Transition Request: Proposed Obsolete for CORS from Daniel Veditz on 2017-08-25 (public-webappsec@w3.org from August 2017)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 25 Aug 2017 12:42:30 -0700
To: timbl@w3.org, ralph@w3.org
Cc: Philippe Le Hégaret <plh@w3.org>, Comm <w3t-comm@w3.org>, chairs@w3.org, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CADYDTCDsOnBFiAcWSc_2GO2RQS86gvGEOH=pWEbxKsW0APB1+w@mail.gmail.com>

Director and Chairs,

This is a Proposed Obsolete Recommendation transition request.

* Document title, URIs of the W3C Recommendation.
Cross-Origin Resource Sharing, W3C Recommendation 16 January 2014
https://www.w3.org/TR/cors/

* Rationale: Since the CORS spec no longer describes what browsers do,
we don't want people implementing that version. The non-W3C Fetch[2]
spec is the de facto update to CORS, and Fetch is what this group's
current work references.

We propose the following Status of the Document:

   This document has been obsoleted. Do not implement this specification.
   The <a href="https://fetch.spec.whatwg.org/">Fetch Living Standard</a>
   provides the same set of features with additional refinements to
   improve security, such as the <a href=
   "https://fetch.spec.whatwg.org/#cors-safelisted-request-header">CORS
   safelisted request headers</a>. It also contains new features, which
   would not be covered by the <a href=
   "https://www.w3.org/Consortium/Patent-Policy-20040205/">5 February
   2004 W3C Patent Policy</a>, such as the possibility to use a <a href=
   "https://fetch.spec.whatwg.org/#cors-preflight-fetch-0">wildcard "*"
   </a> in CORS headers.
   As an historical reference, a <a href=
   "https://fetch.spec.
whatwg.org/commit-snapshots/f3bb21991abdd335175fcc5d26a0d0b7b380d4fe/">
   snapshot</a> of the Fetch Living Standard as of 15 June 2017 is
   also available.

* Decision to request transition:
https://www.w3.org/2017/08/16-webappsec-minutes.html#item03
and
https://lists.w3.org/Archives/Public/public-webappsec/2017Aug/0006.html

* Wide Review:

CORS staleness has been discussed multiple times by WebAppSec, including
a previous consensus to make non-normative updates to re-direct readers
to Fetch.[2]
No opposition has been expressed to the current CfC.

* Implementation

Browsers are following Fetch, not CORS, for new or updated features.

[1] https://fetch.spec.whatwg.org/
[2] https://lists.w3.org/Archives/Public/public-webappsec/2015Aug/0001.html

Received on Friday, 25 August 2017 19:43:14 UTC