- Deal with authentication (URLs containing username/password, servers responding with 401)
- Deal with URL processing
- Define HTTP context for data: URLs, about:blank, and file: URLs.
- Progress Events
The basic model is Request -> Fetch -> Response.
- Parsed URL (object)
- method (probably with restrictions as seen in XHR)
- UA headers
- author headers (maybe rename because people get upset with "author", with implicit restrictions as seen in XHR / CORS)
- entity body
- origin (object)
- referrer source (Document / URL)
- manual redirect flag
- omit credentials flag (will replace HTML fetch block cookies flag but also has other features)
- force preflight flag (set for upload progress notifications (to not reveal existence of server in case of POST I suppose; I should know...))
- synchronous flag
- force same-origin flag
For http/https we need to allow these kind of CORS requests:
- No CORS, taint (<link>, <script>, ...); still need to allow the server to opt in to CORS anyway to effectively make the resource CORS same-origin even if not requested as such (HTML does not have this feature currently)
- No CORS, fail (<track>)
Have a case-switch on URL scheme. See also URL. Fetch results in a network error response unless the scheme is one of
CORS stuff is only relevant for http/https. Can be relevant even for same-origin requests in case of cross-origin redirect without the manual redirect flag set.
Both intermediate updates (progress, headers received, ...) and final. Also indicates network error / CORS error (exposed as network error), ...