I just read on Wikipedia (based on W3 minutes) that CORS is now obsolete:
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
From the meeting minutes at https://www.w3.org/2017/08/16-webappsec-minutes.html#item03
Obsoleting CORS
dveditz: I raised on the list obsoleting CORS. The spec is old and doesn't reflect what browsers actually do
scribe ... ongoing work is in Fetch
UNKNOWN_SPEAKER: so it's not useful to have CORS sitting around
... mark as Obsolete and point to replacement
... to serve implementors better
... only reply was mnot asking about CORS for Developers
... I'd like to get Brad's feedback
... I'll call for consensus on this call, and then announce on listdveditz: any objection to obsoleting CORS?
terri: sounds reasonable to me
PROPOSED: Obsolete CORS
RESOLUTION: Obsolete CORS
dveditz: I'll announce that decision to the list
How is this possible, what allows CORS to be obsolete?
That discussion’s only about retiring the old CORS specification—basically, putting clear indications on it that it should no longer be used by implementors as the basis for implementations, and that implementors should use the Fetch spec at https://fetch.spec.whatwg.org/ instead.
The reason is, all current CORS requirements for browsers are in the Fetch spec, and the Fetch spec is the only specification for CORS that continues to be actively maintained—the only one to get refinements and spec-bug fixes, and to which any new CORS-related features will be added.
See https://lists.w3.org/Archives/Public/public-webappsec/2017Aug/0010.html:
So now the W3C Web Applications Security Working Group has made their decision, sometime very soon they’ll republish the old CORS specification with that text added to its Status section.
I’ve just now updated that Wikipedia CORS article to state things more accurately: