whatwg · bvandersloot-mozilla · Nov 7, 2022 · Nov 14, 2022 · Nov 22, 2022 · Nov 30, 2022
diff --git a/fetch.bs b/fetch.bs
@@ -35,6 +35,8 @@ urlPrefix:https://w3c.github.io/hr-time/#;spec:hr-time
     type:typedef;url:dom-domhighrestimestamp;text:DOMHighResTimeStamp
 
 urlPrefix:https://tc39.es/ecma262/#;type:dfn;spec:ecma-262
+    url:sec-agent-clusters;text:agent cluster
+    url:host-environment;text:host environment
     url:realm;text:realm
     url:sec-list-and-record-specification-type;text:Record
 </pre>
@@ -1773,8 +1775,8 @@ to not have to set <a for=/>request</a>'s <a for=request>referrer</a>.
 <p>A <a for=/>request</a> has an associated
 <dfn export for=request id=concept-request-mode>mode</dfn>, which is
 "<code>same-origin</code>", "<code>cors</code>", "<code>no-cors</code>",
-"<code>navigate</code>", or "<code>websocket</code>". Unless stated otherwise, it is
-"<code>no-cors</code>".
+"<code>navigate</code>", "<code>unsafe-no-cors</code>", or "<code>websocket</code>".
+Unless stated otherwise, it is "<code>no-cors</code>".
 
 <div class="note no-backref">
  <dl>
@@ -1796,13 +1798,27 @@ to not have to set <a for=/>request</a>'s <a for=request>referrer</a>.
   <dt>"<code>navigate</code>"
   <dd>This is a special mode used only when <a>navigating</a> between documents.
 
+  <dt>"<code>unsafe-no-cors</code>"
+  <dd>This is a special mode for the <a>host environment</a> to use internally to wittingly make
+  requests that are unsafe. It restricts requests to using <a>CORS-safelisted methods</a> and
+  <a>CORS-safelisted request-headers</a>. However, the request will not be required to pass a
+  <a>cross-origin resource policy check</a> or to test if
+  <a>Cross-Origin-Embedder-Policy allows credentials</a>. Additionally, upon success a fetch will
+  return a <a>cors filtered response</a>. However, a request with this mode cannot
+  use <a>service-workers mode</a> "<code>all</code>".
+
   <dt>"<code>websocket</code>"
   <dd>This is a special mode used only when
   <a spec=websockets lt="establish a WebSocket connection">establishing a WebSocket connection</a>.
  </dl>
 
  <p>Even though the default <a for=/>request</a> <a for=request>mode</a> is "<code>no-cors</code>",
  standards are highly discouraged from using it for new features. It is rather unsafe.
+
+ <p class=warning> Using <a for=/>request</a> <a for=request>mode</a> "<code>unsafe-no-cors</code>"
+ is even more discouraged and unsafe than "<code>no-cors</code>". Any use of this mode must be in an
+ <a>agent cluster</a> associated with the <a>host environment</a> itself to isolate its results from
+ misuse. This <a for=request>mode</a> is deliberately not exposed in the {{RequestMode}}.
 </div>
 
 <p>A <a for=/>request</a> has an associated
@@ -4051,7 +4067,7 @@ the request.
    <a>HTTP(S) scheme</a>
 
    <li><p><var>request</var>'s <a for=request>mode</a> is "<code>same-origin</code>",
-   "<code>cors</code>", or "<code>no-cors</code>"
+   "<code>cors</code>", "<code>no-cors</code>", or "<code>unsafe-no-cors</code>"
 
    <li><p><var>request</var>'s <a for=request>window</a> is not null
 
@@ -4302,6 +4318,15 @@ steps:
      <li><p>Return <var>corsWithPreflightResponse</var>.
     </ol>
 
+   <dt><var>request</var>'s <a for=request>mode</a> is "<code>unsafe-no-cors</code>"
+   <dd>
+    <ol>
+     <li><p>Set <var>request</var>'s <a for=request>response tainting</a> to
+     "<code>basic</code>".
+
+     <li><p>Return the result of running <a>HTTP fetch</a> given <var>fetchParams</var>.
+    </ol>
+
    <dt>Otherwise
    <dd>
     <ol>
@@ -4788,6 +4813,8 @@ these steps:
        <li><p><var>request</var>'s <a for=request>mode</a> is not "<code>no-cors</code>" and
        <var>response</var>'s <a for=response>type</a> is "<code>opaque</code>"
 
+       <li><p><var>request</var>'s <a for=request>mode</a> is "<code>unsafe-no-cors</code>"
+
        <li><var>request</var>'s <a for=request>redirect mode</a> is not "<code>manual</code>" and
        <var>response</var>'s <a for=response>type</a> is "<code>opaqueredirect</code>"
 
@@ -8303,6 +8330,7 @@ Axel Rauschmayer,
 Ben Kelly,
 Benjamin Gruenbaum,
 Benjamin Hawkes-Lewis,
+Benjamin VanderSloot,
 Bert Bos,
 Björn Höhrmann,
 Boris Zbarsky,