Re: Proposal to Republish CORS as Obsolete Recommendation (Call for Review)

Not to add to the debate since, as Ivan says, this isn’t the forum for these concerns.

But… in the interest of minimising misinformation, the WHATWG operates as a W3C community group and is therefore covered by the W3C patent policy AFAICT.

https://whatwg.org/faq#patent-policy

- best
- Baldur Bjarnason
  baldur@rebus.foundation



> On 31 Aug 2017, at 20:48, David Wood <david.wood@ephox.com> wrote:
> 
> Hi all,
> 
> I have a different concern. It seems to me that ceding key specs (HTML, URL, CORS...) to the WHATWG removes one of the key advantages of the W3C: the Patent Policy.
> 
> It is difficult for me not to view the movement of these specs from a consensus group to a group with explicit commercial interests as threatening to the Open Web Platform.
> 
> Of course, I seem to be taking a rather misanthropic approach to W3C Management this year. Maybe it is them and maybe it is me :/
> 
> Regards,
> Dave
> 
> On 1 September 2017 at 07:29, Leonard Rosenthol <lrosenth@adobe.com> wrote:
> Yeah, those are my two concerns with this direction as well, Ivan…
> 
> On 8/31/17, 7:20 AM, "Ivan Herman" <ivan@w3.org> wrote:
> 
>     Yep, although the concept is not gone. The WhatWG Fetch spec includes the same features as CORS[1] (as far as I know), so it is more that it is superseded. However, the Fetch spec is not a W3C spec, so, formally, superseded is not the right term…
> 
>     Fetch is, of course :-), an extremely difficult-to-read spec. Does anybody know of a good tutorial-like text that we could use?
> 
>     Ivan
> 
>     [1] https://fetch.spec.whatwg.org/#http-cors-protocol
> 
> 
> 
>     > On 31 Aug 2017, at 13:10, Siegman, Tzviya - Hoboken <tsiegman@wiley.com> wrote:
>     >
>     > Our group has mentioned CORS many times in our discussions of origins and manifests. It's worth noting that it is being formally obsoleted.
>     >
>     > Tzviya Siegman
>     > Information Standards Lead
>     > Wiley
>     > 201-748-6884
>     > tsiegman@wiley.com
>     >
>     > -----Original Message-----
>     > From: Coralie Mercier [mailto:coralie@w3.org]
>     > Sent: Thursday, August 31, 2017 4:36 AM
>     > To: w3c-ac-forum@w3.org
>     > Cc: chairs@w3.org
>     > Subject: Proposal to Republish CORS as Obsolete Recommendation (Call for Review)
>     >
>     > Dear Advisory Committee Representative,
>     > Chairs,
>     >
>     > This is a proposal to republish the following W3C Recommendation as Obsolete Recommendation:
>     >
>     >  Cross-Origin Resource Sharing, W3C Recommendation 16 January 2014
>     >  http://www.w3.org/TR/2014/REC-cors-20140116/
>     >
>     > The SoTD should read:
>     >
>     > [[
>     > This specification is obsolete and should no longer be used as a basis for implementation.
>     > The [Fetch Living Standard](https://fetch.spec.whatwg.org/) provides the same set of features with additional refinements to improve security, such as the [CORS safelisted request headers](https://fetch.spec.whatwg.org/#cors-safelisted-request-header). The Fetch specification also contains new features, which would not be covered by the [5 February 2004 W3C Patent Policy](https://www.w3.org/Consortium/Patent-Policy-20040205/), such as the possibility to use a [wildcard "*"](https://fetch.spec.whatwg.org/#cors-preflight-fetch-0) in CORS headers. As an historical reference, a [snapshot](https://fetch.spec.whatwg.org/commit-snapshots/f3bb21991abdd335175fcc5d26a0d0b7b380d4fe/) of the Fetch Living Standard as of 15 June 2017 is also available.
>     > ]]
>     >
>     > Although the Fetch Living Standard continues to evolve and accordingly W3C cannot speak to the stability of the entire spec - the portions of the Fetch spec that obsolete the CORS spec are stable and have sufficient implementations on the Web - the Director supports the Working Group's request to republish the CORS Recommendation as an Obsolete Recommendation.
>     >
>     > The approval and publication are in response to this transition request from the Web Application Security Working Group [1]:
>     >  https://lists.w3.org/Archives/Member/chairs/2017JulSep/0089.html
>     >
>     > There wasn't any Formal Objection within the Web Application Security Working Group.
>     >
>     > Issues are welcome by 2017-09-28 and should be sent to <public-webappsec@w3.org>.
>     >
>     > Please review this proposal and indicate whether your organization supports obsoleting this Recommendation or objects to this action, by completing the following questionnaire:
>     >  https://www.w3.org/2002/09/wbs/101147/cors-obs-2017-09/
>     >
>     > The deadline for responses is 23:59, Boston time on 2017-09-28. Additional details about the review are available in the questionnaire.
>     >
>     > This Call for review follows section 6.9 "Obsoleting or Rescinding a W3C Recommendation" of the W3C Process Document:
>     >  https://www.w3.org/2017/Process-20170301/#rec-rescind
>     >
>     > Thank you,
>     >
>     > For Tim Berners-Lee, W3C Director, and
>     > Philippe Le Hégaret, Project Management Lead; Coralie Mercier, Head of W3C Marketing & Communications
>     >
>     > [1] http://www.w3.org/2011/webappsec/
>     >
>     > --
>     > Coralie Mercier  -  W3C Marketing & Communications -  https://www.w3.org mailto:coralie@w3.org +336 4322 0001 https://www.w3.org/People/CMercier/
>     >
> 
> 
>     ----
>     Ivan Herman, W3C
>     Publishing@W3C Technical Lead
    Home: http://www.w3.org/People/Ivan/
>     mobile: +31-641044153
    ORCID ID: http://orcid.org/0000-0003-0782-2704
> 

Received on Friday, 1 September 2017 14:52:49 UTC