From 10f655db094645ce66c2829dff066dcaf15e43c8 Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Fri, 5 Jun 2026 10:26:14 +0200 Subject: [PATCH 1/4] Add TAO destination check for navigation redirect chains --- fetch.bs | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 83 insertions(+), 2 deletions(-) diff --git a/fetch.bs b/fetch.bs index 7872b8067..dd656e6e1 100755 --- a/fetch.bs +++ b/fetch.bs @@ -2307,10 +2307,15 @@ Unless stated otherwise, it is unset. timing allow failed flag. Unless stated otherwise, it is unset. +

A request has an associated +timing allow check set (a list of zero or more +strings). Unless stated otherwise, it is « "*" ». +

A request's URL list, current URL, redirect count, response tainting, -done flag, and timing allow failed flag are used as -bookkeeping details by the fetch algorithm. +done flag, timing allow failed flag, and +timing allow check set are used as bookkeeping details by the +fetch algorithm.

A request has an associated WebDriver id @@ -2608,6 +2613,14 @@ allowed on the resource fetched by looking at the flag of the response returned. the response of a redirect has to be set if it was set for previous responses in the redirect chain, this is also tracked internally using the request's timing allow failed flag. +

A response has an associated +timing allow check set (a list of zero or more +strings). Unless stated otherwise, it is « "*" ». + +

This is used by responses to navigation requests so that +callers can determine, once the navigation's destination origin is known, whether that origin is +allowed by every redirect in the redirect chain. +

A response has an associated body info (a response body info). Unless stated otherwise, it is a new @@ -5104,6 +5117,10 @@ steps:

  • Set internalResponse's redirect taint to request's redirect-taint. +

  • If request is a navigation request, then set + internalResponse's timing allow check set to a clone + of request's timing allow check set. +

  • If request's timing allow failed flag is unset, then set internalResponse's timing allow passed flag. @@ -5884,6 +5901,10 @@ these steps:

    If internalResponse's status is a redirect status:

      +
    1. If request is a navigation request, then + update a request's timing allow check set given request and + internalResponse. +

    2. If internalResponse's status is not 303, request's body is non-null, and the connection uses HTTP/2, then user agents @@ -7311,6 +7332,66 @@ agent's CORS-preflight cache for which there is a cache entry match +

      +

      To update a request's timing allow check set, given a request +request and a response response, run these steps: + +

        +
      1. Assert: request is a navigation request. + +

      2. Let values be the result of + getting, decoding, and splitting `Timing-Allow-Origin` from + response's header list. + +

      3. If values is null, then set values to « ». + +

      4. Let newSet be « ». + +

      5. +

        For each value of request's + timing allow check set: + +

          +
        1. If values contains value, or + values contains "*", then append + value to newSet. +

        + +
      6. +

        If request's timing allow check set contains + "*", then for each value of values: + +

          +
        1. If newSet contains value, then + continue. + +

        2. Append value to newSet. +

        + +
      7. If values contains "*" is false, then + remove "*" from newSet. + +

      8. Set request's timing allow check set to newSet. +

      +
      + +
      +

      To perform a navigation TAO check for a +response response and an origin +destinationOrigin, run these steps. They return a boolean. + +

        +
      1. If response's timing allow check set contains + "*", then return true. + +

      2. If response's timing allow check set contains + destinationOrigin, serialized, then return + true. + +

      3. Return false. +

      +
      +

      Deferred fetching

      Deferred fetching allows callers to request that a fetch is invoked at the latest possible From 165dcad6248608f2e90511ec6883c6ae887d11e0 Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Fri, 5 Jun 2026 10:33:01 +0200 Subject: [PATCH 2/4] success/failure --- fetch.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fetch.bs b/fetch.bs index dd656e6e1..cf2f267f1 100755 --- a/fetch.bs +++ b/fetch.bs @@ -7378,17 +7378,17 @@ agent's CORS-preflight cache for which there is a cache entry match

      To perform a navigation TAO check for a response response and an origin -destinationOrigin, run these steps. They return a boolean. +destinationOrigin, run these steps:

      1. If response's timing allow check set contains - "*", then return true. + "*", then return success.

      2. If response's timing allow check set contains destinationOrigin, serialized, then return - true. + success. -

      3. Return false. +

      4. Return failure.

      From 46394866fa5cffed7ec43209ce8f98e5c853dd49 Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Fri, 5 Jun 2026 11:28:33 +0200 Subject: [PATCH 3/4] Variable rename and simplification --- fetch.bs | 71 +++++++++++++++++++++++++++++++------------------------- 1 file changed, 39 insertions(+), 32 deletions(-) diff --git a/fetch.bs b/fetch.bs index cf2f267f1..076099b5e 100755 --- a/fetch.bs +++ b/fetch.bs @@ -2308,13 +2308,13 @@ Unless stated otherwise, it is unset. otherwise, it is unset.

      A request has an associated -timing allow check set (a list of zero or more -strings). Unless stated otherwise, it is « "*" ». +navigation timing allow check set (a list of zero or +more strings). Unless stated otherwise, it is « "*" ».

      A request's URL list, current URL, redirect count, response tainting, done flag, timing allow failed flag, and -timing allow check set are used as bookkeeping details by the +navigation timing allow check set are used as bookkeeping details by the fetch algorithm.

      A request has an associated @@ -2614,8 +2614,8 @@ the response of a redirect has to be set if it was set for previous responses in this is also tracked internally using the request's timing allow failed flag.

      A response has an associated -timing allow check set (a list of zero or more -strings). Unless stated otherwise, it is « "*" ». +navigation timing allow check set (a list of zero or +more strings). Unless stated otherwise, it is « "*" ».

      This is used by responses to navigation requests so that callers can determine, once the navigation's destination origin is known, whether that origin is @@ -5118,8 +5118,9 @@ steps: redirect-taint.

    3. If request is a navigation request, then set - internalResponse's timing allow check set to a clone - of request's timing allow check set. + internalResponse's navigation timing allow check set to a + clone of request's + navigation timing allow check set.

    4. If request's timing allow failed flag is unset, then set internalResponse's timing allow passed flag. @@ -5902,7 +5903,7 @@ these steps:

      1. If request is a navigation request, then - update a request's timing allow check set given request and + update a request's navigation timing allow check set given request and internalResponse.

      2. @@ -7333,45 +7334,51 @@ agent's CORS-preflight cache for which there is a cache entry match
        -

        To update a request's timing allow check set, given a request -request and a response response, run these steps: +

        To update a request's navigation timing allow check set, given a +request request and a response response, run these +steps:

        1. Assert: request is a navigation request. -

        2. Let values be the result of +

        3. Let taoValues be the result of getting, decoding, and splitting `Timing-Allow-Origin` from response's header list. -

        4. If values is null, then set values to « ». +

        5. If taoValues is null, then set taoValues to « ». + +

        6. If taoValues contains "*", then return. + +

        7. Let currentSet be request's + navigation timing allow check set.

        8. Let newSet be « ».

        9. -

          For each value of request's - timing allow check set: +

          If currentSet contains "*", then:

            -
          1. If values contains value, or - values contains "*", then append - value to newSet. +

          2. +

            For each taoValue of taoValues: + +

              +
            1. If newSet contains taoValue, then + continue. + +

            2. Append taoValue to newSet. +

        10. -

          If request's timing allow check set contains - "*", then for each value of values: +

          Otherwise, for each allowedOrigin of currentSet:

            -
          1. If newSet contains value, then - continue. - -

          2. Append value to newSet. +

          3. If taoValues contains allowedOrigin, then + append allowedOrigin to newSet.

          -
        11. If values contains "*" is false, then - remove "*" from newSet. - -

        12. Set request's timing allow check set to newSet. +

        13. Set request's navigation timing allow check set to + newSet.

        @@ -7381,12 +7388,12 @@ agent's CORS-preflight cache for which there is a cache entry matchdestinationOrigin, run these steps:
          -
        1. If response's timing allow check set contains - "*", then return success. +

        2. If response's navigation timing allow check set + contains "*", then return success. -

        3. If response's timing allow check set contains - destinationOrigin, serialized, then return - success. +

        4. If response's navigation timing allow check set + contains destinationOrigin, + serialized, then return success.

        5. Return failure.

        From 7aab34b270ce8d6c1a7215a3a6e9178bbb8183dd Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Fri, 5 Jun 2026 11:53:16 +0200 Subject: [PATCH 4/4] Add notes and clarify --- fetch.bs | 42 ++++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/fetch.bs b/fetch.bs index 076099b5e..bf7f9b6eb 100755 --- a/fetch.bs +++ b/fetch.bs @@ -2308,8 +2308,8 @@ Unless stated otherwise, it is unset. otherwise, it is unset.

        A request has an associated -navigation timing allow check set (a list of zero or -more strings). Unless stated otherwise, it is « "*" ». +navigation timing allow check set (an ordered set of zero +or more strings). Unless stated otherwise, it is « "*" ».

        A request's URL list, current URL, redirect count, response tainting, @@ -2614,8 +2614,8 @@ the response of a redirect has to be set if it was set for previous responses in this is also tracked internally using the request's timing allow failed flag.

        A response has an associated -navigation timing allow check set (a list of zero or -more strings). Unless stated otherwise, it is « "*" ». +navigation timing allow check set (an ordered set of +zero or more strings). Unless stated otherwise, it is « "*" ».

        This is used by responses to navigation requests so that callers can determine, once the navigation's destination origin is known, whether that origin is @@ -5119,7 +5119,7 @@ steps:

      3. If request is a navigation request, then set internalResponse's navigation timing allow check set to a - clone of request's + clone of request's navigation timing allow check set.

      4. If request's timing allow failed flag is unset, then set @@ -5903,7 +5903,7 @@ these steps:

        1. If request is a navigation request, then - update a request's navigation timing allow check set given request and + restrict a request's navigation timing allow check set given request and internalResponse.

        2. @@ -7334,7 +7334,7 @@ agent's CORS-preflight cache for which there is a cache entry match
          -

          To update a request's navigation timing allow check set, given a +

          To restrict a request's navigation timing allow check set, given a request request and a response response, run these steps: @@ -7348,33 +7348,35 @@ steps:

        3. If taoValues is null, then set taoValues to « ».

        4. If taoValues contains "*", then return. +

          If the current response contains "*", it does not further restrict the chain.

        5. Let currentSet be request's navigation timing allow check set. -

        6. Let newSet be « ». +

        7. Let newSet be a new ordered set.

        8. -

          If currentSet contains "*", then: +

          If currentSet contains "*", then: + +

          If all previous responses in the chain contained "*", the current + response's values can be taken as is.

            -
          1. -

            For each taoValue of taoValues: +

          2. For each taoValue of taoValues, + append taoValue to newSet. -

              -
            1. If newSet contains taoValue, then - continue. +

            2. Set request's navigation timing allow check set to + newSet. -

            3. Append taoValue to newSet. -

            +
          3. Return.

        9. -

          Otherwise, for each allowedOrigin of currentSet: +

          For each allowedOrigin of currentSet:

          1. If taoValues contains allowedOrigin, then - append allowedOrigin to newSet. + append allowedOrigin to newSet.

        10. Set request's navigation timing allow check set to @@ -7389,10 +7391,10 @@ steps:

          1. If response's navigation timing allow check set - contains "*", then return success. + contains "*", then return success.

          2. If response's navigation timing allow check set - contains destinationOrigin, + contains destinationOrigin, serialized, then return success.

          3. Return failure.
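Review bot: In [PATCH 1/4], hunk @@ -5884,6 +5901,10, the set is only narrowed under "If internalResponse's status is a redirect status", so the final response's `Timing-Allow-Origin` header never contributes to the check. That agrees with the note added at @@ -2608 ("allowed by every redirect in the redirect chain"), but someone reading the redirect steps on their own cannot tell the exclusion is intentional. A one-sentence note at this call site saying the final response is deliberately left out would settle it.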
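Review bot: In [PATCH 3/4], hunk @@ -7333,45 +7334,51, the branch "If currentSet contains "*", then:" depends on an invariant the text never states. Because the steps return early when taoValues contains "*", nothing in this algorithm ever appends "*" to newSet, so "*" can only appear as the sole member of the default « "*" ». Consider testing "is « "*" »" rather than "contains", or adding an Assert to that effect, so that a set mixing "*" with origins is visibly ruled out and step 1 of the navigation TAO check is easier to reason about.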
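Review bot: In [PATCH 4/4], hunk @@ -7348,33 +7348,35, notes were added for both "*" cases, but the step "If taoValues is null, then set taoValues to « »" still has none, and it is the fail-closed case. A redirect with no `Timing-Allow-Origin` header empties the set, and since a later response containing "*" returns early without touching it, the set stays empty for the rest of the chain and the navigation TAO check returns failure. Suggest a note on that step saying so, in the same style as the two added here.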
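Review bot: In [PATCH 4/4], hunk @@ -7389,10 +7391,10, step 2 matches on "destinationOrigin, serialized" without saying what happens when destinationOrigin is an opaque origin. An opaque origin serializes to "null", so if every redirect in the chain lists `null` in `Timing-Allow-Origin`, the check succeeds for any opaque destination, and unrelated opaque origins are indistinguishable here. Either return failure up front when destinationOrigin is opaque, or add a note stating that matching on "null" is intended.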