Re: Propose "Obsolete" status for CORS spec

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 1 Aug 2017 11:04:32 +1000
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-Id: <3F28C06E-7697-46FC-8231-947F5BA44C58@mnot.net>
To: Daniel Veditz <dveditz@mozilla.com>

Hi Daniel,

What's the status of CORS for Developers? If it's still intended to be a WG NOTE, it might be friendly to link to that as well.

Cheers,

> On 1 Aug 2017, at 6:50 am, Daniel Veditz <dveditz@mozilla.com> wrote:
> 
> The new W3 process documents now support an "Obsolete" status[1]. Given that the CORS spec no longer describes what browsers do, we don't want people implementing that version. The non-W3C Fetch[2] spec is the de facto update to CORS, and Fetch is what this group's current work references.
> 
> I'd like this WG to request that the Director obsolete the CORS spec, which will begin the formal process. I'm assuming this will not be controversial in this group because Fetch-related objections to our current work come from outside the group, but now is the time for anyone with objections to speak up. Our next scheduled call is about two weeks away (August 16) and we'll determine the consensus at that point.
> 
> Wendy has said that the language added to the CORS standard would be something like the following:
> 
>    This document has been obsoleted. Do not implement this specification.
>    The <a href="https://fetch.spec.whatwg.org/">Fetch Living Standard</a>
>    provides the same set of features with additional refinements to
>    improve security, such as the <a href=
>    "https://fetch.spec.whatwg.org/#cors-safelisted-request-header">CORS
>    safelisted request headers</a>. It also contains new features, which
>    would not be covered by the <a href=
>    "https://www.w3.org/Consortium/Patent-Policy-20040205/">5 February
>    2004 W3C Patent Policy</a>, such as the possibility to use a <a href=
>    "https://fetch.spec.whatwg.org/#cors-preflight-fetch-0">wildcard "*"
>    </a> in CORS headers.
>    As an historical reference, a <a href=
>    "https://fetch.spec.whatwg.org/commit-snapshots/f3bb21991abdd335175fcc5d26a0d0b7b380d4fe/">
>    snapshot</a> of the Fetch Living Standard as of 15 June 2017 is
>    also available.
> 
> [1] https://www.w3.org/2017/Process-20170301/#rec-rescind
> [2] https://fetch.spec.whatwg.org/
> 
> -Dan Veditz

--
Mark Nottingham   https://www.mnot.net/
Received on Tuesday, 1 August 2017 01:05:31 UTC
