The Fetch standard defines requests, responses, and the process that binds them; fetching.
To unify fetching across the web platform this specification supplants a number of algorithms and specifications:
Origin` header semantics
[ORIGIN]
Unifying fetching provides consistent handling of:
Referer` [REFERRER]
All diagrams, examples, and notes in this specification are non-normative, as are all sections explicitly marked non-normative. Everything else in this specification is normative.
The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in the normative parts of this specification are to be interpreted as described in RFC2119. For readability, these words do not appear in all uppercase letters in this specification. [RFC2119]
This specification uses terminology from the Encoding, HTML, and URL Standards. [ENCODING] [HTML] [URL]
A byte sequence with bytes in the range 0x00 to 0x7F is represented as a utf-8 encoded string with code points in the range U+0000 to U+007F. To avoid confusion with an actual string backticks are used.
"true" is a
string, while `true` is a
byte sequence.
Comparing two byte sequences in a byte case-insensitive manner means comparing them exactly, byte for byte, except that the bytes in the range 0x41 to 0x5A are considered to also match their corresponding byte in the range 0x61 to 0x7A.
A case-insensitive byte sequence is a byte sequence that when compared to another byte sequence does so in a byte case-insensitive manner.
The
case-insensitive byte sequences
`Content-Type` and `content-TYPE` are equal.
To byte lowercase a byte sequence, increase each byte it contains, in the range 0x41 to 0x5A, by 0x20.
To byte uppercase a byte sequence, subtract each byte it contains, in the range 0x61 to 0x7A, by 0x20.
To queue a fetch task on request request to run an operation, queue a task to run an operation on request's client's responsible event loop using the networking task source.
While fetching encompasses more than just HTTP, it
borrows a number of concepts from HTTP and applies these to resources obtained via other
means (e.g. data URLs).
A method is a byte sequence that matches the Method token production.
A simple method is a method that is
`GET`, `HEAD`, or `POST`.
A forbidden method is a method that is a
byte case-insensitive match for one of `CONNECT`,
`TRACE`, and `TRACK`.
[HTTPVERBSEC]
To normalize a
method, if it is a byte case-insensitive
match for `DELETE`, `GET`,
`HEAD`, `OPTIONS`, `POST`, or
`PUT`, byte uppercase it.
Normalization is done for backwards compatibility and consistency across APIs as methods are actually "case-sensitive".
A header list consists of zero or more headers.
To append a name/value (name/value) pair to a header list (list), append a new header whose name is name, byte lowercased, and value is value, to list.
To delete a name (name) from a header list (list), remove all headers whose name is name, byte lowercased, from list.
To set a name/value (name/value) pair in a header list (list), run these steps:
Byte lowercase name.
If there are any headers in list whose name is name, set the value of the first such header to value and remove the others.
Otherwise, append a new header whose name is name and value is value, to list.
To combine a name/value (name/value) pair in a header list (list), run these steps:
Byte lowercase name.
If there are any headers in list whose name is name, set the value of the first such header to value, followed by 0x2C 0x20, followed by value.
Otherwise, append a new header whose name is name and value is value, to list.
Combine solely
exists for XMLHttpRequest.
A header consists of a name and value. A name is a case-insensitive byte sequence that matches the field-name token production. A value is a byte sequence that matches the field-value token production and contains no 0x0A or 0x0D bytes.
Allowing 0x0A and 0x0D bytes can lead to reparsing issues.
A simple header is a header whose
name is either one of `Accept`,
`Accept-Language`, and `Content-Language`, or whose
name is `Content-Type` and
value,
once parsed, has a MIME type (ignoring parameters)
that is one of `application/x-www-form-urlencoded`,
`multipart/form-data`, and `text/plain`.
A forbidden header name is a header name that either is one of
Accept-Charset`
Accept-Encoding`
Access-Control-Request-Headers`
Access-Control-Request-Method`
Connection`
Content-Length`
Cookie`
Cookie2`
Date`
DNT`
Expect`
Host`
Keep-Alive`
Origin`
Referer`
TE`
Trailer`
Transfer-Encoding`
Upgrade`
User-Agent`
Via`
or starts with `Proxy-` or `Sec-`
(including when it is just `Proxy-` or `Sec-`).
These are forbidden so the user agent remains in full control over them.
Names starting with `Sec-` are
reserved to allow new headers to be minted that are safe
from APIs using fetch that allow control over
headers by developers, such as
XMLHttpRequest.
[XHR]
A forbidden response header name is a header name that is one of:
Set-Cookie`
Set-Cookie2`
To parse a header value given a name (name) and either a header or a header list (headers), run these steps:
If name is not in headers, return null.
If the ABNF for name allows a single header and headers contains more than one, return failure.
That if you require different error handling, you need to extract the desired header first.
If parsing all the headers named name in headers, per the ABNF for name, failed, return failure.
Return one or more values resulting from parsing all the headers named name in headers, per the ABNF for name.
To extract a MIME type from a header list (headers), run these steps:
Let MIMEType be the result of
parsing `Content-Type` in
headers.
If MIMEType is null or failure, return the empty byte sequence.
Return MIMEType, byte lowercased.
A body is a byte stream. It has an associated transmitted which is an integer and initially 0, length which is an integer and initially 0, and error flag which is initially unset.
To handle content codings given codings and bytes, run these substeps:
If codings are not supported, return bytes.
Return the result of decoding bytes with the given codings as explained in HTTP. [HTTP]
The input to fetch is a request.
A request has an associated
method (a
method). Unless stated otherwise it is
`GET`.
A request has an associated url (a URL).
This is updated during redirects as described in HTTP fetch.
A request has an associated sandboxed storage area URLs flag. Unless stated otherwise it is unset.
A request has an associated header list (a header list). Unless stated otherwise it is empty.
A request has an associated unsafe request flag. Unless stated otherwise it is unset.
The unsafe request flag is set by APIs such as
fetch() and
XMLHttpRequest to ensure a
CORS preflight fetch is done based on the supplied
method and
header list. It does not free an API from
outlawing forbidden methods and
forbidden header names.
A request has an associated body (null or a body). Unless stated otherwise it is null.
A request has an associated client (an environment settings object).
A request has an associated skip service worker flag. Unless stated otherwise it is unset.
A request has an associated context, which is one of audio, beacon, cspreport, download, embed, eventsource, favicon, fetch, font, form, frame, hyperlink, iframe, image, imageset, import, internal, location, manifest, object, ping, plugin, prefetch, script, serviceworker, sharedworker, subresource, style, track, video, worker, xmlhttprequest, and xslt.
A request has an associated context frame type, which is one of auxiliary, top-level, nested, and none. Unless stated otherwise it is none.
Remove auxiliary? Not sure it is distinctive enough.
The following table illustrates the relationship between a request's context, its context frame type, and CSP directives:
| context | context frame type | CSP directive | Platform feature example |
|---|---|---|---|
| audio | none | media-src
| HTML's audio element
|
| beacon | none | connect-src
| navigator.sendBeacon()
|
| cspreport | none | connect-src
| CSP's report feature |
| download | none | — | HTML's a element when its download attribute is set
|
| embed | none | object-src
| HTML's embed element
|
| eventsource | none | connect-src
| EventSource
|
| favicon | none | — | /favicon.ico resource
|
| fetch | none | connect-src
| fetch()
|
| font | none | font-src
| CSS' @font-face
|
| form | any but none | form-action, potentially child-src
| HTML's form element
|
| frame | nested | child-src
| HTML's frame element
|
| hyperlink | any but none | potentially child-src
| HTML's a element
|
| iframe | nested | child-src
| HTML's iframe element
|
| image | none | img-src
| SVG's image element
|
| imageset | none | img-src
| HTML's picture element
|
| import | none | script-src
| HTML's link element when its rel attribute is set to
"import"
|
| internal | any | User agent actions such as refresh, back, forward; other user agent usage | |
| location | any but none
| potentially child-src
| window.location
|
| manifest | none | — | HTML's link element when its rel attribute is set to
"manifest"
|
| object | none | object-src
| HTML's object element
|
| ping | none | connect-src
| HTML's ping attribute
|
| plugin | none | — | A fetch from a plugin |
| prefetch | none | — | HTML's link element when its rel attribute is set to
"prefetch"
|
| script | none | script-src
| HTML's script element
|
| serviceworker | none | — | navigator.serviceWorker.register()
|
| sharedworker | none | child-src
| SharedWorker
|
| subresource | none | — | HTML's link element when its rel attribute is set to
"subresource"
|
| style | none | style-src
| HTML's link element when its rel attribute is set to
"stylesheet"
|
| track | none | media-src
| HTML's track element
|
| video | none | media-src
| HTML's video element
|
| worker | none | child-src
| Worker
|
| xmlhttprequest | none | connect-src
| XMLHttpRequest
|
| xslt | none | script-src
| <?xml-stylesheet>
|
A request has an associated origin (an origin). Unless stated otherwise it is an opaque identifier.
A request has an associated
force Origin header flag. Unless stated otherwise it is unset.
A request has an associated same-origin data URL flag. Unless stated otherwise it is unset.
A request has an associated referrer, which is no referrer, client, or a URL. Unless stated otherwise it is client.
A request has an associated authentication flag. Unless stated otherwise it is unset.
A request has an associated synchronous flag. Unless stated otherwise it is unset.
A request has an associated mode, which is one of same-origin, no CORS, CORS, and CORS-with-forced-preflight. Unless stated otherwise, it is no CORS.
A request has an associated credentials mode, which is one of omit, same-origin, and include. Unless stated otherwise, it is omit.
A request has an associated use URL credentials flag. Unless stated otherwise, it is unset.
A request has an associated cache mode, which is one of default, no-store, reload, no-cache, force cache, and only-if-cached. Unless stated otherwise, it is default.
If header list
contains a header whose
name is one of
`If-Modified-Since`,
`If-None-Match`,
`If-Unmodified-Since`,
`If-Match`, and
`If-Range`, fetch will set
cache mode to no-store if it is
default.
A request has an associated manual redirect flag. Unless stated otherwise, it is unset.
A request has an associated redirect count. Unless stated otherwise, it is zero.
A request has an associated response tainting, which is one of basic, CORS, and opaque. Unless stated otherwise, it is basic.
A request's redirect count and response tainting are used as bookkeeping details by the fetch algorithm.
The result of fetch is a response. A response evolves over time. That is, not all its fields are available straight away.
A response has an associated type which is one of basic, CORS, default, error, and opaque. Unless stated otherwise, it is default.
A response can have an associated termination reason which is one of end-user abort, fatal, and timeout.
A response has an associated url (null or a URL). Unless stated otherwise it is null.
A response has an associated
status. Unless stated otherwise it is
200.
A response has an associated
status message. Unless stated otherwise
it is `OK`.
A response has an associated header list (a header list). Unless stated otherwise it is empty.
A response has an associated body (null or a body). Unless stated otherwise it is null.
A response has an associated cache state which is one of none, local, validated, and partial. Unless stated otherwise, it is none.
A response has an associated TLS state which is one of unauthenticated, deprecated authentication, and authenticated. Unless stated otherwise, it is unauthenticated.
A response delivered over TLS will typically have its TLS state set to authenticated.
A response whose type is error is known as a network error.
A network error is a
response whose
status is always 0,
status message is always the empty byte sequence,
header list is aways empty,
body is always null, and
cache state is always none.
A filtered response is a limited view on a response that is not a network error. This response is referred to as the filtered response's associated internal response.
The fetch algorithm returns such a view to ensure APIs do not accidentally leak information. If the information is required, e.g. to feed image data to a decoder, the associated internal response can be used, which is only "accessible" to internal specification algorithms.
A basic filtered response is a
filtered response whose
type is basic,
header list excludes any
headers in
internal response's
header list whose
name is `Set-Cookie` or
`Set-Cookie2`.
A CORS filtered response is a
filtered response whose
type is CORS,
header list excludes all
headers in
internal response's
header list, except those whose
name is either one of
`Cache-Control`, `Content-Language`,
`Content-Type`, `Expires`,
`Last-Modified`, and `Pragma`, and except those
whose name is one of the
values resulting from
parsing
`Access-Control-Expose-Headers` in
internal response's
header list.
An opaque filtered response is a
filtered response whose
type is opaque,
status is 0,
status message is the empty byte sequence,
header list is an empty list,
body is null, and
cache state is none.
In other words, an opaque filtered response is nearly indistinguishable from a network error. When introducing new APIs, do not use the internal response for internal specification algorithms as you will leak information.
An authentication entry and a proxy authentication entry are tuples of username, password, and realm, associated with one or more requests.
User agents should allow either to be cleared together with HTTP cookies and similar tracking functionality.
Further details are defined by HTTP. [HTTPAUTH]
Origin` headerThe `Origin` request
header indicates where a
fetch originates from.
The `Origin` header is a version
of the `Referer` [sic] header that does not reveal a
path. It is used for
all HTTP fetches whose CORS flag is
set as well as those where request's
method is `POST`. Due to
compatibility constraints it is not included in all
fetches.
Its value ABNF:
Origin = origin-or-null origin-or-null = origin / %x6E.75.6C.6C ; "null", case-sensitive origin = scheme "://" host [ ":" port ]
This supplants the `Origin`
header.
[ORIGIN]
To allow sharing resources cross-origin and allow for more versatile HTTP requests than
possible with HTML's form element, the platform has
a CORS protocol layered on top of HTTP. It allows resources to declare they
can be shared with resources residing on a different
origin.
It needs to be an opt-in mechanism to prevent leaking data from resources behind a firewall (intranets). Additionally, for credentialed HTTP requests it needs to be opt-in to prevent leaking potentially-sensitive data.
This section explains the CORS protocol as it pertains to servers. Requirements for user agents are part of the fetch algorithm.
The CORS protocol consists of a set of headers that indicates whether a particular resource can be shared cross-origin.
For HTTP requests that are more involved than what is possible with HTML's
form element, a CORS preflight fetch is
performed, to ensure the resource understands the CORS protocol.
An HTTP request can be identified as pertaining in the CORS protocol if it
includes an `Origin` header. This is named a
CORS request.
An HTTP request can be identified as being a check to see if the
CORS protocol is understood if it is a CORS request, uses
`OPTIONS` as method, and includes
these headers:
Access-Control-Request-Method`
Indicates which method a future CORS request to the same resource might use.
Access-Control-Request-Headers`
Indicates which headers a future CORS request to the same resource might use.
This is named a CORS preflight request.
An HTTP response to a CORS request can include the following headers:
Access-Control-Allow-Origin`
Indicates whether a resource can be shared, via returning the literal
value of the
Origin request header
(which can be `null`) or `*` in a response.
Access-Control-Allow-Credentials`
Indicates whether a resource can be shared when request's credentials mode is include.
For a CORS preflight request, request's credentials mode is always omit, but for any subsequent CORS requests it might not be. Support therefore needs to be indicated as part of the HTTP response to the CORS preflight request as well.
An HTTP response to a CORS preflight request can include the following headers:
Access-Control-Allow-Methods`
Indicates which methods are supported by the resource for the purposes of the CORS protocol.
The `Allow` header is
not relevant for the purposes of the CORS protocol.
Access-Control-Allow-Headers`
Indicates which headers are supported by the resource for the purposes of the CORS protocol.
Access-Control-Max-Age`
Indicates how long the information provided by the
`Access-Control-Allow-Methods` and
`Access-Control-Allow-Headers`
headers can be cached.
An HTTP response to a CORS request that is not a CORS preflight request can also include the following header:
Access-Control-Expose-Headers`
Indicates which headers can be exposed as part of the HTTP response, via listing their names.
ABNF for the values of the headers used by the CORS protocol:
Access-Control-Request-Method = Method Access-Control-Request-Headers = #field-name Access-Control-Allow-Origin = origin-or-null / "*" Access-Control-Allow-Credentials = %x74.72.75.65 ; "true", case-sensitive Access-Control-Expose-Headers = #field-name Access-Control-Max-Age = delta-seconds Access-Control-Allow-Methods = #Method Access-Control-Allow-Headers = #field-name
The algorithm below defines fetching. In broad strokes, it takes a request and outputs a response.
That is, it either returns a response if request's synchronous flag is set, or it queues tasks annotated process response, process response body, and process response end-of-file for the response.
To capture uploads, if request's synchronous flag is unset, tasks annotated process request body and process request end-of-file for the request can be queued.
To perform a fetch using request, optionally with a CORS flag, run the steps below. An ongoing fetch can be terminated with reason reason, which must be one of end-user abort, fatal, or timeout.
The CORS flag is a bookkeeping detail for handling redirects. Only use the request parameter in other standards.
If request's url contains a Known HSTS Host, modify it per the requirements of the "URI [sic] Loading and Port Mapping" chapter of HTTP Strict Transport Security. [HSTS]
If request's referrer is not no referrer, set request's referrer to the result of invoking determine request's referrer. [REFERRER]
As stated in Referrer Policy, user agents can provide the end user with options to override request's referrer to no referrer or have it expose less sensitive information.
If request's synchronous flag is unset and fetch is not invoked recursively, run the remaining steps in parallel.
Let response be the value corresponding to the first matching statement:
data" and request's
same-origin data URL flag is set
about"
The result of performing a basic fetch using request.
Set request's response tainting to opaque.
The result of performing a basic fetch using request.
http" and "https"
Set request's response tainting to CORS.
The result of performing an HTTP fetch using request with the CORS flag and CORS preflight flag set.
Set request's response tainting to CORS.
The result of performing an HTTP fetch using request with the CORS flag set.
If fetch is invoked recursively, return response.
If should response to request be blocked as mixed content returns blocked, set response to a network error. [MIX]
If response is not a network error, set response to the following filtered response with response as its internal response, depending on request's response tainting:
If request's synchronous flag is set, wait for either end-of-file to have been pushed to response's body or for response to have a termination reason, and then return response.
This terminates fetch.
If request's body is
non-null and request's url's
scheme is
"http" or "https",
queue a fetch task on request to
process request end-of-file for request.
Queue a fetch task on request to process response for response.
If response's body is null, run these substeps:
Queue a fetch task on request to process response end-of-file for response.
Otherwise, if response's body is non-null, run these substeps:
Whenever response's body's is pushed to, for and as long as response has no termination reason and end-of-file has not been pushed, queue a fetch task on request to process response body for response.
Once end-of-file has been pushed to response's body or response has a termination reason, queue a fetch task on request to process response end-of-file for response.
Ideally FTP/HTTP define this in more detail and this becomes a set of simple hooks.
Use the networking task source for these tasks.
To perform a basic fetch using request, switch on request's url's scheme, and run the associated steps:
about"
If request's url's
scheme data is
"blank", return a response whose
header list consist of a single
header whose
name is `Content-Type` and
value is
`text/html;charset=utf-8`,
body is the empty byte sequence, and
TLS state is request's
client's TLS state.
Otherwise, return a network error.
URLs such
as "about:config" are handled during
navigation and result in a
network error in the context of
fetching.
blob"
If blob is null, return a network error.
Let length be blob's
size attribute value.
Let response be a new response.
Append
`Content-Length`/length to
response's
header list.
Append
`Content-Type`/blob's
type attribute value to
response's
header list.
Set response's body to the result of performing the read operation on blob.
Return response.
data"
If request's method is
`GET` and
obtaining a resource from
request's url does not return
failure, return a response whose
header list consist of a single
header whose
name is `Content-Type` and
value is the MIME type and parameters returned
from obtaining a resource,
body is the data returned from
obtaining a resource, and
TLS state is request's
client's TLS state.
[DATAURL]
Otherwise, return a network error.
file"
ftp"
For now, unfortunate as it is, file and ftp
URLs are left as an exercise for the
reader.
When in doubt, return a network error.
filesystem"If request's sandboxed storage area URLs flag is set, return a network error.
Otherwise, … this scheme still needs to be defined.
http"
https"
Return the result of performing an HTTP fetch using request.
Return a network error.
To perform an HTTP fetch using request with an optional CORS flag, CORS preflight flag, and authentication fetch flag, run these steps:
The CORS flag is still a bookkeeping detail. The CORS preflight flag and authentication fetch flag are too. The former indicates a CORS preflight request is required and the latter indicates an attempt to authenticate.
Let response be null.
If request's skip service worker flag is unset and
request's client's
global object is not a
ServiceWorkerGlobalScope object, run these substeps:
[HTML]
[SW]
Set response to the result of invoking handle fetch for request. [SW]
If either response's type is opaque and request's mode is not no CORS or response's type is error, return a network error.
If response is null, run these substeps:
If the CORS preflight flag is set and one of these conditions is true:
Then run these subsubsteps:
Let response be the result of performing a CORS preflight fetch using request.
If response is a network error, return response.
Set request's skip service worker flag.
There might be redirects. Alternatively, request's authentication flag is set and the CORS flag is unset.
Let credentials flag be set if either request's credentials mode is include, or request's credentials mode is same-origin and the CORS flag is unset, and unset otherwise.
If request's
cache mode is default and
request's header list
contains a header
named
`If-Modified-Since`,
`If-None-Match`,
`If-Unmodified-Since`,
`If-Match`, or
`If-Range`, set request's
cache mode to no-store.
Set response to the result of performing an HTTP network or cache fetch using request with credentials flag if set and authentication fetch flag if set.
If the CORS flag is set and a CORS check for request and response returns failure, return a network error.
There is no need to apply this to a response from a service worker.
Then, switch on response's status:
304
If request's cache mode is neither default nor no-cache, do nothing.
Otherwise, run these subsubsteps:
If there is no entry in the HTTP cache for request and response, return a network error.
Set response to the result of obtaining a response from the HTTP cache using request and response.
This changes response entirely,
including its status which is most
likely 200 now.
Set response's cache state to validated.
301
302
303
307
308
Let location be the result of
parsing `Location` in
response's
header list.
If location is null, return response.
If location is failure, return a network error.
Let locationURL be the result of parsing location with request's url.
If locationURL is failure, return a network error.
If request's redirect count is twenty, return a network error.
Increase request's redirect count by one.
Unset request's same-origin data URL flag.
If the CORS preflight flag is set, set response's type to error and set request's manual redirect flag. This way we avoid running the substeps below.
If request's manual redirect flag is unset, run these substeps:
If the CORS flag is set and locationURL's origin is not request's url's origin, set request's origin to an opaque identifier.
If the CORS flag is set and either locationURL's username is not the empty string or locationURL's password is non-null, return a network error.
Set request's url to locationURL.
Return the result of performing a fetch using request, with the CORS flag set if set.
401
If request's authentication flag is unset or the CORS flag is set, return response.
Needs testing: multiple `WWW-Authenticate` headers,
missing, parsing issues.
If request's use URL credentials flag is unset, or the authentication fetch flag is set, run these substeps:
Let username and password be the result of prompting the end user for a username and password, respectively.
Set the username given request's url and username.
Set the password given request's url and password.
Return the result of performing an HTTP fetch using request, with the authentication fetch flag set.
407
Needs testing: multiple `Proxy-Authenticate` headers,
missing, parsing issues.
Prompt the end user as appropriate and store the result as appropriate as a proxy authentication entry. [HTTP]
Remaining details surrounding proxy authentication are defined by HTTP.
Return the result of performing an HTTP fetch using request.
Do nothing.
If the authentication fetch flag is set, create an authentication entry for request and the given realm. [HTTPAUTH]
If the CORS preflight flag is set and response is a network error, clear cache entries using request.
Return response. Typically response's body is still being pushed to after returning.
To perform a HTTP network or cache fetch using request with an optional credentials flag and authentication fetch flag, run these steps:
The authentication fetch flag is still a bookkeeping detail. The credentials flag is one too.
Let HTTPRequest be a copy of request, except that HTTPRequest's body is a tee of request's body.
Headers need to be added without affecting request. Due to redirects or authentication failure, it can get reused.
Append
`Referer`/empty byte sequence, if HTTPRequest's
referrer is no referrer, and
`Referer`/HTTPRequest's
referrer,
serialized and
utf-8 encoded, otherwise, to
HTTPRequest's
header list.
If HTTPRequest's
force Origin header flag is set,
append
`Origin`/HTTPRequest's
origin,
serialized
and utf-8 encoded, to
HTTPRequest's
header list.
If credentials flag is set, run these substeps:
Modify HTTPRequest's header list per HTTP State Management Mechanism. [COOKIES]
Let authorizationValue be null.
If there's an authentication entry for HTTPRequest and either HTTPRequest's use URL credentials flag is unset or HTTPRequest's url does not include credentials, set authorizationValue to authentication entry.
Otherwise, if HTTPRequest's
url does
include credentials and the
authentication fetch flag is set, set
authorizationValue to HTTPRequest's
url,
converted to an `Authorization` value.
If authorizationValue is non-null,
append
`Authorization`/authorizationValue to
HTTPRequest's
header list.
If there's a proxy authentication entry, use it as appropriate.
This intentionally does not depend on HTTPRequest's credentials mode.
Let response be null.
If request's cache mode is neither no-store nor reload, and there is a complete response in the HTTP cache for request run these substeps:
If request's cache mode is either force cache or only-if-cached, set response to the response in the HTTP cache for request.
Otherwise, if request's cache mode is default and the response in the HTTP cache for request does not require revalidation, set response to that response and set response's cache state to local.
Otherwise, if request's cache mode is either default or no-cache, and the response in the HTTP cache for request does require revalidation, modify HTTPRequest's header list with revalidation headers.
Otherwise, if request's cache mode is either default or force cache, and there is a partial response in the HTTP cache for request, modify HTTPRequest's header list with resume headers.
If response is null, modify HTTPRequest's header list per HTTP.
It would be great if we could make this more normative
somehow. At this point headers such as
`Accept-Encoding`,
`Connection`,
`DNT`, and
`Host`,
are to be appended if necessary.
`Accept-Charset` must not be included.
`Accept` and
`Accept-Language` must not be included at this
point. See HTTP header layer division.
If response is null, set response to the result of making an HTTP request, using HTTPRequest, following the requirements from HTTP, and waiting until either all the headers are transmitted or a network error was returned. If a network error was returned due to fetch being terminated with reason reason, set response's termination reason to reason. [HTTP]
If response is not a network error and request's cache mode is not no-store, update response in the HTTP cache for request.
If response was retrieved over TLS set its TLS state to either deprecated authentication or authenticated. [TLS]
The exact determination here is up to user agents for the time being. User agents are strongly encouraged to only succeed TLS connections with strong security properties and return network errors otherwise.
If HTTPRequest's body is non-null, run these substeps:
If HTTPRequest's body's payload body length is known, set HTTPRequest's body's length to HTTPRequest's body's payload body length.
Whenever HTTPRequest's body is read from (i.e. is transmitted), increase HTTPRequest's body's transmitted with the amount of payload body bytes transmitted and then queue a fetch task on request to process request body for HTTPRequest.
Use the networking task source.
Run these substeps in parallel, after the outer set of steps has returned:
If response's body is non-null, set response's body's length to response's body's payload body length.
Whenever one or more bytes are transmitted, let bytes be the transmitted bytes and run these subsubsteps:
Increase response's body's transmitted with bytes' length.
Let codings be the result of
parsing `Content-Encoding`
in response's
header list.
Set bytes to the result of handling content codings given codings and bytes.
Push bytes to response's body.
These are run in parallel as at this point it is unclear whether response's body is relevant (response might be a redirect).
Delete
`Content-Encoding` from response's
header list if one of the following
conditions is true:
Content-Encoding` in response's
header list returns
`gzip` and parsing
`Content-Type in response's
header list returns
`application/gzip`, `application/x-gunzip`, or
`application/x-gzip`.
Content-Encoding` in response's
header list returns
`compress` and parsing
`Content-Type in response's
header list returns
`application/compress` or
`application/x-compress.
This deals with broken Apache configurations. Ideally HTTP would define this.
Gecko bug 1030660 looks into whether this quirk can be removed.
If credentials flag is set and response's
header list contains one or more
headers named
`Set-Cookie`, run these substeps:
Wait until ownership of the storage mutex can be taken by this instance of the fetch algorithm.
Take ownership of the storage mutex.
Update the cookies. [COOKIES]
This is a fingerprinting vector.
Release the storage mutex so that it is once again free.
Return response. Typically response's body is still being pushed to after returning.
To perform a CORS preflight fetch using request, run these steps:
Let preflight be a new request
whose method is `OPTIONS`,
url is request's
url,
origin is request's
origin,
force Origin header flag is set,
referrer is request's
referrer,
Set
`Access-Control-Request-Method` to
request's method in
preflight's header list.
Let headers be the names of request's header list's headers, excluding duplicates, sorted lexicographically, and byte lowercased.
Let value be the items in headers separated from each other by 0x2C 0x20.
Set
`Access-Control-Request-Headers`
to value in
preflight's header list.
Let response be the result of performing an HTTP network or cache fetch using preflight.
If a CORS check for request and response returns success and response's status is in the range 200 to 299, run these substeps:
The CORS check is done on request rather than preflight to ensure the correct credentials mode is used.
Let methods be the result of
parsing
`Access-Control-Allow-Methods` in
response's
header list.
Let headerNames be the result of
parsing
`Access-Control-Allow-Headers` in
response's
header list.
If either methods or headerNames is failure, return a network error.
If methods is null and request's mode is CORS-with-forced-preflight, set methods to request's method.
This ensures that a CORS preflight fetch that happened due to request's mode being CORS-with-forced-preflight is cached.
If request's method is not in methods and is not a simple method, return a network error.
If one of request's header list' names is not in headerNames and its corresponding header is not a simple header, return a network error.
Let max-age be the result of
parsing
`Access-Control-Max-Age` in
response's
header list.
If max-age is failure or null, set max-age to zero.
If max-age is greater than an imposed limit on max-age, set max-age to the imposed limit.
If the user agent does not provide for a cache, return response.
For each method in methods for which there is a method cache match using request, set matching entry's max-age to max-age.
For each method in methods for which there is no method cache match using request, create a new entry in CORS preflight cache as follows:
For each headerName in headerNames for which there is a header name cache match using request, set matching entry's max-age to max-age.
For each headerName in headerNames for which there is no header name cache match using request, create a new entry in CORS preflight cache as follows:
Return response.
Otherwise, return a network error.
A CORS preflight cache consists of a collection of entries where each entry has these fields: origin, url, max-age, credentials, method, and header name.
Entries must be removed after the seconds specified in the max-age field have passed since storing the entry. Entries may be removed before that moment arrives.
To clear cache entries given a request, remove any entries in the CORS preflight cache whose origin is request's origin and whose url is request's url.
There is a cache match for request if origin is request's origin, url is request's url, and either credentials is false and request's credentials mode is not include or credentials is true.
There is a method cache match for method using request when there is an entry in CORS preflight cache for which there is a cache match for request and its method is method.
There is a header name cache match for headerName using request when there is an entry in CORS preflight cache for which there is a cache match for request and its header name is headerName.
To perform a CORS check for a request and response, run these steps:
Let origin be the result of
parsing
`Access-Control-Allow-Origin` in
response's header list.
If origin is null or failure, return failure.
Null is not `null`.
If request's
credentials mode is not
include and origin is `*`, return success.
If request's origin, serialized and utf-8 encoded, is not origin, return failure.
If request's credentials mode is not include, return success.
Let credentials be the result of
parsing
`Access-Control-Allow-Credentials`
in response's
header list.
If credentials is `true`, return success.
It has been suggested to check for origin not being
`null` here as that would be equal to allowing credentials and
`*` which is also forbidden.
Return failure.
The fetch() method is relatively
low-level API for fetching resources. It covers slightly
more ground than XMLHttpRequest, although it is
currently lacking when it comes to reporting progression.
The fetch() method makes it quite straightforward
to fetch a resource and extract its contents as a
Blob:
fetch("/music/pk/altes-kamuffel.flac")
.then(res => res.blob()).then(playBlob)
If you just care to log a particular response header:
fetch("/", {method:"HEAD"})
.then(res => log(res.headers.get("strict-transport-security")))
If you want to check a particular response header and then process the response of a cross-origin resources:
fetch("https://pk.example/berlin-calling.json", {mode:"cors"})
.then(res => {
if(res.headers.get("content-type") == "application/json") {
return res.json()
} else {
throw new TypeError()
}
}).then(processJSON)
typedef (Headers or sequence<sequence<ByteString>> or OpenEndedDictionary<ByteString>) HeadersInit;
OpenEndedDictionary<T> is a future IDL construct. Expect it to be used as such:
var meta = { "Content-Type": "text/xml", "Breaking-Bad": "<3" }
new Headers(meta)
[Constructor(optional HeadersInit init),
Exposed=(Window,Worker)]
interface Headers {
void append(ByteString name, ByteString value);
void delete(ByteString name);
ByteString? get(ByteString name);
sequence<ByteString> getAll(ByteString name);
boolean has(ByteString name);
void set(ByteString name, ByteString value);
iterable<ByteString, ByteString>;
};
A Headers object has an associated
header list (a
header list).
A Headers object also has an associated
guard, which is one of immutable,
request, request-no-CORS, response and
none (initially none).
immutable exists for service workers. [SW]
To fill a Headers object
(headers) with a given object (object), run these steps:
If object is a Headers object, copy its
header list as
headerListCopy and then for each header in
headerListCopy, retaining order,
append
header's name/header's value
to headers. Rethrow any exception.
Once Headers.prototype[Symbol.iterator] is defined this
special casing will no longer be needed.
Otherwise, if object is a sequence, then for each header in object, run these substeps:
Otherwise, if object is an open-ended dictionary, then for each header in object, run these substeps:
Set header's key to header's key, converted to ByteString. Rethrow any exception.
Append header's key/header's value to headers. Rethrow any exception.
The Headers(init) constructor,
when invoked, must run these steps:
Let headers be a new Headers object.
If init is given, fill headers with init. Rethrow any exception.
Return headers.
To append a
name/value
(name/value) pair to a
Headers object (headers), run these steps:
If name is not a name or
value is not a value,
throw a TypeError.
Otherwise, if guard is request and name is a forbidden header name, return.
Otherwise, if guard is request-no-CORS and name/value is not a simple header, return.
Otherwise, if guard is response and name is a forbidden response header name, return.
Append name/value to header list.
The
append(name, value)
method, when invoked, must append
name/value to the
context object and rethrow any exception.
The delete(name)
method, when invoked, must run these steps:
Otherwise, if guard is request and name is a forbidden header name, return.
Otherwise, if guard is
request-no-CORS and name/`invalid` is
not a simple header, return.
Otherwise, if guard is response and name is a forbidden response header name, return.
Delete name from header list.
The get(name) method, when
invoked, must run these steps:
Return the value of the first header in header list whose name is name, and null otherwise.
The getAll(name) method,
when invoked, must run these steps:
Return the values of all headers in header list whose name is name, in list order, and the empty sequence otherwise.
The has(name) method,
when invoked, must run these steps:
Return true if there is a header in header list whose name is name, and false otherwise.
The
set(name, value)
method, when invoked, must run these steps:
If name is not a name or
value is not a value,
throw a TypeError.
Otherwise, if guard is request and name is a forbidden header name, return.
Otherwise, if guard is request-no-CORS and name/value is not a simple header, return.
Otherwise, if guard is response and name is a forbidden response header name, return.
Set name/value in header list.
The value pairs to iterate over are the headers in the header list with the key being the name and value the value.
typedef object JSON; typedef (Blob or BufferSource or FormData or URLSearchParams or USVString) BodyInit;
To extract a byte stream and a
`Content-Type` value from
object, run these steps:
Let stream be an empty byte stream.
Let Content-Type be null.
Switch on object's type:
Blob
Push a copy of object's contents to stream.
If object's
type attribute is not the
empty byte sequence, set Content-Type to its value.
BufferSource
Push a copy of object to stream.
FormData
Push the result of running the
multipart/form-data encoding algorithm,
with object as form data set and with
utf-8 as the explicit character encoding, to
stream.
Set Content-Type to `multipart/form-data;boundary=`,
followed by the
multipart/form-data boundary string
generated by the
multipart/form-data encoding algorithm.
URLSearchParams
Push the result of running the
application/x-www-form-urlencoded serializer,
with data's associated list of name-value pairs as pairs, to
stream.
Set Content-Type to
`application/x-www-form-urlencoded;charset=UTF-8`.
USVString
Push the result of running utf-8 encode on object to stream.
Set Content-Type to `text/plain;charset=UTF-8`.
Return stream and Content-Type.
[NoInterfaceObject]
interface Body {
readonly attribute boolean bodyUsed;
Promise<ArrayBuffer> arrayBuffer();
Promise<Blob> blob();
Promise<FormData> formData();
Promise<JSON> json();
Promise<USVString> text();
};
Formats you would not want a network layer to be dependent upon, such as HTML, will likely not be exposed here. Rather, an HTML parser API might accept a stream in due course.
Objects implementing the Body mixin gain an associated
body (a byte stream), a
used flag (initially unset), and a
MIME type (initially the empty byte sequence).
The bodyUsed attribute's getter must
return true if the used flag is set, and false
otherwise.
Objects implementing the Body mixin also have an associated
consume body algorithm, which given a
type, runs these steps:
Let p be a new promise.
If used flag is set, reject
p with a TypeError.
Otherwise, set used flag and then run these substeps in parallel:
Let stream be body.
If stream is null, set stream to an empty byte sequence.
Let bytes be the result of reading from stream until it returns end-of-stream.
Switch on type:
Resolve p with an ArrayBuffer whose contents are
bytes.
Resolve p with a Blob
whose contents are bytes and
type is
MIME type.
If MIME type (ignoring parameters)
is `multipart/form-data`, run these subsubsteps:
Parse bytes, using the value of the
`boundary` parameter from
MIME type and
utf-8 as encoding, per the rules set forth
in Returning Values from Forms: multipart/form-data.
[RFC2388]
If that fails for some reason, reject p with a
TypeError.
Otherwise, resolve p with a new
FormData object, running
create an entry for each entry as the result of
the parsing operation and appending it to
entries.
The above is a rough approximation of what is required for
`multipart/form-data`, a more detailed parsing specification is to be
written. Volunteers welcome.
Otherwise, if MIME type
(ignoring parameters) is `application/x-www-form-urlencoded`, run these
subsubsteps:
Let entries be the result of parsing bytes.
If entries is failure, reject p with a
TypeError.
Resolve p with a new
FormData object whose
entries are
entries.
Otherwise, reject p with a TypeError.
Let JSON be the result of invoking the initial value of the
parse property of the JSON object with the
result of running utf-8 decode on
bytes as argument.
If that threw an exception, reject p with that exception.
Otherwise, resolve p with JSON.
Resolve p with the result of running utf-8 decode on bytes.
Return p.
The arrayBuffer()
method, when invoked, must return the result of running
consume body with ArrayBuffer.
The blob() method, when
invoked, must return the result of running
consume body with Blob.
The formData() method,
when invoked, must return the result of running
consume body with FormData.
The json() method, when
invoked, must return the result of running
consume body with JSON.
The text() method, when
invoked, must return the result of running
consume body with text.
Expose client member? See
SW #318.
typedef (Request or USVString) RequestInfo;
[Constructor(RequestInfo input, optional RequestInit init),
Exposed=(Window,Worker)]
interface Request {
readonly attribute ByteString method;
readonly attribute USVString url;
readonly attribute Headers headers;
readonly attribute RequestContext context;
readonly attribute DOMString referrer;
readonly attribute RequestMode mode;
readonly attribute RequestCredentials credentials;
readonly attribute RequestCache cache;
Request clone();
};
Request implements Body;
dictionary RequestInit {
ByteString method;
HeadersInit headers;
BodyInit body;
RequestMode mode;
RequestCredentials credentials;
RequestCache cache;
};
enum RequestContext {
"audio", "beacon", "cspreport", "download", "embed", "eventsource", "favicon", "fetch",
"font", "form", "frame", "hyperlink", "iframe", "image", "imageset", "import",
"internal", "location", "manifest", "object", "ping", "plugin", "prefetch", "script",
"serviceworker", "sharedworker", "subresource", "style", "track", "video", "worker",
"xmlhttprequest", "xslt"
};
enum RequestMode { "same-origin", "no-cors", "cors" };
enum RequestCredentials { "omit", "same-origin", "include" };
enum RequestCache { "default", "no-store", "reload", "no-cache", "force-cache", "only-if-cached" };
A Request object has an associated
request (a
request).
A Request object also has an associated Headers object which
is itself associated with request's
header list and whose
guard is request.
A Request object's body is its
request's
body.
The
Request(input, init)
constructor must run these steps:
If input is a Request object and
input's body is non-null, run
these substeps:
Let request be input's associated
request, if input is a
Request object, and a new request
otherwise.
Set request to a new request
whose url is request's
url,
method is request's
method,
header list is a copy of
request's header list,
unsafe request flag is set,
body is request's
body,
client is
entry settings object,
origin is
entry settings object's
origin,
force Origin header flag is set,
same-origin data URL flag is set,
referrer is client,
context is fetch,
mode is request's
mode,
credentials mode is
request's
credentials mode,
and
cache mode is
request's
cache mode.
Let fallbackMode be null.
Let fallbackCredentials be null.
Let fallbackCache be null.
If input is a string, run these substeps:
Let parsedURL be the result of parsing input with entry settings object's API base URL.
If parsedURL is failure,
throw a TypeError.
Set request's url to parsedURL.
Set fallbackMode to CORS.
Set fallbackCredentials to omit.
Set fallbackCache to default.
Let mode be init's mode
member if it is present, and fallbackMode otherwise.
If mode is non-null, set request's mode to mode.
Let credentials be init's
credentials member if it is present, and
fallbackCredentials otherwise.
If credentials is non-null, set request's credentials mode to credentials.
Let cache be init's cache
member if it is present, and fallbackCache otherwise.
If cache is non-null, set request's cache mode to cache.
If init's method member is present, let
method be it and run these substeps:
If method is not a method or
method is a forbidden method,
throw a TypeError.
Normalize method.
Set request's method to method.
Let r be a new Request object associated with
request and a new Headers object.
Let headers be a copy of r's
Headers object.
If init's headers member is present, set
headers to init's headers member.
Empty r's request's header list.
Fill r's
Headers object with headers. Rethrow any exceptions.
If init's body member is present, run these
substeps:
Let stream and Content-Type be the result of
extracting init's
body member.
If Content-Type is non-null and r's
request's
header list contains no
header named
`Content-Type`, append
`Content-Type`/Content-Type to r's
Headers object. Rethrow any exception.
Set r's MIME type to the result of extracting a MIME type from r's request's header list.
Return r.
The method attribute's getter must
return request's
method.
The url attribute's getter must
return request's
url,
serialized with the
exclude fragment flag set.
The headers attribute's getter must
return the associated Headers object.
The context attribute's getter must
return request's
context.
The referrer attribute's getter must
return the empty string if request's
referrer is no referrer,
"about:client" if request's
referrer is client and
request's
referrer,
serialized, otherwise.
The mode attribute's getter must
return the value corresponding to the first matching statement, switching on
request's
mode:
same-origin"
no-cors"
cors"
The credentials attribute's
getter must return request's
credentials mode.
The cache attribute's getter must
return the value corresponding to the first matching statement, switching on
request's
cache mode:
force-cache"
The clone() method, when invoked, must
run these steps:
Let newRequest be a copy of request, except that newRequest's body is a tee of request's body.
Let r be a new Request object associated with
newRequest and a new Headers object.
Return r.
[Constructor(optional BodyInit body, optional ResponseInit init),
Exposed=(Window,Worker)]
interface Response {
static Response error();
static Response redirect(USVString url, optional unsigned short status = 302);
readonly attribute ResponseType type;
readonly attribute USVString url;
readonly attribute unsigned short status;
readonly attribute ByteString statusText;
readonly attribute Headers headers;
Response clone();
};
Response implements Body;
dictionary ResponseInit {
unsigned short status = 200;
ByteString statusText = "OK";
HeadersInit headers;
};
enum ResponseType { "basic", "cors", "default", "error", "opaque" };
A Response object has an associated
response (a
response).
A Response object also has an associated Headers object which
is itself associated with response's
header list and whose
guard is response.
A Response object's body is its
response's
body.
The
Response(body, init)
constructor, when invoked, must run these steps:
If init's status member is not in the range
200 to 599, throw a RangeError.
If init's statusText member does not match the
Reason-Phrase token production,
throw a TypeError.
Let r be a new Response object, associated with a
new response and a new Headers object.
Set r's response's
status message to
init's statusText member.
If init's headers member is present, run these
substeps:
Empty r's response's header list.
Fill r's
Headers object with init's headers
member. Rethrow any exceptions.
If body is given, run these substeps:
Let stream and Content-Type be the result of extracting body.
If Content-Type is non-null and r's
response's
header list contains no
header named
`Content-Type`, append
`Content-Type`/Content-Type to
r's response's
header list.
Set r's MIME type to the result of extracting a MIME type from r's response's header list.
Set r's response's TLS state to entry settings object's TLS state.
Return r.
The static error() method, when
invoked, must run return a new Response object, associated with a new
network error and a new Headers
object.
The static
redirect(url, status)
method, when invoked, must run these steps:
Let parsedURL be the result of parsing url with entry settings object's API base URL.
If parsedURL is failure,
throw a TypeError.
If status is not one of
301,
302,
303,
307, and
308,
throw a RangeError.
Let r be a new Response object, associated with a
new response and a new Headers object.
Set `Location` to
parsedURL,
serialized and
utf-8 encoded, in
r's response's
header list.
Return r.
The type attribute's getter must return
response's
type.
The url attribute's getter must return
the empty string if response's
url is null and
response's
url,
serialized with the
exclude fragment flag set, otherwise.
[URL]
The status attribute's getter must
return response's
status.
The statusText attribute's getter
must return response's
status message.
The headers attribute's getter must
return the associated Headers object.
The clone() method, when invoked, must
run these steps:
Let newResponse be a copy of response, except that newResponse's body is a tee of request's body.
Let r be a new Response object associated with
newResponse and a new Headers object.
Return r.
Headers, Request, and Response objectsUnlikely to happen anytime soon due to difficulty of cloning promises and streams. See SW #313 for details.
[NoInterfaceObject]
interface GlobalFetch {
Promise<Response> fetch(RequestInfo input, optional RequestInit init);
};
Window implements GlobalFetch;
WorkerGlobalScope implements GlobalFetch;
The
fetch(input, init)
method, must run these steps:
Let p be a new promise.
Let r be the associated
request of the result of invoking the initial value of
Request as constructor with input and
init as arguments. If this throws an exception, reject
p with it.
Run the following in parallel:
Fetch r.
To process response for response, run these substeps:
If response's type is
error, reject p with a TypeError.
Otherwise, resolve p with new Response object
associated with response.
To process response body for response, do nothing.
To process response end-of-file for response, do nothing.
Return p.
This section and its subsections are informative only.
For the purposes of fetching, the platform has an API layer (HTML's
img, CSS' background-image), service worker layer,
and network & cache layer. `Accept` and
`Accept-Language` are set at the API layer
(typically by the user agent). Most other headers controlled by the user agent, such as
`Accept-Encoding`,
`Host`, and `Referer`, are
set in the network & cache layer. Developers can set headers either at the API layer
or in the service worker layer (typically through a Request object).
Developers have almost no control over
forbidden headers, but can control
`Accept` and have the means to constrain and disable
`Referer` for instance.
Throughout the platform, redirects (a response whose status is one of 301, 302, 303, 307, and 308) are not exposed to APIs. Exposing redirects might leak information not otherwise available through a cross-site scripting attack.
A fetch to https://example.org/auth that includes a
Cookie marked HttpOnly could result in a redirect to
https://other-origin.invalid/4af955781ea1c84a3b11. This new URL contains a
secret. If we expose redirects that secret would be available through a cross-site
scripting attack.
For resources where data is protected through IP authentication or a firewall (unfortunately relatively common still), using the CORS protocol is unsafe. (This is the reason why the CORS protocol had to be invented.)
However, otherwise using the following header is:
Access-Control-Allow-Origin: *
Even if a resource exposes additional information based on cookie or HTTP
authentication, using the above header will not reveal
it. It will share the resource with APIs such as
XMLHttpRequest, much like it is already shared with
curl and wget.
Thus in other words, if a resource cannot be accessed from a random device connected to
the web using curl and wget the aforementioned
header is not to be included. If it can be accessed
however, it is perfectly fine to do so.
If CORS protocol requirements are more complicated than setting
`Access-Control-Allow-Origin` to
* or a static origin,
`Vary` is to be used.
[HTML]
[HTTP]
Vary: Access-Control-Allow-Origin
Thanks to Adam Barth, Alexey Proskuryakov, Ángel González, Anssi Kostiainen, Arne Johannessen, Arthur Barstow, Axel Rauschmayer, Ben Kelly, Benjamin Hawkes-Lewis, Bert Bos, Björn Höhrmann, Boris Zbarsky, Brad Hill, Brad Porter, Cameron McCormack, Clement Pellerin, Collin Jackson, David Håsäther, David Orchard, Domenic Denicola, Dean Jackson, Eric Lawrence, Frank Ellerman, Frederick Hirsch, Gavin Carothers, Glenn Maynard, Graham Klyne, Hal Lockhart, Hallvord R. M. Steen, Henri Sivonen, Honza Bambas, Ian Hickson, Jake Archibald, James Graham, Janusz Majnert, Jeff Hodges, Jeffrey Yasskin, Jesse M. Heines, Jonas Sicking, Julian Reschke, Jussi Kalliokoski, Kenji Baheux, Lachlan Hunt, Lucas Gonze, 呂康豪 (Kang-Hao Lu), Maciej Stachowiak, Marc Silbey, Marcos Caceres, Mark Nottingham, Mark S. Miller, Martin Dürst, Matt Falkenhagen, Matt Oshry, Matt Womer, Mhano Harkness, Michael Smith, Mike West, Mohamed Zergaoui, Nikhil Marathe, Nikunj Mehta, Odin Hørthe Omdal, Ondřej Žára, Philip Jägenstedt, R. Auburn, Sharath Udupa, Shivakumar Jagalur Matt, Simon Pieters, Sunava Dutta, Surya Ismail, 吉野剛史 (Takeshi Yoshino), Thomas Roessler, Tobie Langel, Tomás Aparicio, 保呂毅 (Tsuyoshi Horo), Tyler Close, Vladimir Dzhuvinov, Wayne Carr, and Zhenbin Xu for being awesome.
This standard is written by Anne van Kesteren (Mozilla, annevk@annevk.nl).
Per CC0, to the extent possible under law, the editor has waived all copyright and related or neighboring rights to this work.