I suspect the fetch spec changed a bit and https://wicg.github.io/private-network-access/#integration-fetch need some updates. I'm opening this as an issue separate from #33 as mine should hopefully just be simple tweaks.

The HTTP fetch algorithm should be adjusted to ensure that a preflight is triggered for all private network requests. This might be as simple as changing the current "HTTP(S) scheme" block of the switch statement to the following:

Skimming over https://fetch.spec.whatwg.org/#concept-http-fetch, I don't see any direct mention of "HTTP(S)" and the only switch is on "request’s redirect mode". This switch links to https://fetch.spec.whatwg.org/#http-redirect-fetch to handle which indeed mentions HTTP(S) but IIUC the preflight thing is not really specific to redirect...

On the other hand https://fetch.spec.whatwg.org/#scheme-fetch has a switch on request’s current URL’s scheme with a "HTTP(S) scheme" block and that corresponds more to the suggested amendment. So probably what is meant here is "scheme fetch" instead of "HTTP fetch"?

The CORS-preflight fetch algorithm should be further adjusted to ensure that consent is explicitly granted via an appropriate "Access-Control-Allow-Private-Network" header in the response. For instance, the following could be executed before the current step 10:

Steps 8-10 of the fetch spec calculates the max-age for use in the next steps. Earlier steps of the "CORS check" block decide about network errors. So probably this is meant to be "before the current step 8"?

Change the cache match algorithm to take

It seems this sentence is not finished and there is no explicit definition of a "cache match algorithm" in the fetch spec. Probably one need to elaborate a bit more here.

Not sure whether other changes would be needed with the current version of the fetch spec, but the rest of the proposed changes looks good to me. Nit : one could be more accurate than "the current step XXX" in case the fetch spec is updated in the future...