Transition Request: Proposed Obsolete for CORS

# Daniel Veditz (11 hours ago)

Director and Chairs,

This is a Proposed Obsolete Recommendation transition request.

  • Document title, URIs of the W3C Recommendation. Cross-Origin Resource Sharing, W3C Recommendation 16 January 2014 www.w3.org/TR/cors

  • Rationale: Since the CORS spec no longer describes what browsers do, we don't want people implementing that version. The non-W3C Fetch[2] spec is the de facto update to CORS, and Fetch is what this group's current work references.

We propose the following Status of the Document:

This document has been obsoleted. Do not implement this specification. The <a href="[https://fetch.spec.whatwg.org/](https://fetch.spec.whatwg.org/)">Fetch Living Standard</a> provides the same set of features with additional refinements to improve security, such as the <a href= "[https://fetch.spec.whatwg.org/#cors-safelisted-request-header](https://fetch.spec.whatwg.org/#cors-safelisted-request-header)">CORS safelisted request headers</a>. It also contains new features, which would not be covered by the <a href= "[https://www.w3.org/Consortium/Patent-Policy-20040205/](https://www.w3.org/Consortium/Patent-Policy-20040205/)">5 February 2004 W3C Patent Policy</a>, such as the possibility to use a <a href= "[https://fetch.spec.whatwg.org/#cors-preflight-fetch-0](https://fetch.spec.whatwg.org/#cors-preflight-fetch-0)">wildcard "*" </a> in CORS headers. As an historical reference, a <a href= "[https://fetch.spec](https://fetch.spec). whatwg.org/commit-snapshots/f3bb21991abdd335175fcc5d26a0d0b7b380d4fe/"> snapshot</a> of the Fetch Living Standard as of 15 June 2017 is also available.

CORS staleness has been discussed multiple times by WebAppSec, including a previous consensus to make non-normative updates to re-direct readers to Fetch.[2] No opposition has been expressed to the current CfC.

  • Implementation

Browsers are following Fetch, not CORS, for new or updated features.

[1] fetch.spec.whatwg.org [2] lists.w3.org/Archives/Public/public-webappsec/2015Aug/0001.html

Contact us to advertise here

Want more features?

Request early access to our private beta of readable email premium.