Propose "Obsolete" status for CORS spec

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 31 Jul 2017 13:50:37 -0700
Message-ID: <CADYDTCBmDpVPfmaXriyk_BH3XNj_PkN8XA0Lu=b_AX51XiZ7OQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

The new W3 process documents now support an "Obsolete" status[1]. Given
that the CORS spec no longer describes what browsers do, we don't want
people implementing that version. The non-W3C Fetch[2] spec is the de facto
update to CORS, and Fetch is what this group's current work references.

I'd like this WG to request that the Director obsolete the CORS spec, which
will begin the formal process. I'm assuming this will not be controversial
in this group because Fetch-related objections to our current work come
from outside the group, but now is the time for anyone with objections to
speak up. Our next scheduled call is about two weeks away (August 16) and
we'll determine the consensus at that point.

Wendy has said that the language added to the CORS standard would be
something like the following:

   This document has been obsoleted. Do not implement this specification.
   The <a href="https://fetch.spec.whatwg.org/">Fetch Living Standard</a>
   provides the same set of features with additional refinements to
   improve security, such as the <a href=
   "https://fetch.spec.whatwg.org/#cors-safelisted-request-header">CORS
   safelisted request headers</a>. It also contains new features, which
   would not be covered by the <a href=
   "https://www.w3.org/Consortium/Patent-Policy-20040205/">5 February
   2004 W3C Patent Policy</a>, such as the possibility to use a <a href=
   "https://fetch.spec.whatwg.org/#cors-preflight-fetch-0">wildcard "*"
   </a> in CORS headers.
   As an historical reference, a <a href=
   "https://fetch.spec.whatwg.org/commit-snapshots/f3bb21991abdd335175fcc5d26a0d0b7b380d4fe/">
   snapshot</a> of the Fetch Living Standard as of 15 June 2017 is
   also available.

[1] https://www.w3.org/2017/Process-20170301/#rec-rescind
[2] https://fetch.spec.whatwg.org/

-Dan Veditz
Received on Monday, 31 July 2017 20:51:33 UTC