Propose "Obsolete" status for CORS spec

# Daniel Veditz (3 days ago)

The new W3 process documents now support an "Obsolete" status[1]. Given that the CORS spec no longer describes what browsers do we don't want people implementing that version. The non-W3C Fetch[2] spec is the de facto update to CORS, and Fetch is what this group's current work references.

I'd like this WG to request that the Director obsolete the CORS spec, which will begin the formal process. I'm assuming this will not be controversial in this group because Fetch-related objections to our current work come from outside the group, but now is the time for anyone with objections to speak up. Our next scheduled call is about two weeks away (August 16) and we'll determine the consensus at that point.

Wendy has said that the language added to the CORS standard would be something like the following:

This document has been obsoleted. Do not implement this specification. The <a href="[https://fetch.spec.whatwg.org/](https://fetch.spec.whatwg.org/)">Fetch Living Standard</a> provides the same set of features with additional refinements to improve security, such as the <a href= "[https://fetch.spec.whatwg.org/#cors-safelisted-request-header](https://fetch.spec.whatwg.org/#cors-safelisted-request-header)">CORS safelisted request headers</a>. It also contains new features, which would not be covered by the <a href= "[https://www.w3.org/Consortium/Patent-Policy-20040205/](https://www.w3.org/Consortium/Patent-Policy-20040205/)">5 February 2004 W3C Patent Policy</a>, such as the possibility to use a <a href= "[https://fetch.spec.whatwg.org/#cors-preflight-fetch-0](https://fetch.spec.whatwg.org/#cors-preflight-fetch-0)">wildcard "*" </a> in CORS headers. As an historical reference, a <a href= "[https://fetch.spec](https://fetch.spec). whatwg.org/commit-snapshots/f3bb21991abdd335175fcc5d26a0d0b7b380d4fe/"> snapshot</a> of the Fetch Living Standard as of 15 June 2017 is also available.

[1] www.w3.org/2017/Process-20170301/#rec-rescind [2] fetch.spec.whatwg.org

-Dan Veditz

Contact us to advertise here
# Mark Nottingham (2 days ago)

What's the status of CORS for Developers? If it's still intended to be a WG NOTE, it might be friendly to link to that as well.

Cheers,

On 1 Aug 2017, at 6:50 am, Daniel Veditz dveditz@mozilla.com wrote:

The new W3 process documents now support an "Obsolete" status[1]. Given that the CORS spec no longer describes what browsers do we don't want people implementing that version. The non-W3C Fetch[2] spec is the de facto update to CORS, and Fetch is what this group's current work references.

I'd like this WG to request that the Director obsolete the CORS spec, which will begin the formal process. I'm assuming this will not be controversial in this group because Fetch-related objections to our current work come from outside the group, but now is the time for anyone with objections to speak up. Our next scheduled call is about two weeks away (August 16) and we'll determine the consensus at that point.

Wendy has said that the language added to the CORS standard would be something like the following:

This document has been obsoleted. Do not implement this specification. The <a href="[https://fetch.spec.whatwg.org/](https://fetch.spec.whatwg.org/)">Fetch Living Standard</a> provides the same set of features with additional refinements to improve security, such as the <a href= "[https://fetch.spec.whatwg.org/#cors-safelisted-request-header](https://fetch.spec.whatwg.org/#cors-safelisted-request-header)">CORS safelisted request headers</a>. It also contains new features, which would not be covered by the <a href= "[https://www.w3.org/Consortium/Patent-Policy-20040205/](https://www.w3.org/Consortium/Patent-Policy-20040205/)">5 February 2004 W3C Patent Policy</a>, such as the possibility to use a <a href= "[https://fetch.spec.whatwg.org/#cors-preflight-fetch-0](https://fetch.spec.whatwg.org/#cors-preflight-fetch-0)">wildcard "*" </a> in CORS headers. As an historical reference, a <a href= "[https://fetch.spec.whatwg.org/commit-snapshots/f3bb21991abdd335175fcc5d26a0d0b7b380d4fe/](https://fetch.spec.whatwg.org/commit-snapshots/f3bb21991abdd335175fcc5d26a0d0b7b380d4fe/)"> snapshot</a> of the Fetch Living Standard as of 15 June 2017 is also available.

[1] www.w3.org/2017/Process-20170301/#rec-rescind [2] fetch.spec.whatwg.org

-Dan Veditz

-- Mark Nottingham www.mnot.net

Want more features?

Request early access to our private beta of readable email premium.