From 9c64c16c3e584b20f16ac0cbc393fba9f73d633a Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@google.com>
Date: Fri, 14 Feb 2020 10:06:56 +0100
Subject: [PATCH 1/3] Accept 'sec-'-prefixed headers as CORS-safelisted.

As discussed in #993.
---
 fetch.bs | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index 1ec576be7..03067d839 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -708,7 +708,11 @@ production as
  <li><p>Let <var>value</var> be <var>header</var>'s <a for=header>value</a>.
 
  <li>
-  <p><a>Byte-lowercase</a> <var>header</var>'s <a for=header>name</a> and switch on the result:
+  <p>Let <var>name</var> be the result of <a>byte-lowercasing</a> <var>header</var>'s
+  <a for=header>name</a>.
+
+ <li>
+  <p>Switch on <var>name</var>:
 
   <dl class=switch>
    <dt>`<code>accept</code>`
@@ -760,7 +764,12 @@ fetch("https://victim.example/naïve-endpoint", {
     </div>
 
    <dt>Otherwise
-   <dd><p>Return false.
+   <dd>
+    <p>If <var>name</var> does not begin with the string "<code>sec-</code>", return false.
+
+    <p class=note>As all headers beginning with "<code>Sec-</code>" are <a>forbidden header
+    names</a>, we have some confidence that they're generated by the user agent, and not via APIs
+    that developers directly control.
   </dl>
 
  <li><p>If <var>value</var>'s <a for="byte sequence">length</a> is greater than 128, then return

From 1bc7627ff951c515ce784ba60de9d30571fd5edb Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@google.com>
Date: Fri, 14 Feb 2020 14:30:57 +0100
Subject: [PATCH 2/3] Update fetch.bs

Co-Authored-By: Anne van Kesteren <annevk@annevk.nl>
---
 fetch.bs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fetch.bs b/fetch.bs
index 03067d839..78cadb5d7 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -765,7 +765,7 @@ fetch("https://victim.example/naïve-endpoint", {
 
    <dt>Otherwise
    <dd>
-    <p>If <var>name</var> does not begin with the string "<code>sec-</code>", return false.
+    <p>If <var>name</var> does not start with `<code>sec-</code>`, then return false.
 
     <p class=note>As all headers beginning with "<code>Sec-</code>" are <a>forbidden header
     names</a>, we have some confidence that they're generated by the user agent, and not via APIs

From 4efccc0ede2258b1da53821d057e4de087200b44 Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@google.com>
Date: Fri, 14 Feb 2020 14:32:56 +0100
Subject: [PATCH 3/3] Update fetch.bs

Co-Authored-By: Anne van Kesteren <annevk@annevk.nl>
---
 fetch.bs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fetch.bs b/fetch.bs
index 78cadb5d7..f33877dc4 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -767,7 +767,7 @@ fetch("https://victim.example/naïve-endpoint", {
    <dd>
     <p>If <var>name</var> does not start with `<code>sec-</code>`, then return false.
 
-    <p class=note>As all headers beginning with "<code>Sec-</code>" are <a>forbidden header
+    <p class=note>As all headers starting with `<code>Sec-</code>` are <a>forbidden header
     names</a>, we have some confidence that they're generated by the user agent, and not via APIs
     that developers directly control.
   </dl>