Remove location URL as field on responses
It does not need to be stored on a response and therefore resulted in confusion.

Also clarify that synthetic responses need to have an absolute URL in the Location header field value (Response.redirect() does this automatically).

Corresponding HTML PR: whatwg/html#6340.

Tests: https://chromium-review.googlesource.com/c/chromium/src/+/2665871.

Closes #631, closes #633, closes #958, closes #1146, and closes web-platform-tests/wpt#10449. (Some of these can be closed due to #1030 making response's URL no longer null for network responses.)
annevk authored Feb 2, 2021
1 parent 987c3fd commit 89cfc1d
Showing 1 changed file with 46 additions and 42 deletions.
88 changes: 46 additions & 42 deletions fetch.bs
Expand Up @@ -1882,16 +1882,6 @@ allowed on the resource fetched by looking at the flag of the response returned.
the response of a redirect has to be set if it was set for previous responses in the redirect chain,
this is also tracked internally using the request's <a for=request>timing allow failed flag</a>.

<p>A <a for=/>response</a> can have an associated
<dfn export for=response id=concept-response-location-url>location URL</dfn> (null, failure, or a
<a for=/>URL</a>). Unless specified otherwise, <a for=/>response</a> has no
<a for=response>location URL</a>.

<p class="note no-backref">This concept is used for redirect handling in Fetch and in HTML's
navigate algorithm. It ensures `<code>Location</code>` has
<a lt="extracting header values">its value extracted</a> consistently and only once.
[[!HTML]]

<hr>

<p>A <a for=/>response</a> whose
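
Review bot: the note deleted in this hunk is the only text saying that Location has its value extracted "consistently and only once", and that guarantee disappears once location URL stops being a stored field and becomes steps that read the header list each time they run. Suggest carrying the sentence over into the replacement note, reworded as an expectation on callers: run the steps once per response and keep the result in a variable, as HTTP-redirect fetch does with locationURL.
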
Expand Down Expand Up @@ -2008,6 +1998,36 @@ is a <a>filtered response</a> whose
<p>A <dfn export id=concept-stale-response>stale response</dfn> is a <a for=/>response</a> that is
not a <a>fresh response</a> or a <a>stale-while-revalidate response</a>.

<hr>

<p>The <dfn export for=response id=concept-response-location-url>location URL</dfn> algorithm of
given a <a for=/>response</a> <var>response</var> is the following steps. They return null, failure,
or a <a for=/>URL</a>.

<ol>
<li><p>If <var>response</var>'s <a for=response>status</a> is not a <a>redirect status</a>, then
return null.

<li><p>Let <var>location</var> be the result of <a>extracting header list values</a> given
`<code>Location</code>` and <var>response</var>'s <a for=response>header list</a>.
<!-- https://github.com/whatwg/fetch/issues/814#issuecomment-431366126 -->

<li>
<p>If <var>location</var> is a <a for=header>value</a>, then set <var>location</var> to the result
of <a lt="url parser">parsing</a> <var>location</var> with <var>response</var>'s
<a for=response>URL</a>.

<p class=note>If <var>response</var> was constructed through the {{Response}} constructor,
<var>response</var>'s <a for=response>URL</a> will be null, meaning that <var>location</var> will
only parse successfully if it is an <a>absolute-URL-with-fragment string</a>.

<li><p>Return <var>location</var>.
</ol>

<p class=note>The <a for=response>location URL</a> algorithm is exclusively used for redirect
handling in this standard and in <cite>HTML</cite>'s navigate algorithm which handles redirects
manually. [[!HTML]]


<h4 id=miscellaneous>Miscellaneous</h4>
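
Review bot: the opening sentence of the new definition reads "algorithm of given a response response", where "of" looks like a leftover from an earlier wording. Something like "To get the location URL of a response response, run these steps. They return null, failure, or a URL." would read cleanly and still match the "response's location URL" phrasing used by callers. Separately, step 3 parses location with response's URL as the base, and only the note below it mentions that this URL can be null for constructed responses; stating in the step itself that the base may be null would make the absolute-URL requirement normative rather than informative.
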

Expand Down Expand Up @@ -3950,16 +3970,6 @@ optional <i>CORS-preflight flag</i>, run these steps:

<p class=note>303 is excluded as certain communities ascribe special status to it.

<li><p>Let <var>location</var> be the result of <a>extracting header list values</a> given
`<code>Location</code>` and <var>actualResponse</var>'s <a for=response>header list</a>.

<li><p>If <var>location</var> is a <a for=header>value</a>, then set <var>location</var> to the
result of <a lt="URL parser">parsing</a> <var>location</var> with <var>actualResponse</var>'s
<a for=response>URL</a>.

<li><p>Set <var>actualResponse</var>'s
<a for=response>location URL</a> to <var>location</var>.

<li>
<p>Switch on <var>request</var>'s
<a for=request>redirect mode</a>:
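
Review bot: with the three Location steps gone from above "Switch on request's redirect mode", this algorithm no longer parses the header before branching, so a consumer that is handed the response without the redirect being followed only gets a location URL if it runs the steps itself. A short note at this point saying that such consumers need to invoke location URL on the returned response would keep that dependency visible to readers of this algorithm alone.
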
Expand Down Expand Up @@ -3998,18 +4008,14 @@ optional <i>CORS-preflight flag</i>, run these steps:
<a>filtered response</a>, and <var>response</var>'s
<a for="filtered response">internal response</a> otherwise.

<li><p>If <var>actualResponse</var>'s <a for=response>location URL</a>
is null, then return <var>response</var>.
<li><p>Let <var>locationURL</var> be <var>actualResponse</var>'s <a for=response>location URL</a>.

<li><p>If <var>locationURL</var> is null, then return <var>response</var>.

<li><p>If <var>actualResponse</var>'s <a for=response>location URL</a>
is failure, then return a <a>network error</a>.
<!-- only Gecko does this; and even that is currently more complicated -->
<li><p>If <var>locationURL</var> is failure, then return a <a>network error</a>.

<li><p>If <var>actualResponse</var>'s
<a for=response>location URL</a>'s
<a for=url>scheme</a> is <em>not</em> an
<a>HTTP(S) scheme</a>, then return a
<a>network error</a>.
<li><p>If <var>locationURL</var>'s <a for=url>scheme</a> is not an <a>HTTP(S) scheme</a>, then
return a <a>network error</a>.

<li><p>If <var>request</var>'s <a for=request>redirect count</a> is
twenty, return a <a>network error</a>.
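
Review bot: on the step "If locationURL is failure, then return a network error", the comment "only Gecko does this; and even that is currently more complicated" is attached to the old wording of the same step. If it is dropped together with that wording, the interoperability caveat is lost; either keep the comment on the rewritten step or confirm that the tests linked in the commit message cover a Location value that fails to parse.
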
Expand All @@ -4018,27 +4024,25 @@ optional <i>CORS-preflight flag</i>, run these steps:
<a for=request>redirect count</a> by one.

<li><p>If <var>request</var>'s <a for=request>mode</a> is "<code>cors</code>",
<var>actualResponse</var>'s <a for=response>location URL</a>
<a lt="include credential">includes credentials</a>, and <var>request</var>'s
<a for=request>origin</a> is not <a>same origin</a> with <var>actualResponse</var>'s
<a for=response>location URL</a>'s <a for=url>origin</a>, then return a <a>network error</a>.
<var>locationURL</var> <a>includes credentials</a>, and <var>request</var>'s
<a for=request>origin</a> is not <a>same origin</a> with <var>locationURL</var>'s
<a for=url>origin</a>, then return a <a>network error</a>.

<li>
<p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>cors</code>" and
<var>actualResponse</var>'s <a for=response>location URL</a>
<a lt="include credential">includes credentials</a>, then return a <a>network error</a>.
<var>locationURL</var> <a>includes credentials</a>, then return a <a>network error</a>.

<p class=note>This catches a cross-origin resource redirecting to a same-origin URL.

<li><p>If <var>actualResponse</var>'s <a for=response>status</a> is not 303, <var>request</var>'s
<a for=request>body</a> is non-null, and <var>request</var>'s <a for=request>body</a>'s
<a for=body>source</a> is null, then return a <a>network error</a>.

<li><p>If <var>actualResponse</var>'s <a for=response>location URL</a>'s <a for=url>origin</a> is
not <a>same origin</a> with <var>request</var>'s <a for=request>current URL</a>'s
<a for=url>origin</a> and <var>request</var>'s <a for=request>origin</a> is not <a>same origin</a>
with <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>, then set
<var>request</var>'s <a for=request>tainted origin flag</a>.
<li><p>If <var>locationURL</var>'s <a for=url>origin</a> is not <a>same origin</a> with
<var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a> and
<var>request</var>'s <a for=request>origin</a> is not <a>same origin</a> with <var>request</var>'s
<a for=request>current URL</a>'s <a for=url>origin</a>, then set <var>request</var>'s
<a for=request>tainted origin flag</a>.

<li>
<p>If one of the following is true
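
Review bot: both "includes credentials" links in this hunk lose their lt="include credential" override and now depend on the bare link text resolving on its own. Worth confirming that the build still links them to the intended definition without a warning, or keeping an explicit lt that matches the exported term.
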
Expand Down Expand Up @@ -4069,7 +4073,7 @@ optional <i>CORS-preflight flag</i>, run these steps:
<p class="note no-backref"><var>request</var>'s <a for=request>body</a>'s <a for=body>source</a>'s
nullity has already been checked.

<li><p>Append <var>actualResponse</var>'s <a for=response>location URL</a> to <var>request</var>'s
<li><p><a for=list>Append</a> <var>locationURL</var> to <var>request</var>'s
<a for=request>URL list</a>.

<li><p>Invoke <a>set <var>request</var>'s referrer policy on redirect</a> on <var>request</var> and