6

I just read on Wikipedia (based on W3 minutes) that CORS is now obsolete:

https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

From the meeting minutes at https://www.w3.org/2017/08/16-webappsec-minutes.html#item03

Obsoleting CORS

dveditz: I raised on the list obsoleting CORS. The spec is old and doesn't reflect what browsers actually do

scribe ... ongoing work is in Fetch

UNKNOWN_SPEAKER: so it's not useful to have CORS sitting around
... mark as Obsolete and point to replacement
... to serve implementors better
... only reply was mnot asking about CORS for Developers
... I'd like to get Brad's feedback
... I'll call for consensus on this call, and then announce on list

dveditz: any objection to obsoleting CORS?

terri: sounds reasonable to me

PROPOSED: Obsolete CORS

RESOLUTION: Obsolete CORS

dveditz: I'll announce that decision to the list

How is this possible, what allows CORS to be obsolete?

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
Anthony
  • 13,434
  • 14
  • 60
  • 80

1 Answers1

7

That discussion’s only about retiring the old CORS specification—basically, putting clear indications on it that it should no longer be used by implementors as the basis for implementations, and that implementors should use the Fetch spec at https://fetch.spec.whatwg.org/ instead.

The reason is, all current CORS requirements for browsers are in the Fetch spec, and the Fetch spec is the only specification for CORS that continues to be actively maintained—the only one to get refinements and spec-bug fixes, and to which any new CORS-related features will be added.

See https://lists.w3.org/Archives/Public/public-webappsec/2017Aug/0010.html:

We propose the following Status of the Document:

This document has been obsoleted. Do not implement this specification. The Fetch Living Standard provides the same set of features with additional refinements to improve security, such as the CORS safelisted request headers. It also contains new features, which would not be covered by the 5 February 2004 W3C Patent Policy, such as the possibility to use a wildcard "*" in CORS headers.

So now the W3C Web Applications Security Working Group has made their decision, sometime very soon they’ll republish the old CORS specification with that text added to its Status section.

I just read on Wikipedia (based on W3 minutes) that CORS is now obsolete:

https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

I’ve just now updated that Wikipedia CORS article to state things more accurately:

The specification for CORS was originally published as a W3C Recommendation but that document is obsolete. The current actively-maintained specification that defines CORS is the Fetch Living Standard.

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
  • It's true that the Fetch spec is the CORS actually implemented by browsers today. But technically, the W3C did not deprecate their own spec. That was only a discussion in a committee. They resolved to deprecate it - mark it as officially deprecated on the official list, and add a note to that effect in the spec document itself - but in the end, it never actually happened. At least not yet. – Yitz Dec 08 '19 at 16:22