@@ -1912,20 +1912,20 @@ known as an <dfn export id=concept-aborted-network-error>aborted network error</
1912
1912
<a>network error</a> . This
1913
1913
<a for=/>response</a> is referred to as the
1914
1914
<a>filtered response</a> 's associated
1915
- <dfn export id=concept-internal-response for=internal >internal response</dfn> .
1915
+ <dfn export id=concept-internal-response for="filtered response" >internal response</dfn> .
1916
1916
1917
1917
<p class="note no-backref"> The <a for=/>fetch</a> algorithm returns such a view to ensure APIs do
1918
1918
not accidentally leak information. If the information needs to be exposed for legacy reasons, e.g.,
1919
- to feed image data to a decoder, the associated <a for=internal >internal response</a> can be used,
1920
- which is only "accessible" to internal specification algorithms and is never a
1919
+ to feed image data to a decoder, the associated <a for="filtered response" >internal response</a> can
1920
+ be used, which is only "accessible" to internal specification algorithms and is never a
1921
1921
<a>filtered response</a> itself.
1922
1922
1923
1923
<p> A <dfn export id=concept-filtered-response-basic>basic filtered response</dfn> is a
1924
1924
<a>filtered response</a> whose
1925
1925
<a for=response>type</a> is "<code> basic</code> " and
1926
1926
<a for=response>header list</a> excludes any
1927
1927
<a for=/>headers</a> in
1928
- <a for=internal >internal response</a> 's
1928
+ <a for="filtered response" >internal response</a> 's
1929
1929
<a for=response>header list</a> whose
1930
1930
<a for=header>name</a> is a
1931
1931
<a>forbidden response-header name</a> .
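Review bot: The `<dfn>` on the first `+` line is still marked `export`, but its scope changes from `for=internal` to `for="filtered response"`, so any other specification that links to this term with an explicit `for=internal` will stop resolving after this change. The unchanged `id=concept-internal-response` keeps fragment links stable, but nothing in the visible change mentions downstream specifications. Please list the ones that need a matching update in the commit message or PR description so they can be fixed together.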
@@ -1935,11 +1935,11 @@ which is only "accessible" to internal specification algorithms and is never a
1935
1935
<a for=response>type</a> is "<code> cors</code> " and
1936
1936
<a for=response>header list</a> excludes any
1937
1937
<a for=/>headers</a> in
1938
- <a for=internal >internal response</a> 's
1938
+ <a for="filtered response" >internal response</a> 's
1939
1939
<a for=response>header list</a> whose
1940
1940
<a for=header>name</a> is <em> not</em> a
1941
1941
<a>CORS-safelisted response-header name</a> , given
1942
- <a for=internal >internal response</a> 's
1942
+ <a for="filtered response" >internal response</a> 's
1943
1943
<a for=response>CORS-exposed header-name list</a> .
1944
1944
1945
1945
<p> An <dfn export id=concept-filtered-response-opaque>opaque filtered response</dfn> is a
@@ -1965,24 +1965,23 @@ is a <a>filtered response</a> whose
1965
1965
<a lt="opaque-redirect filtered response">opaque-redirect filtered responses</a> is harmless since
1966
1966
no redirects are followed.
1967
1967
1968
- <p> In other words, an <a>opaque filtered response</a>
1969
- and an
1970
- <a>opaque-redirect filtered response</a> are
1971
- nearly indistinguishable from a <a>network error</a> . When
1972
- introducing new APIs, do not use the <a for=internal>internal response</a>
1973
- for internal specification algorithms as that will leak information.
1968
+ <p> In other words, an <a>opaque filtered response</a> and an
1969
+ <a>opaque-redirect filtered response</a> are nearly indistinguishable from a <a>network error</a> .
1970
+ When introducing new APIs, do not use the <a for="filtered response">internal response</a> for
1971
+ internal specification algorithms as that will leak information.
1974
1972
1975
- <p> This also means that JavaScript APIs, such as <a attribute for=Response lt=ok><code>response.ok</code></a> ,
1976
- will return rather useless results.
1973
+ <p> This also means that JavaScript APIs, such as
1974
+ <a attribute for=Response lt=ok><code>response.ok</code></a> , will return rather useless results.
1977
1975
</div>
1978
1976
1979
1977
<p> To <dfn export for=response id=concept-response-clone>clone</dfn> a
1980
1978
<a for=/>response</a> <var> response</var> , run these steps:
1981
1979
1982
1980
<ol>
1983
- <li><p> If <var> response</var> is a <a>filtered response</a> , then return a new identical filtered
1984
- response whose <a lt="internal response" for=internal>internal response</a> is a
1985
- <a for=response>clone</a> of <var> response</var> 's <a for=internal>internal response</a> .
1981
+ <li><p> If <var> response</var> is a <a>filtered response</a> , then return a new identical
1982
+ <a>filtered response</a> whose <a for="filtered response">internal response</a> is a
1983
+ <a for=response>clone</a> of <var> response</var> 's
1984
+ <a for="filtered response">internal response</a> .
1986
1985
1987
1986
<li><p> Let <var> newResponse</var> be a copy of <var> response</var> , except for its
1988
1987
<a for=response>body</a> .
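Review bot: In the reflowed "In other words" paragraph, the sentence "do not use the internal response for internal specification algorithms as that will leak information" reads as contradicting the note in the first hunk, which says the internal response is only "accessible" to internal specification algorithms. The rewrap carries the wording over unchanged. Since these lines are being touched anyway, consider rephrasing so it is clear which use of the internal response is discouraged for new APIs. The clone step's switch from the plain text "filtered response" to `<a>filtered response</a>` and the removal of the redundant `lt="internal response"` both look good.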
@@ -3059,10 +3058,9 @@ Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-or
3059
3058
3060
3059
<p class="note no-backref"> Only HTML's navigate algorithm uses this check with
3061
3060
<var> forNavigation</var> set to true, and it's always for nested navigations. Otherwise,
3062
- <var> response</var> is either the <a for=internal >internal response</a> of an
3061
+ <var> response</var> is either the <a for="filtered response" >internal response</a> of an
3063
3062
<a>opaque filtered response</a> or a <a for=/>response</a> which will be the
3064
- <a for=internal>internal response</a> of an
3065
- <a>opaque filtered response</a> . [[HTML]]
3063
+ <a for="filtered response">internal response</a> of an <a>opaque filtered response</a> . [[HTML]]
3066
3064
3067
3065
<p> To perform a <dfn>cross-origin resource policy internal check</dfn> , given an
3068
3066
<a for=url>origin</a> <var> origin</var> , an <a for=/>embedder policy value</a>
@@ -3550,10 +3548,9 @@ optionally with a <i>recursive flag</i>, run these steps:
3550
3548
</ol>
3551
3549
3552
3550
<li>
3553
- <p> Set <var> response</var> to the following
3554
- <a>filtered response</a> with <var> response</var> as its
3555
- <a for=internal>internal response</a> , depending on
3556
- <var> request</var> 's <a for=request>response tainting</a> :
3551
+ <p> Set <var> response</var> to the following <a>filtered response</a> with <var> response</var> as
3552
+ its <a for="filtered response">internal response</a> , depending on <var> request</var> 's
3553
+ <a for=request>response tainting</a> :
3557
3554
3558
3555
<dl class="switch compact">
3559
3556
<dt> "<code> basic</code> "
@@ -3566,8 +3563,8 @@ optionally with a <i>recursive flag</i>, run these steps:
3566
3563
</ol>
3567
3564
3568
3565
<li><p> Let <var> internalResponse</var> be <var> response</var> , if <var> response</var> is a
3569
- <a>network error</a> , and <var> response</var> 's
3570
- <a for=internal>internal response</a> otherwise.
3566
+ <a>network error</a> , and <var> response</var> 's <a for="filtered response">internal response</a>
3567
+ otherwise.
3571
3568
3572
3569
<li>
3573
3570
<p> If <var> internalResponse</var> 's <a for=response>URL list</a> <a for=list>is empty</a> , then
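Review bot: The "Let internalResponse be" step branches on whether response is a network error and takes "response's internal response otherwise". The two actualResponse steps later in this diff branch on "is not a filtered response" instead. With the term now scoped `for="filtered response"`, the "otherwise" branch is only well defined if response is guaranteed to be a filtered response at this point, and the visible lines do not state that. Consider either matching the wording of the other two steps or adding a short assertion that response is a network error or a filtered response here.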
@@ -3845,7 +3842,7 @@ optional <i>CORS-preflight flag</i>, run these steps:
3845
3842
3846
3843
<li><p> Set <var> actualResponse</var> to <var> response</var> , if <var> response</var> is not a
3847
3844
<a>filtered response</a> , and to <var> response</var> 's
3848
- <a for=internal >internal response</a> otherwise.
3845
+ <a for="filtered response" >internal response</a> otherwise.
3849
3846
3850
3847
<li>
3851
3848
<p> If one of the following is true
@@ -3972,10 +3969,8 @@ optional <i>CORS-preflight flag</i>, run these steps:
3972
3969
<dd><p> Set <var> response</var> to a <a>network error</a> .
3973
3970
3974
3971
<dt> "<code> manual</code> "
3975
- <dd><p> Set <var> response</var> to an
3976
- <a>opaque-redirect filtered response</a>
3977
- whose <a for=internal>internal response</a> is
3978
- <var> actualResponse</var> .
3972
+ <dd><p> Set <var> response</var> to an <a>opaque-redirect filtered response</a> whose
3973
+ <a for="filtered response">internal response</a> is <var> actualResponse</var> .
3979
3974
3980
3975
<dt> "<code> follow</code> "
3981
3976
<dd><p> Set <var> response</var> to the result of performing <a>HTTP-redirect fetch</a> using
@@ -4001,7 +3996,7 @@ optional <i>CORS-preflight flag</i>, run these steps:
4001
3996
<ol>
4002
3997
<li><p> Let <var> actualResponse</var> be <var> response</var> , if <var> response</var> is not a
4003
3998
<a>filtered response</a> , and <var> response</var> 's
4004
- <a for=internal >internal response</a> otherwise.
3999
+ <a for="filtered response" >internal response</a> otherwise.
4005
4000
4006
4001
<li><p> If <var> actualResponse</var> 's <a for=response>location URL</a>
4007
4002
is null, then return <var> response</var> .
@@ -6966,12 +6961,10 @@ Developers have almost no control over
6966
6961
6967
6962
<h3 id=atomic-http-redirect-handling dfn class=no-num>Atomic HTTP redirect handling</h3>
6968
6963
6969
- <p> Redirects (a <a for=/>response</a> whose
6970
- <a for=response>status</a> or
6971
- <a for=internal>internal response</a> 's (if any)
6972
- <a for=response>status</a> is a <a>redirect status</a> ) are not exposed
6973
- to APIs. Exposing redirects might leak information not otherwise available through a cross-site
6974
- scripting attack.
6964
+ <p> Redirects (a <a for=/>response</a> whose <a for=response>status</a> or
6965
+ <a for="filtered response">internal response</a> 's (if any) <a for=response>status</a> is a
6966
+ <a>redirect status</a> ) are not exposed to APIs. Exposing redirects might leak information not
6967
+ otherwise available through a cross-site scripting attack.
6975
6968
6976
6969
<p id=example-xss-redirect class=example> A fetch to <code> https://example.org/auth</code> that includes a
6977
6970
<code> Cookie</code> marked <code> HttpOnly</code> could result in a redirect to
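Review bot: In the reflowed "Redirects (...)" sentence, the parenthetical "(if any)" still sits between "internal response's" and "status", which is hard to parse. Now that the link is `for="filtered response"`, it could say directly when an internal response exists. Consider something like "whose status, or whose internal response's status if it is a filtered response, is a redirect status". This is a wording suggestion only; the reflow itself does not change meaning.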