From 4647085b947659abf19a55a5b424de1b0f341e36 Mon Sep 17 00:00:00 2001 From: Mike Taylor Date: Tue, 31 Oct 2023 07:34:59 +0000 Subject: [PATCH] Editorial: link to Fetch's destinations for Sec-Fetch-Dest (#88) SHA: 8624131b818d0e3ffc59d5bb5daba9c182fcee50 Reason: push, by mikewest Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- index.html | 2125 ++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 1463 insertions(+), 662 deletions(-) diff --git a/index.html b/index.html index a551ec2..01a21bd 100644 --- a/index.html +++ b/index.html @@ -4,12 +4,11 @@ Fetch Metadata Request Headers - - + + - - - + + - + - + + - - + + - +
-

+

Fetch Metadata Request Headers

-

W3C Working Draft,

-
-
-
This version: -
https://www.w3.org/TR/2021/WD-fetch-metadata-20210720/ -
Latest published version: -
https://www.w3.org/TR/fetch-metadata/ -
Editor's Draft: -
https://w3c.github.io/webappsec-fetch-metadata/ -
Previous Versions: -
-
Version History: -
https://github.com/w3c/webappsec-fetch-metadata/commits/main/index.bs -
Feedback: -
public-webappsec@w3.org with subject line “[fetch-metadata] … message topic …” (archives) -
Issue Tracking: -
GitHub -
Editor: -
(Google Inc.) -
Participate: -
File an issue (open issues) -
Tests: -
web-platform-tests fetch/sec-metadata/ -
-
+

W3C Working Draft,

+
+ More details about this document +
+
+
This version: +
https://www.w3.org/TR/2023/WD-fetch-metadata-20231031/ +
Latest published version: +
https://www.w3.org/TR/fetch-metadata/ +
Editor's Draft: +
https://w3c.github.io/webappsec-fetch-metadata/ +
Previous Versions: +
+
History: +
https://www.w3.org/standards/history/fetch-metadata/ +
Feedback: +
public-webappsec@w3.org with subject line “[fetch-metadata] … message topic …” (archives) +
GitHub +
Editor: +
(Google Inc.) +
Participate: +
File an issue (open issues) +
Tests: +
web-platform-tests fetch/sec-metadata/ +
+
+
-

Copyright © 2021 W3C® (MIT, ERCIM, Keio, Beihang). W3C liability, trademark and document use rules apply.

+

Copyright © 2023 World Wide Web Consortium. W3C® liability, trademark and permissive document license rules apply.

@@ -309,31 +797,31 @@

a priori decisions about whether or not to service a request based on the way it was made, and the context in which it will be used.

-

Status of this document

+

Status of this document

This section describes the status of this document at the time of - its publication. Other documents may supersede this document. A list of + its publication. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.

-

This document was published by the Web Application Security Working Group as a Working Draft. This document is intended to become a W3C Recommendation.

+

This document was published by the Web Application Security Working Group as a Working Draft using the Recommendation + track. This document is intended to become a W3C Recommendation.

The (archived) public mailing list public-webappsec@w3.org (see instructions) is preferred for discussion of this specification. When sending e-mail, please put the text “fetch-metadata” in the subject, preferably like this: “[fetch-metadata] …summary of comment…

-

Publication as a Working Draft does not imply endorsement by the W3C - Membership. This is a draft document and may be updated, replaced or +

Publication as a Working Draft does not imply endorsement by W3C and its Members. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

-

This document was produced by the Web Application Security Working Group.

+

This document was produced by the Web Application Security Working Group.

This document was produced by a group operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

-

This document is governed by the 15 September 2020 W3C Process Document.

+

This document is governed by the 12 June 2023 W3C Process Document.

@@ -378,10 +866,10 @@

Table of Contents

  • 7 Acknowledgements
  • - Conformance + Conformance
      -
    1. Document conventions -
    2. Conformant Algorithms +
    3. Document conventions +
    4. Conformant Algorithms
  • Index @@ -435,37 +923,19 @@

    2.

    The following sections define several fetch metadata headers, each of which exposes an interesting request attribute to a server.

    2.1. The Sec-Fetch-Dest HTTP Request Header

    -
    - -
    -

    Headers/Sec-Fetch-Dest

    -
    - Firefox90+SafariNoneChrome80+ -
    - Opera67+Edge80+ -
    - Edge (Legacy)NoneIENone -
    - Firefox for Android90+iOS SafariNoneChrome for Android80+Android WebView80+Samsung Internet13.0+Opera MobileNone -
    -
    -
    -

    The Sec-Fetch-Dest HTTP request header exposes a request's destination to a server. It is a Structured Header whose value MUST be a token. [I-D.ietf-httpbis-header-structure] Its ABNF is:

    +

    The Sec-Fetch-Dest HTTP request header exposes a request's destination to a server. It is a Structured Header whose value MUST be a token. [I-D.ietf-httpbis-header-structure] Its ABNF is:

    Sec-Fetch-Dest = sh-token
    -

    Valid Sec-Fetch-Dest values include "audio", "audioworklet", "document", "embed", -"empty", "font", "frame", "iframe", "image", "manifest", "object", "paintworklet", -"report", "script", "serviceworker", "sharedworker", "style", "track", "video", -"worker", "xslt".

    +

    Valid Sec-Fetch-Dest values include the set of valid request destinations defined by [Fetch].

    In order to support forward-compatibility with as-yet-unknown request types, servers SHOULD ignore this header if it contains an invalid value.

    -
    // fetch()'s destination is the empty string:
+
    // fetch()’s destination is the empty string:
 Sec-Fetch-Dest: empty
 
-// <img>'s destination is "image"
+// <img>’s destination is "image"
 Sec-Fetch-Dest: image
 
-// new Worker()'s destination is "worker"
+// new Worker()’s destination is "worker"
 Sec-Fetch-Dest: worker
 
 // Top-level navigations' destinations are "document"
@@ -474,50 +944,35 @@ 
    <iframe> navigations' destinations are "iframe"
 Sec-Fetch-Dest: iframe
 
    
-   
    
-     To set the Sec-Fetch-Dest header for a request r: 
+   
    
+     To set the Sec-Fetch-Dest header for a request r: 
     
      
      
    1. 
-      
      Assert: r’s url is a potentially trustworthy URL.
      
+      
      Assert: r’s url is a potentially trustworthy URL.
      
      
    2. 
-      
      Let header be a Structured Header whose value is a token.
      
+      
      Let header be a Structured Header whose value is a token.
      
      
    3. 
-      
      If r’s destination is the empty string, set header’s value to the string
-"empty". Otherwise, set header’s value to r’s destination.
      
-      
      Note: We map Fetch’s empty string destination onto an explicit "empty" token in order to simplify processing.
      
+      
      If r’s destination is the empty string, set header’s value to the string
+"empty". Otherwise, set header’s value to r’s destination.
      
+      
      Note: We map Fetch’s empty string destination onto an explicit "empty" token in order to simplify processing.
      
      
    4. 
       
      Set a structured field value `Sec-Fetch-Dest`/header in r’s header list.
      
     
    
    
    
    
    2.2. The Sec-Fetch-Mode HTTP Request Header
    
-   
    
-    
-    
    
-     
    Headers/Sec-Fetch-Mode
    
-     
    
-      Firefox90+SafariNoneChrome76+
-      
    
-      Opera63+Edge79+
-      
    
-      Edge (Legacy)NoneIENone
-      
    
-      Firefox for Android90+iOS SafariNoneChrome for Android76+Android WebView76+Samsung Internet12.0+Opera Mobile54+
-     
    
-    
    
-   
    
-   
    The Sec-Fetch-Mode HTTP request header exposes a request's mode to a server. It is a Structured Header whose value is a token. [I-D.ietf-httpbis-header-structure] Its ABNF is:
    
+   
    The Sec-Fetch-Mode HTTP request header exposes a request's mode to a server. It is a Structured Header whose value is a token. [I-D.ietf-httpbis-header-structure] Its ABNF is:
    
 
    Sec-Fetch-Mode = sh-token
 
    
    
    Valid Sec-Fetch-Mode values include "cors", "navigate", "no-cors", "same-origin",
 and "websocket". In order to support forward-compatibility with as-yet-unknown request types,
 servers SHOULD ignore this header if it contains an invalid value.
    
-   
    
-     To set the Sec-Fetch-Mode header for a request r: 
+   
    
+     To set the Sec-Fetch-Mode header for a request r: 
     
      
      
    1. 
-      
      Assert: r’s url is a potentially trustworthy URL.
      
+      
      Assert: r’s url is a potentially trustworthy URL.
      
      
    2. 
-      
      Let header be a Structured Header whose value is a token.
      
+      
      Let header be a Structured Header whose value is a token.
      
      
    3. 
       
      Set header’s value to r’s mode.
      
      
    4. 
@@ -525,51 +980,36 @@ 
      
    
    
    
    2.3. The Sec-Fetch-Site HTTP Request Header
    
-   
    
-    
-    
    
-     
    Headers/Sec-Fetch-Site
    
-     
    
-      Firefox90+SafariNoneChrome76+
-      
    
-      Opera63+Edge79+
-      
    
-      Edge (Legacy)NoneIENone
-      
    
-      Firefox for Android90+iOS SafariNoneChrome for Android76+Android WebView76+Samsung Internet12.0+Opera Mobile54+
-     
    
-    
    
-   
    
    
    The Sec-Fetch-Site HTTP request header exposes the relationship
-between a request initiator’s origin and its target’s origin. It is a Structured Header whose value is a token. [I-D.ietf-httpbis-header-structure] Its ABNF is:
    
+between a request initiator’s origin and its target’s origin. It is a Structured Header whose value is a token. [I-D.ietf-httpbis-header-structure] Its ABNF is:
    
 
    Sec-Fetch-Site = sh-token
 
    
    
    Valid Sec-Fetch-Site values include "cross-site", "same-origin", "same-site", and "none".
 In order to support forward-compatibility with as-yet-unknown request types, servers SHOULD ignore
 this header if it contains an invalid value.
    
-   
    
-     To set the Sec-Fetch-Site header for a request r: 
+   
    
+     To set the Sec-Fetch-Site header for a request r: 
     
      
      
    1. 
-      
      Assert: r’s url is a potentially trustworthy URL.
      
+      
      Assert: r’s url is a potentially trustworthy URL.
      
      
    2. 
-      
      Let header be a Structured Header whose value is a token.
      
+      
      Let header be a Structured Header whose value is a token.
      
      
    3. 
       
      Set header’s value to same-origin.
      
      
    4. 
       
      If r is a navigation request that was explicitly caused by a user’s interaction with
 the user agent (by typing an address into the user agent directly, for example, or by
 clicking a bookmark, etc.), then set header’s value to none.
      
-      
      Note: See § 4.3 Directly User-Initiated Requests for more detail on this somewhat poorly-defined step.
      
+      
      Note: See § 4.3 Directly User-Initiated Requests for more detail on this somewhat poorly-defined step.
      
      
    5. 
       
      If header’s value is not none, then for each url in r’s url list:
      
       
        
        
      1. 
-        
        If url is same origin with r’s origin, continue.
        
+        
        If url is same origin with r’s origin, continue.
        
        
      2. 
         
        Set header’s value to cross-site.
        
        
      3. 
-        
        If r’s origin is not same site with url’s origin, then break.
        
+        
        If r’s origin is not same site with url’s origin, then break.
        
        
      4. 
         
        Set header’s value to same-site.
        
       
      
@@ -578,40 +1018,25 @@ 
      
    
    
    
    2.4. The Sec-Fetch-User HTTP Request Header
    
-   
    
-    
-    
    
-     
    Headers/Sec-Fetch-User
    
-     
    
-      Firefox90+SafariNoneChrome76+
-      
    
-      Opera63+Edge79+
-      
    
-      Edge (Legacy)NoneIENone
-      
    
-      Firefox for Android90+iOS SafariNoneChrome for Android76+Android WebView76+Samsung Internet12.0+Opera Mobile54+
-     
    
-    
    
-   
    
-   
    The Sec-Fetch-User HTTP request header exposes whether or not a navigation request was triggered by user activation. It is a Structured Header whose
-value is a boolean. [I-D.ietf-httpbis-header-structure] Its ABNF is:
    
+   
    The Sec-Fetch-User HTTP request header exposes whether or not a navigation request was triggered by user activation. It is a Structured Header whose
+value is a boolean. [I-D.ietf-httpbis-header-structure] Its ABNF is:
    
 
    Sec-Fetch-User = sh-boolean
 
    
-   
    Note: The header is delivered only for navigation requests, and only when its value is true.
+   
    Note: The header is delivered only for navigation requests, and only when its value is true.
 It might be reasonable to expand the headers' scope in the future to include subresource requests
 generally if we can spell out some use cases that would be improved by exposing that information
 (and if we can agree on ways to define that status for all the subresource request types we’d be
 interested in), but for the moment, navigation requests have clear use cases, and seem
 straightforward to define interoperably.
    
-   
    
-     To set the Sec-Fetch-User header for a request r: 
+   
    
+     To set the Sec-Fetch-User header for a request r: 
     
      
      
    1. 
-      
      Assert: r’s url is a potentially trustworthy URL.
      
+      
      Assert: r’s url is a potentially trustworthy URL.
      
      
    2. 
-      
      If r is not a navigation request, or if r’s user activation is false, return.
      
+      
      If r is not a navigation request, or if r’s user-activation is false, return.
      
      
    3. 
-      
      Let header be a Structured Header whose value is a token.
      
+      
      Let header be a Structured Header whose value is a token.
      
      
    4. 
       
      Set header’s value to true.
      
      
    5. 
@@ -619,15 +1044,15 @@ 
      
    
    
    
    3. Integration with Fetch and HTML
    
-   
    To support Sec-Fetch-User, request has a user-activation which is false,
-unless otherwise populated by HTML’s process a navigate fetch algorithm.
    
+   
    To support Sec-Fetch-User, request has a user-activation which is false,
+unless otherwise populated by HTML’s create navigation params by fetching algorithm.
    
    
    Fetch Metadata headers are appended to outgoing requests from within Fetch’s "HTTP-network-or-cache"
-algorithm, using the following steps. Consult that specification for integration details [FETCH].
    
+algorithm, using the following steps. Consult that specification for integration details [FETCH].
    
    
    
-     To append the Fetch metadata headers for a request, given request r: 
+     To append the Fetch metadata headers for a request, given request r: 
     
      
      
    1. 
-      
      If r’s url is not an potentially trustworthy URL, return.
      
+      
      If r’s url is not an potentially trustworthy URL, return.
      
      
    2. 
       
      Set the Sec-Fetch-Dest header for r.
      
      
    3. 
@@ -643,7 +1068,7 @@ 
      
    
      The user agent will send a Sec-Fetch-Site header along with each request in a
 redirect chain. The header’s value will shift in the presence of cross-origin or cross-site
 redirection in order to mitigate confusion.
      
-   
      The algorithm to set the Sec-Fetch-Site header walks the request's entire url list, and will send cross-site if any URL in the list is cross-site to the
+   
      The algorithm to set the Sec-Fetch-Site header walks the request's entire url list, and will send cross-site if any URL in the list is cross-site to the
 request’s current url, same-site only if all URLs in the list are same-site with the
 request’s current url, and same-origin only if all URLs in the list are same-origin
 with the request’s current url.
      
@@ -654,11 +1079,11 @@ 
      
 same-site with https://example.com/ and https://subdomain.example.com/). If that response
 redirects all the way back to https://example.com/, the final request’s Sec-Fetch-Site value would still be cross-site (as the redirect chain includes https://example.net/, which is
 still not same-site with the other URLs.
      
-   
      Note: For the special case of Sec-Fetch-Site: None, it seems reasonable to maintain that value
+   
      Note: For the special case of Sec-Fetch-Site: None, it seems reasonable to maintain that value
 through redirects in order to support the common case of copy/pasting shortlinks into the address
 bar. That is, if a user agent chooses to treat an address-bar navigation to https://sho.rt/link as Sec-Fetch-Site: none, a post-redirect navigation to https://target.com/long/path/goes/here should likewise assert Sec-Fetch-Site: none.
      
    
      4.2. The Sec- Prefix
      
-   
      Each of the headers defined in this document is prefixed with Sec-, which makes them all forbidden header names, and therefore unmodifiable from JavaScript. This will prevent
+   
      Each of the headers defined in this document is prefixed with Sec-, which makes them all forbidden response-header names, and therefore unmodifiable from JavaScript. This will prevent
 malicious websites from convincing user agents to send forged metadata along with requests,
 which should give sites a bit more confidence in their ability to respond reasonably to
 the advertised information.
      
@@ -731,15 +1156,15 @@ 
      
    
      5. Deployment Considerations
      
    
      5.1. Vary
      
-   
      If a given endpoint’s response depends upon the values the client delivers in a Fetch metadata header, developers should be careful to include an appropriate Vary header [RFC7231], in order to ensure that caches handle the response appropriately. For example, Vary: Accept-Encoding, Sec-Fetch-Site.
      
+   
      If a given endpoint’s response depends upon the values the client delivers in a Fetch metadata header, developers should be careful to include an appropriate Vary header [RFC9110], in order to ensure that caches handle the response appropriately. For example, Vary: Accept-Encoding, Sec-Fetch-Site.
      
    
      5.2. Header Bloat
      
    
      An earlier version of this document defined a single Sec-Metadata header, whose contents were
-a dictionary. Subsequent discussion (as well as Mark Nottingham’s excellent [mnot-designing-headers]) shifted the design away from a single dictionary to a series of simple
+a dictionary. Subsequent discussion (as well as Mark Nottingham’s excellent [mnot-designing-headers]) shifted the design away from a single dictionary to a series of simple
 headers, each of which contains only a single token. This design should perform significantly better
 under HTTP’s current HPACK compression algorithms.
      
    
      Further discussion on the topic can be found on the review thread in w3ctag/design-reviews#280.
      
    
      6. IANA Considerations
      
-   
      The permanent message header field registry should be updated with the following registrations for Fetch metadata headers: [RFC3864]
      
+   
      The permanent message header field registry should be updated with the following registrations for Fetch metadata headers: [RFC3864]
      
    
      6.1. Sec-Fetch-Dest Registration
      
    
      
     
      Header field name
@@ -816,513 +1241,889 @@ 
      7. Thanks to Anne van Kesteren, Artur Janc, Dan Veditz, Łukasz Anforowicz, Mark Nottingham, and
 Roberto Clapis, who all provided substantial support in the design of this mechanism.
      
   
-  
      Conformance
      
-  
      Document conventions
      
-  
      Conformance requirements are expressed with a combination of
-    descriptive assertions and RFC 2119 terminology. The key words “MUST”,
-    “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”,
-    “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this
-    document are to be interpreted as described in RFC 2119.
-    However, for readability, these words do not appear in all uppercase
-    letters in this specification. 
      
-  
      All of the text of this specification is normative except sections
-    explicitly marked as non-normative, examples, and notes. [RFC2119]
      
-  
      Examples in this specification are introduced with the words “for example”
-    or are set apart from the normative text with class="example",
+  
      
+   
      Conformance
      
+   
      Document conventions
      
+   
      Conformance requirements are expressed
+    with a combination of descriptive assertions
+    and RFC 2119 terminology.
+    The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL”
+    in the normative parts of this document
+    are to be interpreted as described in RFC 2119.
+    However, for readability,
+    these words do not appear in all uppercase letters in this specification. 
      
+   
      All of the text of this specification is normative
+    except sections explicitly marked as non-normative, examples, and notes. [RFC2119] 
      
+   
      Examples in this specification are introduced with the words “for example”
+    or are set apart from the normative text
+    with class="example",
+    like this: 
      
+   
      
+     
+    
      This is an example of an informative example. 
      
+   
      
+   
      Informative notes begin with the word “Note”
+    and are set apart from the normative text
+    with class="note",
     like this: 
      
-  
      
-    
-   
      This is an example of an informative example.
      
+   
      Note, this is an informative note.
      
+   
      
+    
      Conformant Algorithms
      
+    
      Requirements phrased in the imperative as part of algorithms
+    (such as "strip any leading space characters"
+    or "return false and abort these steps")
+    are to be interpreted with the meaning of the key word
+    ("must", "should", "may", etc)
+    used in introducing the algorithm. 
      
+    
      Conformance requirements phrased as algorithms or specific steps
+    can be implemented in any manner,
+    so long as the end result is equivalent.
+    In particular, the algorithms defined in this specification
+    are intended to be easy to understand
+    and are not intended to be performant.
+    Implementers are encouraged to optimize. 
      
+   
      
   
      
-  
      Informative notes begin with the word “Note” and are set apart from the
-    normative text with class="note", like this: 
      
-  
      Note, this is an informative note.
      
-  
      Conformant Algorithms
      
-  
      Requirements phrased in the imperative as part of algorithms (such as
-    "strip any leading space characters" or "return false and abort these
-    steps") are to be interpreted with the meaning of the key word ("must",
-    "should", "may", etc) used in introducing the algorithm.
      
-  
      Conformance requirements phrased as algorithms or specific steps can be
-    implemented in any manner, so long as the end result is equivalent. In
-    particular, the algorithms defined in this specification are intended to
-    be easy to understand and are not intended to be performant. Implementers
-    are encouraged to optimize.
      
-
+
   
      Index
      
   
      Terms defined by this specification
      
   
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
-  
   
      Terms defined by reference
      
   
        
+   
      • 
+    [] defines the following terms:
+    
          
+     
        • create navigation params by fetching
+    
        
    
      • 
     [FETCH] defines the following terms:
     
          
-     
        • current url
-     
        • destination
-     
        • forbidden header name
-     
        • header list
-     
        • mode
-     
        • navigation request
-     
        • origin
-     
        • request
-     
        • set a structured field value
-     
        • url
-     
        • url list
-     
        • user-activation
+     
        • current url
+     
        • destination
+     
        • forbidden response-header name
+     
        • header list
+     
        • mode
+     
        • navigation request
+     
        • origin
+     
        • request
+     
        • set a structured field value
+     
        • url
+     
        • url list
+     
        • user-activation
     
        
    
      • 
     [HTML] defines the following terms:
     
          
-     
        • img
-     
        • picture
-     
        • process a navigate fetch
-     
        • same origin
-     
        • same site
+     
        • img
+     
        • picture
+     
        • same origin
+     
        • same site
     
        
    
      • 
     [I-D.ietf-httpbis-header-structure] defines the following terms:
     
          
-     
        • boolean
-     
        • structured header
-     
        • token
+     
        • boolean
+     
        • structured header
+     
        • token
     
        
    
      • 
     [INFRA] defines the following terms:
     
          
-     
        • break
-     
        • continue
-     
        • implementation-defined
+     
        • break
+     
        • continue
+     
        • implementation-defined
     
        
    
      • 
-    [secure-contexts] defines the following terms:
+    [SECURE-CONTEXTS] defines the following terms:
     
          
-     
        • potentially trustworthy url
+     
        • potentially trustworthy url
     
        
    
      • 
     [URL] defines the following terms:
     
          
-     
        • origin
+     
        • origin
     
        
   
      
   
      References
      
   
      Normative References
      
   
      
    
      [FETCH]
-   
      Anne van Kesteren. Fetch Standard. Living Standard. URL: https://fetch.spec.whatwg.org/
+   
      Anne van Kesteren. Fetch Standard. Living Standard. URL: https://fetch.spec.whatwg.org/
    
      [HTML]
-   
      Anne van Kesteren; et al. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/
+   
      Anne van Kesteren; et al. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/
    
      [I-D.ietf-httpbis-header-structure]
-   
      Mark Nottingham; Poul-Henning Kamp. Structured Headers for HTTP. ID. URL: https://tools.ietf.org/html/draft-ietf-httpbis-header-structure
+   
      Mark Nottingham; Poul-Henning Kamp. Structured Headers for HTTP. ID. URL: https://tools.ietf.org/html/draft-ietf-httpbis-header-structure
    
      [INFRA]
-   
      Anne van Kesteren; Domenic Denicola. Infra Standard. Living Standard. URL: https://infra.spec.whatwg.org/
+   
      Anne van Kesteren; Domenic Denicola. Infra Standard. Living Standard. URL: https://infra.spec.whatwg.org/
    
      [RFC2119]
-   
      S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://tools.ietf.org/html/rfc2119
+   
      S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://datatracker.ietf.org/doc/html/rfc2119
    
      [RFC3864]
-   
      G. Klyne; M. Nottingham; J. Mogul. Registration Procedures for Message Header Fields. September 2004. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc3864
+   
      G. Klyne; M. Nottingham; J. Mogul. Registration Procedures for Message Header Fields. September 2004. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc3864
    
      [SECURE-CONTEXTS]
-   
      Mike West. Secure Contexts. 15 September 2016. CR. URL: https://www.w3.org/TR/secure-contexts/
+   
      Mike West. Secure Contexts. 18 September 2021. CR. URL: https://www.w3.org/TR/secure-contexts/
    
      [URL]
-   
      Anne van Kesteren. URL Standard. Living Standard. URL: https://url.spec.whatwg.org/
+   
      Anne van Kesteren. URL Standard. Living Standard. URL: https://url.spec.whatwg.org/
   
      
   
      Informative References
      
   
      
    
      [MNOT-DESIGNING-HEADERS]
-   
      Mark Nottingham. Designing Headers for HTTP Compression. URL: https://www.mnot.net/blog/2018/11/27/header_compression
-   
      [RFC7231]
-   
      R. Fielding, Ed.; J. Reschke, Ed.. Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. June 2014. Proposed Standard. URL: https://httpwg.org/specs/rfc7231.html
+   
      Mark Nottingham. Designing Headers for HTTP Compression. URL: https://www.mnot.net/blog/2018/11/27/header_compression
+   
      [RFC9110]
+   
      R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed.. HTTP Semantics. June 2022. Internet Standard. URL: https://www.rfc-editor.org/rfc/rfc9110
   
      
-  
-  
-  
-  
-  
-  
-  
-  
-  
-
+
+
+
-
-
+
\ No newline at end of file
+    function previousHighlightIndex(algoName, varName) {
+        return indexNames.get(algoName+"///"+varName);
+    }
+    function nameFromIndex(index) {
+        return "selected" + index;
+    }
+}
+
\ No newline at end of file