From 287ef66629238a7d63bed59b92a41aa3993b940a Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 31 May 2022 11:08:01 +0200
Subject: [PATCH] Move the opaque-response-safelist check invocation

(CORB as specified applied to service worker responses, but that seems wrong.)
---
 fetch.bs | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index ea54f4444..072c278e7 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -4366,14 +4366,8 @@ steps:
 
      <li><p>Set <var>request</var>'s <a for=request>response tainting</a> to "<code>opaque</code>".
 
-     <li><p>Let <var>opaqueResponse</var> be the result of running <a>scheme fetch</a> given
-     <var>fetchParams</var>.
+     <li><p>Return the result of running <a>scheme fetch</a> given <var>fetchParams</var>.
      <!-- file URLs end up here as they are not same-origin typically. -->
-
-     <li><p>If the <a>opaque-response-safelist check</a> given <var>request</var> and
-     <var>opaqueResponse</var> returns true, then return <var>opaqueResponse</var>.
-
-     <li><p>Return a <a>network error</a>.
     </ol>
 
    <dt><var>request</var>'s <a for=request>current URL</a>'s <a for=url>scheme</a> is not an
@@ -4947,19 +4941,23 @@ these steps:
    <li><p>Set <var>response</var> and <var>actualResponse</var> to the result of running
    <a>HTTP-network-or-cache fetch</a> given <var>fetchParams</var>.
 
-   <li>
-    <p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>cors</code>" and a
-    <a>CORS check</a> for <var>request</var> and <var>response</var> returns failure, then return a
-    <a>network error</a>.
+   <li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>opaque</code>",
+   <var>response</var>'s <a for=response>status</a> is not a <a>redirect status</a>, and the
+   <a>opaque-response-safelist check</a> given <var>request</var> and <var>response</var> returns
+   false, then return a <a>network error</a>.
 
-    <p class="note no-backref">As the <a>CORS check</a> is not to be applied to
-    <a for=/>responses</a> whose <a for=response>status</a> is 304 or 407, or <a for=/>responses</a>
-    from a service worker for that matter, it is applied here.
+   <li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>cors</code>" and
+   the <a>CORS check</a> for <var>request</var> and <var>response</var> returns failure, then return
+   a <a>network error</a>.
 
    <li><p>If the <a>TAO check</a> for <var>request</var> and <var>response</var> returns failure,
    then set <var>request</var>'s <a for=request>timing allow failed flag</a>.
   </ol>
 
+  <p class=note>As the <a>opaque-response-safelist check</a>, <a>CORS check</a>, and
+  <a>TAO check</a> are not to be applied to <a for=/>responses</a> whose <a for=response>status</a>
+  is 304 or 407, or to <a for=/>responses</a> from a service worker, they are applied here.
+
  <li>
   <p>If either <var>request</var>'s <a for=request>response tainting</a> or <var>response</var>'s
   <a for=response>type</a> is "<code>opaque</code>", and the