Overview.html

<!DOCTYPE html><html lang="en-US"><meta charset="utf-8">
<title>Fetch Standard</title>
<link href="//www.whatwg.org/style/specification" rel="stylesheet">
<link href="//resources.whatwg.org/logo-fetch.svg" rel="icon">

<div class="head">

<p><a class="logo" href="//www.whatwg.org/"><img alt="WHATWG" height="100" src="//resources.whatwg.org/logo-fetch.svg" width="100"></a>
<h1 id="cors">Fetch</h1>
<h2 class="no-num no-toc" id="living-standard-—-last-updated-2-may-2013">Living Standard — Last Updated 2 May 2013</h2>

<dl>
 <dt>This Version:
 <dd><a href="//fetch.spec.whatwg.org/">http://fetch.spec.whatwg.org/</a>

 <dt>Participate:
 <dd>Send feedback to <a href="http://www.whatwg.org/mailing-list">whatwg@whatwg.org</a> or
  <a href="https://www.w3.org/Bugs/Public/enter_bug.cgi?product=WHATWG&amp;component=Fetch">file a bug</a>
  (<a href="https://www.w3.org/Bugs/Public/buglist.cgi?product=WHATWG&amp;component=Fetch&amp;resolution=---">open bugs</a>)
 <dd><a href="//wiki.whatwg.org/wiki/IRC">IRC: #whatwg on Freenode</a>

 <dt>Version History:
 <dd><a href="https://github.com/whatwg/fetch/commits">https://github.com/whatwg/fetch/commits</a>

 <dt>Editor:
 <dd><a href="http://annevankesteren.nl/">Anne van Kesteren</a>
  (<a href="http://www.mozilla.org/">Mozilla</a>)
  &lt;<a href="mailto:annevk@annevk.nl">annevk@annevk.nl</a>&gt;
</dl>

<script async="" src="//resources.whatwg.org/file-bug.js"></script>

<p class="copyright"><a href="http://creativecommons.org/publicdomain/zero/1.0/" rel="license"><img alt="CC0" src="http://i.creativecommons.org/p/zero/1.0/80x15.png"></a>
To the extent possible under law, the editor has waived all copyright and
related or neighboring rights to this work. In addition, as of
2 May 2013, the editor has made this specification available
under the
<a href="http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0" rel="license">Open Web Foundation Agreement Version 1.0</a>,
which is available at
http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0.

</div>



<h2 class="no-num no-toc" id="abstract">Abstract</h2>

<p>The Fetch standard defines the overall architecture for obtaining resources given a URL
and a set of parameters. This concept is named fetching.



<h2 class="no-num no-toc" id="table-of-contents">Table of Contents</h2>

<!--begin-toc-->
<ol class="toc">
 <li><a class="no-num" href="#goals">Goals</a></li>
 <li><a class="no-num" href="#legacy">Legacy</a></li>
 <li><a href="#conformance"><span class="secno">1 </span>Conformance</a></li>
 <li><a href="#terminology"><span class="secno">2 </span>Terminology</a>
  <ol class="toc">
   <li><a href="#http"><span class="secno">2.1 </span>HTTP</a></li>
   <li><a href="#requests"><span class="secno">2.2 </span>Requests</a></li>
   <li><a href="#responses"><span class="secno">2.3 </span>Responses</a></ol></li>
 <li><a href="#cors-protocol"><span class="secno">3 </span>CORS protocol</a></li>
 <li><a href="#fetching"><span class="secno">4 </span>Fetching</a>
  <ol class="toc">
   <li><a href="#basic-fetch"><span class="secno">4.1 </span>Basic fetch</a></li>
   <li><a href="#cors-fetch-with-preflight"><span class="secno">4.2 </span>CORS fetch with preflight</a></li>
   <li><a href="#cors-preflight-fetch"><span class="secno">4.3 </span>CORS preflight fetch</a></li>
   <li><a href="#cors-preflight-cache"><span class="secno">4.4 </span>CORS preflight cache</a></li>
   <li><a href="#cors-check"><span class="secno">4.5 </span>CORS check</a></ol></li>
 <li><a href="#http-headers"><span class="secno">5 </span>HTTP headers</a></li>
 <li><a class="no-num" href="#references">References</a></li>
 <li><a class="no-num" href="#acknowledgments">Acknowledgments</a></ol>
<!--end-toc-->



<h2 class="no-num" id="goals">Goals</h2>

<p>To unify fetching across the web platform this specification supplants a number of algorithms and specifications:

<ul class="brief">
 <li>HTML Standard's fetch and potentially CORS-enabled fetch algorithms
 <li>CORS
 <li>HTTP <code title="">Origin</code> header semantics
</ul>

<p>Unifying fetching provides consistent handling of:

<ul class="brief">
 <li>Different URL schemes
 <li>HTTP redirects
 <li>Cross-origin requests
</ul>

<p>In due course, it should also help clarify the semantics of CSP and make provide a model to hook offline networking into.



<h2 class="no-num" id="legacy">Legacy</h2>

<p>HTML defines two algorithms. This maps these "legacy" algorithms to the new
<a href="#concept-fetch" title="concept-fetch">fetch</a>.

<p>When a user agent is to <dfn id="legacy-fetch" title="legacy-fetch">fetch</dfn> a resource or URL,
optionally <strong>from</strong> an origin <i title="">origin</i>, optionally
<strong>using</strong> a specific <span>referrer source</span> as an <i>override referrer source</i>,
and optionally with any of a <i title="">synchronous flag</i>, a <i>manual redirect flag</i>, a
<i>force same-origin flag</i>, and a <i>block cookies flag</i>, the following steps must be run:

<p class="note">The <i>block cookies flag</i> is obsolete now.

 <!-- if invoked with the synchronous flag, make sure to release the storage mutex first -->

 <!-- synchronous flag is only to be used in algorithms that are themselves asynchronous! Only
 sync-XHR is allowed to make the mistake of screwing that up. :-P -->

 <!-- the force same-origin flag is for use in places where we'll be moving to CORS one day; when
 used, the algorithm must be invoked with a URL (not something else, like a POST request) whose
 origin is the same as the /origin/, which must also be present, and the algorithm must not be
 invoked with the manual redirect flag. -->

<ol>
 <li><p>If there is a specific <i>override referrer source</i>, and it is a URL, then
  let <var title="">referrer</var> be the <i>override referrer source</i>.

 <li>
  <p>Otherwise, run these substeps:

  <ol>
   <li>
    <p>Let <var title="">document</var> be the appropriate <code>Document</code> as given by
    the following list:

    <dl class="switch">
     <dt>If there is a specific <i>override referrer source</i>
     <dd>The <i>override referrer source</i>.</dd>

     <dt>When <span title="navigate">navigating</span>
     <dd>The <span>active document</span> of the <span>source browsing context</span>.

     <dt>When fetching resources for an element
     <dd>The element's <span>node document</span>.
    </dl>

   <li><p>While <var title="">document</var> is
   <span>an <code>iframe</code> <code>srcdoc</code> document</span>, set
   <var title="">document</var> to
   <var title="">document</var>'s <span>browsing context</span>'s
   <span>browsing context container</span>'s <code>Document</code> instead.

   <li><p>If <var title="">document</var>'s <span>origin</span> is not a scheme/host/port tuple,
   then let <var title="">referrer</var> be null.

   <li><p>Otherwise, let <var title="">referrer</var> be <span>the document's address</span> of <var title="">document</var>.

   <li><p>If <var title="">referrer</var>'s <span title="concept-url-scheme">scheme</span> is
   about/data/javascript, set <var title="">referrer</var> to null.
  </ol>

 </li>

  <li><p>If the <code>Document</code> with which any <span title="concept-task">tasks</span>
  <span title="queue a task">queued</span> by this algorithm would be associated doesn't
  have an associated <span>browsing context</span>, then terminate these steps.

<!--(redundant with 'at a time convenient...' below)
  <li><p>Optionally, wait until the <code>Document</code> with which any <span
  title="concept-task">tasks</span> <span title="queue a task">queued</span> by this algorithm
  would be associated is <span title="active document">active</span>.</p></li>
-->

 <li><p>Let <var title="">req</var> be a new <a href="#concept-request" title="concept-request">request</a>.

 <li><p>If this algorithm was invoked with "from an origin", set  <var title="">req</var>'s
 <a href="#concept-request-origin" title="concept-request-origin">origin</a> to <var title="">origin</var>.

 <li><p>Set <var title="">req</var>'s <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> to
 <var title="">referrer</var>.

 <li><p>Set <var title="">req</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> to
 same-origin if the <i>force same-origin flag</i> is set, and to tainted cross-origin
 otherwise.

 <li><p>Set <var title="">req</var>'s
 <a href="#concept-request-manual-redirect-flag" title="concept-request-manual-redirect-flag">manual redirect flag</a> if
 <i>manual redirect flag</i> is set.

 <li><p>Set <var title="">req</var>'s <a href="#synchronous-flag">synchronous flag</a> if
 <i title="">synchronous flag</i> is set.

 <li><p><a href="#concept-fetch" title="concept-fetch">fetch</a> <var title="">req</var>.
</ol>


<p>When the user agent is required to perform a
<dfn id="legacy-potentially-cors-enabled-fetch" title="legacy-potentially-cors-enabled-fetch">potentially CORS-enabled fetch</dfn> of an
<var title="">URL</var> with a mode <var title="">mode</var> that is either
"No CORS", "Anonymous", or "Use Credentials", optionally using a <span>referrer source</span> <var title="">referrer source</var>, with an <span>origin</span> <var title="">origin</var>, and with a default origin behaviour
<var title="">default</var> which is either "<i>taint</i>" or "<i>fail</i>", it must run these steps:

<ol>
 <li><p>Let <var title="">req</var> be a new <a href="#concept-request" title="concept-request">request</a>.

 <li><p>Set <var title="">req</var>'s
 <a href="#concept-request-origin" title="concept-request-origin">origin</a> to <var title="">origin</var>.

 <li>
  <p>Set <var title="">req</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> to the value
  corresponding to the first matching statement:

  <dl class="switch">
   <dt><var title="">mode</var> is "No CORS" and <var title="">default</var> is "<i>fail</i>"
   <dd>same-origin

   <dt><var title="">mode</var> is "No CORS" and <var title="">default</var> is "<i>taint</i>"
   <dd>tainted cross-origin

   <dt>Otherwise
   <dd>CORS
  </dl>

 <li>
  <p>If <var title="">mode</var> is "Anonymous", set <var title="">req</var>'s
  <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> to
  <i title="">always</i>.
  <!-- XXX unset by default? -->
  <!-- nullify Origin / Referer too? -->

 <li class="XXX"><p>Determine <var title="">req</var>'s
 <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> as per <a href="#concept-fetch" title="concept-fetch">fetch</a>.

 <li><p><a href="#concept-fetch" title="concept-fetch">fetch</a> <var title="">req</var>.
</ol>



<h2 id="conformance"><span class="secno">1 </span>Conformance</h2>

<p>All diagrams, examples, and notes in this specification are
non-normative, as are all sections explicitly marked non-normative.
Everything else in this specification is normative.

<p>The key words "MUST", "MUST NOT", "REQUIRED", <!--"SHALL", "SHALL
NOT",--> "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in the normative parts of this specification are to be
interpreted as described in RFC2119. For readability, these words do
not appear in all uppercase letters in this specification.
<a href="#refsRFC2119">[RFC2119]</a>



<h2 id="terminology"><span class="secno">2 </span>Terminology</h2>

<p>This specification uses terminology from the Encoding and URL Standards.
<a href="#refsENCODING">[ENCODING]</a>
<a href="#refsURL">[URL]</a>


<p>A <dfn id="byte-string">byte string</dfn> is a <a class="external" href="http://encoding.spec.whatwg.org/#byte">byte</a> sequence
written down as a <a class="external" href="http://encoding.spec.whatwg.org/#string">string</a>. To avoid confusion with
an actual string quotation marks are omitted.

<p class="example">"<code title="">true</code>" is a
<a class="external" href="http://encoding.spec.whatwg.org/#string">string</a>, while <code title="">true</code> is a
<a href="#byte-string">byte string</a>.

<p>A <dfn id="case-insensitive-byte-string">case-insensitive byte string</dfn> is a <a href="#byte-string">byte string</a> that when
compared considers bytes in the range 0x41 to 0x5A to be a match for their corresponding
byte in the range 0x61 to 0x7A.

<p class="example">The
<a href="#case-insensitive-byte-string" title="case-insensitive byte string">case-insensitive byte strings</a>
<code title="">Content-Type</code> and <code title="">content-TYPE</code> are equal.


<h3 id="http"><span class="secno">2.1 </span>HTTP</h3>

<p>While <a href="#concept-fetch" title="concept-fetch">fetching</a> encompasses more than just HTTP, it
borrows a number of concepts from HTTP and applies these to resources obtained via other
means (e.g. via <code title="">data</code> URL).

<p>A <dfn id="concept-method" title="concept-method">method</dfn> is a <a href="#byte-string">byte string</a>.

<p>A <dfn id="concept-header" title="concept-header">header</dfn> consists of a
<dfn id="concept-header-name" title="concept-header-name">name</dfn> and <dfn id="concept-header-value" title="concept-header-value">value</dfn>.
A <a href="#concept-header-name" title="concept-header-name">name</a> is a
<a href="#case-insensitive-byte-string">case-insensitive byte string</a> and a
<a href="#concept-header-value" title="concept-header-value">value</a> is a <a href="#byte-string">byte string</a>.

<p>A <dfn id="simple-method">simple method</dfn> is a <a href="#concept-method" title="concept-method">method</a> that is
<code title="">GET</code>, <code title="">HEAD</code>, or <code title="">POST</code>.

<p>A <dfn id="simple-header">simple header</dfn> is a <a href="#concept-header" title="concept-header">header</a> whose
<a href="#concept-header-name" title="concept-header-name">name</a> is <code title="">Accept</code>,
<code title="">Accept-Language</code>, or <code title="">Content-Language</code>, or whose
<a href="#concept-header-name" title="concept-header-name">name</a> is <code title="">Content-Type</code> and
<a href="#concept-header-value" title="concept-header-value">value</a>, <span class="XXX">once parsed,</span> is
<code title="">application/x-www-form-urlencoded</code>,
<code title="">multipart/form-data</code>,
or <code title="">text/plain</code>.

<p class="XXX">What we never resolved in the old specification was whether only certain
parameters should be allowed and how exactly the MIME type parsing would work. Hopefully
<a href="http://mimesniff.spec.whatwg.org/#parse-a-mime-type">parsing MIME types</a> will
solve this.
<!-- example if people ask: "Content-Type: text/plain;" -->


<h3 id="requests"><span class="secno">2.2 </span>Requests</h3>

<p>The input to <a href="#concept-fetch" title="concept-fetch">fetch</a> is a
<dfn id="concept-request" title="concept-request">request</dfn>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-method" title="concept-request-method">method</dfn>. Unless stated otherwise a
<a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-method" title="concept-request-method">method</a> is <code title="">GET</code>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-url" title="concept-request-url">url</dfn> (a
<a class="external" href="http://url.spec.whatwg.org/#concept-parsed-url" title="concept-parsed-url">parsed URL</a>).

<p>A <a href="#concept-request" title="concept-request">request</a> has associated
<dfn id="concept-request-author-headers" title="concept-request-author-headers">author headers</dfn> and
<dfn id="concept-request-headers" title="concept-request-headers">headers</dfn>. Unless stated otherwise
<a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-author-headers" title="concept-request-author-headers">author headers</a>
and <a href="#concept-request-headers" title="concept-request-headers">headers</a> are empty lists of
<a href="#concept-header" title="concept-header">headers</a>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-origin" title="concept-request-origin">origin</dfn>, and
<dfn id="force-origin-header-flag">force <code title="">Origin</code> header flag</dfn>. Unless stated otherwise a
<a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-origin" title="concept-request-origin">origin</a> is null and its
<a href="#force-origin-header-flag">force <code title="">Origin</code> header flag</a> is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-referrer" title="concept-request-referrer">referrer</dfn>. Unless stated otherwise it is null.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-body" title="concept-request-body">body</dfn>. Unless stated otherwise a
<a href="#concept-request" title="concept-request">request</a>'s <a href="#concept-request-body" title="concept-request-body">body</a>
is null.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="synchronous-flag">synchronous flag</dfn>. Unless stated otherwise a
<a href="#concept-request" title="concept-request">request</a>'s <a href="#synchronous-flag">synchronous flag</a> is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-mode" title="concept-request-mode">mode</dfn>, which is one of <i title="">same-origin</i>,
<i title="">tainted cross-origin</i>, and <i title="">CORS</i>. Unless stated otherwise,
<a href="#concept-request" title="concept-request">request</a>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a>
is <i title="">tainted cross-origin</i>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="force-preflight-flag">force preflight flag</dfn>. Unless stated otherwise, it is unset and only relevant
when <a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-mode" title="concept-request-mode">mode</a> is <i title="">CORS</i>.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</dfn>, which is
one of <i title="">always</i>, <i title="">CORS</i>, and <i title="">never</i>.

<p class="XXX">I think we want the default to become <i title="">always</i>, but currently it
is <i title="">never</i>.

<p>A a<a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-use-url-credentials-flag" title="concept-request-use-url-credentials-flag">use URL credentials flag</dfn>.
Unless stated otherwise, it is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-manual-redirect-flag" title="concept-request-manual-redirect-flag">manual redirect flag</dfn>. Unless stated
otherwise, it is unset.

<p>A <a href="#concept-request" title="concept-request">request</a> has an associated
<dfn id="concept-request-redirect-count" title="concept-request-redirect-count">redirect count</dfn>.
Unless stated otherwise a <a href="#concept-request" title="concept-request">request</a>'s
<a href="#concept-request-redirect-count" title="concept-request-redirect-count">redirect count</a> is zero.


<h3 id="responses"><span class="secno">2.3 </span>Responses</h3>

<p>The result of <a href="#concept-fetch" title="concept-fetch">fetch</a> is a
<dfn id="concept-response" title="concept-response">response</dfn>. A <a href="#concept-response" title="concept-response">response</a>
is build incrementally over time. All its fields are not necessarily available straight
away.

<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
<dfn id="concept-response-type" title="concept-response-type">type</dfn> which is one of <i title="">default</i>,
<i title="">redirect</i>, and <i title="">error</i>. Unless stated otherwise, it is
<i title="">default</i>.

<p>A <a href="#concept-response" title="concept-response">response</a> has an associated
<dfn id="concept-response-status" title="concept-response-status">status</dfn>,
<dfn id="concept-response-status-message" title="concept-response-status-message">status message</dfn>,
<dfn id="concept-response-location" title="concept-response-location">location</dfn>,
<dfn id="concept-response-headers" title="concept-response-headers">headers</dfn>, and a
<dfn id="concept-response-body" title="concept-response-body">body</dfn>.

<p>A <a href="#concept-response" title="concept-response">response</a> is either <dfn id="cors-same-origin">CORS-same-origin</dfn> or
<dfn id="cors-cross-origin">CORS-cross-origin</dfn>. Unless otherwise indicated a
<a href="#concept-response" title="concept-response">response</a> is <a href="#cors-same-origin">CORS-same-origin</a>.

<p class="note">When introducing new APIs, unless there is a very good reason, only use
<a href="#concept-response" title="concept-response">responses</a> that are <a href="#cors-same-origin">CORS-same-origin</a> and
treat others as <a href="#concept-network-error" title="concept-network-error">network errors</a>. This distinction
is used today e.g. to allow <a href="#concept-response" title="concept-response">responses</a> from a different
<span>origin</span> not <a href="#concept-fetch" title="concept-fetch">fetched</a> using
<a href="#concept-request" title="concept-request">request</a>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a>
<i title="">CORS</i> to still be displayed using the HTML <code title="">img</code> element, but
not have their <a href="#concept-response-body" title="concept-response-body">body</a> extracted using the HTML
<code title="">canvas</code> element.

<hr>

<p>Unless stated otherwise, a <a href="#concept-response" title="concept-response">response</a>'s
<a href="#concept-response-status" title="concept-response-status">status</a> is <code title="">200</code>,
<a href="#concept-response-status-message" title="concept-response-status-message">status message</a> is <code title="">OK</code>,
<a href="#concept-response-location" title="concept-response-location">location</a> is null,
<a href="#concept-response-headers" title="concept-response-headers">headers</a> is an empty list, and
<a href="#concept-response-body" title="concept-response-body">body</a> is null,

<p>A <a href="#concept-response" title="concept-response">response</a> whose
<a href="#concept-response-type" title="concept-response-type">type</a> is <i title="">error</i> is known as a
<dfn id="concept-network-error" title="concept-network-error">network error</dfn>.

<p>A <a href="#concept-network-error" title="concept-network-error">network error</a>'s
<a href="#concept-response-status" title="concept-response-status">status</a> is <code title="">0</code>,
<a href="#concept-response-status-message" title="concept-response-status-message">status message</a> is the empty <a href="#byte-string">byte string</a>,
<a href="#concept-response-location" title="concept-response-location">location</a> is null,
<a href="#concept-response-headers" title="concept-response-headers">headers</a> is an empty list, and
<a href="#concept-response-body" title="concept-response-body">body</a> is null,

<p>A <a href="#concept-response" title="concept-response">response</a> whose
<a href="#concept-response-type" title="concept-response-type">type</a> is <i title="">redirect</i> is known as a
<dfn id="concept-redirect" title="concept-redirect">redirect</dfn>.



<h2 id="cors-protocol"><span class="secno">3 </span><dfn>CORS protocol</dfn></h2>

<p>To prevent leaking data from resources behind a firewall (intranets), the platform has
a <a href="#cors-protocol">CORS protocol</a> layered on top of HTTP. It allows resources to declare they
can be shared with resources residing on a different <span>origin</span>.

<p>This section explains the <a href="#cors-protocol">CORS protocol</a> as it pertains to servers.
Requirements for user agents are integrated in the <a href="#concept-fetch" title="concept-fetch">fetch</a>
algorithm.

<p class="XXX">



<h2 id="fetching"><span class="secno">4 </span>Fetching</h2>

<p>To perform a <dfn id="concept-fetch" title="concept-fetch">fetch</dfn> using <var title="">request</var>,
optionally with a <i title="">CORS flag</i>, run these steps:

<p class="note">The <i title="">CORS flag</i> within the <a href="#concept-fetch" title="concept-fetch">fetch</a>
algorithm is used for handling <a href="#concept-redirect" title="concept-redirect">redirects</a>. When using
<a href="#concept-fetch" title="concept-fetch">fetch</a> externally only the <var title="">request</var>
parameter should be passed.

<ol>
 <li><p>Let <var title="">url</var> be <var title="">request</var>'s
 <a href="#concept-request-url" title="concept-request-url">url</a>.

 <li><p>Let <var title="">origin</var> be <var title="">request</var>'s
 <a href="#concept-request-origin" title="concept-request-origin">origin</a>.

 <li><p>If <var title="">request</var>'s <a href="#synchronous-flag">synchronous flag</a> is unset and
 <a href="#concept-fetch" title="concept-fetch">fetch</a> is not invoked recursively, run the remaining steps asynchronously.

 <li>
  <p>Let <var title="">response</var> be the value corresponding to the first matching
  statement:

  <dl class="switch">
   <dt><var title="">url</var>'s <span>origin</span> is <var title="">origin</var> and the <i title="">CORS flag</i> is unset
   <dt><var title="">url</var>'s <a class="external" href="http://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a>
   is one of "<code title="">about</code>", "<code title="">blob</code>", and "<code title="">data</code>",
   and <var title="">request</var>'s <a href="#concept-request-redirect-count" title="concept-request-redirect-count">redirect count</a> is zero

   <dd><p>The result of performing a <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using <var title="">request</var>.

   <dt><var title="">request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is
   "same-origin"

   <dd><p>A <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <dt><var title="">request</var>'s <a href="#concept-request-mode" title="concept-request-mode">mode</a> is
   "tainted cross-origin"
   <dd>
    <p>The result of performing a <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using
    <var title="">request</var>, marked <a href="#cors-cross-origin">CORS-cross-origin</a>.
    <!-- file URLs end up here as they are not same-origin typically. -->

   <dt><var title="">url</var>'s <span title="concept-url-scheme">scheme</span> is not one of
   "<code title="">http</code>" and "<code title="">https</code>"

   <dd><p>A <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <dt><var title="">request</var>'s <a href="#force-preflight-flag">force preflight flag</a> is set
   <dt><var title="">request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> is not
   a <a href="#simple-method">simple method</a>
   <dt>A <a href="#concept-header" title="concept-header">header</a> in <var title="">request</var>'s
   <span title="concept-author-headers">author headers</span> is not a <a href="#simple-header">simple header</a>
   <dd><p>The result of performing a <a href="#cors-fetch-with-preflight-0">CORS fetch with preflight</a> using <var title="">request.

   </var><dt>Otherwise
   <dd><p>The result of performing a <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using
   <var title="">request</var> with the <i title="">CORS flag</i> set.
  </dl>

 <li><p>If <a href="#concept-fetch" title="concept-fetch">fetch</a> is invoked recursively, return <var title="">response</var>.

 <li><p>If <var title="">request</var>'s <a href="#synchronous-flag">synchronous flag</a> is set, wait for
 <var title="">response</var> to have been fully transmitted and then return it.

 <li><p>Keep <span>queueing</span> <span>tasks</span> on the
 <span>networking task source</span> until the <var title="">response</var> has been fully
 transmitted. If no transmission is taking place, <span>queue</span> at least one
 <span>task</span>.
</ol>


<h3 id="basic-fetch"><span class="secno">4.1 </span>Basic fetch</h3>

<p>To perform a <dfn id="concept-basic-fetch" title="concept-basic-fetch">basic fetch</dfn> using <var title="">request</var>, with an optional
<i title="">CORS flag</i> and <i title="">HTTP authentication flag</i>, switch on <var title="">request</var>'s
<a href="#concept-request-url" title="concept-request-url">url</a>'s
<a class="external" href="http://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> and run the associated
steps:

<dl class="switch">
 <dt>"<code title="">about</code>"
 <dd>
  <p>If <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>'s
  <a class="external" href="http://url.spec.whatwg.org/#concept-url-scheme-data" title="concept-url-scheme-data">scheme data</a> is
  "<code title="">blank</code>", return a <a href="#concept-response" title="concept-response">response</a> whose
  <a href="#concept-response-headers" title="concept-response-headers">headers</a> consist of a single
  <a href="#concept-header" title="concept-header">header</a> whose
  <a href="#concept-header-name" title="concept-header-name">name</a> is <code title="">Content-Type</code> and
  <a href="#concept-header-value" title="concept-header-value">value</a> is
  "<code title="">text/html;charset=utf-8</code>", and
  <a href="#concept-response-body" title="concept-response-body">body</a> is the empty string.

  <!-- introduce about:unicorn -->

  <p>Otherwise, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

 <dt>"<code title="">blob</code>"
 <dd>
  <p class="XXX">It has been argued this should be handled outside of
  <a href="#concept-fetch" title="concept-fetch">fetching</a>.

 <dt>"<code title="">data</code>"
 <dd>
  <p>If <var title="">request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> is
  <code title="">GET</code> and
  <a href="http://simonsapin.github.com/data-urls/">obtaining a resource</a> from
  <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a> does not return
  failure, return a <a href="#concept-response" title="concept-response">response</a> whose
  <a href="#concept-response-headers" title="concept-response-headers">headers</a> consist of a single
  <a href="#concept-header" title="concept-header">header</a> whose
  <a href="#concept-header-name" title="concept-header-name">name</a> is <code title="">Content-Type</code> and
  <a href="#concept-header-value" title="concept-header-value">value</a> is the MIME type and parameters returned
  from <a href="http://simonsapin.github.com/data-urls/">obtaining a resource</a>, and
  <a href="#concept-response-body" title="concept-response-body">body</a> is the data returned from
  <a href="http://simonsapin.github.com/data-urls/">obtaining a resource</a>.
  <!-- XXX "obtaining a resource" needs a better reference -->

  <p>Otherwise, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

 <dt>"<code title="">file</code>"
 <dd>
  <p>For now, unfortunate as it is, <code>file</code>
  <a class="external" href="http://url.spec.whatwg.org/#concept-url" title="concept-url">URLs</a> are left as an exercise for the
  reader.

  <p>When in doubt, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

 <dt>"<code title="">ftp</code>"
 <dd>
  <p>Follow the requirements from FTP to retrieve a resource.

  <p class="XXX">Map the result to <a href="#concept-response" title="concept-response">response</a>.

 <dt>"<code title="">http</code>"
 <dt>"<code title="">https</code>"
 <dd>
  <p>Set up an HTTP request following the requirements from HTTP and TLS as appropriate,
  with these additional constraints:

  <ol>
   <li>
    <p>If <var title="">request</var>'s
    <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> is not null, include a
    <code title="">Referer</code> <a href="#concept-header" title="concept-header">header</a>
    whose <a href="#concept-header-value" title="concept-header-value">value</a> is <var title="">request</var>'s
    <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a>.

    <p class="note">User agents are encouraged to provide the end user with options to
    always exclude <code title="">Referer</code> <a href="#concept-header" title="concept-header">headers </a>
    or have it expose less sensitive information.

   <li>
    <p>If <var title="">request</var>'s <a href="#force-origin-header-flag">force <code>Origin</code> header flag</a> is
    set, include an <code title="">Origin</code> <a href="#concept-header" title="concept-header">header</a>
    whose <a href="#concept-header-value" title="concept-header-value">value</a> is <var title="">request</var>'s
    <a href="#concept-request-origin" title="concept-request-origin">origin</a>,
    <span class="XXX">serialized to bytes</span>.

   <li>
    <p>Include all of <var title="">request</var>'s
    <a href="#concept-request-headers" title="concept-request-headers">headers</a> and let them replace any
    <a href="#concept-header" title="concept-header">headers</a> with the same
    <a href="#concept-header-name" title="concept-header-name">name</a> already present in the HTTP request.

   <li>
    <p>Include all of <var title="">request</var>'s
    <a href="#concept-request-author-headers" title="concept-request-author-headers">author headers</a> as long as their
    <a href="#concept-header-name" title="concept-header-name">name</a> is <em>not</em> present in the
    HTTP request.

   <li>
    <p>If <var title="">request</var>'s
    <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is
    <i title="">always</i> or <var title="">request</var>'s
    <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is
    <i title="">CORS</i> and the <i title="">CORS flag</i> is unset, run these substeps:

    <ol>
     <li><p>Include <code title="">Cookie</code> headers associated with
     <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>.
     <a href="#refsCOOKIES">[COOKIES]</a>

     <!-- http://wiki.whatwg.org/wiki/HTTP_Authentication -->
     <li><p>If there's an <b title="">authentication entry</b> for <var title="">request</var>'s
     <a href="#concept-request-url" title="concept-request-url">url</a> and either
     <var title="">request</var>'s <a href="#concept-request-use-url-credentials-flag" title="concept-request-use-url-credentials-flag">use URL credentials flag</a> is unset or
     <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>
     does not include credentials, include the <code>Authorization</code> header from the
     <b title="">authentication entry</b>.
     <!-- XXX need to define "includes credentials" in URL as username != "" and password != null??
              need to define the cache concept -->

     <li><p>Otherwise, if <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>
     includes credentials, and the <i title="">HTTP authentication flag</i> is set, include an
     <code>Authorization</code> header using those credentials.
     <!-- XXX ... -->
    </ol>

   <li>
    <p>If there's a <b title="">proxy authentication entry</b>, use it as appropriate.
    <a href="#refsHTTP">[HTTP]</a>

    <p class="note">This intentionally does not depend on <var title="">request</var>'s
    <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a>.
  </ol>

  <p>If the HTTP request is terminated before all headers from the resource are obtained,
  return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

  <p>Otherwise, when the headers from the resource are obtained, let
  <var title="">response</var> be a new <a href="#concept-response" title="concept-response">response</a> and set
  its fields appropriately. <span class="XXX">Need to spell this out. Whenever we do not
  include <code>Cookie</code> headers we also need to ignore <code>Set-Cookie</code>
  headers in the response.</span>

  <p>If the <i title="">CORS flag</i> is set and a <a href="#cors-check-0">CORS check</a> for
  <var title="">request</var> and <var title="">response</var> returns failure, return a
  <a href="#concept-network-error" title="concept-network-error">network error</a>.

  <p>If <var title="">response</var>'s <a href="#concept-response-status" title="concept-response-status">status</a> is
  301, 302, 303, 307, or 308, run these steps:

  <ol>
   <li><p>If <var title="">response</var>'s
   <a href="#concept-response-headers" title="concept-response-headers">headers</a> do not contain a
   <a href="#concept-header" title="concept-header">header</a> whose
   <a href="#concept-header-name" title="concept-header-name">name</a> is <code title="">Location</code>, return
   <var title="">response</var>.

   <li><p>If <var title="">response</var>'s
   <a href="#concept-response-headers" title="concept-response-headers">headers</a> contain more than one
   <a href="#concept-header" title="concept-header">header</a> whose
   <a href="#concept-header-name" title="concept-header-name">name</a> is <code title="">Location</code>, return a
   <a href="#concept-network-error" title="concept-network-error">network error</a>.
   <!-- only Gecko does this; if removed add "first" below -->

   <li><p>Let <var title="">location</var> be the
   <a href="#concept-header-value" title="concept-header-value">value</a> of the
   <a href="#concept-header" title="concept-header">header</a> whose
   <a href="#concept-header-name" title="concept-header-name">name</a> is <code title="">Location</code> within
   <var title="">response</var>'s <a href="#concept-response-headers" title="concept-response-headers">headers</a>.

   <li><p>Let <var title="">parsed location</var> be the result of
   <a class="external" href="http://url.spec.whatwg.org/#concept-url-parser" title="concept-url-parser">parsing</a>
   <var title="">location</var> with <var title="">request</var>'s
   <a href="#concept-request-url" title="concept-request-url">url</a>.

   <li><p>If <var title="">parsed location</var> is failure, return a
   <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li><p>If <var title="">request</var>'s
   <a href="#concept-request-redirect-count" title="concept-request-redirect-count">redirect count</a> is twenty, return a
   <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li><p>Increase <var title="">request</var>'s
   <a href="#concept-request-redirect-count" title="concept-request-redirect-count">redirect count</a> by one.

   <li><p>Set <var title="">response</var>'s <a href="#concept-response-type" title="concept-response-type">type</a> to
   <i title="">redirect</i>.

   <li><p>Set <var title="">response</var>'s
   <a href="#concept-response-location" title="concept-response-location">location</a> to
   <var title="">parsed location</var>.

   <li>
    <p>If <var title="">request</var>'s
    <a href="#concept-request-manual-redirect-flag" title="concept-request-manual-redirect-flag">manual redirect flag</a> is unset,
    run these substeps:

    <ol>
     <li><p>If <var title="">response</var>'s
     <a href="#concept-response-location" title="concept-response-location">location</a>'s <span>origin</span> is not
     <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>'s
     <span>origin</span>, set <var title="">request</var>'s
     <a href="#concept-request-origin" title="concept-request-origin">origin</a> to a globally unique identifier.

     <li><p>If the <i title="">CORS flag</i> is set and <var title="">response</var>'s
     <a href="#concept-response-location" title="concept-response-location">location</a>'s
     <a class="external" href="http://url.spec.whatwg.org/#concept-url-username" title="concept-url-username">username</a> or
     <a class="external" href="http://url.spec.whatwg.org/#concept-url-password" title="concept-url-password">password</a> is non-null,
     return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

     <li><p>Set <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a> to
     <var title="">response</var>'s <a href="#concept-response-location" title="concept-response-location">location</a>.

     <li><p>Return the result of performing a <a href="#concept-fetch" title="concept-fetch">fetch</a> using
     <var title="">request</var>, with the <i title="">CORS flag</i> set if set.
    </ol>
  </ol>

  <p>Otherwise, if
  <var title="">response</var>'s <a href="#concept-response-status" title="concept-response-status">status</a> is 401,
  run these steps:

  <ol>
   <li><p>If the <i title="">CORS flag</i> is set, return <var title="">response</var>.

   <li class="XXX"><p>Needs testing: multiple <code>WWW-Authenticate</code> headers,
   missing, parsing issues.

   <li>
    <p>If <var title="">request</var>'s
    <a href="#concept-request-use-url-credentials-flag" title="concept-request-use-url-credentials-flag">use URL credentials flag</a>
    is unset, or the <i title="">HTTP authentication flag</i> is set, run these substeps:

    <ol>
     <li><p>Prompt the end user for a username and password.

     <li><p>Set <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>'s
     <a class="external" href="http://url.spec.whatwg.org/#concept-url-username" title="concept-url-username">username</a> and
     <a class="external" href="http://url.spec.whatwg.org/#concept-url-password" title="concept-url-password">password</a> to the given
     values.
     <!-- XXX sanitization? -->
    </ol>

   <li><p>Return the result of performing a <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using
   <var title="">request</var>, with the <i title="">HTTP authentication flag</i> set.
  </ol>

  <p>Otherwise, if
  <var title="">response</var>'s <a href="#concept-response-status" title="concept-response-status">status</a> is 407,
  run these steps:

  <ol>
   <li class="XXX"><p>Needs testing: multiple <code>Proxy-Authenticate</code> headers,
   missing, parsing issues.

   <li>
    <p>Prompt the end user as appropriate and store the result as appropriate as a
    <b title="">proxy authentication entry</b>.
    <a href="#refsHTTP">[HTTP]</a>

    <p class="note">Remaining details surrounding proxy authentication are defined by HTTP.

   <li><p>Return the result of performing <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using
   <var title="">request</var>.
  </ol>

  <p>If the <i title="">HTTP authentication flag</i> is set, create an <b title="">authentication entry</b> for
  <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a> and the given
  realm. <a href="#refsHTTPAUTH">[HTTPAUTH]</a>

  <p>Return <var title="">response</var>.

 <dt>Otherwise
 <dd><p>Return a <a href="#concept-network-error" title="concept-network-error">network error</a>.
</dl>


<h3 id="cors-fetch-with-preflight"><span class="secno">4.2 </span>CORS fetch with preflight</h3>

<p>To perform a <dfn id="cors-fetch-with-preflight-0">CORS fetch with preflight</dfn> using <var title="">request</var>, run
these steps:

<ol>
 <li>
  <p>If

  <ul>
   <li>there is no <a href="#method-cache-match">method cache match</a> for
   <var title="">request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> using
   <var title="">request</var>, and
   <li>either <var title="">request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a>
   is a not <a href="#simple-method">simple method</a> or <var title="">request</var>'s
   <a href="#force-preflight-flag">force preflight flag</a> is set, and
   <li>there is at least one <a href="#concept-header" title="concept-header">header</a>
   <a href="#concept-header-name" title="concept-header-name">name</a> in <var title="">request</var>'s
   <a href="#concept-request-author-headers" title="concept-request-author-headers">author headers</a> for which there is no
   <a href="#header-name-cache-match">header name cache match</a> using <var title="">request</var> and for which the
   <a href="#concept-header" title="concept-header">header</a> is not a <a href="#simple-header">simple header</a>
  </ul>

  <p>then run these substeps:

  <ol>
   <li><p>Let <var title="">response</var> be a <a href="#cors-preflight-fetch-0">CORS preflight fetch</a> using
   <var title="">request</var>.

   <li><p>If <var title="">response</var> is a <a href="#concept-network-error" title="concept-network-error">network error</a>, return
   <var title="">response</var>.
  </ol>

 <li><p>Set <var title="">request</var>'s
 <a href="#concept-request-manual-redirect-flag" title="concept-request-manual-redirect-flag">manual redirect flag</a>.

 <li><p>Let <var title="">response</var> be a <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using
 <var title="">request</var> with the <i title="">CORS flag</i> set.

 <li><p>If <var title="">response</var> is a <a href="#concept-redirect" title="concept-redirect">redirect</a>, set its
 <a href="#concept-response-type" title="concept-response-type">type</a> to <i title="">error</i>.

 <li><p>If <var title="">response</var> is a <a href="#concept-network-error" title="concept-network-error">network error</a>,
 <a href="#cache-clear" title="cache-clear">clear</a> using <var title="">request</var>.

 <li><p>Return <var title="">response</var>.
</ol>


<h3 id="cors-preflight-fetch"><span class="secno">4.3 </span>CORS preflight fetch</h3>

<p>To perform a <dfn id="cors-preflight-fetch-0">CORS preflight fetch</dfn> using <var title="">request</var>, run these
steps:

<ol>
 <li><p>Let <var title="">preflight</var> be a new <a href="#concept-request" title="concept-request">request</a>.

 <li><p>Set <var title="">preflight</var>'s <a href="#concept-request-url" title="concept-request-url">url</a> to
 <var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>.

 <li><p>Set <var title="">preflight</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a> to
 <var title="">request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a>.

 <li><p>Set <var title="">preflight</var>'s <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a> to
 <var title="">request</var>'s <a href="#concept-request-referrer" title="concept-request-referrer">referrer</a>.

 <li><p>Set <var title="">preflight</var>'s <a href="#concept-request-method" title="concept-request-method">method</a> to
 <code title="">OPTIONS</code>.

 <li><p>Append a <a href="#concept-header" title="concept-header">header</a>
 <a href="#concept-header-name" title="concept-header-name">named</a>
 <code title="">Access-Control-Request-Method</code> with
 <a href="#concept-header-value" title="concept-header-value">value</a> <var title="">request</var>'s
 <a href="#concept-request-method" title="concept-request-method">method</a> to <var title="">preflight</var>'s
 <a href="#concept-request-headers" title="concept-request-headers">headers</a>.

 <li><p>Let <var title="">headers</var> be the <a href="#concept-header-name" title="concept-header-name">names</a>
 of <var title="">request</var>'s
 <a href="#concept-request-author-headers" title="concept-request-author-headers">author headers</a>, sorted
 lexicographically and <span class="XXX">byte lowercased</span>.

 <li><p>Let <var title="">header value</var> be the items in <var title="">headers</var>
 separated from each other by 0x2C 0x20.

 <li><p>Append a <a href="#concept-header" title="concept-header">header</a>
 <a href="#concept-header-name" title="concept-header-name">named</a>
 <code title="">Access-Control-Request-Headers</code> with
 <a href="#concept-header-value" title="concept-header-value">value</a> <var title="">header value</var> to
 <var title="">preflight</var>'s <a href="#concept-request-headers" title="concept-request-headers">headers</a>.

 <li><p>Set <var title="">preflight</var>'s
 <a href="#concept-request-manual-redirect-flag" title="concept-request-manual-redirect-flag">manual redirect flag</a>.

 <li><p>Let <var title="">response</var> be the result of performing a
 <a href="#concept-basic-fetch" title="concept-basic-fetch">basic fetch</a> using <var title="">preflight</var> with the <i title="">CORS flag</i>
 set.

 <li>
  <p>If <var title="">response</var>'s <a href="#concept-response-status" title="concept-response-status">status</a> is
  in the range 200 to 299, run these substeps:
  <!-- CORS said 200 here but nobody implemented that:
       http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0078.html -->

  <ol>
   <li><p>Let <var title="">methods</var> be the result of
   <a href="#concept-header-parse" title="concept-header-parse">parsing</a> all <var title="">response</var>'s
   <a href="#concept-response-headers" title="concept-response-headers">headers</a>'
   <a href="#concept-header-name" title="concept-header-name">named</a> <code>Access-Control-Allow-Methods</code>.

   <li><p>Let <var title="">header names</var> be the result of
   <a href="#concept-header-parse" title="concept-header-parse">parsing</a> all <var title="">response</var>'s
   <a href="#concept-response-headers" title="concept-response-headers">headers</a>'
   <a href="#concept-header-name" title="concept-header-name">named</a> <code>Access-Control-Allow-Headers</code>.

   <li><p>If either <var title="">methods</var> or <var title="">header names</var> is failure,
   return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li>
    <p>If <var title="">methods</var> is empty <var title="">request</var>'s
    <a href="#force-preflight-flag">force preflight flag</a> is set, append <var title="">request</var>'s
    <a href="#concept-request-method" title="concept-request-method">method</a> to <var title="">methods</var>.

    <p class="note">This ensures that a <a href="#cors-preflight-fetch-0">CORS preflight fetch</a> that happened
    solely because of <var title="">request</var>'s <a href="#force-preflight-flag">force preflight flag</a> is too.

   <li><p>If <var title="">request</var>'s <a href="#concept-request-method" title="concept-request-method">method</a>
   is not in <var title="">methods</var> and is not a <a href="#simple-method">simple method</a>, return
   failure.

   <li><p>If one of <var title="">request</var>'s
   <a href="#concept-request-headers" title="concept-request-headers">headers</a>'
   <a href="#concept-header-name" title="concept-header-name">names</a> is not in <var title="">header names</var> or
   its corresponding <a href="#concept-header" title="concept-header">header</a> is not a
   <a href="#simple-header">simple header</a>, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.

   <li><p>Let <var title="">max-age</var> be the result of
   <a href="#concept-header-parse" title="concept-header-parse">parsing</a> all <var title="">response</var>'s
   <a href="#concept-response-headers" title="concept-response-headers">headers</a>'
   <a href="#concept-header-name" title="concept-header-name">named</a> <code>Access-Control-Max-Age</code>.

   <li><p>If <var title="">max-age</var> is failure, set <var title="">max-age</var> to zero.

   <li><p>If <var title="">max-age</var> is greater than an imposed limit on
   <a href="#cache-max-age" title="cache-max-age">max-age</a>, set <var title="">max-age</var> to the imposed
   limit.

   <li><p>If the user agent does not provide for a cache, return
   <var title="">response</var>.

   <li><p>For each method in <var title="">methods</var> for which there is a
   <a href="#method-cache-match">method cache match</a> using <var title="">request</var>, set matching entry's
   <a href="#cache-max-age" title="cache-max-age">max-age</a> to <var title="">max-age</var>.

   <li>
    <p>For each <var title="">method</var> in <var title="">methods</var> for which there is
    <em>no</em>  <a href="#method-cache-match">method cache match</a> using <var title="">request</var>, create a
    new entry in the <a href="#cors-preflight-cache-0">CORS preflight cache</a> as follows:

    <dl>
     <dt><a href="#cache-origin" title="cache-origin">origin</a>
     <dd><var title="">request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a>

     <dt><a href="#cache-url" title="cache-url">url</a>
     <dd><var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>

     <dt><a href="#cache-max-age" title="cache-max-age">max-age</a>
     <dd><var title="">max-age</var>

     <dt><a href="#cache-credentials" title="cache-credentials">credentials</a>
     <dd>False if <var title="">request</var>'s
     <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is not
     <i title="">never</i>, and true otherwise

     <dt><a href="#cache-method" title="cache-method">method</a></dt>
     <dd><var title="">method</var>
    </dl>

   <li><p>For each header name in <var title="">header names</var> for which there is a
   <a href="#header-name-cache-match">header name cache match</a> using <var title="">request</var>, set
   matching entry's <a href="#cache-max-age" title="cache-max-age">max-age</a> to <var title="">max-age</var>.

   <li>
    <p>For each <var title="">header name</var> in <var title="">header names</var> for which
    there is <em>no</em> <a href="#header-name-cache-match">header name cache match</a> using
    <var title="">request</var>, create a new entry in the <a href="#cors-preflight-cache-0">CORS preflight cache</a>
    as follows:

    <dl>
     <dt><a href="#cache-origin" title="cache-origin">origin</a>
     <dd><var title="">request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a>

     <dt><a href="#cache-url" title="cache-url">url</a>
     <dd><var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>

     <dt><a href="#cache-max-age" title="cache-max-age">max-age</a>
     <dd><var title="">max-age</var>

     <dt><a href="#cache-credentials" title="cache-credentials">credentials</a>
     <dd>False if <var title="">request</var>'s
     <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is not
     <i title="">never</i>, and true otherwise

     <dt><a href="#cache-header-name" title="cache-header-name">header name</a></dt>
     <dd><var title="">header name</var>
    </dl>

   <li><p>Return <var title="">response</var>.
  </ol>

 <li><p>Otherwise, return a <a href="#concept-network-error" title="concept-network-error">network error</a>.
</ol>


<h3 id="cors-preflight-cache"><span class="secno">4.4 </span>CORS preflight cache</h3>

<p>A <dfn id="cors-preflight-cache-0">CORS preflight cache</dfn> consists of a collection of entries where each
entry has these fields:
  <dfn id="cache-origin" title="cache-origin">origin</dfn>,
  <dfn id="cache-url" title="cache-url">url</dfn>,
  <dfn id="cache-max-age" title="cache-max-age">max-age</dfn>,
  <dfn id="cache-credentials" title="cache-credentials">credentials</dfn>,
  <dfn id="cache-method" title="cache-method">method</dfn>, and
  <dfn id="cache-header-name" title="cache-header-name">header name</dfn>.

<p>Entries must be removed after the seconds specified in the
<a href="#cache-max-age" title="cache-max-age">max-age</a> field have passed since storing the entry.
Entries may be removed before that moment arrives.

<p>To <dfn id="cache-clear" title="cache-clear">clear</dfn> entries using a <var title="">request</var>,
remove any entries in the <a href="#cors-preflight-cache-0">CORS preflight cache</a> whose
<a href="#cache-origin" title="cache-origin">origin</a> is <var title="">request</var>'s
<a href="#concept-request-origin" title="concept-request-origin">origin</a> and whose
<a href="#cache-url" title="cache-url">url</a> is <var title="">request</var>'s
<a href="#concept-request-url" title="concept-request-url">url</a>.

<p>There is a <dfn id="cache-match">cache match</dfn> for a <var title="">request</var> if
<a href="#cache-origin" title="cache-origin">origin</a> is <var title="">request</var>'s
<a href="#concept-request-origin" title="concept-request-origin">origin</a>, <a href="#cache-url" title="cache-url">url</a> is
<var title="">request</var>'s <a href="#concept-request-url" title="concept-request-url">url</a>, and either
<a href="#cache-credentials" title="cache-credentials">credentials</a> is false and <var title="">request</var>'s
<a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is not
<i title="">never</i> or
<a href="#cache-credentials" title="cache-credentials">credentials</a> is true and <var title="">request</var>'s
<a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is
<i title="">never</i>.

<p>There is a <dfn id="method-cache-match">method cache match</dfn> for a given method using <var title="">request</var>
when there is an entry in <a href="#cors-preflight-cache-0">CORS preflight cache</a> for which there is a
<a href="#cache-match">cache match</a> for <var title="">request</var> and its
<a href="#cache-method" title="cache-method">method</a> is the given method.

<p>There is a <dfn id="header-name-cache-match">header name cache match</dfn> for a given header name using <var title="">request</var>
when there is an entry in <a href="#cors-preflight-cache-0">CORS preflight cache</a> for which there is a
<a href="#cache-match">cache match</a> for <var title="">request</var> and its
<a href="#cache-header-name" title="cache-header-name">header name</a> is the given header name.


<h3 id="cors-check"><span class="secno">4.5 </span>CORS check</h3>

<p>To perform a <dfn id="cors-check-0">CORS check</dfn> for a <var title="">request</var> and
<var title="">response</var>, run these steps:

<ol>
 <li><p>If <var title="">response</var>'s <a href="#concept-response-headers" title="concept-response-headers">headers</a>
 contains zero or more than one <a href="#concept-header" title="concept-header">header</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is <code>Access-Control-Allow-Origin</code>,
 return failure.

 <li><p>Let <var title="">result</var> be the <a href="#concept-header-value" title="concept-header-value">value</a>
 of the <a href="#concept-header" title="concept-header">header</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is <code>Access-Control-Allow-Origin</code>
 within <var title="">response</var>'s <a href="#concept-response-headers" title="concept-response-headers">headers</a>.

 <li><p>If <var title="">request</var>'s
 <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is not
 <i title="">never</i> and <var title="">result</var> is <code title="">*</code>, return success.

 <li><p>If <var title="">request</var>'s <a href="#concept-request-origin" title="concept-request-origin">origin</a>
 serialized to bytes is not <var title="">result</var>, return failure.
 <!-- XXX serialized to bytes -->

 <li><p>If <var title="">request</var>'s
 <a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is not
 <i title="">never</i>, return success.

 <li><p>If <var title="">response</var>'s <a href="#concept-response-headers" title="concept-response-headers">headers</a>
 contains zero or more than one <a href="#concept-header" title="concept-header">header</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is <code>Access-Control-Allow-Credentials</code>,
 return failure.

 <li><p>If the <a href="#concept-header-value" title="concept-header-value">value</a>
 of the <a href="#concept-header" title="concept-header">header</a> whose
 <a href="#concept-header-name" title="concept-header-name">name</a> is <code>Access-Control-Allow-Origin</code>
 within <var title="">response</var>'s <a href="#concept-response-headers" title="concept-response-headers">headers</a> is
 <code title="">true</code>, return success.

 <li><p>Return failure.
</ol>



<h2 id="http-headers"><span class="secno">5 </span>HTTP headers</h2>

<p>To <dfn id="concept-header-parse" title="concept-header-parse">parse a header value</dfn> parse it per the ABNF
given below and return the <a href="#concept-header-value" title="concept-header-value">values</a> obtained for the
given <a href="#concept-header-name" title="concept-header-name">name</a>, and return failure if the
<a href="#concept-header-value" title="concept-header-value">value</a> did not match the ABNF.

<p>The <dfn id="http-origin" title="http-origin"><code>Origin</code></dfn> request
<a href="#concept-header" title="concept-header">header</a> indicates where a
<a href="#concept-fetch" title="concept-fetch">fetch</a> originates from.

<p class="note">The <code title="http-origin"><a href="#http-origin">Origin</a></code> header is a stripped-down version
of the <code title="http-referer">Referer</code> [sic] header as to not reveal confidential
<a class="external" href="http://url.spec.whatwg.org/#concept-url-path" title="concept-url-path">path</a> information. Due to
compatibility constraints it is not included in all fetches.
<!-- Ian Hickson told me Adam Barth researched that -->

<p>The remaining <a href="#concept-header" title="concept-header">headers</a> are used as part of
<a href="#concept-request" title="concept-request">requests</a> whose
<a href="#concept-request-mode" title="concept-request-mode">mode</a> is <i title="">CORS</i>.

<p>The
<dfn id="http-access-control-request-method" title="http-access-control-request-method"><code>Access-Control-Request-Method</code></dfn>
header indicates which method will be used during the later part of a
<a href="#cors-fetch-with-preflight-0">CORS fetch with preflight</a> as part of the
<a href="#cors-preflight-fetch-0">CORS preflight fetch</a>.

<p>The
<dfn id="http-access-control-request-headers" title="http-access-control-request-headers"><code>Access-Control-Request-Headers</code></dfn>
header indicates which headers will be used during the later part of a
<a href="#cors-fetch-with-preflight-0">CORS fetch with preflight</a> as part of the
<a href="#cors-preflight-fetch-0">CORS preflight fetch</a>.

<p>The
<dfn id="http-access-control-allow-origin" title="http-access-control-allow-origin"><code>Access-Control-Allow-Origin</code></dfn>
header indicates whether a resource can be shared based by returning the value of the
<code title="http-origin"><a href="#http-origin">Origin</a></code> request header,
<code title="">*</code>, or <code title="">null</code> in a response.

<p>The
<dfn id="http-access-control-allow-credentials" title="http-access-control-allow-credentials"><code>Access-Control-Allow-Credentials</code></dfn>
header indicates whether the response to a request can be exposed when the
<a href="#concept-request-omit-credentials-mode" title="concept-request-omit-credentials-mode">omit credentials mode</a> is
<i title="">never</i>. When part of the response to a
<a href="#cors-preflight-fetch-0">CORS preflight fetch</a> it indicates that the later part of
<a href="#cors-fetch-with-preflight-0">CORS fetch with preflight</a> can include <span>user credentials</span>.

<p>The
<dfn id="http-access-control-expose-headers" title="http-access-control-expose-headers"><code>Access-Control-Expose-Headers</code></dfn>
header indicates which headers are safe to expose in a response.

<p>The
<dfn id="http-access-control-max-age" title="http-access-control-max-age"><code>Access-Control-Max-Age</code></dfn> header
indicates how long the results of a <a href="#cors-preflight-fetch-0">CORS preflight fetch</a> can be cached in a
<a href="#cors-preflight-cache-0">CORS preflight cache</a>.

<p>The
<dfn id="http-access-control-allow-methods" title="http-access-control-allow-methods"><code>Access-Control-Allow-Methods</code></dfn>
header indicates, as part of the response to a <a href="#cors-preflight-fetch-0">CORS preflight fetch</a>, which
methods can be used during the later part of a <a href="#cors-fetch-with-preflight-0">CORS fetch with preflight</a>.

<p>The
<dfn id="http-access-control-allow-headers" title="http-access-control-allow-headers"><code>Access-Control-Allow-Headers</code></dfn>
header indicates, as part of the response to a <a href="#cors-preflight-fetch-0">CORS preflight fetch</a>, which
header field names can be used during the later part of a
<a href="#cors-fetch-with-preflight-0">CORS fetch with preflight</a>.

<pre>Origin                           = origin-or-null

Access-Control-Request-Method    = <a class="external" href="http://tools.ietf.org/html/rfc2616/#section-5.1.1">Method</a>
Access-Control-Request-Headers   = #<a class="external" href="http://tools.ietf.org/html/rfc2616/#section-4.2">field-name</a>

Access-Control-Allow-Origin      = origin-or-null / "*"
Access-Control-Allow-Credentials = %x74.72.75.65 ; "true", case-sensitive
Access-Control-Expose-Headers    = #<a class="external" href="http://tools.ietf.org/html/rfc2616/#section-4.2">field-name</a>
Access-Control-Max-Age           = <a class="external" href="http://tools.ietf.org/html/rfc2616/#section-3.3.2">delta-seconds</a>
Access-Control-Allow-Methods     = #<a class="external" href="http://tools.ietf.org/html/rfc2616/#section-5.1.1">Method</a>
Access-Control-Allow-Headers     = #<a class="external" href="http://tools.ietf.org/html/rfc2616/#section-4.2">field-name</a>

origin-or-null                   = origin / %x6E.75.6C.6C ; "null", case-sensitive
origin                           = <a class="external" href="http://url.spec.whatwg.org/#concept-url-scheme" title="concept-url-scheme">scheme</a> "://" <a class="external" href="http://url.spec.whatwg.org/#concept-url-host" title="concept-url-host">host</a> [ ":" <a class="external" href="http://url.spec.whatwg.org/#concept-url-port" title="concept-url-port">port</a> ]</pre>

<p class="note">The syntax for the <code title="">Origin</code> header here is an intentional
subset of what is defined in The Web Origin Concept. Unfortunately that document cannot be
updated to match reality without involving layers and layers of bureaucracy.
<a href="#refsORIGIN">[ORIGIN]</a>



<h2 class="no-num" id="references">References</h2>
<div id="anolis-references"><dl><dt id="refsCOOKIES">[COOKIES]
<dd><cite><a href="http://tools.ietf.org/html/rfc6265">HTTP State Management Mechanism</a></cite>, Adam Barth. IETF.

<dt id="refsENCODING">[ENCODING]
<dd><cite><a href="http://encoding.spec.whatwg.org/">Encoding Standard</a></cite>, Anne van Kesteren. WHATWG.

<dt id="refsHTTP">[HTTP]
<dd><cite><a href="http://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</a></cite>, Roy Fielding, James Gettys, Jeffrey Mogul et al.. IETF.

<dt id="refsHTTPAUTH">[HTTPAUTH]
<dd><cite><a href="http://tools.ietf.org/html/rfc2617">HTTP Authentication: Basic and Digest Access Authentication</a></cite>, J. Franks, Phillip Hallam-Baker, J. Hostetler et al.. IETF.

<dt id="refsORIGIN">[ORIGIN]
<dd><cite><a href="http://tools.ietf.org/html/rfc6454">The Web Origin Concept</a></cite>, Adam Barth. IETF.

<dt id="refsRFC2119">[RFC2119]
<dd><cite><a href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a></cite>, Scott Bradner. IETF.

<dt id="refsURL">[URL]
<dd><cite><a href="http://url.spec.whatwg.org/">URL Standard</a></cite>, Anne van Kesteren. WHATWG.

</dl></div>



<h2 class="no-num" id="acknowledgments">Acknowledgments</h2>

<p>The editor would like to thank

Adam Barth,
Alexey Proskuryakov,
Arne Johannessen,
Arthur Barstow,
Benjamin Hawkes-Lewis,
Bert Bos,
Björn Höhrmann,
Boris Zbarsky,
Brad Hill,
Brad Porter,
Cameron McCormack,
Collin Jackson,
David Håsäther,
David Orchard,
Dean Jackson,
Eric Lawrence,
Frank Ellerman,
Frederick Hirsch,
Gavin Carothers,
Glenn Maynard,
Graham Klyne,
Hal Lockhart,
Henri Sivonen,
Ian Hickson,
Jesse M. Heines,
Jonas Sicking,
Julian Reschke,
Lachlan Hunt,
呂康豪 (Kang-Hao Lu),
Maciej Stachowiak,
Marc Silbey,
Marcos Caceres,
Mark Nottingham,
Mark S. Miller,
Martin Dürst,
Matt Oshry,
Matt Womer,
Mhano Harkness,
Michael Smith,
Mohamed Zergaoui,
Nikunj Mehta,
Odin Hørthe Omdal,
Philip Jägenstedt,
R. Auburn,
Sharath Udupa,
Simon Pieters,
Sunava Dutta,
Surya Ismail,
Thomas Roessler,
Tyler Close,
Vladimir Dzhuvinov,
Wayne Carr, and
Zhenbin Xu

for being awesome.

<script id="head" src="http://www.whatwg.org/specs/web-apps/current-work/dfn.js"></script>