Re: Proposal to Republish CORS as Obsolete Recommendation (Call for Review)

David, Leonard,

I agree these are valid concerns but I do not think this is something to be discussed in this WG… There is a review going on, as announced:

https://lists.w3.org/Archives/Member/w3c-ac-members/2017JulSep/0036.html

for what is, at this moment, a proposal only. You or your AC rep should raise the concerns there…

Cheers

Ivan


> On 1 Sep 2017, at 02:48, David Wood <david.wood@ephox.com> wrote:
> 
> Hi all,
> 
> I have a different concern. It seems to me that ceding key specs (HTML, URL, CORS...) to the WHAT WG removes one of the key advantages of the W3C; the Patent Policy.
> 
> It is difficult for me not to view the movement of these specs from a consensus group to a group with explicit commercial interests as threatening to the Open Web Platform.
> 
> Of course, I seem to be taking a rather misanthropic approach to W3C Management this year. Maybe it is them and maybe it is me :/
> 
> Regards,
> Dave
> 
> On 1 September 2017 at 07:29, Leonard Rosenthol <lrosenth@adobe.com> wrote:
> Yeah, those are my two concerns with this direction as well, Ivan…
> 
> On 8/31/17, 7:20 AM, "Ivan Herman" <ivan@w3.org> wrote:
> 
>     Yep, although the concept is not gone. The WhatWG Fetch spec includes the same features as CORS[1] (as far as I know), so it is more that it is superseded. However, the Fetch spec is not a W3C spec, so, formally, superseded is not the right term…
> 
>     Fetch is, of course:-), an extremely-difficult-to-read spec. Anybody knows of a good tutorial like text that we could use?
> 
>     Ivan
> 
>     [1] https://fetch.spec.whatwg.org/#http-cors-protocol
> 
> 
> 
>     > On 31 Aug 2017, at 13:10, Siegman, Tzviya - Hoboken <tsiegman@wiley.com> wrote:
>     >
>     > Our group has mentioned CORS many times in our discussions of origins and manifests. It's worth noting that it is being formally obsoleted.
>     >
>     > Tzviya Siegman
>     > Information Standards Lead
>     > Wiley
>     > 201-748-6884
>     > tsiegman@wiley.com
>     >
>     > -----Original Message-----
>     > From: Coralie Mercier [mailto:coralie@w3.org]
>     > Sent: Thursday, August 31, 2017 4:36 AM
>     > To: w3c-ac-forum@w3.org
>     > Cc: chairs@w3.org
>     > Subject: Proposal to Republish CORS as Obsolete Recommendation (Call for Review)
>     >
>     > Dear Advisory Committee Representative,
>     > Chairs,
>     >
>     > This is a proposal to republish the following W3C Recommendation as Obsolete Recommendation:
>     >
>     >  Cross-Origin Resource Sharing, W3C Recommendation 16 January 2014
>     >  http://www.w3.org/TR/2014/REC-cors-20140116/
>     >
>     > The SoTD should read:
>     >
>     > [[
>     > This specification is obsolete and should no longer be used as a basis for implementation.
>     > The [Fetch Living Standard](https://fetch.spec.whatwg.org/) provides the same set of features with additional refinements to improve security, such as the [CORS safelisted request headers](https://fetch.spec.whatwg.org/#cors-safelisted-request-header).
>     > The Fetch specification also contains new features, which would not be covered by the [5 February 2004 W3C Patent Policy](https://www.w3.org/Consortium/Patent-Policy-20040205/), such as the possibility to use a [wildcard "*"](https://fetch.spec.whatwg.org/#cors-preflight-fetch-0) in CORS headers.
>     > As an historical reference, a [snapshot](https://fetch.spec.whatwg.org/commit-snapshots/f3bb21991abdd335175fcc5d26a0d0b7b380d4fe/) of the Fetch Living Standard as of 15 June 2017 is also available.
>     > ]]
>     >
>     > Although the Fetch Living Standard continues to evolve and accordingly W3C cannot speak to the stability of the entire spec - the portions of the Fetch spec that obsolete the CORS spec are stable and have sufficient implementations on the Web - the Director supports the Working Group's request to republish the CORS Recommendation as an Obsolete Recommendation.
>     >
>     > The approval and publication are in response to this transition request from the Web Application Security Working Group [1]:
>     >  https://lists.w3.org/Archives/Member/chairs/2017JulSep/0089.html
>     >
>     > There wasn't any Formal Objection within the Web Application Security Working Group.
>     >
>     > Issues are welcome by 2017-09-28 and should be sent to <public-webappsec@w3.org>.
>     >
>     > Please review this proposal and indicate whether your organization supports obsoleting this Recommendation or objects to this action, by completing the following questionnaire:
>     >  https://www.w3.org/2002/09/wbs/101147/cors-obs-2017-09/
>     >
>     > The deadline for responses is 23:59, Boston time on 2017-09-28. Additional details about the review are available in the questionnaire.
>     >
>     > This Call for review follows section 6.9 "Obsoleting or Rescinding a W3C Recommendation" of the W3C Process Document:
>     >  https://www.w3.org/2017/Process-20170301/#rec-rescind
>     >
>     > Thank you,
>     >
>     > For Tim Berners-Lee, W3C Director, and
>     > Philippe Le Hégaret, Project Management Lead; Coralie Mercier, Head of W3C Marketing & Communications
>     >
>     > [1] http://www.w3.org/2011/webappsec/
>     >
>     > --
>     > Coralie Mercier  -  W3C Marketing & Communications -  https://www.w3.org
>     > mailto:coralie@w3.org +336 4322 0001 https://www.w3.org/People/CMercier/
>     >
> 
> 
>     ----
>     Ivan Herman, W3C
>     Publishing@W3C Technical Lead
>     Home: http://www.w3.org/People/Ivan/
>     mobile: +31-641044153
>     ORCID ID: http://orcid.org/0000-0003-0782-2704
> 


----
Ivan Herman, W3C 
Publishing@W3C Technical Lead
Home: http://www.w3.org/People/Ivan/
mobile: +31-641044153
ORCID ID: http://orcid.org/0000-0003-0782-2704

Received on Friday, 1 September 2017 05:08:06 UTC