From 10545d220cfc455549878c5b7659de89d5d06e4c Mon Sep 17 00:00:00 2001 From: Benjamin VanderSloot Date: Mon, 3 Mar 2025 14:44:40 -0500 Subject: [PATCH 1/7] Integrate with HTTP WG's layered-cookies draft Co-Authored-By: Anne van Kesteren --- fetch.bs | 214 ++++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 173 insertions(+), 41 deletions(-) diff --git a/fetch.bs b/fetch.bs index 4d01e315b..e37ed60ab 100755 --- a/fetch.bs +++ b/fetch.bs @@ -54,10 +54,29 @@ urlPrefix:https://tc39.es/ecma262/#;type:dfn;spec:ecma-262 url:realm;text:realm url:sec-list-and-record-specification-type;text:Record url:current-realm;text:current realm + +urlPrefix:https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-layered-cookies#;type:dfn;spec:cookies + url:name-cookie-store-and-limits;text:cookie store + url:name-parse-and-store-a-cookie;text:parse and store a cookie + url:name-parse-a-cookie;text:parse a cookie + url:name-store-a-cookie;text:store a cookie + url:name-retrieve-cookies;text:retrieve cookies + url:name-serialize-cookies;text:serialize cookies + url:name-garbage-collect-cookies;text:garbage collect cookies + + +urlPrefix:https://html.spec.whatwg.org#;type:dfn;spec:html + url:TODO;text:has cross-site ancestor;for:environment + url:TODO;text:has storage access;for:environment
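Review bot: the two `url:TODO` entries in the new HTML `urlPrefix` block are placeholder fragments, so `has cross-site ancestor` and `has storage access` will link to `#TODO` in the built spec; either point them at the real HTML dfn ids or land the HTML export first and drop the local anchors. `has storage access` is also not referenced anywhere in this patch, so that line can go.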
 {
+    "COOKIES": {
+        "authors": ["Johann Hofmann", "Anne van Kesteren"],
+        "href": "https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-layered-cookies",
+        "title": "Cookies: HTTP State Management Mechanism"
+    },
     "HTTP": {
         "aliasOf": "RFC9110"
     },
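Review bot: adding a local "COOKIES" biblio entry changes what every existing `[[COOKIES]]` and `[[!COOKIES]]` in fetch.bs resolves to, and the text removed later in this patch cites "section 7" and "section 5.4" of it, section numbers that belong to the RFC and not to the layered draft. Worth a grep for any remaining `[[COOKIES]]` citation with a section number before this lands, since the draft's algorithms are linked by name through the `url:name-...` anchors above, not by section.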
@@ -1961,6 +1980,10 @@ not always relevant and might require different behavior.
 "client" or an origin. Unless stated otherwise it is
 "client".
 
+

A request has an associated +top-level navigation initiator origin, +which is an origin or null. Unless stated otherwise it is null. +

"client" is changed to an origin during fetching. It provides a convenient way for standards to not have to set request's origin. @@ -2249,9 +2272,9 @@ or "object".
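Review bot: the -1961 hunk defines the new `top-level navigation initiator origin` request field with a default of null, but nothing in this series sets it, while step 2 of "determine the same-site mode" later in this patch relies on it to detect cross-site navigations. Until the HTML navigate algorithm populates it, that check is a no-op and a cross-site top-level POST navigation can fall through to "strict-or-less"; a pointer to the companion HTML change (or a TODO) belongs next to this definition.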


-

A request request has a -redirect-tainted origin if these steps -return true: +

To compute the redirect-taint of a +request request, perform the following steps. They return +"same-origin", "same-site", or "cross-site".

  1. Assert: request's origin is not @@ -2259,6 +2282,8 @@ return true:

  2. Let lastURL be null. +

  3. Let computedTaint be "same-origin". +

  4. For each url of request's URL list: @@ -2266,14 +2291,20 @@ return true:

  5. If lastURL is null, then set lastURL to url and continue. +

  6. If url's origin is not same site with + lastURL's origin and request's origin is + not same site with lastURL's origin, then return + "cross-site". +

  7. If url's origin is not same origin with lastURL's origin and request's origin is - not same origin with lastURL's origin, then return true. + not same origin with lastURL's origin, then set + computedTaint to "same-site".

  8. Set lastURL to url.
-
  • Return false. +
  • Return computedTaint.

  • @@ -2285,8 +2316,8 @@ run these steps:
  • Assert: request's origin is not "client". -

  • If request has a redirect-tainted origin, then return - "null". +

  • If request's redirect-taint is not "same-origin", + then return "null".

  • Return request's origin, serialized. @@ -2385,20 +2416,20 @@ source of security bugs. Please seek security review for features that deal with "client".

  • If request's mode is not "no-cors", then return - true.

    + true. -
  • If request's client is null, then return true.

    +
  • If request's client is null, then return true.

  • If request's client's policy container's embedder policy's value is not - "credentialless", then return true.

    + "credentialless", then return true.
  • If request's origin is same origin with - request's current URL's origin and request - does not have a redirect-tainted origin, then return true.

    + request's current URL's origin and request's + redirect-taint is not "same-origin", then return true. -
  • Return false.

    +
  • Return false. @@ -2509,8 +2540,9 @@ this is also tracked internally using the request's timing allow service worker timing info (null or a service worker timing info), which is initially null. -
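Review bot: the -2385 hunk inverts the last condition of the `credentialless` check. The removed text reads "request does not have a redirect-tainted origin", which in the new vocabulary is `redirect-taint is "same-origin"`, but the replacement says `request's redirect-taint is not "same-origin"`. As written the step returns true for same-origin requests that were tainted by a cross-origin redirect and falls through for clean same-origin ones, which is backwards; change it to `and request's redirect-taint is "same-origin", then return true`.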

    A response has an associated has-cross-origin-redirects -(a boolean), which is initially false. +

    A response has an associated redirect taint +("same-origin", "same-site", or "cross-site"), which is +initially "same-origin".


    @@ -4252,6 +4284,125 @@ prefetch, or to treat it differently when counting page visits. +

    Cookies

    + + + +

    The `Cookie` header is largely defined in its own specification. We define +additional infrastructure to be able to use them conveniently here. [[COOKIES]]. + +

    +

    To append a request `Cookie` header, +given a request request: + +

      +
    1. If the user agent is configured to disable cookies for request, then it should + return. + +

    2. Let |sameSite| be the result of [=determining the same-site mode=] for request. + +

    3. Let |isSecure| be false. + +

    4. If request's client is a secure context, then set + |isSecure| to true. + +

    5. +

      Let |httpOnlyAllowed| be true. + +

      True follows from this being invoked from fetch, as opposed to the + document.cookie getter steps for instance. + +

    6. +

      Let |cookies| be the result of running retrieve cookies given |isSecure|, + request's current URL's host, request's + current URL's path, |httpOnlyAllowed|, and |sameSite|. + +

      The cookie store returns an ordered list of cookies + +

    7. If |cookies| is empty, then return. + +

    8. Let |value| be the result of running serialize cookies given |cookies|. + +

    9. Append (`Cookie`, value) to + request's header list. +

    +
    + +
    +

    To +parse and store response `Set-Cookie` headers, +given a request request and a response response: + +

      +
    1. If the user agent is configured to disable cookies for request, + then it should return. + +

    2. Let |allowNonHostOnlyCookieForPublicSuffix| be false. + +

    3. Let |isSecure| be false. + +

    4. If request's current URL's scheme is + "https", then set |isSecure| to true. + +

    5. +

      Let |httpOnlyAllowed| be true. + +

      True follows from this being invoked from fetch, as opposed to the + document.cookie getter steps for instance. + +

    6. Let |sameSiteStrictOrLaxAllowed| be true if the result of [=determine the same-site mode=] + for |request| is "StrictOrLess", and false otherwise. + +

    7. For each header of response's + header list: + +

        +
      1. If header's name is not a byte-case-insensitive match + for `Set-Cookie`, continue. + +

      2. Parse and store a cookie given header's value, + |isSecure|, request's current URL's host, + request's current URL's path, |httpOnlyAllowed|, + |allowNonHostOnlyCookieForPublicSuffix|, and |sameSiteStrictOrLaxAllowed|. + +

      3. Garbage collect cookies given request's + current URL's host. +

      +
    +
    + + + +

    These algorithms are not only for use with the `Cookie` header, and are used in +other specifications. + +

    +

    To determine the same-site mode for a given request request: + +

      +
    1. Assert: request's method is "GET" + or "POST". + +

    2. If request's top-level navigation initiator origin is not + null and is not same site to request's URL's + origin, then return "UnsetOrLess". + +

    3. If request's method is "GET" and + request's destination is "document", then return + "LaxOrLess". + +

    4. If request's client's + has cross-site ancestor is true then return "UnsetOrLess". + +

    5. If request's redirect-taint is "cross-site", + then return "UnsetOrLess". + +

    6. Return "StrictOrLess". +

    +
    + + +

    Fetching

    The algorithm below defines fetching. In broad strokes, it takes @@ -4729,8 +4880,8 @@ steps: -
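Review bot: in the -4252 hunk, step 4 of "append a request `Cookie` header" derives |isSecure| from whether request's client is a secure context, but that says nothing about the URL being fetched: a secure-context document fetching an http: URL, or a request redirected to http:, would retrieve Secure cookies for a plaintext request. Use `request's current URL's scheme is "https"` as the Set-Cookie side of the same hunk already does; that also avoids dereferencing a null client, which the -2385 hunk shows is possible. Smaller points in the same hunk: "garbage collect cookies" runs inside the per-header loop and only needs to run once after it; the dfn link text is `[=determining the same-site mode=]` in one step and `[=determine the same-site mode=]` in another, so one of them will not resolve; the return values "UnsetOrLess", "LaxOrLess" and "StrictOrLess" do not match the lowercase hyphenated identifiers of the layered draft ("strict-or-less"); and "configured to disable cookies for request" is not a defined term yet replaces a concrete section reference, so it needs a hook or a note on what decides it.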

  • If request has a redirect-tainted origin, then set - internalResponse's has-cross-origin-redirects to true. +

  • Set internalResponse's redirect taint to request's + redirect-taint.

  • If request's timing allow failed flag is unset, then set internalResponse's timing allow passed flag. @@ -4883,7 +5034,7 @@ steps:

  • If fetchParams's request's mode is not "navigate" or response's - has-cross-origin-redirects is false: + redirect taint is "same-origin":

    1. Set responseStatus to response's status. @@ -5766,21 +5917,7 @@ run these steps:

      If includeCredentials is true, then:

        -
      1. -

        If the user agent is not configured to block cookies for httpRequest (see - section 7 of - [[!COOKIES]]), then: - -

          -
        1. Let cookies be the result of running the "cookie-string" algorithm (see - section 5.4 of - [[!COOKIES]]) with the user agent's cookie store and httpRequest's - current URL. - -

        2. If cookies is not the empty string, then append - (`Cookie`, cookies) to httpRequest's - header list. -
        +
      2. Append a request `Cookie` header for httpRequest.

      3. If httpRequest's header list @@ -6343,14 +6480,9 @@ optional boolean forceNewConnection (default false), run these steps:

      4. Set response's body to a new body whose stream is stream. -

      5. If includeCredentials is true and the user agent is not - configured to block cookies for request (see - section 7 of - [[!COOKIES]]), then run the "set-cookie-string" parsing algorithm (see - section 5.2 of [[!COOKIES]]) on the - value of each header whose name is a - byte-case-insensitive match for `Set-Cookie` in response's - header list, if any, and request's current URL. +

      6. If includeCredentials is true, then the user agent should + parse and store response `Set-Cookie` headers given request and + response.

      7. Run these steps in parallel: From b9b0b80e1f2191057c6ead590ca7328fdca8c629 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Tue, 20 May 2025 10:48:23 +0200 Subject: [PATCH 2/7] nits and some minor errors --- fetch.bs | 90 +++++++++++++++++++++++++++++--------------------------- 1 file changed, 46 insertions(+), 44 deletions(-) diff --git a/fetch.bs b/fetch.bs index e37ed60ab..b227bf7ff 100755 --- a/fetch.bs +++ b/fetch.bs @@ -1981,8 +1981,8 @@ not always relevant and might require different behavior. "client".

        A request has an associated -top-level navigation initiator origin, -which is an origin or null. Unless stated otherwise it is null. +top-level navigation initiator origin, which is an origin +or null. Unless stated otherwise it is null.

        "client" is changed to an origin during fetching. It provides a convenient way for standards to not have to set @@ -2301,7 +2301,7 @@ or "object". not same origin with lastURL's origin, then set computedTaint to "same-site". -

      8. Set lastURL to url. +
      9. Set lastURL to url.

    2. Return computedTaint. @@ -4286,14 +4286,16 @@ prefetch, or to treat it differently when counting page visits.

      Cookies

      - +

      The `Cookie` request header and `Set-Cookie` response headers are +largely defined in their own specifications. We define additional infrastructure to be able to use +them conveniently here. [[COOKIES]]. + -

      The `Cookie` header is largely defined in its own specification. We define -additional infrastructure to be able to use them conveniently here. [[COOKIES]]. +

      -

      To append a request `Cookie` header, -given a request request: +

      To append a request `Cookie` header, given a request +request:

      1. If the user agent is configured to disable cookies for request, then it should @@ -4301,10 +4303,8 @@ given a request request:

      2. Let |sameSite| be the result of [=determining the same-site mode=] for request. -

      3. Let |isSecure| be false. - -

      4. If request's client is a secure context, then set - |isSecure| to true. +

      5. Let |isSecure| be true if request's current URL's + scheme is "https"; otherwise false.

      6. Let |httpOnlyAllowed| be true. @@ -4328,21 +4328,21 @@ given a request request:

      + + +
      -

      To -parse and store response `Set-Cookie` headers, -given a request request and a response response: +

      To parse and store response `Set-Cookie` headers, given a +request request and a response response:

        -
      1. If the user agent is configured to disable cookies for request, - then it should return. +

      2. If the user agent is configured to disable cookies for request, then it should + return.

      3. Let |allowNonHostOnlyCookieForPublicSuffix| be false. -

      4. Let |isSecure| be false. - -

      5. If request's current URL's scheme is - "https", then set |isSecure| to true. +

      6. Let |isSecure| be true if request's current URL's + scheme is "https"; otherwise false.

      7. Let |httpOnlyAllowed| be true. @@ -4351,30 +4351,32 @@ given a request request and a response document.cookie getter steps for instance.

      8. Let |sameSiteStrictOrLaxAllowed| be true if the result of [=determine the same-site mode=] - for |request| is "StrictOrLess", and false otherwise. + for |request| is "strict-or-less"; otherwise false. -

      9. For each header of response's - header list: +

      10. +

        For each header of response's + header list: -

          -
        1. If header's name is not a byte-case-insensitive match - for `Set-Cookie`, continue. +

            +
          1. If header's name is not a byte-case-insensitive match + for `Set-Cookie`, then continue. -

          2. Parse and store a cookie given header's value, - |isSecure|, request's current URL's host, - request's current URL's path, |httpOnlyAllowed|, - |allowNonHostOnlyCookieForPublicSuffix|, and |sameSiteStrictOrLaxAllowed|. +

          3. Parse and store a cookie given header's value, + |isSecure|, request's current URL's host, + request's current URL's path, |httpOnlyAllowed|, + |allowNonHostOnlyCookieForPublicSuffix|, and |sameSiteStrictOrLaxAllowed|. -

          4. Garbage collect cookies given request's - current URL's host. -

          +
        2. Garbage collect cookies given request's current URL's + host. +

        + +

        As noted elsewhere the `Set-Cookie` header cannot be combined and + therefore each occurrence is processed independently. This is not allowed for any other header.

      - -

      These algorithms are not only for use with the `Cookie` header, and are used in -other specifications. +

      To determine the same-site mode for a given request request: @@ -4384,20 +4386,20 @@ other specifications. or "POST".
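Review bot: the new note in the -4328 hunk, "This is not allowed for any other header.", is ambiguous about what is not allowed, processing occurrences independently or the inability to combine them. Suggest: "`Set-Cookie` is the only header whose values cannot be combined, so each occurrence is processed on its own." Moving "garbage collect cookies" out of the per-header loop looks right.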

    3. If request's top-level navigation initiator origin is not - null and is not same site to request's URL's - origin, then return "UnsetOrLess". + null and is not same site with request's URL's + origin, then return "unset-or-less".

    4. If request's method is "GET" and request's destination is "document", then return - "LaxOrLess". + "lax-or-less".

    5. If request's client's - has cross-site ancestor is true then return "UnsetOrLess". + has cross-site ancestor is true, then return "unset-or-less". -

    6. If request's redirect-taint is "cross-site", - then return "UnsetOrLess". +

    7. If request's redirect-taint is "cross-site", then + return "unset-or-less". -

    8. Return "StrictOrLess". +

    9. Return "strict-or-less".

    From 0f03c7aa7d3437ca9e7d1e64c4f1baa8dc904150 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Tue, 20 May 2025 13:55:03 +0200 Subject: [PATCH 3/7] this should not come before the note that applies to origin --- fetch.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fetch.bs b/fetch.bs index b227bf7ff..ee267eb09 100755 --- a/fetch.bs +++ b/fetch.bs @@ -1980,14 +1980,14 @@ not always relevant and might require different behavior. "client" or an origin. Unless stated otherwise it is "client". -

    A request has an associated -top-level navigation initiator origin, which is an origin -or null. Unless stated otherwise it is null. -

    "client" is changed to an origin during fetching. It provides a convenient way for standards to not have to set request's origin. +

    A request has an associated +top-level navigation initiator origin, which is an origin +or null. Unless stated otherwise it is null. +

    A request has an associated policy container, which is "client" or a policy container. Unless stated otherwise it is From f1f4c66695d76fc81306306a9454b4ea6d0287d6 Mon Sep 17 00:00:00 2001 From: Benjamin VanderSloot Date: Tue, 10 Jun 2025 07:57:58 -0400 Subject: [PATCH 4/7] +ack --- fetch.bs | 1 + 1 file changed, 1 insertion(+) diff --git a/fetch.bs b/fetch.bs index ee267eb09..aa5de79b4 100755 --- a/fetch.bs +++ b/fetch.bs @@ -9290,6 +9290,7 @@ Axel Rauschmayer, Ben Kelly, Benjamin Gruenbaum, Benjamin Hawkes-Lewis, +Benjamin VanderSloot, Bert Bos, Björn Höhrmann, Boris Zbarsky, From 951fee066d3bc119b812b6d35e49510f4c64ed63 Mon Sep 17 00:00:00 2001 From: Benjamin VanderSloot Date: Thu, 24 Jul 2025 14:41:53 -0400 Subject: [PATCH 5/7] incoprorating nits from @annevk --- fetch.bs | 250 +++++++++++++++++++++++++++---------------------------- 1 file changed, 123 insertions(+), 127 deletions(-) diff --git a/fetch.bs b/fetch.bs index aa5de79b4..cbf7a0b2a 100755 --- a/fetch.bs +++ b/fetch.bs @@ -64,10 +64,9 @@ urlPrefix:https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-layered-cooki url:name-serialize-cookies;text:serialize cookies url:name-garbage-collect-cookies;text:garbage collect cookies - + urlPrefix:https://html.spec.whatwg.org#;type:dfn;spec:html url:TODO;text:has cross-site ancestor;for:environment - url:TODO;text:has storage access;for:environment

  • @@ -2282,7 +2281,7 @@ or "object".
     
      
  • Let lastURL be null. -

  • Let computedTaint be "same-origin". +

  • Let taint be "same-origin".

  • For each url of request's URL list: @@ -2299,12 +2298,12 @@ or "object".

  • If url's origin is not same origin with lastURL's origin and request's origin is not same origin with lastURL's origin, then set - computedTaint to "same-site". + taint to "same-site".

  • Set lastURL to url. -

  • Return computedTaint. +

  • Return taint. @@ -3347,6 +3346,125 @@ through TLS using ALPN. The protocol cannot be spoofed through HTTP requests in

    HTTP extensions

    +

    Cookies

    + +

    The `Cookie` request header and `Set-Cookie` response headers are +largely defined in their own specifications. We define additional infrastructure to be able to use +them conveniently here. [[COOKIES]]. + + +

    + +
    +

    To append a request `Cookie` header, given a request +request: + +

      +
    1. If the user agent is configured to disable cookies for request, then it should + return. + +

    2. Let |sameSite| be the result of [=determining the same-site mode=] for request. + +

    3. Let |isSecure| be true if request's current URL's + scheme is "https"; otherwise false. + +

    4. +

      Let |httpOnlyAllowed| be true. + +

      True follows from this being invoked from fetch, as opposed to the + document.cookie getter steps for instance. + +

    5. +

      Let |cookies| be the result of running retrieve cookies given |isSecure|, + request's current URL's host, request's + current URL's path, |httpOnlyAllowed|, and |sameSite|. + +

      The cookie store returns an ordered list of cookies + +

    6. If |cookies| is empty, then return. + +

    7. Let |value| be the result of running serialize cookies given |cookies|. + +

    8. Append (`Cookie`, value) to + request's header list. +

    +
    + + + + +
    +

    To parse and store response `Set-Cookie` headers, given a +request request and a response response: + +

      +
    1. If the user agent is configured to disable cookies for request, then it should + return. + +

    2. Let |allowNonHostOnlyCookieForPublicSuffix| be false. + +

    3. Let |isSecure| be true if request's current URL's + scheme is "https"; otherwise false. + +

    4. +

      Let |httpOnlyAllowed| be true. + +

      True follows from this being invoked from fetch, as opposed to the + document.cookie getter steps for instance. + +

    5. Let |sameSiteStrictOrLaxAllowed| be true if the result of [=determine the same-site mode=] + for |request| is "strict-or-less"; otherwise false. + +

    6. +

      For each header of response's + header list: + +

        +
      1. If header's name is not a byte-case-insensitive match + for `Set-Cookie`, then continue. + +

      2. Parse and store a cookie given header's value, + |isSecure|, request's current URL's host, + request's current URL's path, |httpOnlyAllowed|, + |allowNonHostOnlyCookieForPublicSuffix|, and |sameSiteStrictOrLaxAllowed|. + +

      3. Garbage collect cookies given request's current URL's + host. +

      + +

      As noted elsewhere the `Set-Cookie` header cannot be combined and + therefore each occurrence is processed independently. This is not allowed for any other header. +

    +
    + + + + +
    +

    To determine the same-site mode for a given request request: + +

      +
    1. Assert: request's method is "GET" + or "POST". + +

    2. If request's top-level navigation initiator origin is not + null and is not same site with request's URL's + origin, then return "unset-or-less". + +

    3. If request's method is "GET" and + request's destination is "document", then return + "lax-or-less". + +

    4. If request's client's + has cross-site ancestor is true, then return "unset-or-less". + +

    5. If request's redirect-taint is "cross-site", then + return "unset-or-less". + +

    6. Return "strict-or-less". +

    +
    +

    `Origin` header

    The `Origin` @@ -4283,128 +4401,6 @@ indicates the request’s purpose is to fetch a resource that is anticipated to prefetch, or to treat it differently when counting page visits. - -
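Review bot: two questions on "determine the same-site mode" as re-added in the -3347 hunk. Step 1 asserts the method is `GET` or `POST`, yet the algorithm is reached from HTTP-network-or-cache fetch for any request with includeCredentials, so a credentialed fetch() using PUT or DELETE would trip the assertion; either drop the assert or say what other methods map to. Second, none of steps 2 to 6 compares request's origin (or its client's origin) with request's current URL's site: a cross-site subresource request from a top-level document with no cross-site ancestor and no redirects reaches step 6 and returns "strict-or-less", which would let SameSite=Strict cookies be attached to it. If "retrieve cookies" in the layered draft is expected to perform that comparison itself, a note saying so would help; otherwise a same-site check is missing here. The `[=determining the same-site mode=]` versus `[=determine the same-site mode=]` mismatch and the missing period after "ordered list of cookies" carry over unchanged from the original section.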

    Cookies

    - -

    The `Cookie` request header and `Set-Cookie` response headers are -largely defined in their own specifications. We define additional infrastructure to be able to use -them conveniently here. [[COOKIES]]. - - -

    - -
    -

    To append a request `Cookie` header, given a request -request: - -

      -
    1. If the user agent is configured to disable cookies for request, then it should - return. - -

    2. Let |sameSite| be the result of [=determining the same-site mode=] for request. - -

    3. Let |isSecure| be true if request's current URL's - scheme is "https"; otherwise false. - -

    4. -

      Let |httpOnlyAllowed| be true. - -

      True follows from this being invoked from fetch, as opposed to the - document.cookie getter steps for instance. - -

    5. -

      Let |cookies| be the result of running retrieve cookies given |isSecure|, - request's current URL's host, request's - current URL's path, |httpOnlyAllowed|, and |sameSite|. - -

      The cookie store returns an ordered list of cookies - -

    6. If |cookies| is empty, then return. - -

    7. Let |value| be the result of running serialize cookies given |cookies|. - -

    8. Append (`Cookie`, value) to - request's header list. -

    -
    - - - - -
    -

    To parse and store response `Set-Cookie` headers, given a -request request and a response response: - -

      -
    1. If the user agent is configured to disable cookies for request, then it should - return. - -

    2. Let |allowNonHostOnlyCookieForPublicSuffix| be false. - -

    3. Let |isSecure| be true if request's current URL's - scheme is "https"; otherwise false. - -

    4. -

      Let |httpOnlyAllowed| be true. - -

      True follows from this being invoked from fetch, as opposed to the - document.cookie getter steps for instance. - -

    5. Let |sameSiteStrictOrLaxAllowed| be true if the result of [=determine the same-site mode=] - for |request| is "strict-or-less"; otherwise false. - -

    6. -

      For each header of response's - header list: - -

        -
      1. If header's name is not a byte-case-insensitive match - for `Set-Cookie`, then continue. - -

      2. Parse and store a cookie given header's value, - |isSecure|, request's current URL's host, - request's current URL's path, |httpOnlyAllowed|, - |allowNonHostOnlyCookieForPublicSuffix|, and |sameSiteStrictOrLaxAllowed|. - -

      3. Garbage collect cookies given request's current URL's - host. -

      - -

      As noted elsewhere the `Set-Cookie` header cannot be combined and - therefore each occurrence is processed independently. This is not allowed for any other header. -

    -
    - - - - -
    -

    To determine the same-site mode for a given request request: - -

      -
    1. Assert: request's method is "GET" - or "POST". - -

    2. If request's top-level navigation initiator origin is not - null and is not same site with request's URL's - origin, then return "unset-or-less". - -

    3. If request's method is "GET" and - request's destination is "document", then return - "lax-or-less". - -

    4. If request's client's - has cross-site ancestor is true, then return "unset-or-less". - -

    5. If request's redirect-taint is "cross-site", then - return "unset-or-less". - -

    6. Return "strict-or-less". -

    -
    - - -

    Fetching

    The algorithm below defines fetching. In broad strokes, it takes From ca688d99131cb43837c218933dc9b875a7f98c34 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Fri, 25 Jul 2025 11:36:40 +0200 Subject: [PATCH 6/7] nits --- fetch.bs | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/fetch.bs b/fetch.bs index cbf7a0b2a..53d1e39f5 100755 --- a/fetch.bs +++ b/fetch.bs @@ -63,17 +63,13 @@ urlPrefix:https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-layered-cooki url:name-retrieve-cookies;text:retrieve cookies url:name-serialize-cookies;text:serialize cookies url:name-garbage-collect-cookies;text:garbage collect cookies - - -urlPrefix:https://html.spec.whatwg.org#;type:dfn;spec:html - url:TODO;text:has cross-site ancestor;for:environment

  •  {
         "COOKIES": {
             "authors": ["Johann Hofmann", "Anne van Kesteren"],
    -        "href": "https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-layered-cookies",
    +        "href": "https://httpwg.org/http-extensions/draft-ietf-httpbis-layered-cookies.html",
             "title": "Cookies: HTTP State Management Mechanism"
         },
         "HTTP": {
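Review bot: this hunk deletes the `urlPrefix:https://html.spec.whatwg.org#` block that provided the `has cross-site ancestor` anchor, but step 4 of "determine the same-site mode" still links to that term (the -3452 hunk in the next patch shows it). Unless HTML now exports `has cross-site ancestor` for environment, Bikeshed will report an unresolved reference; please confirm the HTML side landed before merging. Switching the href to the httpwg.org editor's copy is fine.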
    @@ -3465,6 +3461,7 @@ them conveniently here. [[COOKIES]].
     
     
     
    +
     

    `Origin` header

    The `Origin` @@ -4401,6 +4398,7 @@ indicates the request’s purpose is to fetch a resource that is anticipated to prefetch, or to treat it differently when counting page visits. +

    Fetching

    The algorithm below defines fetching. In broad strokes, it takes From b86975bc7c431808e2ed560d7688b65789b32d67 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Fri, 25 Jul 2025 11:38:37 +0200 Subject: [PATCH 7/7] Update fetch.bs --- fetch.bs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index 53d1e39f5..f1ed1e46f 100755 --- a/fetch.bs +++ b/fetch.bs @@ -3452,7 +3452,8 @@ them conveniently here. [[COOKIES]]. "lax-or-less".

  • If request's client's - has cross-site ancestor is true, then return "unset-or-less". + has cross-site ancestor is true, then return + "unset-or-less".

  • If request's redirect-taint is "cross-site", then return "unset-or-less".