Transition Request: Proposed Obsolete for CORS

# Daniel Veditz (11 hours ago)

Director and Chairs,

This is a Proposed Obsolete Recommendation transition request.

  • Document title, URIs of the W3C Recommendation. Cross-Origin Resource Sharing, W3C Recommendation 16 January 2014

  • Rationale: Since the CORS spec no longer describes what browsers do, we don't want people implementing that version. The non-W3C Fetch[2] spec is the de facto update to CORS, and Fetch is what this group's current work references.

We propose the following Status of the Document:

This document has been obsoleted. Do not implement this specification. The <a href="[](">Fetch Living Standard</a> provides the same set of features with additional refinements to improve security, such as the <a href= "[](">CORS safelisted request headers</a>. It also contains new features, which would not be covered by the <a href= "[](">5 February 2004 W3C Patent Policy</a>, such as the possibility to use a <a href= "[](">wildcard "*" </a> in CORS headers. As an historical reference, a <a href= "[https://fetch.spec](https://fetch.spec)."> snapshot</a> of the Fetch Living Standard as of 15 June 2017 is also available.

CORS staleness has been discussed multiple times by WebAppSec, including a previous consensus to make non-normative updates to re-direct readers to Fetch.[2] No opposition has been expressed to the current CfC.

  • Implementation

Browsers are following Fetch, not CORS, for new or updated features.

[1] [2]

Contact us to advertise here

Want more features?

Request early access to our private beta of readable email premium.