`. Due to
compatibility constraints it is not included in all fetches.
<!-- Ian Hickson told me Adam Barth researched that -->

<p>Its <a href="#concept-header-value" title="concept-header-value">value</a> ABNF:

<pre>Origin                           = origin-or-null

origin-or-null                   = origin / %x6E.75.6C.6C ; "null", case-sensitive
origin                           = <a class="external" href="http://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> "://" <a class="external" href="http://url.spec.whatwg.org/#concept-url-host" title="concept-url-host">host</a> [ ":" <a class="external" href="http://url.spec.whatwg.org/#concept-url-port" title="concept-url-port">port</a> ]</pre>

<p class="note">This replaces the syntax defined for the
`<code title="http-origin"><a href="#http-origin">Origin</a></code>` header by The Web Origin Concept. Unfortunately
that document cannot be updated to match reality without involving layers and layers of
bureaucracy. <a href="#refsORIGIN">[ORIGIN]</a>


<h3 id="http-cors-protocol"><span class="secno">3.2 </span>HTTP CORS protocol</h3>

<p>To allow sharing resources cross-origin and allow for more versatile HTTP requests than
possible with HTML's <code class="external"><a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/forms.html#the-form-element">form</a></code> element, the platform has
a <dfn id="cors-protocol">CORS protocol</dfn> layered on top of HTTP. It allows resources to declare they
can be shared with resources residing on a different <span>origin</span>.

<p class="note">It needs to be an opt-in mechanism to prevent leaking data from resources
behind a firewall (intranets). Additionally, for credentialed HTTP requests it needs to be
opt-in to prevent leaking potentially-sensitive data.

<p>This section explains the <a href="#cors-protocol">CORS protocol</a> as it pertains to servers.
Requirements for user agents are part of the <a href="#concept-fetch" title="concept-fetch">fetch</a>
algorithm.

<h4 id="general"><span class="secno">3.2.1 </span>General</h4>

<p>The <a href="#cors-protocol">CORS protocol</a> consists of a set of headers that indicates whether a
particular resource can be shared cross-origin.

<p>For HTTP requests that are more involved than what is possible with HTML's
<code class="external"><a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/forms.html#the-form-element">form</a></code> element, a <a href="#cors-preflight-fetch-0">CORS preflight fetch</a> is
performed, to ensure the resource understands the <a href="#cors-protocol">CORS protocol</a>.
<!-- XXX not an integrity check -->


<h4 id="http-requests"><span class="secno">3.2.2 </span>HTTP requests</h4>

<p>An HTTP request can be identified as pertaining in the <a href="#cors-protocol">CORS protocol</a> if it
includes an `<code title="http-origin"><a href="#http-origin">Origin</a></code>` header. This is named a
<dfn id="cors-request">CORS request</dfn>.

<p>An HTTP request can be identified as being a check to see if the
<a href="#cors-protocol">CORS protocol</a> is understood if it is a <a href="#cors-request">CORS request</a>, uses
`<code title="">OPTIONS</code>` as <a href="#concept-method" title="concept-method">method</a>, and includes
these <a href="#concept-header" title="concept-header">headers</a>:

<dl>
 <dt>`<dfn id="http-access-control-request-method" title="http-access-control-request-method"><code>Access-Control-Request-Method</code></dfn>`
 <dd><p>Indicates which <a href="#concept-method" title="concept-method">method</a> a future
 <a href="#cors-request">CORS request</a> to the same resource might use.

 <dt>`<dfn id="http-access-control-request-headers" title="http-access-control-request-headers"><code>Access-Control-Request-Headers</code></dfn>`
 <dd><p>Indicates which <a href="#concept-header" title="concept-header">headers</a> a future
 <a href="#cors-request">CORS request</a> to the same resource might use.
</dl>

<p>This is named a <dfn id="cors-preflight-request">CORS preflight request</dfn>.


<h4 id="http-responses"><span class="secno">3.2.3 </span>HTTP responses</h4>

<p>An HTTP response to a <a href="#cors-request">CORS request</a> can include the following
<a href="#concept-header" title="concept-header">headers</a>:

<dl>
 <dt>`<dfn id="http-access-control-allow-origin" title="http-access-control-allow-origin"><code>Access-Control-Allow-Origin</code></dfn>`
 <dd><p>Indicates whether a resource can be shared, via returning the literal
 <a href="#concept-header-value" title="concept-header-value">value</a> of the
 <code title="http-origin"><a href="#http-origin">Origin</a></code> request
 <a href="#concept-header" title="concept-header">header</a> (which can be `<code title="">null</code>`) or
 `<code title="">*</code>` in a response.

 <dt>`<dfn id="http-access-control-allow-credentials" title="http-access-control-allow-credentials"><code>Access-Control-Allow-Credentials</code></dfn>`
 <dd>
  <p>Indicates whether a resource can be shared when
  <a href="#concept-request" title="concept-request">request</a>'s
  <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is
  <i title="">never</i>.

  <p class="note">For a <a href="#cors-preflight-request">CORS preflight request</a>,
  <a href="#concept-request" title="concept-request">request</a>'s
  <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is always
  <i title="">never</i>, but for any subsequent
  <a href="#cors-request" title="CORS request">CORS requests</a> it might not be. Support therefore needs
  to be indicated as part of the HTTP response to the <a href="#cors-preflight-request">CORS preflight request</a>
  as well.
</dl>

<p>An HTTP response to a <a href="#cors-preflight-request">CORS preflight request</a> can include the following
<a href="#concept-header" title="concept-header">headers</a>:

<dl>
 <dt>`<dfn id="http-access-control-allow-methods" title="http-access-control-allow-methods"><code>Access-Control-Allow-Methods</code></dfn>`
 <dd>
  <p>Indicates which <a href="#concept-method" title="concept-method">methods</a> are supported by the
  resource for the purposes of the <a href="#cors-protocol">CORS protocol</a>.

  <p class="note">The `<code title="">Allow</code>` <a href="#concept-header" title="concept-header">header</a> is
  not relevant for the purposes of the <a href="#cors-protocol">CORS protocol</a>.

 <dt>`<dfn id="http-access-control-allow-headers" title="http-access-control-allow-headers"><code>Access-Control-Allow-Headers</code></dfn>`
 <dd><p>Indicates which <a href="#concept-header" title="concept-header">headers</a> are supported by the
 resource for the purposes of the <a href="#cors-protocol">CORS protocol</a>.

 <dt>`<dfn id="http-access-control-max-age" title="http-access-control-max-age"><code>Access-Control-Max-Age</code></dfn>`
 <dd><p>Indicates how long the information provided by the
 `<code title="http-access-control-allow-methods"><a href="#http-access-control-allow-methods">Access-Control-Allow-Methods</a></code>` and
 `<code title="http-access-control-allow-headers"><a href="#http-access-control-allow-headers">Access-Control-Allow-Headers</a></code>`
 <a href="#concept-header" title="concept-header">headers</a> can be cached.
</dl>

<p>An HTTP response to a <a href="#cors-request">CORS request</a> that is not a
<a href="#cors-preflight-request">CORS preflight request</a> can also include the following
<a href="#concept-header" title="concept-header">header</a>:

<dl>
 <dt>`<dfn id="http-access-control-expose-headers" title="http-access-control-expose-headers"><code>Access-Control-Expose-Headers</code></dfn>`
 <dd><p>Indicates which <a href="#concept-header" title="concept-header">headers</a> can be exposed as part
 of the HTTP response, via listing their <a href="#concept-header-name" title="concept-header-name">names</a>.
</dl>


<h4 id="http-new-header-syntax"><span class="secno">3.2.4 </span>HTTP new header syntax</h4>

<p>ABNF for the <a href="#concept-header-value" title="concept-header-value">values</a> of the
<a href="#concept-header" title="concept-header">headers</a> used by the <a href="#cors-protocol">CORS protocol</a>:

<pre>Access-Control-Request-Method    = <a class="external" href="http://tools.ietf.org/html/rfc2616/#section-5.1.1">Method</a>
Access-Control-Request-Headers   = #<a class="external" href="http://tools.ietf.org/html/rfc2616/#section-4.2">field-name</a>

Access-Control-Allow-Origin      = origin-or-null / "*"
Access-Control-Allow-Credentials = %x74.72.75.65 ; "true", case-sensitive
Access-Control-Expose-Headers    = #<a class="external" href="http://tools.ietf.org/html/rfc2616/#section-4.2">field-name</a>
Access-Control-Max-Age           = <a class="external" href="http://tools.ietf.org/html/rfc2616/#section-3.3.2">delta-seconds</a>
Access-Control-Allow-Methods     = #<a class="external" href="http://tools.ietf.org/html/rfc2616/#section-5.1.1">Method</a>
Access-Control-Allow-Headers     = #<a class="external" href="http://tools.ietf.org/html/rfc2616/#section-4.2">field-name</a></pre>



<h2 id="fetching"><span class="secno">4 </span>Fetching</h2>

<div class="note no-backref">
 <p>The algorithm below defines <a href="#concept-fetch" title="concept-fetch">fetching</a>. In broad
 strokes, it takes a <a href="#concept-request" title="concept-request">request</a> and outputs a
 <a href="#concept-response" title="concept-response">response</a>.

 <p>That is, it either returns a <a href="#concept-response" title="concept-response">response</a> if
 <a href="#concept-request" title="concept-request">request</a>'s <a href="#synchronous-flag">synchronous flag</a> is set, or it
 <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#queue-a-task" title="queue a task">queues</a>
 <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#concept-task" title="concept-task">tasks</a> annotated
 <a href="#process-response">process response</a>, <a href="#process-response-body">process response body</a>, and
 <a href="#process-response-end-of-file">process response end-of-file</a> for the
 <a href="#concept-response" title="concept-response">response</a> on the
 <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#networking-task-source">networking task source</a>.

 <p>To capture uploads, if <a href="#concept-request" title="concept-request">request</a>'s
 <a href="#synchronous-flag">synchronous flag</a> is unset,
 <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#concept-task" title="concept-task">tasks</a> annotated
 <a href="#process-request-body">process request body</a> and <a href="#process-request-end-of-file">process request end-of-file</a> for the
 <a href="#concept-request" title="concept-request">request</a> can be
 <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#queue-a-task" title="queue a task">queued</a> on the
 <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#networking-task-source">networking task source</a>.
</div>

<p>To perform a <dfn id="concept-fetch" title="concept-fetch">fetch</dfn> using <var title="">request</var>,
optionally with a <i title="">CORS flag</i>, run the steps below. An ongoing
<a href="#concept-fetch" title="concept-fetch">fetch</a> can be
<dfn id="concept-fetch-terminate" title="concept-fetch-terminate">terminated</dfn> with reason <var title="">reason</var>,
which must be one of <i title="">end-user abort</i>, <i title="">fatal</i>, or
<i title="">timeout</i>.

<p class="note no-backref">The <i title="">CORS flag</i> is an internal manner for handling
<a href="#concept-redirect" title="concept-redirect">redirects</a>. Only use the <var title="">request</var>
parameter in other standards.

<ol>
 <li><p>Modify <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a> per
 HTTP Strict Transport Security, if applicable. <a href="#refsHSTS">[HSTS]</a>

 <li><p>Let <var title="">url</var> be <var title="">request</var>'s
 <a href="#concept-request-url" title="concept-request-url">url</a>.

 <li><p>Let <var title="">origin</var> be <var title="">request</var>'s
 <a href="#concept-request-origin" title="concept-request-origin">origin</a>.

 <li><p>If <var title="">request</var>'s <a href="#synchronous-flag">synchronous flag</a> is unset and
 <a href="#concept-fetch" title="concept-fetch">fetch</a> is not invoked recursively, run the remaining steps asynchronously.

 <li>
  <p>Let <var title="">response</var> be the value corresponding to the first matching
  statement:

  <dl class="switch">
   <dt><var title="">url</var>'s <span>origin</span> is <var title="">origin</var> and the <i title="">CORS flag</i> is unset
   <dt><var title="">url</var>'s <a class="external" href="http://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a>
   is one of "<code title="">about</code>", "<code title="">blob</code>", and "<code title="">data</code>",
   and <var title="">request</var>'s <a href="#concept-request-redirect-count" title="concept-request-redirect-count">redirect count</a> is zero

   <dd><p>The result of performing a <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using <var title="">request</var>.

   <dt><var title="">request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is
   "same-origin"

   <dd><p>A <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <dt><var title="">request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is
   "tainted cross-origin"
   <dd>
    <p>Set <var title="">request</var>'s
    <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a> to
    <i title="">opaque</i>.
    <p>The result of performing a <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using
    <var title="">request</var>.
    <!-- file URLs end up here as they are not same-origin typically. -->

   <dt><var title="">url</var>'s <span title="concept-url-scheme">scheme</span> is not one of
   "<code title="">http</code>" and "<code title="">https</code>"

   <dd><p>A <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <dt><var title="">request</var>'s <a href="#force-preflight-flag">force preflight flag</a> is set
   <dt><var title="">request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> is not
   a <a href="#simple-method">simple method</a>
   <dt>A <a href="#concept-header" title="concept-header">header</a> in <var title="">request</var>'s
   <span title="concept-author-headers">author headers</span> is not a <a href="#simple-header">simple header</a>
   <dd>
    <p>Set <var title="">request</var>'s
    <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a> to
    <i title="">CORS</i>.
    <p>The result of performing a <a href="#cors-fetch-with-preflight-0">CORS fetch with preflight</a> using <var title="">request.

   </var><dt>Otherwise
   <dd>
    <p>Set <var title="">request</var>'s
    <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a> to
    <i title="">CORS</i>.
    <p>The result of performing a <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using
    <var title="">request</var> with the <i title="">CORS flag</i> set.
  </dl>

 <li><p>If <a href="#concept-fetch" title="concept-fetch">fetch</a> is invoked recursively, return <var title="">response</var>.

 <li>
  <p>Set <var title="">response</var> to the following
  <a href="#concept-filtered-response" title="concept-filtered-response">filtered response</a> with
  <var title="">response</var> as its
  <a href="#concept-internal-response" title="concept-internal-response">internal response</a>, depending on
  <var title="">request</var>'s
  <a href="#concept-request-response-tainting" title="concept-request-response-tainting">response tainting</a>:

  <dl class="switch compact">
   <dt><i title="">basic</i>
   <dd><a href="#concept-filtered-response-basic" title="concept-filtered-response-basic">basic filtered response</a>
   <dt><i title="">CORS</i>
   <dd><a href="#concept-filtered-response-cors" title="concept-filtered-response-cors">CORS filtered response</a>
   <dt><i title="">opaque</i>
   <dd><a href="#concept-filtered-response-opaque" title="concept-filtered-response-opaque">opaque filtered response</a>
  </dl>

 <li><p>If <var title="">request</var>'s <a href="#synchronous-flag">synchronous flag</a> is set, wait for
 either <var title="">response</var> to have been fully transmitted or
 <var title="">response</var> to have a
 <a href="#concept-response-termination-reason" title="concept-response-termination-reason">termination reason</a>, and then
 return it.

 <li>
  <p>Otherwise, run these substeps:

  <ol>
   <li><p><a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#queue-a-task" title="queue a task">Queue</a> a
   <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#concept-task" title="concept-task">task</a> to
   <dfn id="process-response">process response</dfn> for <var title="">response</var>.

   <li><p>If <var title="">response</var> is a
   <a href="#concept-network-error" title="concept-network-error">network error</a>, terminate this algorithm.
   <span class="note">No point in continuing.</span>

   <li><p>Then, either once <var title="">response</var>'s
   <a href="#concept-response-body" title="concept-response-body">body</a> is at least one byte long or there is no
   <var title="">response</var>'s <a href="#concept-response-body" title="concept-response-body">body</a>,
   <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#queue-a-task" title="queue a task">queue</a> a
   <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#concept-task" title="concept-task">task</a> to
   <dfn id="process-response-body">process response body</dfn> for <var title="">response</var>. Keep
   <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#queue-a-task" title="queue a task">queuing</a>
   <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#concept-task" title="concept-task">tasks</a> to
   <a href="#process-response-body">process response body</a> for <var title="">response</var> every 50ms or for each
   byte of <var title="">response</var>'s <a href="#concept-response-body" title="concept-response-body">body</a>
   transmitted, whichever is <em>least</em> frequent, while <var title="">response</var> has
   no <a href="#concept-response-termination-reason" title="concept-response-termination-reason">termination reason</a>.

   <li>
    <p>Then, once <var title="">response</var>'s
    <a href="#concept-response-body" title="concept-response-body">body</a> is fully transmitted or has a
    <a href="#concept-response-termination-reason" title="concept-response-termination-reason">termination reason</a>,
    <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#queue-a-task" title="queue a task">queue</a> a
    <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#concept-task" title="concept-task">task</a> to
    <dfn id="process-response-end-of-file">process response end-of-file</dfn> for <var title="">response</var>

    <p class="note">This specification does not define what "fully transmitted" means.
    Ideally FTP/HTTP define this in detail, including when e.g.
    `<code title="">Content-Length</code>` is not supplied or is deemed faulty.
  </ol>

  <p>Use the <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#networking-task-source">networking task source</a> for these
  <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#concept-task" title="concept-task">tasks</a>.
</ol>


<h3 id="basic-fetch"><span class="secno">4.1 </span>Basic fetch</h3>

<p>To perform a <dfn id="concept-basic-fetch" title="concept-basic-fetch">basic fetch</dfn> using <var title="">request</var>, with an optional
<i title="">CORS flag</i> and <i title="">HTTP authentication flag</i>, switch on <var title="">request</var>'s
<a href="#concept-request-url" title="concept-request-url">url</a>'s
<a class="external" href="http://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> and run the associated
steps:

<dl class="switch">
 <dt>"<code title="">about</code>"
 <dd>
  <p>If <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>'s
  <a class="external" href="http://url.spec.whatwg.org/#concept-url-scheme-data" title="concept-url-scheme-data">scheme data</a> is
  "<code title="">blank</code>", return a <a href="#concept-response" title="concept-response">response</a> whose
  <a href="#concept-response-headers" title="concept-response-headers">headers</a> consist of a single
  <a href="#concept-header" title="concept-header">header</a> whose
  <a href="#concept-header-name" title="concept-header-name">name</a> is `<code title="">Content-Type</code>` and
  <a href="#concept-header-value" title="concept-header-value">value</a> is
  `<code title="">text/html;charset=utf-8</code>`, and
  <a href="#concept-response-body" title="concept-response-body">body</a> is the empty byte sequence.

  <!-- introduce about:unicorn
       http://html5.org/temp/unicorn.svg -->

  <p>Otherwise, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

  <p class="note no-backref"><a class="external" href="http://url.spec.whatwg.org/#concept-url" title="concept-url">URLs</a> such
  as "<code title="">about:config</code>" are handled during
  <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#navigate" title="navigate">navigation</a> and result in a
  <a href="#concept-network-error" title="concept-network-error">network error</a> in the context of
  <a href="#concept-fetch" title="concept-fetch">fetching</a>.

 <dt>"<code title="">blob</code>"
 <dd>
  <p class="XXX">It has been argued this should be handled outside of
  <a href="#concept-fetch" title="concept-fetch">fetching</a>.

 <dt>"<code title="">data</code>"
 <dd>
  <p>If <var title="">request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> is
  `<code title="">GET</code>` and
  <a href="http://simonsapin.github.com/data-urls/">obtaining a resource</a> from
  <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a> does not return
  failure, return a <a href="#concept-response" title="concept-response">response</a> whose
  <a href="#concept-response-headers" title="concept-response-headers">headers</a> consist of a single
  <a href="#concept-header" title="concept-header">header</a> whose
  <a href="#concept-header-name" title="concept-header-name">name</a> is `<code title="">Content-Type</code>` and
  <a href="#concept-header-value" title="concept-header-value">value</a> is the MIME type and parameters returned
  from <a href="http://simonsapin.github.com/data-urls/">obtaining a resource</a>, and
  <a href="#concept-response-body" title="concept-response-body">body</a> is the data returned from
  <a href="http://simonsapin.github.com/data-urls/">obtaining a resource</a>.
  <!-- XXX "obtaining a resource" needs a better reference -->

  <p>Otherwise, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

 <dt>"<code title="">file</code>"
 <dd>
  <p>For now, unfortunate as it is, <code title="">file</code>
  <a class="external" href="http://url.spec.whatwg.org/#concept-url" title="concept-url">URLs</a> are left as an exercise for the
  reader.

  <p>When in doubt, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

 <dt>"<code title="">ftp</code>"
 <dd>
  <p>Follow the requirements from FTP to retrieve a resource.

  <p class="XXX">Map the result to <a href="#concept-response" title="concept-response">response</a>.

 <dt>"<code title="">http</code>"
 <dt>"<code title="">https</code>"
 <dd>
  <p>Make an HTTP request following the requirements from HTTP and TLS as appropriate,
  with these additional constraints:

  <ol>
   <li>
    <p>Set the HTTP request method to <var title="">request</var>'s
    <a href="#concept-request-method" title="concept-request-method">method</a>.

    <p class="note no-backref"><a href="#concept-forbidden-methods" title="concept-forbidden-methods">Forbidden methods</a>
    are not supposed to reach this point.

   <li>
    <p>If <var title="">request</var>'s
    <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> is not null, include a
    `<code title="">Referer</code>` <a href="#concept-header" title="concept-header">header</a>
    whose <a href="#concept-header-value" title="concept-header-value">value</a> is <var title="">request</var>'s
    <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a>.

    <p class="note no-backref">User agents are encouraged to provide the end user with
    options to always exclude `<code title="">Referer</code>`
    <a href="#concept-header" title="concept-header">headers</a> or have it expose less sensitive
    information.

   <li>
    <p>If <var title="">request</var>'s <a href="#force-origin-header-flag">force <code>Origin</code> header flag</a> is
    set, include an `<code title="">Origin</code>` <a href="#concept-header" title="concept-header">header</a>
    whose <a href="#concept-header-value" title="concept-header-value">value</a> is <var title="">request</var>'s
    <a href="#concept-request-origin" title="concept-request-origin">origin</a>,
    <span class="XXX">serialized to a byte sequence</span>.

   <li>
    <p>Include all of <var title="">request</var>'s
    <a href="#concept-request-headers" title="concept-request-headers">headers</a> and let them replace any
    <a href="#concept-header" title="concept-header">headers</a> with the same
    <a href="#concept-header-name" title="concept-header-name">name</a> already present in the HTTP request.

   <li>
    <p>Include all of <var title="">request</var>'s
    <a href="#concept-request-author-headers" title="concept-request-author-headers">author headers</a> as long as their
    <a href="#concept-header-name" title="concept-header-name">name</a> is <em>not</em> already present in the
    HTTP request.

    <p class="note no-backref"><a href="#concept-forbidden-author-header-names" title="concept-forbidden-author-header-names">Forbidden author header names</a>
    are not supposed to reach this point.

   <li>
    <p>If <var title="">request</var>'s
    <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is
    <i title="">never</i> or <var title="">request</var>'s
    <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is
    <i title="">CORS</i> and the <i title="">CORS flag</i> is unset, run these substeps:

    <ol>
     <li><p>Include `<code title="">Cookie</code>` headers associated with
     <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>.
     <a href="#refsCOOKIES">[COOKIES]</a>

     <!-- http://wiki.whatwg.org/wiki/HTTP_Authentication -->
     <li><p>If there's an <b title="">authentication entry</b> for <var title="">request</var>'s
     <a href="#concept-request-url" title="concept-request-url">url</a> and either
     <var title="">request</var>'s <a href="#concept-request-use-url-credentials-flag" title="concept-request-use-url-credentials-flag">use URL credentials flag</a> is unset or
     <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>
     does not include credentials, include the <code>Authorization</code> header from the
     <b title="">authentication entry</b>.
     <!-- XXX need to define "includes credentials" in URL as username != "" and password != null??
              need to define the cache concept -->

     <li><p>Otherwise, if <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>
     includes credentials, and the <i title="">HTTP authentication flag</i> is set, include an
     <code>Authorization</code> header using those credentials.
     <!-- XXX ... -->
    </ol>

   <li>
    <p>If there's a <b title="">proxy authentication entry</b>, use it as appropriate.
    <a href="#refsHTTP">[HTTP]</a>

    <p class="note">This intentionally does not depend on <var title="">request</var>'s
    <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a>.

   <li>
    <p>If <var title="">request</var>'s <a href="#concept-request-body" title="concept-request-body">body</a> is
    non-null, include it, and <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#queue-a-task" title="queue a task">queue</a>
    a <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#concept-task" title="concept-task">task</a> every 50ms or for each
    byte of <var title="">request</var>'s <a href="#concept-request-body" title="concept-request-body">body</a>
    transmitted, whichever is <em>least</em> request, to <dfn id="process-request-body">process request body</dfn>
    for <var title="">request</var>.

    <p>If included, when <var title="">request</var>'s
    <a href="#concept-request-body" title="concept-request-body">body</a> is fully transmitted (and the HTTP
    request has not been observably terminated yet),
    <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#queue-a-task" title="queue a task">queue</a>
    a <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#concept-task" title="concept-task">task</a> to
    <dfn id="process-request-end-of-file">process request end-of-file</dfn> for <var title="">request</var>.

    <p>Use the <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#networking-task-source">networking task source</a>.
  </ol>

  <p>If the HTTP request is terminated before all headers from the resource are obtained,
  return a <a href="#concept-network-error" title="concept-network-error">network error</a>. If this is due to
  <a href="#concept-fetch" title="concept-fetch">fetch</a> being
  <a href="#concept-fetch-terminate" title="concept-fetch-terminate">terminated</a> with reason
  <var title="">reason</var>, set the return value's
  <a href="#concept-response-termination-reason" title="concept-response-termination-reason">termination reason</a> to
  <var title="">reason</var>.

  <p>Otherwise, when the headers from the resource are obtained, let
  <var title="">response</var> be a new <a href="#concept-response" title="concept-response">response</a> and set
  its fields appropriately.
  <!-- XXX do we need to spell this out? -->

  <p>If there are cookies to be set and either <var title="">request</var>'s
  <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is
  <i title="">never</i>, or <var title="">request</var>'s
  <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is
  <i title="">CORS</i> and the <i title="">CORS flag</i> is unset, run these steps:

  <ol>
   <li><p>Wait until ownership of the <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#storage-mutex">storage mutex</a> can
   be taken by this instance of the <a href="#concept-fetch" title="concept-fetch">fetch</a> algorithm.

   <li><p>Take ownership of the <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#storage-mutex">storage mutex</a>.

   <li>
    <p>Update the cookies. <a href="#refsCOOKIES">[COOKIES]</a>

    <p class="note">This is a fingerprinting vector.

   <li><p>Release the <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#storage-mutex">storage mutex</a> so that it is once
   again free.
  </ol>

  <p>If the <i title="">CORS flag</i> is set and a <a href="#cors-check-0">CORS check</a> for
  <var title="">request</var> and <var title="">response</var> returns failure, return a
  <a href="#concept-network-error" title="concept-network-error">network error</a>.

  <p>If <var title="">response</var>'s <a href="#concept-response-status" title="concept-response-status">status</a> is
  304, run these steps:

  <ol class="XXX">
   <li><p>For responses that are a result of a user agent generated conditional request
   the user agent must act as if the server gave a <code>200 OK</code> response with the
   appropriate content. The user agent must allow <span>author request headers</span> to
   override automatic cache validation (e.g. <code>If-None-Match</code> or
   <code>If-Modified-Since</code>), in which case <code>304 Not Modified</code> responses
   must be passed through.
  </ol>

  <p>Otherwise, if
  <var title="">response</var>'s <a href="#concept-response-status" title="concept-response-status">status</a> is
  301, 302, 303, 307, or 308, run these steps:

  <ol>
   <li><p>If <var title="">response</var>'s
   <a href="#concept-response-headers" title="concept-response-headers">headers</a> do not contain a
   <a href="#concept-header" title="concept-header">header</a> whose
   <a href="#concept-header-name" title="concept-header-name">name</a> is `<code title="">Location</code>`, return
   <var title="">response</var>.

   <li><p>If <var title="">response</var>'s
   <a href="#concept-response-headers" title="concept-response-headers">headers</a> contain more than one
   <a href="#concept-header" title="concept-header">header</a> whose
   <a href="#concept-header-name" title="concept-header-name">name</a> is `<code title="">Location</code>`, return a
   <a href="#concept-network-error" title="concept-network-error">network error</a>.
   <!-- only Gecko does this; if removed add "first" below -->

   <li><p>Let <var title="">location</var> be the
   <a href="#concept-header-value" title="concept-header-value">value</a> of the
   <a href="#concept-header" title="concept-header">header</a> whose
   <a href="#concept-header-name" title="concept-header-name">name</a> is `<code title="">Location</code>` within
   <var title="">response</var>'s <a href="#concept-response-headers" title="concept-response-headers">headers</a>.

   <li><p>Let <var title="">parsed location</var> be the result of
   <a class="external" href="http://url.spec.whatwg.org/#concept-url-parser" title="concept-url-parser">parsing</a>
   <var title="">location</var> with <var title="">request</var>'s
   <a href="#concept-request-url" title="concept-request-url">url</a>.

   <li><p>If <var title="">parsed location</var> is failure, return a
   <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li><p>If <var title="">request</var>'s
   <a href="#concept-request-redirect-count" title="concept-request-redirect-count">redirect count</a> is twenty, return a
   <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li><p>Increase <var title="">request</var>'s
   <a href="#concept-request-redirect-count" title="concept-request-redirect-count">redirect count</a> by one.

   <li><p>Set <var title="">response</var>'s <a href="#concept-response-type" title="concept-response-type">type</a> to
   <i title="">redirect</i>.

   <li><p>Set <var title="">response</var>'s
   <a href="#concept-response-location" title="concept-response-location">location</a> to
   <var title="">parsed location</var>.

   <li>
    <p>If <var title="">request</var>'s
    <a href="#concept-request-manual-redirect-flag" title="concept-request-manual-redirect-flag">manual redirect flag</a> is unset,
    run these substeps:

    <ol>
     <li><p>If the <i title="">CORS flag</i> is set and <var title="">response</var>'s
     <a href="#concept-response-location" title="concept-response-location">location</a>'s <span>origin</span> is not
     <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>'s
     <span>origin</span>, set <var title="">request</var>'s
     <a href="#concept-request-origin" title="concept-request-origin">origin</a> to a globally unique identifier.

     <li><p>If the <i title="">CORS flag</i> is set and <var title="">response</var>'s
     <a href="#concept-response-location" title="concept-response-location">location</a>'s
     <a class="external" href="http://url.spec.whatwg.org/#concept-url-username" title="concept-url-username">username</a> or
     <a class="external" href="http://url.spec.whatwg.org/#concept-url-password" title="concept-url-password">password</a> is non-null,
     return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

     <li><p>Set <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a> to
     <var title="">response</var>'s <a href="#concept-response-location" title="concept-response-location">location</a>.

     <li><p>Return the result of performing a <a href="#concept-fetch" title="concept-fetch">fetch</a> using
     <var title="">request</var>, with the <i title="">CORS flag</i> set if set.
    </ol>
  </ol>

  <p>Otherwise, if
  <var title="">response</var>'s <a href="#concept-response-status" title="concept-response-status">status</a> is 401,
  run these steps:

  <ol>
   <li><p>If the <i title="">CORS flag</i> is set, return <var title="">response</var>.

   <li class="XXX"><p>Needs testing: multiple <code>WWW-Authenticate</code> headers,
   missing, parsing issues.

   <li>
    <p>If <var title="">request</var>'s
    <a href="#concept-request-use-url-credentials-flag" title="concept-request-use-url-credentials-flag">use URL credentials flag</a>
    is unset, or the <i title="">HTTP authentication flag</i> is set, run these substeps:

    <ol>
     <li><p>Prompt the end user for a username and password.

     <li><p>Set <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>'s
     <a class="external" href="http://url.spec.whatwg.org/#concept-url-username" title="concept-url-username">username</a> and
     <a class="external" href="http://url.spec.whatwg.org/#concept-url-password" title="concept-url-password">password</a> to the given
     values.
     <!-- XXX sanitization? -->
    </ol>

   <li><p>Return the result of performing a <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using
   <var title="">request</var>, with the <i title="">HTTP authentication flag</i> set.
  </ol>

  <p>Otherwise, if
  <var title="">response</var>'s <a href="#concept-response-status" title="concept-response-status">status</a> is 407,
  run these steps:

  <ol>
   <li class="XXX"><p>Needs testing: multiple <code>Proxy-Authenticate</code> headers,
   missing, parsing issues.

   <li>
    <p>Prompt the end user as appropriate and store the result as appropriate as a
    <b title="">proxy authentication entry</b>.
    <a href="#refsHTTP">[HTTP]</a>

    <p class="note">Remaining details surrounding proxy authentication are defined by HTTP.

   <li><p>Return the result of performing <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using
   <var title="">request</var>.
  </ol>

  <p>If the <i title="">HTTP authentication flag</i> is set, create an <b title="">authentication entry</b> for
  <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a> and the given
  realm. <a href="#refsHTTPAUTH">[HTTPAUTH]</a>

  <p>Return <var title="">response</var>, but continue with the request and growing
  <var title="">response</var>'s <a href="#concept-response-body" title="concept-response-body">body</a>. If at any
  point <a href="#concept-fetch" title="concept-fetch">fetch</a> is
  <a href="#concept-fetch-terminate" title="concept-fetch-terminate">terminated</a> with reason
  <var title="">reason</var>, set <var title="">response</var>'s
  <a href="#concept-response-termination-reason" title="concept-response-termination-reason">termination reason</a> to
  <var title="">reason</var>. <span class="note">This modifies <var title="">response</var> after
  it has been returned. Logic in <a href="#concept-fetch" title="concept-fetch">fetch</a> takes care of the
  rest.</span>

 <dt>Otherwise
 <dd><p>Return a <a href="#concept-network-error" title="concept-network-error">network error</a>.
</dl>


<h3 id="cors-fetch-with-preflight"><span class="secno">4.2 </span>CORS fetch with preflight</h3>

<p>To perform a <dfn id="cors-fetch-with-preflight-0">CORS fetch with preflight</dfn> using <var title="">request</var>, run
these steps:

<ol>
 <li>
  <p>If

  <ul>
   <li>there is no <a href="#method-cache-match">method cache match</a> for
   <var title="">request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> using
   <var title="">request</var>, and
   <li>either <var title="">request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a>
   is a not <a href="#simple-method">simple method</a> or <var title="">request</var>'s
   <a href="#force-preflight-flag">force preflight flag</a> is set, and
   <li>there is at least one <a href="#concept-header" title="concept-header">header</a>
   <a href="#concept-header-name" title="concept-header-name">name</a> in <var title="">request</var>'s
   <a href="#concept-request-author-headers" title="concept-request-author-headers">author headers</a> for which there is no
   <a href="#header-name-cache-match">header name cache match</a> using <var title="">request</var> and for which the
   <a href="#concept-header" title="concept-header">header</a> is not a <a href="#simple-header">simple header</a>
  </ul>

  <p>then run these substeps:

  <ol>
   <li><p>Let <var title="">response</var> be a <a href="#cors-preflight-fetch-0">CORS preflight fetch</a> using
   <var title="">request</var>.

   <li><p>If <var title="">response</var> is a <a href="#concept-network-error" title="concept-network-error">network error</a>, return
   <var title="">response</var>.
  </ol>

 <li><p>Set <var title="">request</var>'s
 <a href="#concept-request-manual-redirect-flag" title="concept-request-manual-redirect-flag">manual redirect flag</a>.

 <li><p>Let <var title="">response</var> be a <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using
 <var title="">request</var> with the <i title="">CORS flag</i> set.

 <li><p>If <var title="">response</var> is a <a href="#concept-redirect" title="concept-redirect">redirect</a>, set its
 <a href="#concept-response-type" title="concept-response-type">type</a> to <i title="">error</i>.

 <li><p>If <var title="">response</var> is a <a href="#concept-network-error" title="concept-network-error">network error</a>,
 <a href="#cache-clear" title="cache-clear">clear</a> using <var title="">request</var>.

 <li><p>Return <var title="">response</var>.
</ol>


<h3 id="cors-preflight-fetch"><span class="secno">4.3 </span>CORS preflight fetch</h3>

<p>To perform a <dfn id="cors-preflight-fetch-0">CORS preflight fetch</dfn> using <var title="">request</var>, run these
steps:

<ol>
 <li><p>Let <var title="">preflight</var> be a new <a href="#concept-request" title="concept-request">request</a>.

 <li><p>Set <var title="">preflight</var>'s <a href="#concept-request-url" title="concept-request-url">url</a> to
 <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>.

 <li><p>Set <var title="">preflight</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a> to
 <var title="">request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a>.

 <li><p>Set <var title="">preflight</var>'s <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> to
 <var title="">request</var>'s <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a>.

 <li><p>Set <var title="">preflight</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> to
 `<code title="">OPTIONS</code>`.

 <li><p>Append a <a href="#concept-header" title="concept-header">header</a>
 <a href="#concept-header-name" title="concept-header-name">named</a>
 `<code title="http-access-control-request-method"><a href="#http-access-control-request-method">Access-Control-Request-Method</a></code>`
 with <a href="#concept-header-value" title="concept-header-value">value</a> <var title="">request</var>'s
 <a href="#concept-request-method" title="concept-request-method">method</a> to <var title="">preflight</var>'s
 <a href="#concept-request-headers" title="concept-request-headers">headers</a>.

 <li><p>Let <var title="">headers</var> be the <a href="#concept-header-name" title="concept-header-name">names</a>
 of <var title="">request</var>'s
 <a href="#concept-request-author-headers" title="concept-request-author-headers">author headers</a>, sorted
 lexicographically and <span class="XXX">byte lowercased</span>.

 <li><p>Let <var title="">header value</var> be the items in <var title="">headers</var>
 separated from each other by 0x2C 0x20.

 <li><p>Append a <a href="#concept-header" title="concept-header">header</a>
 <a href="#concept-header-name" title="concept-header-name">named</a>
 `<code title="http-access-control-request-headers"><a href="#http-access-control-request-headers">Access-Control-Request-Headers</a></code>`
 with <a href="#concept-header-value" title="concept-header-value">value</a> <var title="">header value</var> to
 <var title="">preflight</var>'s <a href="#concept-request-headers" title="concept-request-headers">headers</a>.

 <li><p>Set <var title="">preflight</var>'s
 <a href="#concept-request-manual-redirect-flag" title="concept-request-manual-redirect-flag">manual redirect flag</a>.

 <li><p>Let <var title="">response</var> be the result of performing a
 <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using <var title="">preflight</var> with the <i title="">CORS flag</i>
 set.

 <li>
  <p>If <var title="">response</var>'s <a href="#concept-response-status" title="concept-response-status">status</a> is
  in the range 200 to 299, run these substeps:
  <!-- CORS said 200 here but nobody implemented that:
       http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0078.html -->

  <ol>
   <li><p>Let <var title="">methods</var> be the result of
   <a href="#concept-header-parse" title="concept-header-parse">parsing</a> all <var title="">response</var>'s
   <a href="#concept-response-headers" title="concept-response-headers">headers</a>'
   <a href="#concept-header-name" title="concept-header-name">named</a>
   `<code title="http-access-control-allow-methods"><a href="#http-access-control-allow-methods">Access-Control-Allow-Methods</a></code>`.

   <li><p>Let <var title="">header names</var> be the result of
   <a href="#concept-header-parse" title="concept-header-parse">parsing</a> all <var title="">response</var>'s
   <a href="#concept-response-headers" title="concept-response-headers">headers</a>'
   <a href="#concept-header-name" title="concept-header-name">named</a>
   `<code title="http-access-control-allow-headers"><a href="#http-access-control-allow-headers">Access-Control-Allow-Headers</a></code>`.

   <li><p>If either <var title="">methods</var> or <var title="">header names</var> is failure,
   return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li>
    <p>If <var title="">methods</var> is empty <var title="">request</var>'s
    <a href="#force-preflight-flag">force preflight flag</a> is set, append <var title="">request</var>'s
    <a href="#concept-request-method" title="concept-request-method">method</a> to <var title="">methods</var>.

    <p class="note">This ensures that a <a href="#cors-preflight-fetch-0">CORS preflight fetch</a> that happened
    solely because of <var title="">request</var>'s <a href="#force-preflight-flag">force preflight flag</a> is too.

   <li><p>If <var title="">request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a>
   is not in <var title="">methods</var> and is not a <a href="#simple-method">simple method</a>, return
   failure.

   <li><p>If one of <var title="">request</var>'s
   <a href="#concept-request-headers" title="concept-request-headers">headers</a>'
   <a href="#concept-header-name" title="concept-header-name">names</a> is not in <var title="">header names</var> or
   its corresponding <a href="#concept-header" title="concept-header">header</a> is not a
   <a href="#simple-header">simple header</a>, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li><p>Let <var title="">max-age</var> be the result of
   <a href="#concept-header-parse" title="concept-header-parse">parsing</a> all <var title="">response</var>'s
   <a href="#concept-response-headers" title="concept-response-headers">headers</a>'
   <a href="#concept-header-name" title="concept-header-name">named</a>
   `<code title="http-access-control-max-age"><a href="#http-access-control-max-age">Access-Control-Max-Age</a></code>`.

   <li><p>If <var title="">max-age</var> is failure, set <var title="">max-age</var> to zero.

   <li><p>If <var title="">max-age</var> is greater than an imposed limit on
   <a href="#cache-max-age" title="cache-max-age">max-age</a>, set <var title="">max-age</var> to the imposed
   limit.

   <li><p>If the user agent does not provide for a cache, return
   <var title="">response</var>.

   <li><p>For each method in <var title="">methods</var> for which there is a
   <a href="#method-cache-match">method cache match</a> using <var title="">request</var>, set matching entry's
   <a href="#cache-max-age" title="cache-max-age">max-age</a> to <var title="">max-age</var>.

   <li>
    <p>For each <var title="">method</var> in <var title="">methods</var> for which there is
    <em>no</em>  <a href="#method-cache-match">method cache match</a> using <var title="">request</var>, create a
    new entry in the <a href="#cors-preflight-cache-0">CORS preflight cache</a> as follows:

    <dl>
     <dt><a href="#cache-origin" title="cache-origin">origin</a>
     <dd><var title="">request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a>

     <dt><a href="#cache-url" title="cache-url">url</a>
     <dd><var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>

     <dt><a href="#cache-max-age" title="cache-max-age">max-age</a>
     <dd><var title="">max-age</var>

     <dt><a href="#cache-credentials" title="cache-credentials">credentials</a>
     <dd>False if <var title="">request</var>'s
     <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is not
     <i title="">never</i>, and true otherwise

     <dt><a href="#cache-method" title="cache-method">method</a></dt>
     <dd><var title="">method</var>
    </dl>

   <li><p>For each header name in <var title="">header names</var> for which there is a
   <a href="#header-name-cache-match">header name cache match</a> using <var title="">request</var>, set
   matching entry's <a href="#cache-max-age" title="cache-max-age">max-age</a> to <var title="">max-age</var>.

   <li>
    <p>For each <var title="">header name</var> in <var title="">header names</var> for which
    there is <em>no</em> <a href="#header-name-cache-match">header name cache match</a> using
    <var title="">request</var>, create a new entry in the <a href="#cors-preflight-cache-0">CORS preflight cache</a>
    as follows:

    <dl>
     <dt><a href="#cache-origin" title="cache-origin">origin</a>
     <dd><var title="">request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a>

     <dt><a href="#cache-url" title="cache-url">url</a>
     <dd><var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>

     <dt><a href="#cache-max-age" title="cache-max-age">max-age</a>
     <dd><var title="">max-age</var>

     <dt><a href="#cache-credentials" title="cache-credentials">credentials</a>
     <dd>False if <var title="">request</var>'s
     <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is not
     <i title="">never</i>, and true otherwise

     <dt><a href="#cache-header-name" title="cache-header-name">header name</a></dt>
     <dd><var title="">header name</var>
    </dl>

   <li><p>Return <var title="">response</var>.
  </ol>

 <li><p>Otherwise, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.
</ol>


<h3 id="cors-preflight-cache"><span class="secno">4.4 </span>CORS preflight cache</h3>

<p>A <dfn id="cors-preflight-cache-0">CORS preflight cache</dfn> consists of a collection of entries where each
entry has these fields:
  <dfn id="cache-origin" title="cache-origin">origin</dfn>,
  <dfn id="cache-url" title="cache-url">url</dfn>,
  <dfn id="cache-max-age" title="cache-max-age">max-age</dfn>,
  <dfn id="cache-credentials" title="cache-credentials">credentials</dfn>,
  <dfn id="cache-method" title="cache-method">method</dfn>, and
  <dfn id="cache-header-name" title="cache-header-name">header name</dfn>.

<p>Entries must be removed after the seconds specified in the
<a href="#cache-max-age" title="cache-max-age">max-age</a> field have passed since storing the entry.
Entries may be removed before that moment arrives.

<p>To <dfn id="cache-clear" title="cache-clear">clear</dfn> entries using a <var title="">request</var>,
remove any entries in the <a href="#cors-preflight-cache-0">CORS preflight cache</a> whose
<a href="#cache-origin" title="cache-origin">origin</a> is <var title="">request</var>'s
<a href="#concept-request-origin" title="concept-request-origin">origin</a> and whose
<a href="#cache-url" title="cache-url">url</a> is <var title="">request</var>'s
<a href="#concept-request-url" title="concept-request-url">url</a>.

<p>There is a <dfn id="cache-match">cache match</dfn> for a <var title="">request</var> if
<a href="#cache-origin" title="cache-origin">origin</a> is <var title="">request</var>'s
<a href="#concept-request-origin" title="concept-request-origin">origin</a>, <a href="#cache-url" title="cache-url">url</a> is
<var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>, and either
<a href="#cache-credentials" title="cache-credentials">credentials</a> is false and <var title="">request</var>'s
<a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is not
<i title="">never</i> or
<a href="#cache-credentials" title="cache-credentials">credentials</a> is true and <var title="">request</var>'s
<a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is
<i title="">never</i>.

<p>There is a <dfn id="method-cache-match">method cache match</dfn> for a given method using <var title="">request</var>
when there is an entry in <a href="#cors-preflight-cache-0">CORS preflight cache</a> for which there is a
<a href="#cache-match">cache match</a> for <var title="">request</var> and its
<a href="#cache-method" title="cache-method">method</a> is the given method.

<p>There is a <dfn id="header-name-cache-match">header name cache match</dfn> for a given header name using <var title="">request</var>
when there is an entry in <a href="#cors-preflight-cache-0">CORS preflight cache</a> for which there is a
<a href="#cache-match">cache match</a> for <var title="">request</var> and its
<a href="#cache-header-name" title="cache-header-name">header name</a> is the given header name.


<h3 id="cors-check"><span class="secno">4.5 </span>CORS check</h3>

<p>To perform a <dfn id="cors-check-0">CORS check</dfn> for a <var title="">request</var> and
<var title="">response</var>, run these steps:

<ol>
 <li><p>If <var title="">response</var>'s <a href="#concept-response-headers" title="concept-response-headers">headers</a>
 contains zero or more than one <a href="#concept-header" title="concept-header">header</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is
 `<code title="http-access-control-allow-origin"><a href="#http-access-control-allow-origin">Access-Control-Allow-Origin</a></code>`, return
 failure.

 <li><p>Let <var title="">result</var> be the <a href="#concept-header-value" title="concept-header-value">value</a>
 of the <a href="#concept-header" title="concept-header">header</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is
 `<code title="http-access-control-allow-origin"><a href="#http-access-control-allow-origin">Access-Control-Allow-Origin</a></code>` within
 <var title="">response</var>'s <a href="#concept-response-headers" title="concept-response-headers">headers</a>.

 <li><p>If <var title="">request</var>'s
 <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is not
 <i title="">never</i> and <var title="">result</var> is `<code title="">*</code>`, return success.

 <li><p>If <var title="">request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a>
 serialized to a byte sequence is not <var title="">result</var>, return failure.
 <!-- XXX serialized to a byte sequence -->

 <li><p>If <var title="">request</var>'s
 <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is not
 <i title="">never</i>, return success.

 <li><p>If <var title="">response</var>'s <a href="#concept-response-headers" title="concept-response-headers">headers</a>
 contains zero or more than one <a href="#concept-header" title="concept-header">header</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is
 `<code title="http-access-control-allow-credentials"><a href="#http-access-control-allow-credentials">Access-Control-Allow-Credentials</a></code>`,
 return failure.

 <li><p>If the <a href="#concept-header-value" title="concept-header-value">value</a>
 of the <a href="#concept-header" title="concept-header">header</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is
 `<code title="http-access-control-allow-credentials"><a href="#http-access-control-allow-credentials">Access-Control-Allow-Credentials</a></code>`
 within <var title="">response</var>'s <a href="#concept-response-headers" title="concept-response-headers">headers</a> is
 `<code title="">true</code>`, return success.

 <li><p>Return failure.
</ol>



<h2 class="no-num" id="html-fetch">HTML fetch</h2>

<p>HTML defines two algorithms for obtaining resources. To ease transitioning towards this
specification, a mapping is defined between these "legacy" algorithms and
<a href="#concept-fetch" title="concept-fetch">fetch</a>.

<p>When a user agent is to <dfn id="concept-legacy-fetch" title="concept-legacy-fetch">fetch</dfn> a resource or
URL, optionally <strong>from</strong> an origin <i title="">origin</i>, optionally
<strong>using</strong> a specific <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#referrer-source">referrer source</a>
<var title="">referrer source</var>, and optionally with any of a
<i title="">synchronous flag</i>, a <i>manual redirect flag</i>, a
<i>force same-origin flag</i>, and a <i>block cookies flag</i>, the following
steps must be run:

<p class="note">The <i>block cookies flag</i> is obsolete now.

 <!-- if invoked with the synchronous flag, make sure to release the storage mutex first -->

 <!-- synchronous flag is only to be used in algorithms that are themselves asynchronous! Only
 sync-XHR is allowed to make the mistake of screwing that up. :-P -->

 <!-- the force same-origin flag is for use in places where we'll be moving to CORS one day; when
 used, the algorithm must be invoked with a URL (not something else, like a POST request) whose
 origin is the same as the /origin/, which must also be present, and the algorithm must not be
 invoked with the manual redirect flag. -->

<ol>
  <li><p>If the <code class="external"><a href="http://dom.spec.whatwg.org/#document">Document</a></code> with which any
  <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#concept-task" title="concept-task">tasks</a>
  <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.html#queue-a-task" title="queue a task">queued</a> by this
  algorithm would be associated doesn't have an associated
  <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#browsing-context">browsing context</a>, then terminate these
  steps.

<!--(redundant with 'at a time convenient...' below)
  <li><p>Optionally, wait until the <code>Document</code> with which any <span
  title="concept-task">tasks</span> <span title="queue a task">queued</span> by this algorithm
  would be associated is <span title="active document">active</span>.</p></li>
-->

 <li><p>Let <var title="">req</var> be a new <a href="#concept-request" title="concept-request">request</a>.

 <li><p>If this algorithm was invoked with "from an origin", set  <var title="">req</var>'s
 <a href="#concept-request-origin" title="concept-request-origin">origin</a> to <var title="">origin</var>.

 <li><p>Set <var title="">req</var>'s <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> to
 the result of <a href="#determine-referrer" title="determine referrer">determining referrer</a> using
 <var title="">referrer source</var> (if given).

 <li><p>Set <var title="">req</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> to
 same-origin if the <i>force same-origin flag</i> is set, and to tainted cross-origin
 otherwise.

 <li><p>Set <var title="">req</var>'s
 <a href="#concept-request-manual-redirect-flag" title="concept-request-manual-redirect-flag">manual redirect flag</a> if
 <i>manual redirect flag</i> is set.

 <li><p>Set <var title="">req</var>'s <a href="#synchronous-flag">synchronous flag</a> if
 <i title="">synchronous flag</i> is set.

 <li><p><a href="#concept-fetch" title="concept-fetch">fetch</a> <var title="">req</var>.
</ol>


<p>When the user agent is required to perform a
<dfn id="concept-legacy-potentially-cors-enabled-fetch" title="concept-legacy-potentially-cors-enabled-fetch">potentially CORS-enabled fetch</dfn>
of an <var title="">URL</var> with a mode <var title="">mode</var> that is either
"No CORS", "Anonymous", or "Use Credentials", optionally using a
<a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#referrer-source">referrer source</a>
<var title="">referrer source</var>, with an
<a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#origin">origin</a> <var title="">origin</var>, and with a
default origin behaviour <var title="">default</var> which is either "<i>taint</i>"
or "<i>fail</i>", it must run these steps:

<ol>
 <li><p>Let <var title="">req</var> be a new <a href="#concept-request" title="concept-request">request</a>.

 <li><p>Set <var title="">req</var>'s
 <a href="#concept-request-origin" title="concept-request-origin">origin</a> to <var title="">origin</var>.

 <li>
  <p>Set <var title="">req</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> to the value
  corresponding to the first matching statement:

  <dl class="switch">
   <dt><var title="">mode</var> is "No CORS" and <var title="">default</var> is "<i>fail</i>"
   <dd>same-origin

   <dt><var title="">mode</var> is "No CORS" and <var title="">default</var> is "<i>taint</i>"
   <dd>tainted cross-origin

   <dt>Otherwise
   <dd>CORS
  </dl>

 <li>
  <p>If <var title="">mode</var> is "Anonymous", set <var title="">req</var>'s
  <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> to
  <i title="">always</i>.
  <!-- XXX unset by default? -->
  <!-- nullify Origin / Referer too? -->

 <li><p>Set <var title="">req</var>'s
 <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> to the result of
 <a href="#determine-referrer" title="determine referrer">determining referrer</a> using
 <var title="">referrer source</var> (if given).

 <li><p><a href="#concept-fetch" title="concept-fetch">fetch</a> <var title="">req</var>.
</ol>

<p>To <dfn id="determine-referrer">determine referrer</dfn> optionally using a
<a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#referrer-source">referrer source</a> <var title="">referrer source</var>,
within the context of either <a href="#concept-legacy-fetch" title="concept-legacy-fetch">fetch</a> or
<a href="#concept-legacy-potentially-cors-enabled-fetch" title="concept-legacy-potentially-cors-enabled-fetch">potentially CORS-enabled fetch</a>,
run these steps:

<ol>
 <li><p>If there is a specific <var title="">referrer source</var>, and it is a
 <a class="external" href="http://url.spec.whatwg.org/#concept-url" title="concept-url">URL</a>, return
 <var title="">referrer source</var>.

 <li>
  <p>Let <var title="">document</var> be the appropriate
  <code class="external"><a href="http://dom.spec.whatwg.org/#document">Document</a></code> as given by the following list:

  <dl class="switch">
   <dt>If there is a <var title="">referrer source</var>
   <dd><var title="">referrer source</var>.

   <dt>When <span title="navigate">navigating</span>
   <dd>The <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#active-document">active document</a> of the
   <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#source-browsing-context">source browsing context</a>.

   <dt>When fetching resources for an element
   <dd>The element's <a class="external" href="http://dom.spec.whatwg.org/#concept-node-document" title="concept-node-document">node document</a>.
  </dl>

 <li><p>While <var title="">document</var> is
 <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#an-iframe-srcdoc-document">an <code>iframe</code> <code>srcdoc</code> document</a>,
 set <var title="">document</var> to <var title="">document</var>'s
 <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#browsing-context">browsing context</a>'s
 <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#browsing-context-container">browsing context container</a>'s
 <code class="external"><a href="http://dom.spec.whatwg.org/#document">Document</a></code> instead.

 <li><p>If <var title="">document</var>'s
 <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#origin">origin</a> is not a scheme/host/port tuple, let
 <var title="">referrer</var> be null.

 <li><p>Otherwise, let <var title="">referrer</var> be
 <a class="external" href="http://www.whatwg.org/specs/web-apps/current-work/multipage/dom.html#the-document's-address">the document's address</a> of
 <var title="">document</var>.

 <li><p>If <var title="">referrer</var>'s
 <a class="external" href="http://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> is
 about/data/javascript, set <var title="">referrer</var> to null.

 <li><p>Return <var title="">referrer</var>.
</ol>



<h2 class="no-num" id="references">References</h2>
<div id="anolis-references"><dl><dt id="refsCOOKIES">[COOKIES]
<dd><cite><a href="http://tools.ietf.org/html/rfc6265">HTTP State Management Mechanism</a></cite>, Adam Barth. IETF.

<dt id="refsCORS">[CORS]
<dd>(Non-normative) <cite><a href="http://www.w3.org/TR/cors/">CORS (obsolete)</a></cite>, Anne van Kesteren. W3C.

<dt id="refsENCODING">[ENCODING]
<dd><cite><a href="http://encoding.spec.whatwg.org/">Encoding</a></cite>, Anne van Kesteren. WHATWG.

<dt id="refsHSTS">[HSTS]
<dd><cite><a href="http://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security</a></cite>, Jeff Hodges, Collin Jackson and Adam Barth. IETF.

<dt id="refsHTML">[HTML]
<dd>(Non-normative) <cite><a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/">HTML</a></cite>, Ian Hickson. WHATWG.

<dt id="refsHTTP">[HTTP]
<dd><cite><a href="http://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</a></cite>, Roy Fielding, James Gettys, Jeffrey Mogul et al.. IETF.

<dt id="refsHTTPAUTH">[HTTPAUTH]
<dd><cite><a href="http://tools.ietf.org/html/rfc2617">HTTP Authentication: Basic and Digest Access Authentication</a></cite>, J. Franks, Phillip Hallam-Baker, J. Hostetler et al.. IETF.

<dt id="refsHTTPVERBSEC">[HTTPVERBSEC]
<dd><cite><a href="http://www.kb.cert.org/vuls/id/867593">Multiple vendors' web servers enable HTTP TRACE method by default</a></cite>. US-CERT.

<dd><cite><a href="http://www.kb.cert.org/vuls/id/288308">Microsoft Internet Information Server (IIS) vulnerable to cross-site scripting via HTTP TRACK method</a></cite>. US-CERT.

<dd><cite><a href="http://www.kb.cert.org/vuls/id/150227">HTTP proxy default configurations allow arbitrary TCP connections</a></cite>. US-CERT.

<dt id="refsORIGIN">[ORIGIN]
<dd><cite><a href="http://tools.ietf.org/html/rfc6454">The Web Origin Concept</a></cite>, Adam Barth. IETF.

<dt id="refsRFC2119">[RFC2119]
<dd><cite><a href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a></cite>, Scott Bradner. IETF.

<dt id="refsURL">[URL]
<dd><cite><a href="http://url.spec.whatwg.org/">URL</a></cite>, Anne van Kesteren. WHATWG.

<dt id="refsXHR">[XHR]
<dd>(Non-normative) <cite><a href="http://xhr.spec.whatwg.org/">XMLHttpRequest</a></cite>, Anne van Kesteren. WHATWG.

</dl></div>



<h2 class="no-num" id="acknowledgments">Acknowledgments</h2>

<p>The editor would like to thank

Adam Barth,
Alexey Proskuryakov,
Arne Johannessen,
Arthur Barstow,
Benjamin Hawkes-Lewis,
Bert Bos,
Björn Höhrmann,
Boris Zbarsky,
Brad Hill,
Brad Porter,
Cameron McCormack,
Clement Pellerin,
Collin Jackson,
David Håsäther,
David Orchard,
Dean Jackson,
Eric Lawrence,
Frank Ellerman,
Frederick Hirsch,
Gavin Carothers,
Glenn Maynard,
Graham Klyne,
Hal Lockhart,
Hallvord R. M. Steen,
Henri Sivonen,
Ian Hickson,
Janusz Majnert,
Jesse M. Heines,
Jonas Sicking,
Julian Reschke,
Lachlan Hunt,
Lucas Gonze,
呂康豪 (Kang-Hao Lu),
Maciej Stachowiak,
Marc Silbey,
Marcos Caceres,
Mark Nottingham,
Mark S. Miller,
Martin Dürst,
Matt Oshry,
Matt Womer,
Mhano Harkness,
Michael Smith,
Mohamed Zergaoui,
Nikhil Marathe,
Nikunj Mehta,
Odin Hørthe Omdal,
Ondřej Žára,
Philip Jägenstedt,
R. Auburn,
Sharath Udupa,
Simon Pieters,
Sunava Dutta,
Surya Ismail,
Thomas Roessler,
Tyler Close,
Vladimir Dzhuvinov,
Wayne Carr, and
Zhenbin Xu

for being awesome.

<script id="head" src="http://www.whatwg.org/specs/web-apps/current-work/dfn.js"></script>