Fetch Standard

Fetch

Living Standard — Last Updated

Participate:
GitHub whatwg/fetch (new issue, open issues)
Chat on Matrix
Commits:
GitHub whatwg/fetch/commits
Snapshot as of this commit
@fetchstandard
Tests:
web-platform-tests fetch/ (ongoing work)
Translations (non-normative):
日本語

Abstract

The Fetch standard defines requests, responses, and the process that binds them: fetching.

Goals

The goal is to unify fetching across the web platform and provide consistent handling of everything that involves, including:

To do so it also supersedes the HTTP `Origin` header semantics originally defined in The Web Origin Concept. [ORIGIN]

1. Preface

At a high level, fetching a resource is a fairly simple operation. A request goes in, a response comes out. The details of that operation are however quite involved and used to not be written down carefully and differ from one API to the next.

Numerous APIs provide the ability to fetch a resource, e.g. HTML’s img and script element, CSS' cursor and list-style-image, the navigator.sendBeacon() and self.importScripts() JavaScript APIs. The Fetch Standard provides a unified architecture for these features so they are all consistent when it comes to various aspects of fetching, such as redirects and the CORS protocol.

The Fetch Standard also defines the fetch() JavaScript API, which exposes most of the networking functionality at a fairly low level of abstraction.

2. Infrastructure

This specification depends on the Infra Standard. [INFRA]

This specification uses terminology from ABNF, Encoding, HTML, HTTP, MIME Sniffing, Streams, URL, Web IDL, and WebSockets. [ABNF] [ENCODING] [HTML] [HTTP] [MIMESNIFF] [STREAMS] [URL] [WEBIDL] [WEBSOCKETS]

ABNF means ABNF as augmented by HTTP (in particular the addition of #) and RFC 7405. [RFC7405]

Credentials are HTTP cookies, TLS client certificates, and authentication entries (for HTTP authentication). [COOKIES] [TLS] [HTTP]

A fetch params is a struct used as a bookkeeping detail by the fetch algorithm. It has the following items:

request
A request.
process request body chunk length (default null)
process request end-of-body (default null)
process early hints response (default null)
process response (default null)
process response end-of-body (default null)
process response consume body (default null)
Null or an algorithm.
task destination (default null)
Null, a global object, or a parallel queue.
cross-origin isolated capability (default false)
A boolean.
controller (default a new fetch controller)
A fetch controller.
timing info
A fetch timing info.
preloaded response candidate (default null)
Null, "pending", or a response.

A fetch controller is a struct used to enable callers of fetch to perform certain operations on it after it has started. It has the following items:

state (default "ongoing")
"ongoing", "terminated", or "aborted"
full timing info (default null)
Null or a fetch timing info.
report timing steps (default null)
Null or an algorithm accepting a global object.
serialized abort reason (default null)
Null or a Record (result of StructuredSerialize).
next manual redirect steps (default null)
Null or an algorithm accepting nothing.

To report timing for a fetch controller controller given a global object global:

  1. Assert: controller’s report timing steps is non-null.

  2. Call controller’s report timing steps with global.

To process the next manual redirect for a fetch controller controller:

  1. Assert: controller’s next manual redirect steps is non-null.

  2. Call controller’s next manual redirect steps.

To extract full timing info given a fetch controller controller:

  1. Assert: controller’s full timing info is non-null.

  2. Return controller’s full timing info.

To abort a fetch controller controller with an optional error:

  1. Set controller’s state to "aborted".

  2. Let fallbackError be an "AbortError" DOMException.

  3. Set error to fallbackError if it is not given.

  4. Let serializedError be StructuredSerialize(error). If that threw an exception, catch it, and let serializedError be StructuredSerialize(fallbackError).

  5. Set controller’s serialized abort reason to serializedError.

To deserialize a serialized abort reason, given null or a Record abortReason and a realm realm:

  1. Let fallbackError be an "AbortError" DOMException.

  2. Let deserializedError be fallbackError.

  3. If abortReason is non-null, then set deserializedError to StructuredDeserialize(abortReason, realm). If that threw an exception or returned undefined, then set deserializedError to fallbackError.

  4. Return deserializedError.

To terminate a fetch controller controller, set controller’s state to "terminated".

A fetch params fetchParams is aborted if its controller’s state is "aborted".

A fetch params fetchParams is canceled if its controller’s state is "aborted" or "terminated".

A fetch timing info is a struct used to maintain timing information needed by Resource Timing and Navigation Timing. It has the following items: [RESOURCE-TIMING] [NAVIGATION-TIMING]

start time (default 0)
redirect start time (default 0)
redirect end time (default 0)
post-redirect start time (default 0)
final service worker start time (default 0)
final network-request start time (default 0)
first interim network-response start time (default 0)
final network-response start time (default 0)
end time (default 0)
A DOMHighResTimeStamp.
final connection timing info (default null)
Null or a connection timing info.
server-timing headers (default « »)
A list of strings.
render-blocking (default false)
A boolean.

A response body info is a struct used to maintain information needed by Resource Timing and Navigation Timing. It has the following items: [RESOURCE-TIMING] [NAVIGATION-TIMING]

encoded size (default 0)
decoded size (default 0)
A number.
content type (default the empty string)
An ASCII string.

To create an opaque timing info, given a fetch timing info timingInfo, return a new fetch timing info whose start time and post-redirect start time are timingInfo’s start time.

To queue a fetch task, given an algorithm algorithm, a global object or a parallel queue taskDestination, run these steps:

  1. If taskDestination is a parallel queue, then enqueue algorithm to taskDestination.

  2. Otherwise, queue a global task on the networking task source with taskDestination and algorithm.

To serialize an integer, represent it as a string of the shortest possible decimal number.

This will be replaced by a more descriptive algorithm in Infra. See infra/201.

2.1. URL

A local scheme is "about", "blob", or "data".

A URL is local if its scheme is a local scheme.

This definition is also used by Referrer Policy. [REFERRER]

An HTTP(S) scheme is "http" or "https".

A fetch scheme is "about", "blob", "data", "file", or an HTTP(S) scheme.

HTTP(S) scheme and fetch scheme are also used by HTML. [HTML]

2.2. HTTP

While fetching encompasses more than just HTTP, it borrows a number of concepts from HTTP and applies these to resources obtained via other means (e.g., data URLs).

An HTTP tab or space is U+0009 TAB or U+0020 SPACE.

HTTP whitespace is U+000A LF, U+000D CR, or an HTTP tab or space.

HTTP whitespace is only useful for specific constructs that are reused outside the context of HTTP headers (e.g., MIME types). For HTTP header values, using HTTP tab or space is preferred, and outside that context ASCII whitespace is preferred. Unlike ASCII whitespace this excludes U+000C FF.

An HTTP newline byte is 0x0A (LF) or 0x0D (CR).

An HTTP tab or space byte is 0x09 (HT) or 0x20 (SP).

An HTTP whitespace byte is an HTTP newline byte or HTTP tab or space byte.

To collect an HTTP quoted string from a string input, given a position variable position and an optional boolean extract-value (default false):

  1. Let positionStart be position.

  2. Let value be the empty string.

  3. Assert: the code point at position within input is U+0022 (").

  4. Advance position by 1.

  5. While true:

    1. Append the result of collecting a sequence of code points that are not U+0022 (") or U+005C (\) from input, given position, to value.

    2. If position is past the end of input, then break.

    3. Let quoteOrBackslash be the code point at position within input.

    4. Advance position by 1.

    5. If quoteOrBackslash is U+005C (\), then:

      1. If position is past the end of input, then append U+005C (\) to value and break.

      2. Append the code point at position within input to value.

      3. Advance position by 1.

    6. Otherwise:

      1. Assert: quoteOrBackslash is U+0022 (").

      2. Break.

  6. If extract-value is true, then return value.

  7. Return the code points from positionStart to position, inclusive, within input.

Input Output Output with extract-value set to true Final position variable value
""\" ""\" "\" 2
""Hello" World" ""Hello"" "Hello" 7
""Hello \\ World\""" ""Hello \\ World\""" "Hello \ World"" 18

The position variable always starts at 0 in these examples.

2.2.1. Methods

A method is a byte sequence that matches the method token production.

A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.

A forbidden method is a method that is a byte-case-insensitive match for `CONNECT`, `TRACE`, or `TRACK`. [HTTPVERBSEC1], [HTTPVERBSEC2], [HTTPVERBSEC3]

To normalize a method, if it is a byte-case-insensitive match for `DELETE`, `GET`, `HEAD`, `OPTIONS`, `POST`, or `PUT`, byte-uppercase it.

Normalization is done for backwards compatibility and consistency across APIs as methods are actually "case-sensitive".

Using `patch` is highly likely to result in a `405 Method Not Allowed`. `PATCH` is much more likely to succeed.

There are no restrictions on methods. `CHICKEN` is perfectly acceptable (and not a misspelling of `CHECKIN`). Other than those that are normalized there are no casing restrictions either. `Egg` or `eGg` would be fine, though uppercase is encouraged for consistency.

2.2.2. Headers

HTTP generally refers to a header as a "field" or "header field". The web platform uses the more colloquial term "header". [HTTP]

A header list is a list of zero or more headers. It is initially « ».

A header list is essentially a specialized multimap: an ordered list of key-value pairs with potentially duplicate keys. Since headers other than `Set-Cookie` are always combined when exposed to client-side JavaScript, implementations could choose a more efficient representation, as long as they also support an associated data structure for `Set-Cookie` headers.

To get a structured field value given a header name name and a string type from a header list list, run these steps. They return null or a structured field value.

  1. Assert: type is one of "dictionary", "list", or "item".

  2. Let value be the result of getting name from list.

  3. If value is null, then return null.

  4. Let result be the result of parsing structured fields with input_string set to value and header_type set to type.

  5. If parsing failed, then return null.

  6. Return result.

Get a structured field value intentionally does not distinguish between a header not being present and its value failing to parse as a structured field value. This ensures uniform processing across the web platform.

To set a structured field value given a tuple (header name name, structured field value structuredValue), in a header list list:

  1. Let serializedValue be the result of executing the serializing structured fields algorithm on structuredValue.

  2. Set (name, serializedValue) in list.

Structured field values are defined as objects which HTTP can (eventually) serialize in interesting and efficient ways. For the moment, Fetch only supports header values as byte sequences, which means that these objects can be set in header lists only via serialization, and they can be obtained from header lists only by parsing. In the future the fact that they are objects might be preserved end-to-end. [RFC8941]

A header list list contains a header name name if list contains a header whose name is a byte-case-insensitive match for name.

To get a header name name from a header list list, run these steps. They return null or a header value.

  1. If list does not contain name, then return null.

  2. Return the values of all headers in list whose name is a byte-case-insensitive match for name, separated from each other by 0x2C 0x20, in order.

To get, decode, and split a header name name from header list list, run these steps. They return null or a list of strings.

  1. Let value be the result of getting name from list.

  2. If value is null, then return null.

  3. Return the result of getting, decoding, and splitting value.

This is how get, decode, and split functions in practice with `A` as the name argument:

Headers (as on the network) Output 
A: nosniff,
« "nosniff", "" » 
A: nosniff
B: sniff
A:

A: text/html;", x/x
« "text/html;", x/x" » 
A: text/html;"
A: x/x

A: x/x;test="hi",y/y
« "x/x;test="hi"", "y/y" » 
A: x/x;test="hi"
C: **bingo**
A: y/y

A: x / x,,,1
« "x / x", "", "", "1" » 
A: x / x
A: ,
A: 1

A: "1,2", 3
« ""1,2"", "3" » 
A: "1,2"
D: 4
A: 3

To get, decode, and split a header value value, run these steps. They return a list of strings.

  1. Let input be the result of isomorphic decoding value.

  2. Let position be a position variable for input, initially pointing at the start of input.

  3. Let values be a list of strings, initially empty.

  4. Let temporaryValue be the empty string.

  5. While position is not past the end of input:

    1. Append the result of collecting a sequence of code points that are not U+0022 (") or U+002C (,) from input, given position, to temporaryValue.

      The result might be the empty string.

    2. If position is not past the end of input, then:

      1. If the code point at position within input is U+0022 ("), then:

        1. Append the result of collecting an HTTP quoted string from input, given position, to temporaryValue.

        2. If position is not past the end of input, then continue.

      2. Otherwise:

        1. Assert: the code point at position within input is U+002C (,).

        2. Advance position by 1.

    3. Remove all HTTP tab or space from the start and end of temporaryValue.

    4. Append temporaryValue to values.

    5. Set temporaryValue to the empty string.

  6. Return values.

Except for blessed call sites, the algorithm directly above is not to be invoked directly. Use get, decode, and split instead.

To append a header (name, value) to a header list list:

  1. If list contains name, then set name to the first such header’s name.

    This reuses the casing of the name of the header already in list, if any. If there are multiple matched headers their names will all be identical.

  2. Append (name, value) to list.

To delete a header name name from a header list list, remove all headers whose name is a byte-case-insensitive match for name from list.

To set a header (name, value) in a header list list:

  1. If list contains name, then set the value of the first such header to value and remove the others.

  2. Otherwise, append (name, value) to list.

To combine a header (name, value) in a header list list:

  1. If list contains name, then set the value of the first such header to its value, followed by 0x2C 0x20, followed by value.

  2. Otherwise, append (name, value) to list.

Combine is used by XMLHttpRequest and the WebSocket protocol handshake.

To convert header names to a sorted-lowercase set, given a list of names headerNames, run these steps. They return an ordered set of header names.

  1. Let headerNamesSet be a new ordered set.

  2. For each name of headerNames, append the result of byte-lowercasing name to headerNamesSet.

  3. Return the result of sorting headerNamesSet in ascending order with byte less than.

To sort and combine a header list list, run these steps. They return a header list.

  1. Let headers be a header list.

  2. Let names be the result of convert header names to a sorted-lowercase set with all the names of the headers in list.

  3. For each name of names:

    1. If name is `set-cookie`, then:

      1. Let values be a list of all values of headers in list whose name is a byte-case-insensitive match for name, in order.

      2. For each value of values:

        1. Append (name, value) to headers.

    2. Otherwise:

      1. Let value be the result of getting name from list.

      2. Assert: value is non-null.

      3. Append (name, value) to headers.

  4. Return headers.

A header is a tuple that consists of a name (a header name) and value (a header value).

A header name is a byte sequence that matches the field-name token production.

A header value is a byte sequence that matches the following conditions:

The definition of header value is not defined in terms of the field-value token production as it is not compatible with deployed content.

To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.

To determine whether a header (name, value) is a CORS-safelisted request-header, run these steps:

  1. If value’s length is greater than 128, then return false.

  2. Byte-lowercase name and switch on the result:

    `accept`

    If value contains a CORS-unsafe request-header byte, then return false.

    `accept-language`
    `content-language`

    If value contains a byte that is not in the range 0x30 (0) to 0x39 (9), inclusive, is not in the range 0x41 (A) to 0x5A (Z), inclusive, is not in the range 0x61 (a) to 0x7A (z), inclusive, and is not 0x20 (SP), 0x2A (*), 0x2C (,), 0x2D (-), 0x2E (.), 0x3B (;), or 0x3D (=), then return false.

    `content-type`

    1. If value contains a CORS-unsafe request-header byte, then return false.

    2. Let mimeType be the result of parsing the result of isomorphic decoding value.

    3. If mimeType is failure, then return false.

    4. If mimeType’s essence is not "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", then return false.

    This intentionally does not use extract a MIME type as that algorithm is rather forgiving and servers are not expected to implement it.

    If extract a MIME type were used the following request would not result in a CORS preflight and a naïve parser on the server might treat the request body as JSON: 

    fetch("https://victim.example/naïve-endpoint", {
  method: "POST",
  headers: [
    ["Content-Type", "application/json"],
    ["Content-Type", "text/plain"]
  ],
  credentials: "include",
  body: JSON.stringify(exerciseForTheReader)
});
    `range`

    1. Let rangeValue be the result of parsing a single range header value given value and false.

    2. If rangeValue is failure, then return false.

    3. If rangeValue[0] is null, then return false.

      As web browsers have historically not emitted ranges such as `bytes=-500` this algorithm does not safelist them.

    Otherwise

    Return false.

  3. Return true.

There are limited exceptions to the `Content-Type` header safelist, as documented in CORS protocol exceptions.

A CORS-unsafe request-header byte is a byte byte for which one of the following is true:

The CORS-unsafe request-header names, given a header list headers, are determined as follows:

  1. Let unsafeNames be a new list.

  2. Let potentiallyUnsafeNames be a new list.

  3. Let safelistValueSize be 0.

  4. For each header of headers:

    1. If header is not a CORS-safelisted request-header, then append header’s name to unsafeNames.

    2. Otherwise, append header’s name to potentiallyUnsafeNames and increase safelistValueSize by header’s value’s length.

  5. If safelistValueSize is greater than 1024, then for each name of potentiallyUnsafeNames, append name to unsafeNames.

  6. Return the result of convert header names to a sorted-lowercase set with unsafeNames.

A CORS non-wildcard request-header name is a header name that is a byte-case-insensitive match for `Authorization`.

A privileged no-CORS request-header name is a header name that is a byte-case-insensitive match for one of

These are headers that can be set by privileged APIs, and will be preserved if their associated request object is copied, but will be removed if the request is modified by unprivileged APIs.

`Range` headers are commonly used by downloads and media fetches.

A helper is provided to add a range header to a particular request.

A CORS-safelisted response-header name, given a list of header names list, is a header name that is a byte-case-insensitive match for one of

A no-CORS-safelisted request-header name is a header name that is a byte-case-insensitive match for one of

To determine whether a header (name, value) is a no-CORS-safelisted request-header, run these steps:

  1. If name is not a no-CORS-safelisted request-header name, then return false.

  2. Return whether (name, value) is a CORS-safelisted request-header.

A header (name, value) is forbidden request-header if these steps return true:

  1. If name is a byte-case-insensitive match for one of:

    then return true.

  2. If name when byte-lowercased starts with `proxy-` or `sec-`, then return true.

  3. If name is a byte-case-insensitive match for one of:

    • `X-HTTP-Method`
    • `X-HTTP-Method-Override`
    • `X-Method-Override`

    then:

    1. Let parsedValues be the result of getting, decoding, and splitting value.

    2. For each method of parsedValues: if the isomorphic encoding of method is a forbidden method, then return true.

  4. Return false.

These are forbidden so the user agent remains in full control over them.

Header names starting with `Sec-` are reserved to allow new headers to be minted that are safe from APIs using fetch that allow control over headers by developers, such as XMLHttpRequest. [XHR]

The `Set-Cookie` header is semantically a response header, so it is not useful on requests. Because `Set-Cookie` headers cannot be combined, they require more complex handling in the Headers object. It is forbidden here to avoid leaking this complexity into requests.

A forbidden response-header name is a header name that is a byte-case-insensitive match for one of:

A request-body-header name is a header name that is a byte-case-insensitive match for one of:

To extract header values given a header header, run these steps:

  1. If parsing header’s value, per the ABNF for header’s name, fails, then return failure.

  2. Return one or more values resulting from parsing header’s value, per the ABNF for header’s name.

To extract header list values given a header name name and a header list list, run these steps:

  1. If list does not contain name, then return null.

  2. If the ABNF for name allows a single header and list contains more than one, then return failure.

    If different error handling is needed, extract the desired header first.

  3. Let values be an empty list.

  4. For each header header list contains whose name is name:

    1. Let extract be the result of extracting header values from header.

    2. If extract is failure, then return failure.

    3. Append each value in extract, in order, to values.

  5. Return values.

To build a content range given an integer rangeStart, an integer rangeEnd, and an integer fullLength, run these steps:

  1. Let contentRange be `bytes `.

  2. Append rangeStart, serialized and isomorphic encoded, to contentRange.

  3. Append 0x2D (-) to contentRange.

  4. Append rangeEnd, serialized and isomorphic encoded to contentRange.

  5. Append 0x2F (/) to contentRange.

  6. Append fullLength, serialized and isomorphic encoded to contentRange.

  7. Return contentRange.

To parse a single range header value from a byte sequence value and a boolean allowWhitespace, run these steps:

  1. Let data be the isomorphic decoding of value.

  2. If data does not start with "bytes", then return failure.

  3. Let position be a position variable for data, initially pointing at the 5th code point of data.

  4. If allowWhitespace is true, collect a sequence of code points that are HTTP tab or space, from data given position.

  5. If the code point at position within data is not U+003D (=), then return failure.

  6. Advance position by 1.

  7. If allowWhitespace is true, collect a sequence of code points that are HTTP tab or space, from data given position.

  8. Let rangeStart be the result of collecting a sequence of code points that are ASCII digits, from data given position.

  9. Let rangeStartValue be rangeStart, interpreted as decimal number, if rangeStart is not the empty string; otherwise null.

  10. If allowWhitespace is true, collect a sequence of code points that are HTTP tab or space, from data given position.

  11. If the code point at position within data is not U+002D (-), then return failure.

  12. Advance position by 1.

  13. If allowWhitespace is true, collect a sequence of code points that are HTTP tab or space, from data given position.

  14. Let rangeEnd be the result of collecting a sequence of code points that are ASCII digits, from data given position.

  15. Let rangeEndValue be rangeEnd, interpreted as decimal number, if rangeEnd is not the empty string; otherwise null.

  16. If position is not past the end of data, then return failure.

  17. If rangeEndValue and rangeStartValue are null, then return failure.

  18. If rangeStartValue and rangeEndValue are numbers, and rangeStartValue is greater than rangeEndValue, then return failure.

  19. Return (rangeStartValue, rangeEndValue).

    The range end or start can be omitted, e.g., `bytes=0-` or `bytes=-500` are valid ranges.

Parse a single range header value succeeds for a subset of allowed range header values, but it is the most common form used by user agents when requesting media or resuming downloads. This format of range header value can be set using add a range header.

A default `User-Agent` value is an implementation-defined header value for the `User-Agent` header.

The document `Accept` header value is `text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8`.

2.2.3. Statuses

A status is an integer in the range 0 to 999, inclusive.

Various edge cases in mapping HTTP/1’s status-code to this concept are worked on in issue #1156.

A null body status is a status that is 101, 103, 204, 205, or 304.

An ok status is a status in the range 200 to 299, inclusive.

A redirect status is a status that is 301, 302, 303, 307, or 308.

2.2.4. Bodies

A body consists of:

To clone a body body, run these steps:

  1. Let « out1, out2 » be the result of teeing body’s stream.

  2. Set body’s stream to out1.

  3. Return a body whose stream is out2 and other members are copied from body.

To get a byte sequence bytes as a body, return the body of the result of safely extracting bytes.

To incrementally read a body body, given an algorithm processBodyChunk, an algorithm processEndOfBody, an algorithm processBodyError, and an optional null, parallel queue, or global object taskDestination (default null), run these steps. processBodyChunk must be an algorithm accepting a byte sequence. processEndOfBody must be an algorithm accepting no arguments. processBodyError must be an algorithm accepting an exception.

  1. If taskDestination is null, then set taskDestination to the result of starting a new parallel queue.

  2. Let reader be the result of getting a reader for body’s stream.

    This operation will not throw an exception.

  3. Perform the incrementally-read loop given reader, taskDestination, processBodyChunk, processEndOfBody, and processBodyError.

To perform the incrementally-read loop, given a ReadableStreamDefaultReader object reader, parallel queue or global object taskDestination, algorithm processBodyChunk, algorithm processEndOfBody, and algorithm processBodyError:

  1. Let readRequest be the following read request:

    chunk steps, given chunk

    1. Let continueAlgorithm be null.

    2. If chunk is not a Uint8Array object, then set continueAlgorithm to this step: run processBodyError given a TypeError.

    3. Otherwise:

      1. Let bytes be a copy of chunk.

        Implementations are strongly encouraged to use an implementation strategy that avoids this copy where possible.

      2. Set continueAlgorithm to these steps:

        1. Run processBodyChunk given bytes.

        2. Perform the incrementally-read loop given reader, taskDestination, processBodyChunk, processEndOfBody, and processBodyError.

    4. Queue a fetch task given continueAlgorithm and taskDestination.

    close steps

    1. Queue a fetch task given processEndOfBody and taskDestination.

    error steps, given e

    1. Queue a fetch task to run processBodyError given e, with taskDestination.

  2. Read a chunk from reader given readRequest.

To fully read a body body, given an algorithm processBody, an algorithm processBodyError, and an optional null, parallel queue, or global object taskDestination (default null), run these steps. processBody must be an algorithm accepting a byte sequence. processBodyError must be an algorithm optionally accepting an exception.

  1. If taskDestination is null, then set taskDestination to the result of starting a new parallel queue.

  2. Let successSteps given a byte sequence bytes be to queue a fetch task to run processBody given bytes, with taskDestination.

  3. Let errorSteps optionally given an exception exception be to queue a fetch task to run processBodyError given exception, with taskDestination.

  4. Let reader be the result of getting a reader for body’s stream. If that threw an exception, then run errorSteps with that exception and return.

  5. Read all bytes from reader, given successSteps and errorSteps.

A body with type is a tuple that consists of a body (a body) and a type (a header value or null).

To handle content codings given codings and bytes, run these steps:

  1. If codings are not supported, then return bytes.

  2. Return the result of decoding bytes with codings as explained in HTTP, if decoding does not result in an error, and failure otherwise. [HTTP]

2.2.5. Requests

This section documents how requests work in detail. To get started, see Setting up a request.

The input to fetch is a request.

A request has an associated method (a method). Unless stated otherwise it is `GET`.

This can be updated during redirects to `GET` as described in HTTP fetch.

A request has an associated URL (a URL).

Implementations are encouraged to make this a pointer to the first URL in request’s URL list. It is provided as a distinct field solely for the convenience of other standards hooking into Fetch.

A request has an associated local-URLs-only flag. Unless stated otherwise it is unset.

A request has an associated header list (a header list). Unless stated otherwise it is « ».

A request has an associated unsafe-request flag. Unless stated otherwise it is unset.

The unsafe-request flag is set by APIs such as fetch() and XMLHttpRequest to ensure a CORS-preflight fetch is done based on the supplied method and header list. It does not free an API from outlawing forbidden methods and forbidden request-headers.

A request has an associated body (null, a byte sequence, or a body). Unless stated otherwise it is null.

A byte sequence will be safely extracted into a body early on in fetch. As part of HTTP fetch it is possible for this field to be set to null due to certain redirects.

A request has an associated client (null or an environment settings object).

A request has an associated reserved client (null, an environment, or an environment settings object). Unless stated otherwise it is null.

This is only used by navigation requests and worker requests, but not service worker requests. It references an environment for a navigation request and an environment settings object for a worker request.

A request has an associated replaces client id (a string). Unless stated otherwise it is the empty string.

This is only used by navigation requests. It is the id of the target browsing context’s active document’s environment settings object.

A request has an associated window ("no-window", "client", or an environment settings object whose global object is a Window object). Unless stated otherwise it is "client".

The "client" value is changed to "no-window" or request’s client during fetching. It provides a convenient way for standards to not have to explicitly set request’s window.

A request has an associated boolean keepalive. Unless stated otherwise it is false.

This can be used to allow the request to outlive the environment settings object, e.g., navigator.sendBeacon() and the HTML img element use this. Requests with this set to true are subject to additional processing requirements.

A request has an associated initiator type, which is null, "audio", "beacon", "body", "css", "early-hints", "embed", "fetch", "font", "frame", "iframe", "image", "img", "input", "link", "object", "ping", "script", "track", "video", "xmlhttprequest", or "other". Unless stated otherwise it is null. [RESOURCE-TIMING]

A request has an associated service-workers mode, that is "all" or "none". Unless stated otherwise it is "all".

This determines which service workers will receive a fetch event for this fetch.

"all"
Relevant service workers will get a fetch event for this fetch.
"none"
No service workers will get events for this fetch.

A request has an associated initiator, which is the empty string, "download", "imageset", "manifest", "prefetch", "prerender", or "xslt". Unless stated otherwise it is the empty string.

A request’s initiator is not particularly granular for the time being as other specifications do not require it to be. It is primarily a specification device to assist defining CSP and Mixed Content. It is not exposed to JavaScript. [CSP] [MIX]

A request has an associated destination, which is the empty string, "audio", "audioworklet", "document", "embed", "font", "frame", "iframe", "image", "json", "manifest", "object", "paintworklet", "report", "script", "serviceworker", "sharedworker", "style", "track", "video", "webidentity", "worker", or "xslt". Unless stated otherwise it is the empty string.

These are reflected on RequestDestination except for "serviceworker" and "webidentity" as fetches with those destinations skip service workers.

A request’s destination is script-like if it is "audioworklet", "paintworklet", "script", "serviceworker", "sharedworker", or "worker".

Algorithms that use script-like should also consider "xslt" as that too can cause script execution. It is not included in the list as it is not always relevant and might require different behavior.

The following table illustrates the relationship between a request’s initiator, destination, CSP directives, and features. It is not exhaustive with respect to features. Features need to have the relevant values defined in their respective standards.

Initiator Destination CSP directive Features
"" "report" CSP, NEL reports.
"document" HTML’s navigate algorithm (top-level only).
"frame" child-src HTML’s
"iframe" child-src HTML’s