w3c / wot-security

a repo exclusively for security to better manage issues and security considerations for WoT
https://w3c.github.io/wot-security/

Reference Fetch standard in addition to CORS #46

Open mmccool opened 7 years ago

mmccool commented 7 years ago

CORS is now considered obsolete, having been replaced with Fetch: https://fetch.spec.whatwg.org/
We should leave in the reference to CORS but also mention Fetch.

mmccool commented 7 years ago

Well, to be clearer, there is a proposal to mark the CORS spec obsolete; I need to check if the proposal has been approved. At any rate, Fetch does everything CORS does and more, so...

zolkis commented 7 years ago

Right, in recent discussion on Scripting I proposed using a separate fetch() and consume() method that would be more secure and also more convenient.

mmccool commented 4 years ago

This still seems like a "live" issue. We do not actually reference CORS or Fetch in the security guidelines at present at all. It's not clear where it would go; it's not currently mentioned. We probably want to mention it just to say that a single-origin policy is not really suitable for IoT and more flexibility is needed.