This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
The document uses "CORS flag" repeatedly throughout the fetch algorithms, but it doesn't give its definition.
The same goes for "HTTP authentication flag"
I tried to clarify them as bookkeeping details and included a brief elaboration. Is it better now?
Yep. Looks ok.