From 13174f5aa903ea7a8dbddb6210f7f7f269893905 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Tue, 3 May 2022 14:12:11 -0400 Subject: [PATCH 01/21] Prevent cross-origin sensitive header probind See https://github.com/WICG/client-hints-infrastructure/issues/100 --- fetch.bs | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/fetch.bs b/fetch.bs index 9a608b842..e22d0f43e 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2864,6 +2864,73 @@ run these steps:
  • Return allowed. +

    Prevent sensitive header +size probing + +Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive headers +(`Authorization` or `Cookie`) by adding headers +to cross-site requests until the total size of all HTTP request headers exceeds the server side limit. In order +for this approach to succeed, servers should not set a HTTP request headers size limit below 8KB. + +

    Run these steps: + +

      +
    1. If the request isn't cross-origin, return. + +

    2. Let sensitiveHeaderList be the result of filtering header list to include only + headers with a header name of `Authorization`, + `Cookie`, or `Sensitive-Header-Truncated`. + +

    3. While the serialized size of sensitiveHeaderList is greater than 4KB: + +

        +
      1. If the header `Authorization` is present in + sensitiveHeaderList and `Cookie` is not present or the + value of `Authorization` is larger than the value of + `Cookie`. + +

          +
        1. delete `Authorization` from + sensitiveHeaderList. + +

        2. set `Sensitive-Header-Truncated` in + sensitiveHeaderList to the value ?1. +

        + +
      2. Else if the header `Cookie` is present in + sensitiveHeaderList and `Authorization` is not present or the + value of `Cookie` is larger than the value of + `Authorization`. + +

          +
        1. delete `Cookie` from + sensitiveHeaderList. + +

        2. set `Sensitive-Header-Truncated` in + sensitiveHeaderList to the value ?1. +

        +
      + +
    4. Let nonSensitiveHeaderList be the result of filtering header list to include + only headers not in sensitiveHeaderList + +

    5. While the serialized size of nonSensitiveHeaderList is greater than 4KB: + +

        +
      1. Let nameOfLargestHeader be the name of the largest serialized header in + nonSensitiveHeaderList except `Non-Sensitive-Header-Truncated`. + +

      2. delete nameOfLargestHeader from nonSensitiveHeaderList. + +

      3. set `Non-Sensitive-Header-Truncated` in + nonSensitiveHeaderList to the value ?1. +

      + +
    6. Let newHeaderList be the result of taking sensitiveHeaderList and running + sort and combine with nonSensitiveHeaderList. + +

    7. Overwrite header list with newHeaderList. +

    HTTP extensions
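Review bot: The loop in step 3 can fail to terminate: when `Authorization` and `Cookie` are both present with equal serialized sizes, neither sub-step 3.1 (`Authorization` larger than `Cookie`) nor 3.2 (`Cookie` larger than `Authorization`) applies, nothing is deleted, and the size stays above 4KB forever. Make one of the comparisons "larger than or equal to", and write the conditions with explicit grouping, since "`Authorization` is present and `Cookie` is not present or ..." is ambiguous as written (both conditions also end in a period where a colon introducing the sub-steps is expected). Separately, this approach silently strips credentials from the request and replaces them with `Sensitive-Header-Truncated: ?1`; the server then sees an unauthenticated request with no standard way to recognise the marker, so the failure is indistinguishable from a wrong credential. A check that forces a preflight instead of rewriting the request would avoid that. Finally, "the request isn't cross-origin" in step 1 and "serialized size" in steps 3 and 5 are used without definitions; define both in terms of request's origin and current URL and of the header list's byte serialization.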

    From f19bd98c6a9c7ecdeabb57eefbe59a905ec58810 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Tue, 3 May 2022 14:14:18 -0400 Subject: [PATCH 02/21] Update fetch.bs --- fetch.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index e22d0f43e..b5eda6294 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2865,7 +2865,7 @@ run these steps:

    Prevent sensitive header -size probing +size probing

    Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive headers (`Authorization` or `Cookie`) by adding headers From 12f8f733db6a9b8f0bf25762739a08441b08cf32 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Tue, 31 May 2022 10:23:45 -0400 Subject: [PATCH 03/21] Update fetch.bs --- fetch.bs | 61 ++++++++++---------------------------------------------- 1 file changed, 11 insertions(+), 50 deletions(-) diff --git a/fetch.bs b/fetch.bs index b5eda6294..0804236a1 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2864,72 +2864,33 @@ run these steps:
  • Return allowed. -

    Prevent sensitive header -size probing

    +

    +Prevent sensitive header size probing

    Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive headers (`Authorization` or `Cookie`) by adding headers to cross-site requests until the total size of all HTTP request headers exceeds the server side limit. In order for this approach to succeed, servers should not set a HTTP request headers size limit below 8KB. -

    Run these steps: +

    Run these steps on the provided request:

      -
    1. If the request isn't cross-origin, return. +

    2. If request's origin is same origin with request's + current URL's origin, return. -

    3. Let sensitiveHeaderList be the result of filtering header list to include only - headers with a header name of `Authorization`, - `Cookie`, or `Sensitive-Header-Truncated`. - -

    4. While the serialized size of sensitiveHeaderList is greater than 4KB: +

    5. Let sensitiveHeaderList be the result of running filter include on request's + header list with an include list of `(Authorization, Cookie)`.

        -
      1. If the header `Authorization` is present in - sensitiveHeaderList and `Cookie` is not present or the - value of `Authorization` is larger than the value of - `Cookie`. - -

          -
        1. delete `Authorization` from - sensitiveHeaderList. - -

        2. set `Sensitive-Header-Truncated` in - sensitiveHeaderList to the value ?1. -

        - -
      2. Else if the header `Cookie` is present in - sensitiveHeaderList and `Authorization` is not present or the - value of `Cookie` is larger than the value of - `Authorization`. - -

          -
        1. delete `Cookie` from - sensitiveHeaderList. - -

        2. set `Sensitive-Header-Truncated` in - sensitiveHeaderList to the value ?1. -

        +
      3. TBD
      -
    6. Let nonSensitiveHeaderList be the result of filtering header list to include - only headers not in sensitiveHeaderList - -

    7. While the serialized size of nonSensitiveHeaderList is greater than 4KB: +

    8. Let nonSensitiveHeaderList be the result of running filter exclude on request's + header list with an exclude list of `(Authorization, Cookie)`.

        -
      1. Let nameOfLargestHeader be the name of the largest serialized header in - nonSensitiveHeaderList except `Non-Sensitive-Header-Truncated`. - -

      2. delete nameOfLargestHeader from nonSensitiveHeaderList. - -

      3. set `Non-Sensitive-Header-Truncated` in - nonSensitiveHeaderList to the value ?1. +

      4. TBD
      - -
    9. Let newHeaderList be the result of taking sensitiveHeaderList and running - sort and combine with nonSensitiveHeaderList. - -

    10. Overwrite header list with newHeaderList.
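Review bot: Steps 5 and 8 call "filter include" and "filter exclude", which are not defined anywhere in this commit (they only arrive in PATCH 05/21), and steps 3 and 4 are left as `TBD`, so at this point in the series the algorithm has no defined result: step 2 returns without a value and nothing consumes sensitiveHeaderList or nonSensitiveHeaderList. Squash this with the commits that add the definitions and the boolean result so that every commit in the series builds and reads consistently. Also, `(Authorization, Cookie)` is written as a code span but is meant to be a list of header names; use the spec's list notation rather than a code span.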

    From 31b775d16f20fe9058a1bf7821ebf9a8cebeadf1 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Tue, 31 May 2022 10:30:11 -0400 Subject: [PATCH 04/21] Update fetch.bs --- fetch.bs | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/fetch.bs b/fetch.bs index 0804236a1..fb42cde9e 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2864,33 +2864,32 @@ run these steps:
  • Return allowed. -

    -Prevent sensitive header size probing

    +

    +Header size is over CORS limit

    Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive headers (`Authorization` or `Cookie`) by adding headers -to cross-site requests until the total size of all HTTP request headers exceeds the server side limit. In order -for this approach to succeed, servers should not set a HTTP request headers size limit below 8KB. +to cross-site requests until the total size of all HTTP request headers exceeds the server side limit. If this +algorithm returns true, the CORS-preflight request must be run. In order for this approach to succeed, servers should +not set a HTTP request headers size limit below 8KB.

    Run these steps on the provided request:

    1. If request's origin is same origin with request's - current URL's origin, return. + current URL's origin, return `false`.

    2. Let sensitiveHeaderList be the result of running filter include on request's header list with an include list of `(Authorization, Cookie)`. -

        -
      1. TBD -
      +
    3. If the result of running size on sensitiveHeaderList is greater than 4KB, return `true`.

    4. Let nonSensitiveHeaderList be the result of running filter exclude on request's header list with an exclude list of `(Authorization, Cookie)`. -

        -
      1. TBD -
      +
    5. If the result of running size on nonSensitiveHeaderList is greater than 4KB, return `true`. + +

    6. Return `false`.
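Review bot: Step 2 filters request's header list for `Cookie`, but at the point in HTTP fetch where the preflight decision is made that header is not yet in the list: cookies are appended to httpRequest's header list later, in HTTP-network-or-cache fetch, and the same holds for an `Authorization` header taken from an authentication entry. As written, step 3 only measures an `Authorization` header the caller set explicitly, so the sensitive budget is never enforced for the cookie case the note describes. Either run this check where the credential headers have already been added, or compute the cookie size from the cookie store for request's current URL and add it to the measured size.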

    From 4d557f1df706a467b1ddf7b652c637bf3427908a Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Tue, 31 May 2022 10:43:19 -0400 Subject: [PATCH 05/21] Update fetch.bs --- fetch.bs | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/fetch.bs b/fetch.bs index fb42cde9e..2da10b370 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1132,6 +1132,37 @@ format of range header value can be set using add a range header. implementation-defined header value for the `User-Agent` header. +

    To +filter include a +header list list and header names includeNames, run these steps: + +

      +
    1. Let filteredList be an empty header list. + +
    2. For each (name, value) in list: + +
        +
      1. If name in includeNames then append (name, value) to filteredList. +
      + +
    3. Return filteredList. +

    + +

    To +filter exclude a +header list list and header names excludeNames, run these steps: + +

      +
    1. Let filteredList be an empty header list. + +
    2. For each (name, value) in list: + +
        +
      1. If name not in excludeNames then append (name, value) to filteredList. +
      + +
    3. Return filteredList. +

    Statuses
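Review bot: The membership tests in step 2.1 of both algorithms ("If name in includeNames" and "If name not in excludeNames") need to be byte-case-insensitive: header names in a header list are byte sequences, and `authorization` or `cookie` must match `Authorization` and `Cookie`, otherwise a caller that sets the lower-case form bypasses the sensitive budget. Write "if includeNames contains name, byte-case-insensitively" (and likewise for excludeNames). Since the two bodies differ only in the negation, one algorithm taking the list and an include/exclude flag would also be easier to keep in sync.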

    @@ -2880,12 +2911,12 @@ not set a HTTP request headers size limit below 8KB. current URL's origin, return `false`.
  • Let sensitiveHeaderList be the result of running filter include on request's - header list with an include list of `(Authorization, Cookie)`. + header list with `(Authorization, Cookie) as includeNames`.

  • If the result of running size on sensitiveHeaderList is greater than 4KB, return `true`.

  • Let nonSensitiveHeaderList be the result of running filter exclude on request's - header list with an exclude list of `(Authorization, Cookie)`. + header list with `(Authorization, Cookie) as excludeNames`.

  • If the result of running size on nonSensitiveHeaderList is greater than 4KB, return `true`. From c940a8d13110761b629b9ac58b5e635e6a01b073 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Tue, 31 May 2022 10:49:08 -0400 Subject: [PATCH 06/21] Update fetch.bs --- fetch.bs | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/fetch.bs b/fetch.bs index 2da10b370..22614a6db 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1164,6 +1164,25 @@ format of range header value can be set using add a range header.

  • Return filteredList. +

    To get the +size of a +header list list, run these steps: + +

      +
    1. Let sizeInBytes be `0`. + +
    2. For each (name, value) in list: + +
        +
      1. Add the size of name to sizeInBytes. +
      2. Add `2` to sizeInBytes (represents the `: ` after the name). +
      3. Add the size of value to sizeInBytes. +
      4. Add `2` to sizeInBytes (represents the `\r\n` after the value). +
      + +
    3. Return sizeInBytes. +

    +

    Statuses
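Review bot: Steps 2.1 and 2.3 add "the size of name" and "the size of value" without saying what size means; name and value are byte sequences, so say "the length of name" (its number of bytes) so that the result really is in bytes as the variable name sizeInBytes promises. The per-header overhead for `: ` and `\r\n` models HTTP/1.1 serialization only; over HTTP/2 and HTTP/3 the field section is compressed on the wire and servers apply their limit to a differently computed size, so state that this is an estimate of the HTTP/1.1 form rather than the bytes a server will count. Lastly, if the same name appears in list more than once, each occurrence is counted with its own overhead, which matches separate HTTP/1.1 field lines but not the combined value produced by sort and combine; say which form is being measured.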

    A status is an integer in the range 0 to 999, inclusive. From 077ab19f925ff79f44962b91c5ba72e56152cca0 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Tue, 31 May 2022 10:59:55 -0400 Subject: [PATCH 07/21] Update fetch.bs --- fetch.bs | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/fetch.bs b/fetch.bs index 22614a6db..9d76216f3 100644 --- a/fetch.bs +++ b/fetch.bs @@ -4748,17 +4748,19 @@ these steps:

    1. -

      If makeCORSPreflight is true and one of these conditions is true: +

      If one of these conditions is true:

      Then: From b0b529336839d0e6d97a704e573182b366aa7dc0 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Thu, 2 Jun 2022 11:16:13 -0400 Subject: [PATCH 08/21] Update fetch.bs --- fetch.bs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/fetch.bs b/fetch.bs index 9d76216f3..98ee666ba 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1149,7 +1149,7 @@ format of range header value can be set using add a range header.

    To -filter exclude a +filter exclude a header list list and header names excludeNames, run these steps:

      @@ -1164,8 +1164,8 @@ format of range header value can be set using add a range header.
    1. Return filteredList.

    -

    To get the -size of a +

    To +get the size of a header list list, run these steps:

      @@ -2932,12 +2932,12 @@ not set a HTTP request headers size limit below 8KB.
    1. Let sensitiveHeaderList be the result of running filter include on request's header list with `(Authorization, Cookie) as includeNames`. -

    2. If the result of running size on sensitiveHeaderList is greater than 4KB, return `true`. +

    3. If the result of running get the size on sensitiveHeaderList is greater than 4KB, return `true`.

    4. Let nonSensitiveHeaderList be the result of running filter exclude on request's header list with `(Authorization, Cookie) as excludeNames`. -

    5. If the result of running size on nonSensitiveHeaderList is greater than 4KB, return `true`. +

    6. If the result of running get the size on nonSensitiveHeaderList is greater than 4KB, return `true`.

    7. Return `false`.
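Review bot: Steps 3 and 6 compare a byte count against "4KB", which is ambiguous between 4000 and 4096 bytes (PATCH 12/21 later changes the unit to kibibyte); write the exact byte count, 4096, since get the size returns sizeInBytes and implementations will compare integers. In the same hunk, the context lines at steps 1 and 4 still have "as includeNames" and "as excludeNames" inside the code span together with `(Authorization, Cookie)`; move the "as" clause outside the span.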

    From 827e6d4ed0814c1764fd7b11eab5a35c9a89ed34 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Fri, 3 Jun 2022 13:58:42 -0400 Subject: [PATCH 09/21] Update fetch.bs --- fetch.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fetch.bs b/fetch.bs index 98ee666ba..95cc9a125 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2914,8 +2914,8 @@ run these steps:
  • Return allowed. -

    -Header size is over CORS limit

    +

    +Is a CORS request's header size over the limit?

    Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive headers (`Authorization` or `Cookie`) by adding headers @@ -2923,7 +2923,7 @@ to cross-site requests until the total size of all HTTP request header< algorithm returns true, the CORS-preflight request must be run. In order for this approach to succeed, servers should not set a HTTP request headers size limit below 8KB. -

    Run these steps on the provided request: +

    Run these steps to check if the header size is over the CORS limits on the provided request:

    1. If request's origin is same origin with request's @@ -4760,7 +4760,7 @@ these steps: CORS-unsafe request-header names with request's header list for which there is no header-name cache entry match using request. -

    2. Header size is over cors limit is true. +
    3. If the header size is over the CORS limits for request.

      Then: From 40bb9f4bb3cd20ff911351b903dbee3c7b47c26b Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Fri, 3 Jun 2022 14:00:14 -0400 Subject: [PATCH 10/21] Update fetch.bs --- fetch.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index 95cc9a125..359b2f42e 100644 --- a/fetch.bs +++ b/fetch.bs @@ -4760,7 +4760,7 @@ these steps: CORS-unsafe request-header names with request's header list for which there is no header-name cache entry match using request. -

    4. If the header size is over the CORS limits for request. +
    5. The header size is over the CORS limits for request.

      Then: From b9fc11fcb9056f738340ef9276c5b199f1b9eeca Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Tue, 28 Jun 2022 17:39:15 -0400 Subject: [PATCH 11/21] Update fetch.bs --- fetch.bs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fetch.bs b/fetch.bs index b6c345419..6e1119dc5 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2919,9 +2919,9 @@ Is a CORS request's header size over the limit? Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive headers (`Authorization` or `Cookie`) by adding headers -to cross-site requests until the total size of all HTTP request headers exceeds the server side limit. If this +to cross-origin requests until the total size of all HTTP request headers exceeds the server side limit. If this algorithm returns true, the CORS-preflight request must be run. In order for this approach to succeed, servers should -not set a HTTP request headers size limit below 8KB. +not set an HTTP request headers size limit below 8KB.

      Run these steps to check if the header size is over the CORS limits on the provided request: @@ -4717,7 +4717,7 @@ these steps: CORS-unsafe request-header names with request's header list for which there is no header-name cache entry match using request. -

    6. The header size is over the CORS limits for request. +
    7. The header size is over the CORS limits given request returns true.

      Then: From b4c78cac78d49bdc7b1aee4ed3061998377183c7 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Wed, 5 Oct 2022 10:12:08 -0400 Subject: [PATCH 12/21] Update fetch.bs --- fetch.bs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fetch.bs b/fetch.bs index 38bcd043b..06d86bd54 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3027,7 +3027,7 @@ Note: The goal of this algorithm is to prevent cross-origin requests from probin (`Authorization` or `Cookie`) by adding headers to cross-origin requests until the total size of all HTTP request headers exceeds the server side limit. If this algorithm returns true, the CORS-preflight request must be run. In order for this approach to succeed, servers should -not set an HTTP request headers size limit below 8KB. +not set an HTTP request headers size limit below 8 kibibyte.

      Run these steps to check if the header size is over the CORS limits on the provided request: @@ -3038,12 +3038,12 @@ not set an HTTP request headers size limit below 8KB.

    8. Let sensitiveHeaderList be the result of running filter include on request's header list with `(Authorization, Cookie) as includeNames`. -

    9. If the result of running get the size on sensitiveHeaderList is greater than 4KB, return `true`. +

    10. If the result of running get the size on sensitiveHeaderList is greater than 4 kibibyte, return `true`.

    11. Let nonSensitiveHeaderList be the result of running filter exclude on request's header list with `(Authorization, Cookie) as excludeNames`. -

    12. If the result of running get the size on nonSensitiveHeaderList is greater than 4KB, return `true`. +

    13. If the result of running get the size on nonSensitiveHeaderList is greater than 4 kibibyte, return `true`.

    14. Return `false`.
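Review bot: "8 kibibyte" in the note and "4 kibibyte" in steps 10 and 13 should be plural ("kibibytes"), or better, spelled out as 8192 and 4096 bytes. More importantly, the two budgets add up to exactly the 8 kibibyte floor the note asks servers to keep, and a server's header limit normally also covers the request line, so a request with 4096 bytes of credentials and 4096 bytes of other headers can still exceed a server limit set at exactly 8 kibibytes. Either recommend a server floor strictly above the sum of the two budgets or lower one of the budgets to leave room for the request line.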

    From 42669aa420f4a114c041c491e1f1eafb0e5843d0 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Wed, 5 Oct 2022 10:13:14 -0400 Subject: [PATCH 13/21] Update fetch.bs --- fetch.bs | 1 + 1 file changed, 1 insertion(+) diff --git a/fetch.bs b/fetch.bs index 06d86bd54..f0ef6ceef 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1247,6 +1247,7 @@ downloads. This format of range header value can be set using add a range hea
  • Return sizeInBytes. +

    Statuses

    A status is an integer in the range 0 to 999, inclusive. From 236805e923d09991a931da56129c3248009afbd1 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Wed, 5 Oct 2022 10:16:00 -0400 Subject: [PATCH 14/21] Update fetch.bs --- fetch.bs | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/fetch.bs b/fetch.bs index f0ef6ceef..baa8e1ec1 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1201,12 +1201,12 @@ downloads. This format of range header value can be set using add a range hea header list list and header names includeNames, run these steps:

      -
    1. Let filteredList be an empty header list. +
    2. Let filteredList be an empty header list. -

    3. For each (name, value) in list: +
    4. For each (name, value) in list:

        -
      1. If name in includeNames then append (name, value) to filteredList. +
      2. If name in includeNames then append (name, value) to filteredList.

    5. Return filteredList. @@ -1217,12 +1217,12 @@ downloads. This format of range header value can be set using add a range hea header list list and header names excludeNames, run these steps:

        -
      1. Let filteredList be an empty header list. +
      2. Let filteredList be an empty header list. -

      3. For each (name, value) in list: +
      4. For each (name, value) in list:

          -
        1. If name not in excludeNames then append (name, value) to filteredList. +
        2. If name not in excludeNames then append (name, value) to filteredList.

      5. Return filteredList. @@ -1233,15 +1233,15 @@ downloads. This format of range header value can be set using add a range hea header list list, run these steps:

          -
        1. Let sizeInBytes be `0`. +
        2. Let sizeInBytes be `0`. -

        3. For each (name, value) in list: +
        4. For each (name, value) in list:

            -
          1. Add the size of name to sizeInBytes. -
          2. Add `2` to sizeInBytes (represents the `: ` after the name). -
          3. Add the size of value to sizeInBytes. -
          4. Add `2` to sizeInBytes (represents the `\r\n` after the value). +
          5. Add the size of name to sizeInBytes. +

          6. Add `2` to sizeInBytes (represents the `: ` after the name). +

          7. Add the size of value to sizeInBytes. +

          8. Add `2` to sizeInBytes (represents the `\r\n` after the value).

        5. Return sizeInBytes. @@ -4818,7 +4818,7 @@ these steps: method is not a CORS-safelisted method or request's use-CORS-preflight flag is set. -

        6. makeCORSPreflight is true and there is at least one item in the +
        7. makeCORSPreflight is true and there is at least one item in the CORS-unsafe request-header names with request's header list for which there is no header-name cache entry match using request. From 3eaeda2ee170dc7bc4576771ddc8068c19826f7a Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Wed, 5 Oct 2022 10:21:26 -0400 Subject: [PATCH 15/21] Update fetch.bs --- fetch.bs | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/fetch.bs b/fetch.bs index baa8e1ec1..269b473d5 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1238,15 +1238,16 @@ downloads. This format of range header value can be set using add a range hea

        8. For each (name, value) in list:

            -
          1. Add the size of name to sizeInBytes. -

          2. Add `2` to sizeInBytes (represents the `: ` after the name). -

          3. Add the size of value to sizeInBytes. -

          4. Add `2` to sizeInBytes (represents the `\r\n` after the value). +

          5. Add the length of name to sizeInBytes. +

          6. Add the length of value to sizeInBytes. +

          7. Add 4 to sizeInBytes (represents the `: ` after the name and the `\r\n` after the value).

        9. Return sizeInBytes.

        +Note: The 4 bytes added to account for the HTTP/1 syntax may need to be adjusted for different/updates syntaxes. +

        Statuses
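Review bot: The added note has a typo, "different/updates syntaxes" should read "different or updated syntaxes", and it could be more concrete: HTTP/2 and HTTP/3 servers enforce their header-list limit on the uncompressed sum of name and value lengths plus a fixed per-field overhead of 32 octets (SETTINGS_MAX_HEADER_LIST_SIZE, RFC 9113 section 6.5.2), not the 4-octet `: ` and `\r\n` overhead counted in step 7. Saying that the 4 bytes model HTTP/1.1 only, and that an implementation may substitute the overhead of the protocol actually in use, makes the caveat actionable. Folding the two constants into one "Add 4" in step 7 is fine, but keep the comment naming both separators so the origin of the number stays visible.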

        From 4c94c66fd249e7c02b18f6a0067bf68dff83b49f Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Wed, 5 Oct 2022 10:26:11 -0400 Subject: [PATCH 16/21] Update fetch.bs --- fetch.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index 269b473d5..768b8ef11 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1206,7 +1206,7 @@ downloads. This format of range header value can be set using add a range hea
      6. For each (name, value) in list:

          -
        1. If name in includeNames then append (name, value) to filteredList. +

        2. If name is in includeNames, then append (name, value) to filteredList.

      7. Return filteredList. From d7519ef2dcd58870fd5170ef28e1c270aca6336c Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Wed, 5 Oct 2022 10:32:53 -0400 Subject: [PATCH 17/21] Update fetch.bs --- fetch.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fetch.bs b/fetch.bs index 768b8ef11..38270cd3d 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1198,7 +1198,7 @@ downloads. This format of range header value can be set using add a range hea

        To filter include a -header list list and header names includeNames, run these steps: +header list list and a list of names includeNames, run these steps:

        1. Let filteredList be an empty header list. @@ -1214,7 +1214,7 @@ downloads. This format of range header value can be set using add a range hea

          To filter exclude a -header list list and header names excludeNames, run these steps: +header list list and a list of names excludeNames, run these steps:

          1. Let filteredList be an empty header list. From 08198aa8f9d16b3ea48d264b6d9cd64f3f9f40bd Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Wed, 5 Oct 2022 10:34:30 -0400 Subject: [PATCH 18/21] Update fetch.bs --- fetch.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fetch.bs b/fetch.bs index 38270cd3d..90e4a78c6 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3022,8 +3022,8 @@ run these steps:

          2. Return allowed.

          -

          -Is a CORS request's header size over the limit?

          +

          +Is a cross-origin request's header size over the limit?

          Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive headers (`Authorization` or `Cookie`) by adding headers From cb907cd5ceae0f7f520396878fef128f4835a9a4 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Wed, 5 Oct 2022 10:36:36 -0400 Subject: [PATCH 19/21] Update fetch.bs --- fetch.bs | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/fetch.bs b/fetch.bs index 90e4a78c6..44e48d8ed 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3027,11 +3027,10 @@ Is a cross-origin request's header size over the limit? Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive headers (`Authorization` or `Cookie`) by adding headers -to cross-origin requests until the total size of all HTTP request headers exceeds the server side limit. If this -algorithm returns true, the CORS-preflight request must be run. In order for this approach to succeed, servers should -not set an HTTP request headers size limit below 8 kibibyte. +to cross-origin requests until the total size of all HTTP request headers exceeds the server side limit. In order +for this approach to succeed, servers should not set an HTTP request headers size limit below 8 kibibyte. -

          Run these steps to check if the header size is over the CORS limits on the provided request: +

          Run these steps to check if the header size is over the cross-origin limits on the provided request:

          1. If request's origin is same origin with request's @@ -4823,7 +4822,7 @@ these steps: CORS-unsafe request-header names with request's header list for which there is no header-name cache entry match using request. -

          2. The header size is over the CORS limits given request returns true. +
          3. The header size is over the cross-origin limits given request returns true.

            Then: From 41e7b1d387dfb5cc25cb8c61c900928b61c58508 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Wed, 5 Oct 2022 10:38:15 -0400 Subject: [PATCH 20/21] Update fetch.bs --- fetch.bs | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/fetch.bs b/fetch.bs index 44e48d8ed..20831faf5 100644 --- a/fetch.bs +++ b/fetch.bs @@ -4810,19 +4810,17 @@ these steps:

            1. -

              If one of these conditions is true: +

              If makeCORSPreflight is true and one of these conditions is true:

              Then: From 219cd5cc6ed4a0b783bc594e42aabbebcfeeb96b Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Wed, 5 Oct 2022 10:43:36 -0400 Subject: [PATCH 21/21] Update fetch.bs --- fetch.bs | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/fetch.bs b/fetch.bs index 20831faf5..bbabc5083 100644 --- a/fetch.bs +++ b/fetch.bs @@ -3027,8 +3027,9 @@ Is a cross-origin request's header size over the limit? Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive headers (`Authorization` or `Cookie`) by adding headers -to cross-origin requests until the total size of all HTTP request headers exceeds the server side limit. In order -for this approach to succeed, servers should not set an HTTP request headers size limit below 8 kibibyte. +to cross-origin requests until the total size of all HTTP request headers exceeds the server side limit. If this +algorithm returns true, the CORS-preflight request must be run. In order for this approach to succeed, servers should +not set an HTTP request headers size limit below 8 kibibyte.

              Run these steps to check if the header size is over the cross-origin limits on the provided request: @@ -4810,18 +4811,19 @@ these steps:

              1. -

                If makeCORSPreflight is true and one of these conditions is true: +

                If one of these conditions is true:

                +
              2. makeCORSPreflight is true and there is at least one item in the + CORS-unsafe request-header names with request's header list + for which there is no header-name cache entry match using request. + +

              3. The header size is over the cross-origin limits given request returns true.

                Then:
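Review bot: With the makeCORSPreflight gate moved from the "If one of these conditions is true" line into item 2, item 3 ("The header size is over the cross-origin limits given request returns true") is no longer conditioned on makeCORSPreflight, so this branch now runs a CORS-preflight whenever the size algorithm returns true, regardless of why HTTP fetch was entered; check that a cross-origin request that cannot be preflighted (one whose mode is not "cors") cannot reach item 3, or gate item 3 on request's mode as well. The gate has moved back and forth across PATCH 07/21, PATCH 14/21, PATCH 20/21 and this commit; squash those into one change and add a sentence to the note in the first hunk explaining why the size condition is deliberately independent of makeCORSPreflight, otherwise the next editor will read item 3's missing gate as an oversight.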