Merge pull request #296 from apasel422/fetch

martinthomson · web-flow · commit a20cba87ce18 · 2025-11-24T10:43:21.000+11:00
Integrate Save-Impression header with fetch
diff --git a/api.bs b/api.bs
@@ -1402,14 +1402,21 @@ and a [=moment=] |now|:
 <div algorithm>
 The <dfn method for=Attribution>saveImpression(|options|)</dfn> method steps are:
 
-1.  Let |realm| be [=this=]'s [=relevant realm=].
-1.  Let |window| be [=this=]'s [=relevant global object=].
-1.  [=Assert=]: |window| is a {{Window}}.
-1.  If |window|'s [=associated Document=] is not
-    [=allowed to use=] the [=policy-controlled feature=] named
+1.  Let |implicitInputs| be the result of [=obtaining the implicit API inputs=] from [=this=].
+1.  [=Assert=]: |implicitInputs| is not null.
+1.  Return the result of running [=save an impression=] with |options| and |implicitInputs|.
+
+</div>
+
+<div algorithm>
+To <dfn>save an impression</dfn> given {{AttributionImpressionOptions}} |options|
+and [=implicit API inputs=] |implicitInputs|:
+
+1.  Let |document| be |implicitInputs|'s [=implicit API inputs/associated document=].
+1.  Let |realm| be |document|'s [=relevant realm=].
+1.  If |document| is not [=allowed to use=] the [=policy-controlled feature=] named
     "{{PermissionPolicy/save-impression}}", return [=a promise rejected with=]
     a {{"NotAllowedError"}} {{DOMException}} in |realm|.
-1.  Let |implicitInputs| be the result of [=obtaining the implicit API inputs=] from [=this=].
 1.  Validate the page-supplied API inputs:
     1.  If |options|.{{AttributionImpressionOptions/histogramIndex}} is
         greater than or equal to the [=implementation-defined=] [=maximum histogram size=],
@@ -1481,16 +1488,20 @@ The <dfn>implicit API inputs</dfn> is a [=struct=] with the following fields:
 <dfn>Top-Level Site</dfn>: A [=site=].
 <dfn>Intermediary Site</dfn>: A [=site=] or `undefined`.
 <dfn>Timestamp</dfn>: A [=moment=].
+<dfn>Associated Document</dfn>: A {{Document}}.
 </pre>
 </div>
 
 <div algorithm>
-To <dfn>obtain the implicit API inputs</dfn> from [=this=]:
+To <dfn>obtain the implicit API inputs</dfn> from [=realm=] |realm| with
+optional [=origin=] (default null):
 
-1.  Let |settings| be [=this=]'s [=relevant settings object=].
+1.  Let |window| be |realm|'s [=realm/global object=].
+1.  If |window| is not a {{Window}}, return null.
+1.  Let |settings| be |realm|'s [=realm/settings object=].
 1.  Let |timestamp| be |settings|' [=environment settings object/current wall time=].
 1.  Let |topLevelOrigin| be |settings|' [=environment/top-level origin=].
-1.  Let |origin| be |settings|' [=environment settings object/origin=].
+1.  If |origin| is null, set |origin| to |settings|' [=environment settings object/origin=].
 1.  Let |topLevelSite| be the result of [=obtain a site|obtaining a site=] from |topLevelOrigin|.
 1.  Let |intermediarySite| be:
     1.   a value of `undefined` if |origin| is [=same site=] with |topLevelOrigin|,
@@ -1502,6 +1513,8 @@ To <dfn>obtain the implicit API inputs</dfn> from [=this=]:
     ::  |intermediarySite|
     :   [=implicit API inputs/timestamp=]
     ::  |timestamp|
+    :   [=implicit API inputs/associated document=]:
+    ::  |window|'s [=associated document=]
 
 </div>
 
@@ -1513,14 +1526,13 @@ asynchronously, queuing work on the <dfn>Attribution [=task source=]</dfn>.
 <div algorithm>
 The <dfn method for=Attribution>measureConversion(|options|)</dfn> method steps are:
 
-1.  Let |realm| be [=this=]'s [=relevant realm=].
-1.  Let |window| be [=this=]'s [=relevant global object=].
-1.  [=Assert=]: |window| is a {{Window}}.
-1.  If |window|'s [=associated Document=] is not
-    [=allowed to use=] the [=policy-controlled feature=] named
+1.  Let |implicitInputs| be the result of [=obtaining the implicit API inputs=] from [=this=].
+1.  [=Assert=]: |implicitInputs| is not null.
+1.  Let |document| be |implicitInputs|'s [=implicit API inputs/associated document=].
+1.  Let |realm| be |document|'s [=relevant realm=].
+1.  If |document| is not [=allowed to use=] the [=policy-controlled feature=] named
     "{{PermissionPolicy/measure-conversion}}", return [=a promise rejected with=]
     a {{"NotAllowedError"}} {{DOMException}} in |realm|.
-1.  Let |implicitInputs| be the result of [=obtaining the implicit API inputs=] from [=this=].
 1.  Let |validatedOptions| be the result of
     [=validate AttributionConversionOptions|validating=] |options|,
     returning [=a promise rejected with=] any thrown reason.
@@ -2000,6 +2012,52 @@ To <dfn noexport>parse a `Save-Impression` header</dfn> given a [=header value=]
 
 </div>
 
+<div algorithm>
+To <dfn noexport>handle Attribution headers</dfn> given a [=request=] |request|
+and [=response=] |response|, run these steps:
+
+1.  If |request|'s [=request/destination=] is not one of the following,
+    return: `""`, `"audio"`, `"document"`, `"frame"`, `"iframe"`, `"image"`,
+    `"script"`, `"track"`, `"video"`.
+
+1.  If |request|'s [=request/client=] is not a [=secure context=], return.
+
+1.  If |response|'s [=response/URL=] is not a [=potentially trustworthy URL=], return.
+
+1.  If |response|'s [=response/URL=]'s [=url/scheme=] is not not "`http`" or "`https`", return.
+
+1.  Let |implicitInputs| be the result of [=obtaining the implicit API inputs=] from |request|'s [=request/client=]
+    with |response|'s [=response/URL=]'s [=url/origin=].
+
+1.  If |implicitInputs| is null, return.
+
+1.  Let |saveImpressionHeader| be the result of [=header list/get|getting=] <code>[:Save-Impression:]</code> from |response|'s [=response/header list=].
+
+1.  If |saveImpressionHeader| is null, return.
+
+1.  Let |impressionOptions| be the result of [=parse a Save-Impression header|parsing=] |saveImpressionHeader|.
+
+1.  If |impressionOptions| is an error, return.
+
+1.  [=save an impression|Save=] |impressionOptions| with |implicitInputs|.
+
+</div>
+
+## Fetch monkey patches ## {#fetch-monkey-patches}
+
+Modify [=HTTP-network fetch=] as follows:
+
+<div algorithm=fetch-monkey-patch>
+After the step
+
+> If <var ignore>includeCredentials</var> is true, then the user agent should parse and store response `Set-Cookie` headers given |request| and |response|.
+
+add the step
+
+1. [=Handle Attribution headers=] with |request| and |response|.
+
+</div>
+
 # Implementation Considerations # {#implementation-considerations}
 
 * Management and distribution of values for the following:
@@ -3037,6 +3095,7 @@ The privacy architecture is courtesy of the authors of [[PPA-DP]].
 <pre class=anchors>
 urlPrefix: https://fetch.spec.whatwg.org/; spec: html; type: dfn
     text: request origin; url: #concept-request-origin
+    text: HTTP-network fetch; url: #concept-http-network-fetch
 urlPrefix: https://html.spec.whatwg.org/; spec: html; type: dfn
     text: host; url: #concept-origin-host
     text: obtain a site
@@ -3066,6 +3125,8 @@ urlPrefix: https://w3ctag.github.io/privacy-principles/; type: dfn;
 urlPrefix: https://www.w3.org/TR/fingerprinting-guidance/; type: dfn;
     text: fingerprint; url: #dfn-browser-fingerprinting
     text: fingerprinting; url: #dfn-browser-fingerprinting
+urlPrefix:https://tc39.es/ecma262/#;type:dfn;spec:ecma-262
+    url:realm;text:realm
 </pre>
 <pre class=anchors>
 spec:structured header; type:dfn; urlPrefix: https://httpwg.org/specs/rfc9651;
