- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Mon, 31 Jul 2017 13:50:37 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CADYDTCBmDpVPfmaXriyk_BH3XNj_PkN8XA0Lu=b_AX51XiZ7OQ@mail.gmail.com>
The new W3 process documents now support an "Obsolete" status[1]. Given that the CORS spec no longer describes what browsers do we don't want people implementing that version. The non-W3C Fetch[2] spec is the de facto update to CORS, and Fetch is what this group's current work references. I'd like this WG to request that the Director obsolete the CORS spec, which will begin the formal process. I'm assuming this will not be controversial in this group because Fetch-related objections to our current work come from outside the group, but now is the time for anyone with objections to speak up. Our next scheduled call is about two weeks away (August 16) and we'll determine the consensus at that point. Wendy has said that the language added to the CORS standard would be something like the following: This document has been obsoleted. Do not implement this specification. The <a href="https://fetch.spec.whatwg.org/">Fetch Living Standard</a> provides the same set of features with additional refinements to improve security, such as the <a href= "https://fetch.spec.whatwg.org/#cors-safelisted-request-header">CORS safelisted request headers</a>. It also contains new features, which would not be covered by the <a href= "https://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004 W3C Patent Policy</a>, such as the possibility to use a <a href= "https://fetch.spec.whatwg.org/#cors-preflight-fetch-0">wildcard "*" </a> in CORS headers. As an historical reference, a <a href= "https://fetch.spec. whatwg.org/commit-snapshots/f3bb21991abdd335175fcc5d26a0d0b7b380d4fe/"> snapshot</a> of the Fetch Living Standard as of 15 June 2017 is also available. [1] https://www.w3.org/2017/Process-20170301/#rec-rescind [2] https://fetch.spec.whatwg.org/ -Dan Veditz
Received on Monday, 31 July 2017 20:51:33 UTC