Lately, we have received a lot of questions from our clients about CORS becoming obsolete. They are rightfully concerned about this possibility, because so much of Web 2.0 depends on the interoperability mechanisms that CORS provides.

In this write-up, we shed some light on whether this is a valid fear, and the actual reality of the situation.

What Is CORS?

CORS, or Cross-Origin Resource Sharing, is a mechanism that allows restricted resources to be shared between websites in a manner that would normally be disallowed by the Same-Origin Policy (SOP). In general, this means that websites that support CORS will allow resources to be shared with other sites, with the CORS policy acting as the gatekeeper.

The high-level model for how CORS requests are handled is illustrated in the graph below:

Diagram explaining how CORS works.

Figure I – The browser’s decision graph for allowing a CORS request
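
The same decision can be written out as code. The JavaScript below is an added example, not part of the original article and not text from the Fetch standard: a simplified model of the browser's CORS check and preflight check. The function names, the request object shape, and the app.example origin are assumptions; response status checks, header-value limits, and preflight caching are omitted.

```javascript
// Simplified model of the browser's CORS decision as specified in Fetch.
// Header names are real; function names and the request shape are illustrative.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Lower-case header names so lookups are case-insensitive.
const lower = (h) => Object.fromEntries(
  Object.entries(h || {}).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Names of request headers that are not CORS-safelisted.
function unsafeHeaders(req) {
  return Object.entries(lower(req.headers)).filter(([name, value]) => {
    if (!SAFE_HEADERS.has(name)) return true;
    if (name !== "content-type") return false;
    return !SAFE_TYPES.has(value.split(";")[0].trim().toLowerCase());
  }).map(([name]) => name);
}

// A preflight (OPTIONS) request is sent first when the request is not "simple".
function needsPreflight(req) {
  return !SAFE_METHODS.has(req.method.toUpperCase()) || unsafeHeaders(req).length > 0;
}

// CORS check: may script running on req.origin read this response?
function corsCheck(req, responseHeaders) {
  const h = lower(responseHeaders);
  const allowed = h["access-control-allow-origin"];
  if (allowed === undefined) return false;              // header absent: blocked
  if (!req.credentials && allowed === "*") return true; // wildcard never covers credentials
  if (allowed !== req.origin) return false;             // exact match, no patterns
  return !req.credentials || h["access-control-allow-credentials"] === "true";
}

// Preflight check: OPTIONS response must pass corsCheck and permit method and headers.
function preflightAllows(req, preflightHeaders) {
  if (!corsCheck(req, preflightHeaders)) return false;
  const h = lower(preflightHeaders);
  const methods = list(h["access-control-allow-methods"]);
  const headers = list(h["access-control-allow-headers"]);
  const wild = (l) => !req.credentials && l.includes("*");
  const m = req.method.toUpperCase();
  const methodOk = SAFE_METHODS.has(m) || wild(methods) || methods.includes(m.toLowerCase());
  return methodOk && unsafeHeaders(req).every(
    (n) => headers.includes(n) || (n !== "authorization" && wild(headers)));
}
// Constructed sample: a credentialed JSON PUT from a hypothetical origin.
const sampleReq = { method: "PUT", origin: "https://app.example", credentials: true, headers: { "Content-Type": "application/json" } };
```

For `sampleReq`, a preflight is required, and a server that answers it with wildcard `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` values is still refused, because wildcards do not apply to credentialed requests.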

Is CORS Obsolete?

There are two answers to this question.

First, and most importantly for developers, the technical implementations of CORS are not obsolete. If you are worried that you will wake up one day after Chrome or Safari or Edge update and all the things you use CORS for will be broken, rest assured that the mechanisms that web developers think of as CORS will not be broken anytime soon.

What has changed is that CORS as an independent standard was obsoleted by the W3C and the CORS standard became part of a larger standard, called Fetch.

What Is Fetch?

Fetch’s purpose is to consolidate various standards for retrieving cross-site resources into one set of standards. To quote the Fetch standard’s abstract(1),

The Fetch standard defines requests, responses, and the process that binds them: fetching.

They state the goals of the Fetch standard as(2):

To unify fetching across the web platform this specification supplants a number of algorithms and specifications:

Where Did We Hear that CORS is Obsolete?

References to “Obsolete CORS” or “CORS is obsolete” were found in recent discussions in the W3C minutes. The minutes refer to the issue of obsoleting CORS being raised, and the subsequent decision(3):

dveditz: I raised on the list obsoleting CORS. The spec is old and doesn’t reflect what browsers actually do

A search of the W3C mailing list turned up a thread referencing the topic.

The primary statement of the notification is(4):

This specification (CORS) is obsolete and should no longer be used as a basis for implementation.

The discussion goes on to state that(4):

Although the Fetch Living Standard continues to evolve and accordingly W3C cannot speak to the stability of the entire spec – the portions of the Fetch spec that obsolete the CORS spec are stable and have sufficient implementations on the Web – the Director supports the Working Group’s request to republish the CORS Recommendation as an Obsolete Recommendation.

How Does This Change What We Do With CORS?

The main thing to keep in mind is to expect that official changes to the mechanisms of CORS will now be published as part of the Fetch specification, not part of the (now deprecated) CORS specification. It is unclear at the time of writing if this change was immediate, or if there will be a transition period. Changes in web standards have a history of implementation-specific bugs, and changes to the whitepaper spec rarely propagate quickly to the software that implements them.

Wise developers will be aware that this change has been made, but keep an eye on when (or if) those changes propagate to the specific web servers, browsers, and the libraries that they depend on for their own products before making any changes.

Tim Sapio is a Senior Security Analyst at Bishop Fox. He specializes in application and network penetration testing for the Fortune 1000, financial institutions, and high-tech startups. Previously, Tim authored a blog post on the Heartbleed vulnerability from 2014.

References

1 https://fetch.spec.whatwg.org/  (Abstract section)

2 https://fetch.spec.whatwg.org/  (Goals section)

3 https://www.w3.org/2017/08/16-webappsec-minutes.html  (Obsoleting CORS section)

4 https://lists.w3.org/Archives/Public/public-publ-wg/2017Aug/0190.html