CORS is obsolete, what does this mean?

Updated: 2024-10-09 05:20:03

Problem description

I just read on Wikipedia (based on W3 minutes) that CORS is now obsolete:

https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

From the meeting minutes at https://www.w3.org/2017/08/16-webappsec-minutes.html#item03

Obsoleting CORS

dveditz: I raised on the list obsoleting CORS. The spec is old and doesn't reflect what browsers actually do

scribe ... ongoing work is in Fetch

UNKNOWN_SPEAKER: so it's not useful to have CORS sitting around ... mark as Obsolete and point to replacement ... to serve implementors better ... only reply was mnot asking about CORS for Developers ... I'd like to get Brad's feedback ... I'll call for consensus on this call, and then announce on list

dveditz: any objection to obsoleting CORS?

terri: sounds reasonable to me

PROPOSED: Obsolete CORS

RESOLUTION: Obsolete CORS

dveditz: I'll announce that decision to the list

How is this possible, what allows CORS to be obsolete?

Solution

That discussion’s only about retiring the old CORS specification—basically, putting clear indications on it that it should no longer be used by implementors as the basis for implementations, and that implementors should use the Fetch spec at https://fetch.spec.whatwg.org/ instead.

The reason is, all current CORS requirements for browsers are in the Fetch spec, and the Fetch spec is the only specification for CORS that continues to be actively maintained—the only one to get refinements and spec-bug fixes, and to which any new CORS-related features will be added.

See https://lists.w3.org/Archives/Public/public-webappsec/2017Aug/0010.html:

We propose the following Status of the Document:

This document has been obsoleted. Do not implement this specification. The Fetch Living Standard provides the same set of features with additional refinements to improve security, such as the CORS safelisted request headers. It also contains new features, which would not be covered by the 5 February 2004 W3C Patent Policy, such as the possibility to use a wildcard "*" in CORS headers.

So now the W3C Web Applications Security Working Group has made their decision, sometime very soon they’ll republish the old CORS specification with that text added to its Status section.

I just read on Wikipedia (based on W3 minutes) that CORS is now obsolete:

https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

I’ve just now updated that Wikipedia CORS article to state things more accurately:

The specification for CORS was originally published as a W3C Recommendation but that document is obsolete. The current actively-maintained specification that defines CORS is the Fetch Living Standard.

Published: 2023-08-07 22:39:13
Article link: https://www.elefans.com/category/jswz/34/1322200.html