/
576.txt
441 lines (319 loc) · 21.2 KB
/
576.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
[1] [DFN[[RUBY[CORS][コルス]]]] ([DFN[Cross-Origin Resource Sharing]]、[DFN[起源間資源共有]]、[DFN[HTTP CORS [RUBYB[プロトコル]@en[protocol]]]]とも。)
は、[[同一起源ポリシー]]の制約を超えて [[Webアプリケーション]]が異なる[[起源]]の[[資源]]に[[アクセス]]するための仕組みです。
[61] [[XHR]] その他の [[DOM API]] や [[HTML要素]]などを使って [[HTTP]]
アクセスを行う際に用いられます。
* 仕様書
[REFS[
- [47] '''[CITE@en-US[Fetch Standard]] ([TIME[2014-01-10 13:25:58 +09:00]] 版) <http://fetch.spec.whatwg.org/#http-cors-protocol>'''
]REFS]
[51] 仕様書としての [[CORS]] は発展的に消滅して [[Fetch Standard]] となりました。 [[W3C]]
のサイトにある [[CORS]] 仕様書はそれ以前の古い版です。
* 概要
[52] [[Web]] のセキュリティーモデルに従えば、原則として異なる[[起源]]を持つ[[資源]]にはアクセスできません ([[同一起源ポリシー]])。
例えば[[スクリプト]]は、異なる[[ドメイン]]の [[URL]] から情報を取得することができません。
[[CORS]] はこの制限を緩和するものです。異なる[[ドメイン]]の [[URL]]
であっても、 [[HTTP応答]]に [[CORS]] の適切な[[ヘッダー]]が含まれていれば、
その応答に含まれる情報に[[スクリプト]]がアクセスできるようになります。
* HTTP CORS プロトコル
[53] [[HTTP CORSプロトコル]]は [[Fetch Standard]] で規定されており、 [[fetch]] の際に [[HTTP]]
[[ヘッダー]]や [CODE(HTTP)@en[[[OPTIONS]]]] [[メソッド]]の[[要求]]を使った[[起源鯖]]と[[クライアント]]とのやりとりにより、
異なる[[起源]]の[[資源]]に対するアクセスを認めることができるものです。
@@ XXX
* CORS 属性
[54] [[HTML]] の [CODE(HTMLe)@en[[[img]]]] [[要素]]など[[埋め込み内容]]系の[[要素]]には
[CODE(HTMLa)@en[[[crossorigin]]]] [[属性]]が用意されており、 [[CORS]] を利用するかを制御できます。
@@ XXX
[[CORS設定群属性]]
* 歴史
[3] [[CORS]] は元々は [[VoiceXML Working Group]] により [CODE(XML)@en[[[<?access-control?>]]]]
[[処理指令]]として検討されていましたが、 [[Web Apps WG]] に引き継がれ、[[HTTP]]
[[頭欄]] [CODE(HTTP)@en[[[Access-Control:]]]] [[頭欄]]などを経て、最終的に現在の形になりました。
[4] 旧案時代の歴史は [CODE(XML)@en[[[<?access-control?>]]]] の項を参照してください。
** W3C CORS
[REFS[
- [28] [CITE@en-US[Cross-Origin Resource Sharing]] ([TIME[2012-03-01 14:27:55 +09:00]] 版) <http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#introduction>
]REFS]
[30] [[CORS]] の[[応用]]の一覧は [[CORS API仕様]]の項をご覧ください。
** XHR + CORS
*** 対応ブラウザ
- [8] [[Firefox]] 3.5+ (2009/6) [SRC[>>7, >>13]]
- [9] [[Chrome]] [SRC[>>7, >>13]]
-- [16] [[Chrome]] 2 (2009/5) は既に対応している [SRC[>>15]]
-- [17] 世間では Chrome2 以降説と Chrome3 以降説が流布されているw 実際にいつから実装されてるのか不明 [TIME[2011-04-24T02:36:05.800Z]]
- [10] [[Safari]] 4+ (2009/6) [SRC[>>7, >>13]]
- [12] [[Opera]] [SRC[>>13]]
-- [14] >>13 には対応していると書いてあるものの、公式情報を見つけられないので要検証。 Opera 10 は未対応。
** XDR
*** 対応ブラウザ
- [11] [[IE]] 8+ (2009/3) [SRC[>>7, >>13]]
[18] [[IE]] (少なくても 8) では [[Cookie]] を送らせることができない。
** 出典
- [7] [CITE@ja[XMLHttpRequest - Wikipedia]] ([TIME[2011-03-23 04:23:06 +09:00]] 版) <http://ja.wikipedia.org/wiki/XMLHttpRequest#.E3.82.AF.E3.83.AD.E3.82.B9.E3.83.89.E3.83.A1.E3.82.A4.E3.83.B3>
- [13] [CITE@en[XMLHttpRequest - Wikipedia, the free encyclopedia]] ([TIME[2011-04-21 07:37:09 +09:00]] 版) <http://en.wikipedia.org/wiki/XMLHttpRequest#Cross-domain_requests>
- [15] [CITE[XMLHttpRequest Level 2 と wedata バックアップ - 0xFF]] ([TIME[2011-04-24 11:31:24 +09:00]] 版) <http://d.hatena.ne.jp/os0x/20090610/1244618814>
** HTML との統合
[5] [CITE[IRC logs: freenode / #whatwg / 20101014]]
( ([TIME[2010-10-24 00:00:38 +09:00]] 版))
<http://krijnhoetmer.nl/irc-logs/whatwg/20101014#l-476>
[6] [CITE[IRC logs: freenode / #whatwg / 20101103]]
( ([TIME[2010-11-13 16:04:31 +09:00]] 版))
<http://krijnhoetmer.nl/irc-logs/whatwg/20101103>
[19] [CITE@en[Web Applications 1.0 r6142 First draft for working out how to use CORS with <img>, <video>, and <audio>.]]
( ([TIME[2011-05-18 10:09:00 +09:00]] 版))
<http://html5.org/tools/web-apps-tracker?from=6141&to=6142>
[20] [CITE[IRC logs: freenode / #whatwg / 20110520]]
( ([TIME[2011-05-22 19:41:16 +09:00]] 版))
<http://krijnhoetmer.nl/irc-logs/whatwg/20110520>
[21] [CITE@en[Web Applications 1.0 r6144 Update how CORS works with <img> and <video> (and <audio> and <track>).]]
( ([TIME[2011-05-24 05:43:00 +09:00]] 版))
<http://html5.org/tools/web-apps-tracker?from=6143&to=6144>
[22] [CITE@en[Web Applications 1.0 r6147 Change cross-origin='' to crossorigin='' since people don't seem to like hyphens. Poor hyphens.]]
( ([TIME[2011-05-24 06:29:00 +09:00]] 版))
<http://html5.org/tools/web-apps-tracker?from=6146&to=6147>
[23] [CITE@en[Web Applications 1.0 r6255 CORS-enable EventSource, for cross-site event streams]]
( ([TIME[2011-06-18 04:57:00 +09:00]] 版))
<http://html5.org/tools/web-apps-tracker?from=6254&to=6255>
[24] [CITE[''''''[''''''whatwg'''''']'''''' CORS requests for image and video elements]]
( ([TIME[2011-06-20 23:44:55 +09:00]] 版))
<http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-May/031764.html>
[25] [CITE['''['''whatwg''']''' Enhancement request: change EventSource to allow cross-domain access]]
([TIME[2011-06-24 11:50:30 +09:00]] 版)
<http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-June/032212.html>
[26] [CITE['''['''whatwg''']''' '''['''CORS''']''' WebKit tainting image instead of throwing error]]
([TIME[2011-10-05 07:26:20 +09:00]] 版)
<http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-October/033389.html>
[27] [CITE[IRC logs: freenode / #whatwg / 20111011]]
( ([TIME[2011-10-12 00:08:40 +09:00]] 版))
<http://krijnhoetmer.nl/irc-logs/whatwg/20111011>
[REFS[
- [2] [CITE@en-US[Cross-Origin Resource Sharing]]
<http://dev.w3.org/2006/waf/access-control/>
]REFS]
[29] >>2 が最新版の仕様書でしたが、 [[hg]] に移行したため現在は >>28 が最新版となっています。
[31] [CITE@en-US[Cross-Origin Resource Sharing]]
( ([TIME[2012-04-03 23:15:58 +09:00]] 版))
<http://www.w3.org/TR/2012/WD-cors-20120403/>
[32] [CITE[''''''[''''''whatwg'''''']'''''' '''['''html5''']''' r7128 - '''['''giow''']''' (2) Try to define img synchronous loading. Affected topics: HTML]]
( ([TIME[2012-08-30 01:12:43 +09:00]] 版))
<http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2012-August/037037.html>
[35] [CITE[CORS - W3C Wiki]]
( ([TIME[2012-11-27 20:36:18 +09:00]] 版))
<http://www.w3.org/wiki/CORS>
[36] [CITE@en-US[Cross-Origin Resource Sharing]]
( ([TIME[2013-01-30 02:32:11 +09:00]] 版))
<http://www.w3.org/TR/2013/CR-cors-20130129/>
** Fetch Standard へ
[48] 2012年初秋、 [[Anne]] が [[Opera]] を離れたことをきっかけに [[CORS]] は [[W3C]] から [[WHATWG]]
へ移りましたが、懸案であった [[HTML Fetch]] との統合を見据えて fetch.spec.whatwg.org というドメイン名が選ばれました。
[33] [CITE@en-US[Cross-Origin Resource Sharing Standard]]
( ([TIME[2012-09-13 21:51:45 +09:00]] 版))
<http://fetch.spec.whatwg.org/>
[34] [CITE[W3C TPAC: CORS — Anne’s Blog]]
( ([TIME[2012-11-23 13:30:05 +09:00]] 版))
<http://annevankesteren.nl/2012/11/cors>
[49] 2013年春には [[HTML Fetch]] と [[CORS]] を統合して書きなおされた新しい [[Fetch Standard]]
に置き換えられました。これによって単体の仕様書としての [[CORS]] は役目を終えました。
[37] [CITE@en[Fetch: HTTP authentication and CORS]]
( ([[Anne van Kesteren]] 著, [TIME[2013-05-03 21:57:46 +09:00]] 版))
<http://lists.w3.org/Archives/Public/public-webapps/2013AprJun/0487.html>
[38] [CITE[カスタムヘッダを使ったCSRF対策は安全に使えるかどうかということについて - 金利0無利息キャッシング – キャッシングできます - subtech]]
( ([TIME[2013-06-12 01:28:13 +09:00]] 版))
<http://subtech.g.hatena.ne.jp/mala/20130304/1362392723>
[39] [CITE[''''''[''''''whatwg'''''']'''''' Fetch: please review!]]
( ([TIME[2013-06-20 08:48:41 +09:00]] 版))
<http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2013-June/039809.html>
[40] [CITE[IRC logs: freenode / #whatwg / 20131028]]
( ([TIME[2013-10-29 22:31:33 +09:00]] 版))
<http://krijnhoetmer.nl/irc-logs/whatwg/20131028>
** W3C CORS 勧告
[50] 新しい [[Fetch Standard]] に統合された後も [[W3C Process]] 上 [[CORS]] 仕様書は残り続け、
2014年1月にはようやく [[W3C勧告]]となりました。 (しかし内容は [[Fetch]] との統合前の古いまま、つまり2年遅れです。)
[41] [CITE@en-US[Cross-Origin Resource Sharing]]
( ([TIME[2013-12-05 05:33:19 +09:00]] 版))
<http://www.w3.org/TR/2013/PR-cors-20131205/>
[42] [CITE[CORS report]]
( ([[]] 著, [TIME[2012-12-05 18:21:07 +09:00]] 版))
<http://odinho.html5.org/CORS/testsuite-report.html>
[43] [CITE[CORS Edited PR report]]
( ([[]] 著, [TIME[2013-08-16 05:30:57 +09:00]] 版))
<http://webappsec-test.info/~bhill2/pub/CORS/cors-test-supplement.htm>
[46] [CITE@en-US[Cross-Origin Resource Sharing]]
( ([TIME[2014-01-16 07:53:22 +09:00]] 版))
<http://www.w3.org/TR/2014/REC-cors-20140116/>
** その後
[44] [CITE@en[Re: ''''''[''''''beacon'''''']'''''' Random comments]]
( ([[Jonas Sicking]] 著, [TIME[2013-12-20 04:43:42 +09:00]] 版))
<http://lists.w3.org/Archives/Public/public-web-perf/2013Dec/0108.html>
[45] [CITE@en[Bug 14703 – Integrate style sheet loading with CSSOM]]
( ([TIME[2014-01-14 09:00:15 +09:00]] 版))
<https://www.w3.org/Bugs/Public/show_bug.cgi?id=14703>
[55] [CITE@en[Web Applications 1.0 r8634 Big editorial cleanup. No normative changes.]]
( ([TIME[2014-05-15 08:21:00 +09:00]] 版))
<http://html5.org/tools/web-apps-tracker?from=8633&to=8634>
[56] [CITE@en[Let CORS preflight fetch perform its own CORS check. Also if a CORS cach... · 49eb9d0 · whatwg/fetch]]
( ([TIME[2014-09-10 02:48:50 +09:00]] 版))
<https://github.com/whatwg/fetch/commit/49eb9d0e649331f9364a06767e5a17fc6155107b>
[57] [CITE@en[CORS performance]]
([[Anne van Kesteren]] 著, [TIME[2015-02-18 03:39:42 +09:00]] 版)
<https://lists.w3.org/Archives/Public/public-webapps/2015JanMar/0646.html>
[58] [CITE@en[Re: CORS performance]]
([[Anne van Kesteren]] 著, [TIME[2015-02-19 20:30:46 +09:00]] 版)
<https://lists.w3.org/Archives/Public/public-webapps/2015JanMar/0672.html>
[59] [CITE@en[CORS performance proposal]]
([[Anne van Kesteren]] 著, [TIME[2015-02-19 22:29:24 +09:00]] 版)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0350.html>
[60] [CITE@en[Re: CORS performance]]
([[Jonas Sicking]] 著, [TIME[2015-02-20 05:20:38 +09:00]] 版)
<https://lists.w3.org/Archives/Public/public-webapps/2015JanMar/0696.html>
[62] [CITE@en[Re: ''''''[''''''webappsec'''''']'''''' CfC: Proposed non-normative updates to CORS]]
([[Mike West]] 著, [TIME[2015-07-01 15:49:16 +09:00]] 版)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Jul/0002.html>
[63] [CITE@en[Merge pull request #485 from fmarier/sri-issue418 · w3c/webappsec@73e50e6]]
([TIME[2015-09-29 16:00:13 +09:00]] 版)
<https://github.com/w3c/webappsec/commit/73e50e6c3cd437a0c8921dd95b539f152fd85cae>
[FIG(quote)[
[FIGCAPTION[
[64] [CITE@en[Safari 4.0]]
([TIME[2015-11-04 22:53:31 +09:00]] 版)
<https://developer.apple.com/library/safari/releasenotes/General/WhatsNewInSafari/Articles/Safari_4_0.html#//apple_ref/doc/uid/TP40014305-CH4-SW15>
]FIGCAPTION]
> WebKit now has basic support for cross-site XML HTTP requests using W3C XMLHttpRequest Level 2 and W3C access control for cross-site requests. This provides a way for servers to specify that a cross-site request is allowed, by sending an Access-Control HTTP response header.
]FIG]
[65] [CITE@en[Fix #152: give up on forced CORS preflights being a mode · whatwg/fetch@2ca5730]]
([TIME[2015-11-26 13:46:07 +09:00]] 版)
<https://github.com/whatwg/fetch/commit/2ca5730755795a4fc5e50c06f8fc477adb931d74>
[66] [CITE@en[Align with Fetch, forcing a CORS preflight is a flag again · whatwg/xhr@6ebf187]]
([TIME[2015-11-26 13:46:22 +09:00]] 版)
<https://github.com/whatwg/xhr/commit/6ebf187740869fe85893abcfcfa5a5e629a6584b>
[67] [CITE@en[Fix #169: make "no-cors" work with any credentials mode · whatwg/fetch@4147978]]
([TIME[2016-01-13 12:08:56 +09:00]] 版)
<https://github.com/whatwg/fetch/commit/4147978673c15047d1a5d4a76b1a403a7d75a956>
[70] [CITE@en[Fix #202: attempt to define CORS filtered response a little clearer · whatwg/fetch@b17b985]]
([TIME[2016-01-30 12:34:12 +09:00]] 版)
<https://github.com/whatwg/fetch/commit/b17b9859ae66de798cbad8759a8c84e7395a2557>
[68] [CITE@en[''''''[''''''integration'''''']'''''' References to external resources · w3c/svgwg@6257fcb]]
([TIME[2016-02-05 14:34:25 +09:00]] 版)
<https://github.com/w3c/svgwg/commit/6257fcb92ba52ca231d412a6b505b2c71650d215>
[69] [CITE@en["With Credentials" flag possibly inconsistent with web architecture · Issue #76 · w3ctag/spec-reviews]]
([TIME[2016-03-15 11:54:22 +09:00]] 版)
<https://github.com/w3ctag/spec-reviews/issues/76>
[71] [CITE@en[CORS and RFC1918]]
([TIME[2016-03-03 19:13:16 +09:00]] 版)
<https://mikewest.github.io/cors-rfc1918/>
[72] [CITE@en[Explain CORS protocol and credentials interaction]]
( ([[annevk]]著, [TIME[2016-05-05 19:34:15 +09:00]]))
<https://github.com/whatwg/fetch/commit/c9e8db9d9075989fd2b91203f0247c52bac0ca27>
[73] [CITE@en["With Credentials" flag possibly inconsistent with web architecture · Issue #76 · w3ctag/spec-reviews]]
( ([TIME[2016-05-06 10:56:04 +09:00]]))
<https://github.com/w3ctag/spec-reviews/issues/76>
[74] [CITE@en[Allow more wildcards in CORS when used without credentials]]
( ([[annevk]]著, [TIME[2016-05-24 18:42:09 +09:00]]))
<https://github.com/whatwg/fetch/commit/cdbb13c08650b10c9ebfc54d046bec0639e7ba7c>
[75] [CITE@en[Redirect on preflighted CORS requests generally impossible · Issue #204 · whatwg/fetch]]
( ([TIME[2016-05-25 13:13:45 +09:00]]))
<https://github.com/whatwg/fetch/issues/204#issuecomment-184257430>
[76] [CITE@en[CO Redirect in the face of CORs may not be correct in specs · Issue #32 · w3c/beacon]]
([TIME[2016-06-30 12:03:34 +09:00]])
<https://github.com/w3c/beacon/issues/32>
[77] [CITE@en[Merge pull request #33 from w3c/nocors]]
([[toddreifsteck]]著, [TIME[2016-06-30 08:57:52 +09:00]])
<https://github.com/w3c/beacon/commit/62f466477436042108f8d2cb92bc1c6cae1644ed>
[78] [CITE@en[Align Fetch's destination concept with changes in Fetch]]
([[sideshowbarker]]著, [TIME[2016-07-05 02:46:14 +09:00]])
<https://github.com/whatwg/html/commit/5e8f96a85d182d36c177db0d6fdde58b4ded86d4>
[79] [CITE@en[Allow for redirects after a CORS-preflight]]
([[annevk]]著, [TIME[2016-08-04 21:15:29 +09:00]])
<https://github.com/whatwg/fetch/commit/0d9a4db8bc02251cc9e391543bb3c1322fb882f2>
[80] [CITE@en[Merge pull request #34 from w3c/cors-whitelist]]
([[plehegar]]著, [TIME[2016-08-18 04:31:50 +09:00]])
<https://github.com/w3c/beacon/commit/b917e89fbe0e448e3318428b33d7fb9a66820cea>
[81] [CITE@en['''['''webappsec''']''' WG Note: CORS for developers]]
([[Brad Hill]]著, [TIME[2016-09-14 08:17:11 +09:00]])
<https://lists.w3.org/Archives/Public/public-webappsec/2016Sep/0047.html>
[82] [CITE@en[CORS for Developers]]
([TIME[2016-09-14 14:00:25 +09:00]])
<https://w3c.github.io/webappsec-cors-for-developers/>
[83] [CITE@en[Remove request's omit-Origin-header flag]]
([[annevk]]著, [TIME[2016-12-09 16:37:16 +09:00]])
<https://github.com/whatwg/fetch/commit/eb89fcd54bb39e81b11c569f6ad7ba615883f7b9>
[84] [CITE@en[Clarify requirements on a CORS server]]
([[annevk]]著, [TIME[2017-03-30 20:21:45 +09:00]])
<https://github.com/whatwg/fetch/commit/9289687f43b2f88fe5480f989f59fdb6eb602ac6>
[85] [CITE@en[Re: Propose "Obsolete" status for CORS spec]]
([[Mark Nottingham]]著, [TIME[2017-08-01 10:04:32 +09:00]])
<https://lists.w3.org/Archives/Public/public-webappsec/2017Aug/0000.html>
[86] [CITE@en[Last call: Obsoleting CORS]]
([[Daniel Veditz]]著, [TIME[2017-08-17 09:07:58 +09:00]])
<https://lists.w3.org/Archives/Public/public-webappsec/2017Aug/0005.html>
[87] [CITE@en[Web Application Security WG -- 16 Aug 2017]]
([TIME[2017-08-17 01:23:37 +09:00]])
<https://www.w3.org/2017/08/16-webappsec-minutes.html>
[88] [CITE@en[Transition Request: Proposed Obsolete for CORS]]
([[Daniel Veditz]]著, [TIME[2017-08-26 04:42:30 +09:00]])
<https://lists.w3.org/Archives/Public/public-webappsec/2017Aug/0010.html>
[89] [CITE@en[Using integrity with "no-cors" is fine same-origin]]
([[annevk]]著, [TIME[2017-09-02 01:19:38 +09:00]])
<https://github.com/whatwg/fetch/commit/686a1ad9e1c5a001531ebabb1bcd163dfe78edd8>
[90] [CITE@en[Adjust CORS wildcard handling slightly]]
([[annevk]]著, [TIME[2017-09-07 17:48:36 +09:00]])
<https://github.com/whatwg/fetch/commit/358dbf5296d91bb791d864b677b367bb11b3bf37>
[91] [CITE@en[Adjust wildcard handling slightly by annevk · Pull Request #592 · whatwg/fetch]]
([TIME[2017-09-08 14:54:04 +09:00]])
<https://github.com/whatwg/fetch/pull/592>
[92] [CITE@en[Access-Control-Expose-Headers: * can be interpreted in two ways · Issue #548 · whatwg/fetch]]
([TIME[2017-09-08 14:54:25 +09:00]])
<https://github.com/whatwg/fetch/issues/548>
[93] [CITE@en[Re: CORS should be abandoned]]
([[Boris Zbarsky]]著, [TIME[2017-10-14 00:42:28 +09:00]])
<https://lists.w3.org/Archives/Public/public-webapps/2017OctDec/0044.html>
[94] [CITE@en[Do not allow CORS responses to "same-origin" requests]]
([[annevk]]著, [TIME[2018-01-06 20:56:46 +09:00]])
<https://github.com/whatwg/fetch/commit/548bca234ad5d0296030b2384cc0b784799c4664>
[95] [CITE@en[1427978 - Update the WPT test we expected failure after rejecting the CORS synthesized response for the same-origin request]]
([TIME[2018-01-09 11:28:26 +09:00]])
<https://bugzilla.mozilla.org/show_bug.cgi?id=1427978>
[96] [CITE@en[consider failing same-origin fetch requests that get a cross-origin cors Response synthesized by a service worker · Issue #629 · whatwg/fetch]]
([TIME[2018-01-09 11:28:53 +09:00]])
<https://github.com/whatwg/fetch/issues/629>
[97] [CITE@en[Do not allow CORS responses to "same-origin" requests by annevk · Pull Request #655 · whatwg/fetch]]
([TIME[2018-01-09 11:28:59 +09:00]])
<https://github.com/whatwg/fetch/pull/655>
[98] [CITE@en[Return a network error for mode "no-cors" and redirect mode not "follow"]]
([[youennf]]著, [TIME[2018-01-23 21:23:16 +09:00]])
<https://github.com/whatwg/fetch/commit/14858d3e9402285a7ff3b5e47a22896ff3adc95d>
[99] [CITE@en[Return a network error in case of no-cors mode and redirect being not follow by youennf · Pull Request #663 · whatwg/fetch]]
([TIME[2018-01-24 12:58:14 +09:00]])
<https://github.com/whatwg/fetch/pull/663>
[100] [CITE@en[Deprecations and removals in Chrome 66 | Web | Google Developers]]
([TIME[2018-03-30 01:37:56 +09:00]])
<https://developers.google.com/web/updates/2018/03/chrome-66-deprecations>
[101] [CITE@en[Export the definition of CORS-same-origin by csnardi · Pull Request #3605 · whatwg/html]]
([TIME[2018-04-04 15:46:38 +09:00]])
<https://github.com/whatwg/html/pull/3605>
[102] [CITE@en[IETF HTML5 Meeting March 2009 - W3C Wiki]]
([TIME[2018-04-21 13:28:11 +09:00]])
<https://www.w3.org/wiki/IETF_HTML5_Meeting_March_2009>
[103] [CITE@en[Avoid using the CORS flag to reset request's origin in redirects by annevk · Pull Request #594 · whatwg/fetch]]
([TIME[2018-06-01 01:01:46 +09:00]])
<https://github.com/whatwg/fetch/pull/594>
[104] [CITE@en[Make CORS-preflight fetches set the CORS flag]]
([[annevk]]著, [TIME[2018-05-28 21:39:53 +09:00]])
<https://github.com/whatwg/fetch/commit/9334fcbd34dc17e4508582c9fdc57f20ba5b728e>
[105] [CITE@en[Remove Reporting API from CORS exceptions]]
([[dcreager]]著, [TIME[2018-07-31 17:03:24 +09:00]])
<https://github.com/whatwg/fetch/commit/b3492ec22778d1e5705432d80b82dfa7664aedf0>
[106] [CITE@en[Remove Reporting API from CORS exceptions by dcreager · Pull Request #776 · whatwg/fetch]]
([TIME[2018-08-05 14:58:53 +09:00]])
<https://github.com/whatwg/fetch/pull/776>
[107] [CITE@en[Are report uploads supposed to send CORS preflights? · Issue #41 · w3c/reporting]]
([TIME[2018-08-05 15:00:02 +09:00]])
<https://github.com/w3c/reporting/issues/41>
[108] [CITE@en[Clarify CORS behavior for report uploads by dcreager · Pull Request #97 · w3c/reporting]]
([TIME[2018-08-05 15:01:27 +09:00]])
<https://github.com/w3c/reporting/pull/97>
[109] [CITE@en[Strengthen requirements on CORS even further by having a maximum comb…]]
([[annevk]]著, [TIME[2018-05-30 21:31:43 +09:00]])
<https://github.com/whatwg/fetch/commit/e2d62ff1df77105c519360948174a135c5eabb6c>
[110] [CITE@en[CORS-safelisted request headers should be restricted according to RFC 7231 · Issue #382 · whatwg/fetch]]
([TIME[2018-08-22 19:09:16 +09:00]])
<https://github.com/whatwg/fetch/issues/382>