Explicitly perform a CORP check in service worker (#3)

* Explicitly perform a CORP check in service worker

* fix

* fix

index.bs

@@ -353,11 +353,6 @@ to incoming responses. To do so, Fetch is patched as follows:
 2.  The [$cross-origin resource policy check$] is rewritten to take the [=/embedder policy=] into
     account, and to cover some [=navigation requests=] in addition to `no-cors` requests.
 
-3.  ISSUE: The [$cross-origin resource policy check$] needs to be performed _after_ the relevant
-    service worker has the opportunity to respond to a request, as it may otherwise be allowed to
-    respond to a `require-corp` [=request/client=] with an opaque response which doesn't assert
-    CORP.
-
 ### Cross-Origin Resource Policy Checks ### {#corp-check}
 
 To perform a <dfn abstract-op>cross-origin resource policy check</dfn> given a [=request=]
@@ -422,6 +417,20 @@ To perform a <dfn abstract-op>cross-origin resource policy check</dfn> given a [
         extensions, and I think it'll be more difficult to ship them after inverting the
         error-handling behavior.
 
+Integration with Service Worker {#integration-sw}
+-------------------------------------------------
+
+In https://w3c.github.io/ServiceWorker/#dom-fetchevent-respondwith, replace 10.1 with the following
+item.
+
+1. If |response| is not a `Response` object, or the result of performing a
+[$cross-origin resource policy check$] with _event_'s request's associated request and _response_'s
+associated response is `blocked`, then set the respond-with-error flag.
+
+Also add the following note.
+
+The [$cross-origin resource policy check$] performed here ensures that a Service Worker
+cannot respond to a client that requires CORP with an opaque response that doesn't assert CORP.
 
 Implementation Considerations {#impl-considerations}
 ====================================================