From aef5c9d279154401c22bc71105542b9b2c3c37c0 Mon Sep 17 00:00:00 2001 From: Benjamin VanderSloot Date: Mon, 3 Mar 2025 14:44:40 -0500 Subject: [PATCH 1/5] Cookie layering, part 1: only the same-site stuff --- fetch.bs | 146 +++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 114 insertions(+), 32 deletions(-) diff --git a/fetch.bs b/fetch.bs index 4b1f0c2ca..321f58bd8 100644 --- a/fetch.bs +++ b/fetch.bs @@ -54,10 +54,28 @@ urlPrefix:https://tc39.es/ecma262/#;type:dfn;spec:ecma-262 url:realm;text:realm url:sec-list-and-record-specification-type;text:Record url:current-realm;text:current realm + +urlPrefix:https://www.ietf.org/archive/id/draft-annevk-johannhof-httpbis-cookies-00.html#;type:dfn;spec:cookies + url:name-cookie-store-and-limits;text:cookie store + url:name-parse-and-store-a-cookie;text:parse and store a cookie + url:name-parse-a-cookie;text:parse a cookie + url:name-store-a-cookie;text:store a cookie + url:name-retrieve-cookies;text:retrieve cookies + url:name-serialize-cookies;text:serialize cookies + + +urlPrefix:https://html.spec.whatwg.org#;type:dfn;spec:html + url:TODO;text:ancestry;for:environment + url:TODO;text:has storage access;for:environment
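Review bot: the two `url:TODO` entries in the new `urlPrefix:https://html.spec.whatwg.org#` block leave `ancestry` and `has storage access` unresolvable and need real fragment identifiers before this lands. `ancestry` is consumed by "determine the same-site mode" later in this patch, but `has storage access` is imported and never referenced anywhere in the series, so either drop that line or add the use it was meant for.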
 {
+    "COOKIES": {
+      "authors": ["Johann Hofmann", "Anne Van Kesteren"],
+      "href": "https://www.ietf.org/archive/id/draft-annevk-johannhof-httpbis-cookies-00.html",
+      "title": "Cookies: HTTP State Management Mechanism"
+    },
     "HTTP": {
         "aliasOf": "RFC9110"
     },
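Review bot: adding a local `COOKIES` biblio entry overrides whatever `[[COOKIES]]` and the existing `[[!COOKIES]]` references resolved to before; the text this series removes cited "section 7" and "section 5.4" of [[!COOKIES]], so check that no remaining citation in fetch.bs still relies on that section numbering. Also "Anne Van Kesteren" should be "Anne van Kesteren".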
@@ -1938,6 +1956,10 @@ not always relevant and might require different behavior.
 "client" or an origin. Unless stated otherwise it is
 "client".
 
+

A request has an associated +top-level navigation initiator origin, which is +an origin or null. Unless stated otherwise it is null. +
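Review bot: nothing in this series sets top-level navigation initiator origin; it is only read, by step 2 of "determine the same-site mode". Either land the HTML-side integration (the navigation algorithm that builds the request) with this change, or add a note beside the definition saying which specification is expected to set it, otherwise that step is dead and cross-site navigations will not be recognised.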

"client" is changed to an origin during fetching. It provides a convenient way for standards to not have to set request's origin. @@ -2226,9 +2248,9 @@ or "object".


-

A request request has a -redirect-tainted origin if these steps -return true: +

A request has a redirect-taint, +which is "None", "Cross-Origin", or "Cross-Site". +

To get request request's redirect-taint:

  1. Assert: request's origin is not @@ -2236,6 +2258,8 @@ return true:

  2. Let lastURL be null. +

  3. Let crossOriginTaint be "None". +

  4. For each url of request's URL list: @@ -2243,14 +2267,19 @@ return true:

  5. If lastURL is null, then set lastURL to url and continue. +

  6. If url's origin is not same site with + lastURL's origin and request's origin is + not same site with lastURL's origin, then return "Cross-Site". +

  7. If url's origin is not same origin with lastURL's origin and request's origin is - not same origin with lastURL's origin, then return true. + not same origin with lastURL's origin, + then let crossOriginTaint be "Cross-Origin"..

  8. Set lastURL to url.
-
  • Return false. +
  • Return crossOriginTaint.
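Review bot: step 7 ends with a doubled period (`"Cross-Origin"..`), and it says "let crossOriginTaint be" for a variable already declared in step 3; that should read "set crossOriginTaint to". The early return in step 6 versus the variable assignment in step 7 is fine, but a one-line note that "Cross-Site" dominates "Cross-Origin" would make the asymmetry intentional rather than look like an oversight.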
  • @@ -2262,8 +2291,8 @@ run these steps:
  • Assert: request's origin is not "client". -

  • If request has a redirect-tainted origin, then return - "null". +

  • If request's redirect-taint is not "None", + then return "null".

  • Return request's origin, serialized. @@ -2372,8 +2401,8 @@ source of security bugs. Please seek security review for features that deal with "credentialless", then return true.

  • If request's origin is same origin with - request's current URL's origin and request - does not have a redirect-tainted origin, then return true.

    + request's current URL's origin and request's + redirect-taint is not "None", then return true.

  • Return false.

    @@ -2489,6 +2518,9 @@ this is also tracked internally using the request's timing allow

    A response has an associated has-cross-origin-redirects (a boolean), which is initially false. +

    A response has an associated has-cross-site-redirects +(a boolean), which is initially false. +


    A network error is a response whose @@ -3292,6 +3324,72 @@ through TLS using ALPN. The protocol cannot be spoofed through HTTP requests in

    HTTP extensions

    + + +

    The `Cookie` +request header allows the request to carry locally stored state, such as user credentials. + +

    +

    To append a request `Cookie` header, +given a request request, run these steps: +

      +
    1. Let |sameSite| be the result of [=determining the same-site mode=] for request. +

    2. Let |isSecure| be false. +

    3. If request's client is a secure context, then set |isSecure| to true. +

    4. Let |httpOnlyAllowed| be true. +

      Fetch implies that the request is http-only, as opposed to document.cookie +

    5. Let |cookies| be the result of running retrieve cookies given + |isSecure|, + request's current URL's host, + request's current URL's path, + |httpOnlyAllowed|, and + |sameSite| + +

      It is expected that the cookie store returns an ordered list of cookies +

    6. If |cookies| is empty, then return. +
    7. Let |value| be the result of running serialize cookies given |cookies|. +
    8. Append (`Cookie`, value) to request's header list. +
    +
    + +
    +

    To parse and store response `Set-Cookie` headers, +given a request request and a response response, run these steps: +

      +
    1. Let |allowNonHostOnlyCookieForPublicSuffix| be false. +

    2. Let |isSecure| be false. +

    3. If request's client is a secure context, then set |isSecure| to true. +

    4. Let |httpOnlyAllowed| be true. +

      Fetch implies that the request is http-only, as opposed to document.cookie +

    5. Let |sameSiteStrictOrLaxAllowed| be true if the result of [=determine the same-site mode=] for |request| is "StrictOrLess", and false otherwise. +

    6. For each header of response's header list: +

        +
      1. If header's name is not a byte-case-insensitive match for `Set-Cookie`, then continue. +

      2. Parse and store a cookie given + header's value, + |isSecure|, + request's current URL's host, + request's current URL's path, + |httpOnlyAllowed|, + |allowNonHostOnlyCookieForPublicSuffix|, and + |sameSiteStrictOrLaxAllowed| +

      +
    +
    + +
    +

    To determine the same-site mode for a given request request, run these steps: +

      +
    1. Assert: request's method is "GET" or "POST". +

    2. If request's top-level navigation initiator origin is not null and is not same site to request's URL's origin, return "UnsetOrLess". +

    3. If request's method is "GET" and + request's destination is "document", return "LaxOrLess". +

    4. If request's client's ancestry is "cross-site", return "UnsetOrLess". +

    5. If request's redirect-taint is "Cross-Site", return "UnsetOrLess". +

    6. Return "StrictOrLess". +

    +
    +

    `Origin` header
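Review bot: the assert in step 1 of "determine the same-site mode" ("request's method is GET or POST") will fail for other methods: "append a request `Cookie` header" and "parse and store response `Set-Cookie` headers" are invoked from HTTP-network-or-cache fetch for every request with includeCredentials true, including PUT, DELETE and HEAD, so drop the assert or make step 3 test for safe methods instead. Also, none of steps 2 to 5 compare request's current URL's site with request's origin or request's client's origin, so a fetch from a top-level document to a cross-site URL with a non-"document" destination, a non-cross-site ancestry and no redirects falls through to "StrictOrLess"; if that comparison is meant to happen inside retrieve cookies, say so in a note, otherwise it belongs here. Minor: `[=determining the same-site mode=]` will not autolink to a dfn whose text is "determine the same-site mode" unless that dfn declares the alternate linking text.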

    The `Origin` @@ -4680,9 +4778,12 @@ steps: -

  • If request has a redirect-tainted origin, then set +

  • If request's redirect-taint is not "None", then set internalResponse's has-cross-origin-redirects to true. +

  • If request's redirect-taint is "Cross-Site", then set + internalResponse's has-cross-site-redirects to true. +

  • If request's timing allow failed flag is unset, then set internalResponse's timing allow passed flag. @@ -5710,21 +5811,9 @@ run these steps:

    If includeCredentials is true, then:

      -
    1. -

      If the user agent is not configured to block cookies for httpRequest (see - section 7 of - [[!COOKIES]]), then: +

      This permits some implementations to choose to not support cookies for some or all httpRequests. -

        -
      1. Let cookies be the result of running the "cookie-string" algorithm (see - section 5.4 of - [[!COOKIES]]) with the user agent's cookie store and httpRequest's - current URL. - -

      2. If cookies is not the empty string, then append - (`Cookie`, cookies) to httpRequest's - header list. -
      +
    2. The user agent should append a request `Cookie` header for httpRequest.
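Review bot: the replacement drops the "not configured to block cookies for httpRequest" condition from the removed text without moving it anywhere, and leaves the note "This permits some implementations to choose to not support cookies..." in place with nothing left for it to explain. Either make that condition the first step of "append a request `Cookie` header" or keep it here, and move or delete the note to match. "The user agent should append" also turns an algorithm invocation into an optional step; if the intent is only to allow disabling cookies, the step can be plainly "Append a request `Cookie` header for httpRequest."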

    3. If httpRequest's header list @@ -6288,14 +6377,7 @@ optional boolean forceNewConnection (default false), run these steps:

    4. Set response's body to a new body whose stream is stream. -

    5. If includeCredentials is true and the user agent is not - configured to block cookies for request (see - section 7 of - [[!COOKIES]]), then run the "set-cookie-string" parsing algorithm (see - section 5.2 of [[!COOKIES]]) on the - value of each header whose name is a - byte-case-insensitive match for `Set-Cookie` in response's - header list, if any, and request's current URL. +

    6. If includeCredentials is true, the user agent should parse and store response `Set-Cookie` headers given request and response.

    7. Run these steps in parallel: From 7a6a1feb818e121da5e6ad1c3f6d6baafa1415e3 Mon Sep 17 00:00:00 2001 From: bvandersloot-mozilla <90582190+bvandersloot-mozilla@users.noreply.github.com> Date: Mon, 10 Mar 2025 12:03:10 -0400 Subject: [PATCH 2/5] apologies for American Co-authored-by: Anne van Kesteren --- fetch.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fetch.bs b/fetch.bs index 321f58bd8..21228f949 100644 --- a/fetch.bs +++ b/fetch.bs @@ -72,7 +72,7 @@ urlPrefix:https://html.spec.whatwg.org#;type:dfn;spec:html

       {
           "COOKIES": {
      -      "authors": ["Johann Hofmann", "Anne Van Kesteren"],
      +      "authors": ["Johann Hofmann", "Anne van Kesteren"],
             "href": "https://www.ietf.org/archive/id/draft-annevk-johannhof-httpbis-cookies-00.html",
             "title": "Cookies: HTTP State Management Mechanism"
           },
      
      From c79ead3ffd0be87be7e521a1d731c8378799d2c3 Mon Sep 17 00:00:00 2001
      From: bvandersloot-mozilla
       <90582190+bvandersloot-mozilla@users.noreply.github.com>
      Date: Mon, 10 Mar 2025 14:48:30 -0400
      Subject: [PATCH 3/5] Apply suggestions from code review
      
      Co-authored-by: Anne van Kesteren 
      ---
       fetch.bs | 4 ++--
       1 file changed, 2 insertions(+), 2 deletions(-)
      
      diff --git a/fetch.bs b/fetch.bs
      index 21228f949..12b4930f2 100644
      --- a/fetch.bs
      +++ b/fetch.bs
      @@ -3331,7 +3331,7 @@ request header allows the request to carry locally stored state, su
       
       

      To append a request `Cookie` header, -given a request request, run these steps: +given a request request:

      1. Let |sameSite| be the result of [=determining the same-site mode=] for request.

      2. Let |isSecure| be false. @@ -3347,7 +3347,7 @@ given a request request, run these steps:

        It is expected that the cookie store returns an ordered list of cookies

      3. If |cookies| is empty, then return. -
      4. Let |value| be the result of running serialize cookies given |cookies|. +
      5. Let |value| be the result of serializing cookies given |cookies|.
      6. Append (`Cookie`, value) to request's header list.
      From 853595b5ffa749e11b32cb7d4dd69e91e65799d1 Mon Sep 17 00:00:00 2001 From: Benjamin VanderSloot Date: Mon, 10 Mar 2025 15:46:27 -0400 Subject: [PATCH 4/5] Enum rollup, fix capitalization, and add a cookie section --- fetch.bs | 168 +++++++++++++++++++++++++++---------------------------- 1 file changed, 81 insertions(+), 87 deletions(-) diff --git a/fetch.bs b/fetch.bs index 12b4930f2..91730645f 100644 --- a/fetch.bs +++ b/fetch.bs @@ -2249,7 +2249,7 @@ or "object".

      A request has a redirect-taint, -which is "None", "Cross-Origin", or "Cross-Site". +which is "same-origin", "same-site", or "cross-site".

      To get request request's redirect-taint:

        @@ -2258,7 +2258,7 @@ which is "None", "Cross-Origin", or "Cross-Site<
      1. Let lastURL be null. -

      2. Let crossOriginTaint be "None". +

      3. Let computedTaint be "same-origin".

      4. For each url of request's URL list: @@ -2269,17 +2269,17 @@ which is "None", "Cross-Origin", or "Cross-Site<

      5. If url's origin is not same site with lastURL's origin and request's origin is - not same site with lastURL's origin, then return "Cross-Site". + not same site with lastURL's origin, then return "cross-site".

      6. If url's origin is not same origin with lastURL's origin and request's origin is not same origin with lastURL's origin, - then let crossOriginTaint be "Cross-Origin".. + then set computedTaint to "same-site".

      7. Set lastURL to url.
      -
    8. Return crossOriginTaint. +
    9. Return computedTaint.
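Review bot: renaming the values to "same-origin", "same-site" and "cross-site" invites reading the taint as the relationship between request's origin and its final URL, which is not what the steps compute: the checks only fire when lastURL's origin differs from both the next URL's origin and request's origin, so a request from origin A redirected once to a cross-site B ends up "same-origin", while A to B to A ends up "cross-site". A note under the definition stating that the taint records origins other than request's own that the chain passed through would prevent that misreading, and "determine the same-site mode" depends on exactly this distinction.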
    @@ -2291,7 +2291,7 @@ run these steps:
  • Assert: request's origin is not "client". -

  • If request's redirect-taint is not "None", +

  • If request's redirect-taint is not "same-origin", then return "null".

  • Return request's origin, @@ -2402,7 +2402,7 @@ source of security bugs. Please seek security review for features that deal with

  • If request's origin is same origin with request's current URL's origin and request's - redirect-taint is not "None", then return true.

    + redirect-taint is not "same-origin", then return true.

  • Return false.

    @@ -2515,11 +2515,8 @@ this is also tracked internally using the request's timing allow service worker timing info (null or a service worker timing info), which is initially null. -

    A response has an associated has-cross-origin-redirects -(a boolean), which is initially false. - -

    A response has an associated has-cross-site-redirects -(a boolean), which is initially false. +

    A response has an associated redirect taint ("same-origin", +"same-site", or "cross-site", which is initially "same-origin".
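Review bot: the parenthetical in the new definition is never closed: `("same-origin", "same-site", or "cross-site", which is initially "same-origin".` needs `)` after `"cross-site"`. The response field is spelled "redirect taint" while the request field is "redirect-taint"; pick one form for both, since the Fetching hunk below copies one into the other.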


    @@ -3324,72 +3321,6 @@ through TLS using ALPN. The protocol cannot be spoofed through HTTP requests in

    HTTP extensions

    - - -

    The `Cookie` -request header allows the request to carry locally stored state, such as user credentials. - -

    -

    To append a request `Cookie` header, -given a request request: -

      -
    1. Let |sameSite| be the result of [=determining the same-site mode=] for request. -

    2. Let |isSecure| be false. -

    3. If request's client is a secure context, then set |isSecure| to true. -

    4. Let |httpOnlyAllowed| be true. -

      Fetch implies that the request is http-only, as opposed to document.cookie -

    5. Let |cookies| be the result of running retrieve cookies given - |isSecure|, - request's current URL's host, - request's current URL's path, - |httpOnlyAllowed|, and - |sameSite| - -

      It is expected that the cookie store returns an ordered list of cookies -

    6. If |cookies| is empty, then return. -
    7. Let |value| be the result of serializing cookies given |cookies|. -
    8. Append (`Cookie`, value) to request's header list. -
    -
    - -
    -

    To parse and store response `Set-Cookie` headers, -given a request request and a response response, run these steps: -

      -
    1. Let |allowNonHostOnlyCookieForPublicSuffix| be false. -

    2. Let |isSecure| be false. -

    3. If request's client is a secure context, then set |isSecure| to true. -

    4. Let |httpOnlyAllowed| be true. -

      Fetch implies that the request is http-only, as opposed to document.cookie -

    5. Let |sameSiteStrictOrLaxAllowed| be true if the result of [=determine the same-site mode=] for |request| is "StrictOrLess", and false otherwise. -

    6. For each header of response's header list: -

        -
      1. If header's name is not a byte-case-insensitive match for `Set-Cookie`, then continue. -

      2. Parse and store a cookie given - header's value, - |isSecure|, - request's current URL's host, - request's current URL's path, - |httpOnlyAllowed|, - |allowNonHostOnlyCookieForPublicSuffix|, and - |sameSiteStrictOrLaxAllowed| -

      -
    -
    - -
    -

    To determine the same-site mode for a given request request, run these steps: -

      -
    1. Assert: request's method is "GET" or "POST". -

    2. If request's top-level navigation initiator origin is not null and is not same site to request's URL's origin, return "UnsetOrLess". -

    3. If request's method is "GET" and - request's destination is "document", return "LaxOrLess". -

    4. If request's client's ancestry is "cross-site", return "UnsetOrLess". -

    5. If request's redirect-taint is "Cross-Site", return "UnsetOrLess". -

    6. Return "StrictOrLess". -

    -
    -

    `Origin` header

    The `Origin` @@ -4323,7 +4254,75 @@ indicates the request’s purpose is to fetch a resource that is anticipated to

    The server can use this to adjust the caching expiry for prefetches, to disallow the prefetch, or to treat it differently when counting page visits. +

    Cookies

    + + +

    The `Cookie` header is largely defined in its own specification. [[COOKIES]]. +We define infrastructure to be able to use conveniently here. + +

    +

    To append a request `Cookie` header, +given a request request, run these steps: +

      +
    1. If the user-agent is configured to disable cookies for request, it should return. +

    2. Let |sameSite| be the result of [=determining the same-site mode=] for request. +

    3. Let |isSecure| be false. +

    4. If request's client is a secure context, then set |isSecure| to true. +

    5. Let |httpOnlyAllowed| be true. +

      Fetch implies that the request is http-only, as opposed to document.cookie +

    6. Let |cookies| be the result of running retrieve cookies given + |isSecure|, + request's current URL's host, + request's current URL's path, + |httpOnlyAllowed|, and + |sameSite| + +

      It is expected that the cookie store returns an ordered list of cookies +

    7. If |cookies| is empty, then return. +
    8. Let |value| be the result of running serialize cookies given |cookies|. +
    9. Append (`Cookie`, value) to request's header list. +
    +
    + +
    +

    To parse and store response `Set-Cookie` headers, +given a request request and a response response, run these steps: +

      +
    1. If the user-agent is configured to disable cookies for request, it should return. +

    2. Let |allowNonHostOnlyCookieForPublicSuffix| be false. +

    3. Let |isSecure| be false. +

    4. If request's client is a secure context, then set |isSecure| to true. +

    5. Let |httpOnlyAllowed| be true. +

      Fetch implies that the request is http-only, as opposed to document.cookie +

    6. Let |sameSiteStrictOrLaxAllowed| be true if the result of [=determine the same-site mode=] for |request| is "StrictOrLess", and false otherwise. +

    7. For each header of response's header list: +

        +
      1. If header's name is not a byte-case-insensitive match for `Set-Cookie`, then continue. +

      2. Parse and store a cookie given + header's value, + |isSecure|, + request's current URL's host, + request's current URL's path, + |httpOnlyAllowed|, + |allowNonHostOnlyCookieForPublicSuffix|, and + |sameSiteStrictOrLaxAllowed| +

      +
    +
    + +
    +

    To determine the same-site mode for a given request request, run these steps: +

      +
    1. Assert: request's method is "GET" or "POST". +

    2. If request's top-level navigation initiator origin is not null and is not same site to request's URL's origin, return "UnsetOrLess". +

    3. If request's method is "GET" and + request's destination is "document", return "LaxOrLess". +

    4. If request's client's ancestry is "cross-site", return "UnsetOrLess". +

    5. If request's redirect-taint is "cross-site", return "UnsetOrLess". +

    6. Return "StrictOrLess". +

    +

    Fetching
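Review bot: isSecure in step 4 of "append a request `Cookie` header" (and step 4 of "parse and store response `Set-Cookie` headers") is derived from request's client being a secure context, but the Secure attribute is about the channel the cookie travels over, so the input should be whether request's current URL's scheme is secure, which is what the removed "cookie-string" text obtained by passing httpRequest's current URL. As written, an https: document fetching an http: URL would send and accept Secure cookies over plaintext. request's client can also be null, which this step does not handle. Minor: `[[COOKIES]]` should be normative (`[[!COOKIES]]`) since these algorithms invoke its steps, and the stray period before the citation ("...its own specification. [[COOKIES]].") should go.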

    @@ -4778,11 +4777,8 @@ steps: -
  • If request's redirect-taint is not "None", then set - internalResponse's has-cross-origin-redirects to true. - -

  • If request's redirect-taint is "Cross-Site", then set - internalResponse's has-cross-site-redirects to true. +

  • Set internalResponse's redirect taint to request's + redirect-taint.

  • If request's timing allow failed flag is unset, then set internalResponse's timing allow passed flag. @@ -4935,7 +4931,7 @@ steps:

  • If fetchParams's request's mode is not "navigate" or response's - has-cross-origin-redirects is false: + redirect taint is "same-origin":

    1. Set responseStatus to response's status. @@ -5811,9 +5807,7 @@ run these steps:

      If includeCredentials is true, then:

        -

        This permits some implementations to choose to not support cookies for some or all httpRequests. - -

      1. The user agent should append a request `Cookie` header for httpRequest. +

      2. Append a request `Cookie` header for httpRequest.

      3. If httpRequest's header list From fb5a26a3046da1d81a9e293dacc4d4fc432bc3d1 Mon Sep 17 00:00:00 2001 From: Benjamin VanderSloot Date: Tue, 11 Mar 2025 08:36:40 -0400 Subject: [PATCH 5/5] Fix spacing --- fetch.bs | 155 ++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 96 insertions(+), 59 deletions(-) diff --git a/fetch.bs b/fetch.bs index 91730645f..fb383dc84 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1957,8 +1957,8 @@ not always relevant and might require different behavior. "client".

        A request has an associated -top-level navigation initiator origin, which is -an origin or null. Unless stated otherwise it is null. +top-level navigation +initiator origin, which is an origin or null. Unless stated otherwise it is null.

        "client" is changed to an origin during fetching. It provides a convenient way for standards to not have to set @@ -2269,12 +2269,13 @@ which is "same-origin", "same-site", or "cross-s

      4. If url's origin is not same site with lastURL's origin and request's origin is - not same site with lastURL's origin, then return "cross-site". + not same site with lastURL's origin, then return + "cross-site".

      5. If url's origin is not same origin with lastURL's origin and request's origin is - not same origin with lastURL's origin, - then set computedTaint to "same-site". + not same origin with lastURL's origin, then set + computedTaint to "same-site".

      6. Set lastURL to url.
      @@ -2515,8 +2516,9 @@ this is also tracked internally using the request's timing allow service worker timing info (null or a service worker timing info), which is initially null. -

      A response has an associated redirect taint ("same-origin", -"same-site", or "cross-site", which is initially "same-origin". +

      A response has an associated redirect taint +("same-origin", "same-site", or "cross-site", which is +initially "same-origin".
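Review bot: the unclosed parenthesis survives the reflow: `("same-origin", "same-site", or "cross-site", which is initially "same-origin".` still lacks `)` after `"cross-site"`.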


      @@ -4259,69 +4261,102 @@ prefetch, or to treat it differently when counting page visits.

      The `Cookie` header is largely defined in its own specification. [[COOKIES]]. -We define infrastructure to be able to use conveniently here. +We define infrastructure to be able to use them conveniently here.

      To append a request `Cookie` header, given a request request, run these steps: -

        -
      1. If the user-agent is configured to disable cookies for request, it should return. -

      2. Let |sameSite| be the result of [=determining the same-site mode=] for request. -

      3. Let |isSecure| be false. -

      4. If request's client is a secure context, then set |isSecure| to true. -

      5. Let |httpOnlyAllowed| be true. -

        Fetch implies that the request is http-only, as opposed to document.cookie -

      6. Let |cookies| be the result of running retrieve cookies given - |isSecure|, - request's current URL's host, - request's current URL's path, - |httpOnlyAllowed|, and - |sameSite| - -

        It is expected that the cookie store returns an ordered list of cookies -

      7. If |cookies| is empty, then return. -
      8. Let |value| be the result of running serialize cookies given |cookies|. -
      9. Append (`Cookie`, value) to request's header list. -
      + +
        +
      1. If the user-agent is configured to disable cookies for request, it should + return. + +

      2. Let |sameSite| be the result of [=determining the same-site mode=] for request. + +

      3. Let |isSecure| be false. + +

      4. If request's client is a secure context, then set + |isSecure| to true. + +

      5. Let |httpOnlyAllowed| be true. + +

        Fetch implies that the request is http-only, as opposed to document.cookie + +

      6. Let |cookies| be the result of running retrieve cookies given |isSecure|, + request's current URL's host, request's + current URL's path, |httpOnlyAllowed|, and |sameSite| + +

        It is expected that the cookie store returns an ordered list of cookies + +

      7. If |cookies| is empty, then return. + +
      8. Let |value| be the result of running serialize cookies given |cookies|. + +
      9. Append (`Cookie`, value) to + request's header list. +
      -

      To parse and store response `Set-Cookie` headers, -given a request request and a response response, run these steps: +

      To parse and store response +`Set-Cookie` headers, given a request request and a response response, run these steps: + +

        +
      1. If the user-agent is configured to disable cookies for request, it should + return. + +

      2. Let |allowNonHostOnlyCookieForPublicSuffix| be false. + +

      3. Let |isSecure| be false. + +

      4. If request's client is a secure context, set + |isSecure| to true. + +

      5. Let |httpOnlyAllowed| be true. + +

        Fetch implies that the request is http-only, as opposed to document.cookie + +

      6. Let |sameSiteStrictOrLaxAllowed| be true if the result of [=determine the same-site mode=] + for |request| is "StrictOrLess", and false otherwise. + +

      7. For each header of response's header + list: +

          -
        1. If the user-agent is configured to disable cookies for request, it should return. -

        2. Let |allowNonHostOnlyCookieForPublicSuffix| be false. -

        3. Let |isSecure| be false. -

        4. If request's client is a secure context, then set |isSecure| to true. -

        5. Let |httpOnlyAllowed| be true. -

          Fetch implies that the request is http-only, as opposed to document.cookie -

        6. Let |sameSiteStrictOrLaxAllowed| be true if the result of [=determine the same-site mode=] for |request| is "StrictOrLess", and false otherwise. -

        7. For each header of response's header list: -

            -
          1. If header's name is not a byte-case-insensitive match for `Set-Cookie`, then continue. -

          2. Parse and store a cookie given - header's value, - |isSecure|, - request's current URL's host, - request's current URL's path, - |httpOnlyAllowed|, - |allowNonHostOnlyCookieForPublicSuffix|, and - |sameSiteStrictOrLaxAllowed| -

          +
        8. If header's name is not a byte-case-insensitive match + for `Set-Cookie`, continue. + +

        9. Parse and store a cookie given header's value, + |isSecure|, request's current URL's host, + request's current URL's path, |httpOnlyAllowed|, + |allowNonHostOnlyCookieForPublicSuffix|, and |sameSiteStrictOrLaxAllowed|

        +
      -

      To determine the same-site mode for a given request request, run these steps: -

        -
      1. Assert: request's method is "GET" or "POST". -

      2. If request's top-level navigation initiator origin is not null and is not same site to request's URL's origin, return "UnsetOrLess". -

      3. If request's method is "GET" and - request's destination is "document", return "LaxOrLess". -

      4. If request's client's ancestry is "cross-site", return "UnsetOrLess". -

      5. If request's redirect-taint is "cross-site", return "UnsetOrLess". -

      6. Return "StrictOrLess". -

      +

      To determine the same-site mode for a given request request, +run these steps: + +

        +
      1. Assert: request's method is "GET" or "POST". + +

      2. If request's top-level navigation initiator origin is not + null and is not same site to request's URL's + origin, return "UnsetOrLess". + +

      3. If request's method is "GET" and request's destination is "document", return "LaxOrLess". + +

      4. If request's client's ancestry is + "cross-site", return "UnsetOrLess". + +

      5. If request's redirect-taint is "cross-site", + return "UnsetOrLess". + +

      6. Return "StrictOrLess". +

      Fetching
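Review bot: step 2 of "determine the same-site mode" compares the initiator origin with request's URL's origin, the original URL, while every other step in these algorithms uses request's current URL. For a POST navigation initiated from site A to an A URL that redirects once to a cross-site B, step 2 passes because request's URL is still A, step 3 is skipped because the method is not GET, and step 5 is skipped because a single hop leaves redirect-taint "same-origin"; unless step 4 happens to trigger, the request to B returns "StrictOrLess" and Strict cookies for B are attached to a cross-site POST. Comparing against request's current URL's origin in step 2 closes this. Style: "user-agent" in step 1 of both cookie algorithms should be "user agent" as elsewhere in the spec.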

      @@ -6371,7 +6406,9 @@ optional boolean forceNewConnection (default false), run these steps:
    2. Set response's body to a new body whose stream is stream. -

    3. If includeCredentials is true, the user agent should parse and store response `Set-Cookie` headers given request and response. +

    4. If includeCredentials is true, the user agent should parse and + store response `Set-Cookie` headers given request and + response.

    5. Run these steps in parallel:
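Review bot: this step still reads "the user agent should parse and store response `Set-Cookie` headers", while the matching `Cookie` step became the imperative "Append a request `Cookie` header" in the previous commit. Now that the "configured to disable cookies" check lives inside both algorithms, the step can be "If includeCredentials is true, then parse and store response `Set-Cookie` headers given request and response." so the two sides are consistent.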