Deal with SRI (SRI PR TBD)

whatwg · Feb 18, 2021 · c9fe740 · c9fe740
1 parent ac1e951
commit c9fe740
Showing 1 changed file with 37 additions and 13 deletions.
diff --git a/fetch.bs b/fetch.bs
@@ -3635,24 +3635,48 @@ steps:
   <p class=note>This standardizes the error handling for servers that violate HTTP.
 
  <li>
-  <p>If <var>response</var> is not a <a>network error</a> and <var>request</var>'s
-  <a for=request>integrity metadata</a> is not the empty string, then:
+  <p>If <var>request</var>'s <a for=request>integrity metadata</a> is not the empty string, then:
 
   <ol>
-   <li><p><a lt=wait for=body>Wait</a> for <var>response</var>'s
-   <a for=response>body</a>.
-
-   <li><p>If <var>response</var>'s <a for=response>body</a>'s <a for=body>stream</a> has not
-   <a for=ReadableStream>errored</a>, and <var>response</var> does not
-   <a href=https://w3c.github.io/webappsec-subresource-integrity/#does-response-match-metadatalist>match</a>
-   <var>request</var>'s <a for=request>integrity metadata</a>, set <var>response</var> and
-   <var>internalResponse</var> to a <a>network error</a>.
-   [[!SRI]]
+   <li><p>Let <var>processError</var> be this step: run <a>fetch finale</a> given
+   <var>fetchParams</var> and a <a>network error</a>.
+
+
+   <li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>opaque</code>" or
+   <var>response</var> is a <a>network error</a>, then run <var>processError</var> and abort these
+   steps.
+
+   <li>
+    <p>Let <var>processBody</var> given <var>bytes</var> be these steps:
+
+    <ol>
+     <li><p>If <var>bytes</var> do not
+     <a href=https://w3c.github.io/webappsec-subresource-integrity/#does-response-match-metadatalist>match</a>
+     <var>request</var>'s <a for=request>integrity metadata</a>, then run <var>processError</var>
+     and abort these steps. [[!SRI]]
+
+     <li><p>Let <var>body</var> and <var ignore>ignoreType</var> be the result of
+     <a for=BodyInit>safely extracting</a> <var>bytes</var>.
+
+     <li><p>Set <var>response</var>'s <a for=response>body</a> to <var>body</var>.
+
+     <li><p>Run <a>fetch finale</a> given <var>fetchParams</var> and <var>response</var>.
+    </ol>
+
+   <li><p><a for=body>Fully read</a> <var>response</var>'s <a for=response>body</a> given
+   <var>processBody</var> and with <a for="body/fully read"><i>processError</i></a> set to
+   <var>processError</var>.
   </ol>
 
-  <p class=note>This operates on <var>response</var> as this algorithm is not supposed to observe
-  <var>internalResponse</var>. That would allow an attacker to use hashes as an oracle.
+ <li><p>Otherwise, run <a>fetch finale</a> given <var>fetchParams</var> and <var>response</var>.
+</ol>
+
+<hr>
+
+<p>The <dfn>fetch finale</dfn>, given a <a for=/>fetch params</a> <var>fetchParams</var> and a
+<a for=/>response</a> <var>response</var>, run these steps:
 
+<ol>
  <li>
   <p>If <var>fetchParams</var>'s <a for="fetch params">process response</a> is non-null, then: