From 866083c80c5a5345192930985080ccc5d0ec8fdf Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Wed, 14 Jan 2026 08:25:38 +0100 Subject: [PATCH] Block 416 alongside 206 While it is less likely you can attack a 416, it's probably good to stay consistent. --- fetch.bs | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/fetch.bs b/fetch.bs index 8f27d0963..0926ff634 100755 --- a/fetch.bs +++ b/fetch.bs @@ -1465,6 +1465,8 @@ worked on in issue #1156

An ok status is a status in the range 200 to 299, inclusive. +

A range status is a status that is 206 or 416. +

A redirect status is a status that is 301, 302, 303, 307, or 308. @@ -5017,15 +5019,16 @@ steps:

  • If response's type is "opaque", - internalResponse's status is 206, internalResponse's - range-requested flag is set, and request's - header list does not contain `Range`, - then set response and internalResponse to a network error. + internalResponse's status is a range status, + internalResponse's range-requested flag is set, and + request's header list does not contain + `Range`, then set response and internalResponse to a + network error.

    Traditionally, APIs accept a ranged response even if a range was not requested. This prevents - a partial response from an earlier ranged request being provided to an API that did not make a - range request. + a partial response or a range not satisfiable response from an earlier ranged request being + provided to an API that did not make a range request.

    Further details @@ -10328,6 +10331,7 @@ Wayne Carr, Xabier Rodríguez, Yehuda Katz, Yoav Weiss, +Yoshisato Yanagisawa, Youenn Fablet, Yoichi Osato, 平野裕 (Yutaka Hirano), and
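Review bot: In the first hunk the new "range status" term (206 or 416) is introduced without any rationale in the spec text; the reason for grouping 416 with 206 lives only in the commit message. Since 416 (Range Not Satisfiable) is, like 206, a status only produced in reply to a `Range` request, a short non-normative note next to the definition, along the lines of "A 416 response, like a 206, is only sent in reply to a ranged request", would let readers see why the two are treated alike. It is also worth checking that any other place in fetch.bs that still compares a status against the literal 206 is switched to the new term, so the definition has a single point of truth.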
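Review bot: In the second hunk the explanatory paragraph is now a little harder to follow: it opens with "Traditionally, APIs accept a ranged response even if a range was not requested" and then "This prevents a partial response or a range not satisfiable response ...", where "This" refers to the step above rather than to the preceding sentence. Suggest rewording the second sentence to "The check above prevents a partial (206) or range not satisfiable (416) response from an earlier ranged request being provided to an API that did not make a range request", which names the status codes in the same way the normative step now does. The three-part condition itself (opaque type, range status, range-requested flag set, no `Range` header on the request) reads correctly and preserves the original protection for 206 while extending it to 416.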