[1] [DFN[[RUBY[CORS][コルス]]]] ([DFN[Cross-Origin Resource Sharing]]、[DFN[起源間資源共有]]、[DFN[HTTP CORS [RUBYB[プロトコル]@en[protocol]]]]とも。)
は、[[同一起源ポリシー]]の制約を超えて [[Webアプリケーション]]が異なる[[起源]]の[[資源]]に[[アクセス]]するための仕組みです。

[61] [[XHR]] その他の [[DOM API]] や [[HTML要素]]などを使って [[HTTP]]
アクセスを行う際に用いられます。

* 仕様書

[REFS[
- [47] '''[CITE@en-US[Fetch Standard]] ([TIME[2014-01-10 13:25:58 +09:00]] 版) <http://fetch.spec.whatwg.org/#http-cors-protocol>'''
]REFS]

[51] 仕様書としての [[CORS]] は発展的に消滅して [[Fetch Standard]] となりました。 [[W3C]]
のサイトにある [[CORS]] 仕様書はそれ以前の古い版です。

* 概要

[52] [[Web]] のセキュリティーモデルに従えば、原則として異なる[[起源]]を持つ[[資源]]にはアクセスできません ([[同一起源ポリシー]])。
例えば[[スクリプト]]は、異なる[[ドメイン]]の [[URL]] から情報を取得することができません。
[[CORS]] はこの制限を緩和するものです。異なる[[ドメイン]]の [[URL]]
であっても、 [[HTTP応答]]に [[CORS]] の適切な[[ヘッダー]]が含まれていれば、
その応答に含まれる情報に[[スクリプト]]がアクセスできるようになります。

* HTTP CORS プロトコル

[53] [[HTTP CORSプロトコル]]は [[Fetch Standard]] で規定されており、 [[fetch]] の際に [[HTTP]]
[[ヘッダー]]や [CODE(HTTP)@en[[[OPTIONS]]]] [[メソッド]]の[[要求]]を使った[[起源鯖]]と[[クライアント]]とのやりとりにより、
異なる[[起源]]の[[資源]]に対するアクセスを認めることができるものです。

@@ XXX

* CORS 属性

[54] [[HTML]] の [CODE(HTMLe)@en[[[img]]]] [[要素]]など[[埋め込み内容]]系の[[要素]]には
[CODE(HTMLa)@en[[[crossorigin]]]] [[属性]]が用意されており、 [[CORS]] を利用するかを制御できます。

@@ XXX
[[CORS設定群属性]]

* 関連

[145] 
[[AMP]]
は
[[CORS]]
と称する
[[CORS]] でないものを使っています。
[SEE[ [[CORS in AMP]], [[CORS in AMP Email]] ]]

[146] 
[[TypeError: Load failed]]

* 歴史

[3] [[CORS]] は元々は [[VoiceXML Working Group]] により [CODE(XML)@en[[[<?access-control?>]]]]
[[処理指令]]として検討されていましたが、 [[Web Apps WG]] に引き継がれ、[[HTTP]]
[[頭欄]] [CODE(HTTP)@en[[[Access-Control:]]]] [[頭欄]]などを経て、最終的に現在の形になりました。

[4] 旧案時代の歴史は [CODE(XML)@en[[[<?access-control?>]]]] の項を参照してください。

** W3C CORS

[REFS[
- [28] [CITE@en-US[Cross-Origin Resource Sharing]] ([TIME[2012-03-01 14:27:55 +09:00]] 版) <http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#introduction>
]REFS]

[30] [[CORS]] の[[応用]]の一覧は [[CORS API仕様]]の項をご覧ください。

** XHR + CORS

*** 対応ブラウザ

- [8] [[Firefox]] 3.5+ (2009/6) [SRC[>>7, >>13]]
- [9] [[Chrome]] [SRC[>>7, >>13]]
-- [16] [[Chrome]] 2 (2009/5) は既に対応している [SRC[>>15]]
-- [17] 世間では Chrome2 以降説と Chrome3 以降説が流布されているw 実際にいつから実装されてるのか不明 [TIME[2011-04-24T02:36:05.800Z]]
- [10] [[Safari]] 4+ (2009/6) [SRC[>>7, >>13]]
- [12] [[Opera]] [SRC[>>13]]
-- [14] >>13 には対応していると書いてあるものの、公式情報を見つけられないので要検証。 Opera 10 は未対応。

** XDR

*** 対応ブラウザ

- [11] [[IE]] 8+ (2009/3) [SRC[>>7, >>13]]

[18] [[IE]] (少なくても 8) では [[Cookie]] を送らせることができない。

** 出典

- [7] [CITE@ja[XMLHttpRequest - Wikipedia]] ([TIME[2011-03-23 04:23:06 +09:00]] 版) <http://ja.wikipedia.org/wiki/XMLHttpRequest#.E3.82.AF.E3.83.AD.E3.82.B9.E3.83.89.E3.83.A1.E3.82.A4.E3.83.B3>
- [13] [CITE@en[XMLHttpRequest - Wikipedia, the free encyclopedia]] ([TIME[2011-04-21 07:37:09 +09:00]] 版) <http://en.wikipedia.org/wiki/XMLHttpRequest#Cross-domain_requests>
- [15] [CITE[XMLHttpRequest Level 2 と wedata バックアップ - 0xFF]] ([TIME[2011-04-24 11:31:24 +09:00]] 版) <http://d.hatena.ne.jp/os0x/20090610/1244618814>

** HTML との統合

[5] [CITE[IRC logs: freenode / #whatwg / 20101014]]
( ([TIME[2010-10-24 00:00:38 +09:00]] 版))
<http://krijnhoetmer.nl/irc-logs/whatwg/20101014#l-476>

[6] [CITE[IRC logs: freenode / #whatwg / 20101103]]
( ([TIME[2010-11-13 16:04:31 +09:00]] 版))
<http://krijnhoetmer.nl/irc-logs/whatwg/20101103>

[19] [CITE@en[Web Applications 1.0 r6142     First draft for working out how to use CORS with <img>, <video>, and <audio>.]]
( ([TIME[2011-05-18 10:09:00 +09:00]] 版))
<http://html5.org/tools/web-apps-tracker?from=6141&to=6142>

[20] [CITE[IRC logs: freenode / #whatwg / 20110520]]
( ([TIME[2011-05-22 19:41:16 +09:00]] 版))
<http://krijnhoetmer.nl/irc-logs/whatwg/20110520>

[21] [CITE@en[Web Applications 1.0 r6144     Update how CORS works with <img> and <video> (and <audio> and <track>).]]
( ([TIME[2011-05-24 05:43:00 +09:00]] 版))
<http://html5.org/tools/web-apps-tracker?from=6143&to=6144>

[22] [CITE@en[Web Applications 1.0 r6147      Change cross-origin='' to crossorigin='' since people don't seem to like hyphens. Poor hyphens.]]
( ([TIME[2011-05-24 06:29:00 +09:00]] 版))
<http://html5.org/tools/web-apps-tracker?from=6146&to=6147>

[23] [CITE@en[Web Applications 1.0 r6255     CORS-enable EventSource, for cross-site event streams]]
( ([TIME[2011-06-18 04:57:00 +09:00]] 版))
<http://html5.org/tools/web-apps-tracker?from=6254&to=6255>

[24] [CITE[''''''[''''''whatwg'''''']'''''' CORS requests for image and video elements]]
( ([TIME[2011-06-20 23:44:55 +09:00]] 版))
<http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-May/031764.html>

[25] [CITE['''['''whatwg''']''' Enhancement request: change EventSource to allow cross-domain access]]
([TIME[2011-06-24 11:50:30 +09:00]] 版)
<http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-June/032212.html>

[26] [CITE['''['''whatwg''']''' '''['''CORS''']''' WebKit tainting image instead of throwing error]]
([TIME[2011-10-05 07:26:20 +09:00]] 版)
<http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-October/033389.html>

[27] [CITE[IRC logs: freenode / #whatwg / 20111011]]
( ([TIME[2011-10-12 00:08:40 +09:00]] 版))
<http://krijnhoetmer.nl/irc-logs/whatwg/20111011>

[REFS[
- [2] [CITE@en-US[Cross-Origin Resource Sharing]] 
<http://dev.w3.org/2006/waf/access-control/>
]REFS]

[29] >>2 が最新版の仕様書でしたが、 [[hg]] に移行したため現在は >>28 が最新版となっています。

[31] [CITE@en-US[Cross-Origin Resource Sharing]]
( ([TIME[2012-04-03 23:15:58 +09:00]] 版))
<http://www.w3.org/TR/2012/WD-cors-20120403/>

[32] [CITE[''''''[''''''whatwg'''''']'''''' '''['''html5''']''' r7128 - '''['''giow''']''' (2) Try to define img synchronous loading. Affected topics: HTML]]
( ([TIME[2012-08-30 01:12:43 +09:00]] 版))
<http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2012-August/037037.html>

[35] [CITE[CORS - W3C Wiki]]
( ([TIME[2012-11-27 20:36:18 +09:00]] 版))
<http://www.w3.org/wiki/CORS>

[36] [CITE@en-US[Cross-Origin Resource Sharing]]
( ([TIME[2013-01-30 02:32:11 +09:00]] 版))
<http://www.w3.org/TR/2013/CR-cors-20130129/>

** Fetch Standard へ

[48] 2012年初秋、 [[Anne]] が [[Opera]] を離れたことをきっかけに [[CORS]] は [[W3C]] から [[WHATWG]]
へ移りましたが、懸案であった [[HTML Fetch]] との統合を見据えて fetch.spec.whatwg.org というドメイン名が選ばれました。

[33] [CITE@en-US[Cross-Origin Resource Sharing Standard]]
( ([TIME[2012-09-13 21:51:45 +09:00]] 版))
<http://fetch.spec.whatwg.org/>

[34] [CITE[W3C TPAC: CORS — Anne’s Blog]]
( ([TIME[2012-11-23 13:30:05 +09:00]] 版))
<http://annevankesteren.nl/2012/11/cors>

[49] 2013年春には [[HTML Fetch]] と [[CORS]] を統合して書きなおされた新しい [[Fetch Standard]]
に置き換えられました。これによって単体の仕様書としての [[CORS]] は役目を終えました。

[37] [CITE@en[Fetch: HTTP authentication and CORS]]
( ([[Anne van Kesteren]] 著, [TIME[2013-05-03 21:57:46 +09:00]] 版))
<http://lists.w3.org/Archives/Public/public-webapps/2013AprJun/0487.html>

[38] [CITE[カスタムヘッダを使ったCSRF対策は安全に使えるかどうかということについて - 金利0無利息キャッシング – キャッシングできます - subtech]]
( ([TIME[2013-06-12 01:28:13 +09:00]] 版))
<http://subtech.g.hatena.ne.jp/mala/20130304/1362392723>

[39] [CITE[''''''[''''''whatwg'''''']'''''' Fetch: please review!]]
( ([TIME[2013-06-20 08:48:41 +09:00]] 版))
<http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2013-June/039809.html>

[40] [CITE[IRC logs: freenode / #whatwg / 20131028]]
( ([TIME[2013-10-29 22:31:33 +09:00]] 版))
<http://krijnhoetmer.nl/irc-logs/whatwg/20131028>

** W3C CORS 勧告

[50] 新しい [[Fetch Standard]] に統合された後も [[W3C Process]] 上 [[CORS]] 仕様書は残り続け、
2014年1月にはようやく [[W3C勧告]]となりました。 (しかし内容は [[Fetch]] との統合前の古いまま、つまり2年遅れです。)

[41] [CITE@en-US[Cross-Origin Resource Sharing]]
( ([TIME[2013-12-05 05:33:19 +09:00]] 版))
<http://www.w3.org/TR/2013/PR-cors-20131205/>

[42] [CITE[CORS report]]
( ([[]] 著, [TIME[2012-12-05 18:21:07 +09:00]] 版))
<http://odinho.html5.org/CORS/testsuite-report.html>

[43] [CITE[CORS Edited PR report]]
( ([[]] 著, [TIME[2013-08-16 05:30:57 +09:00]] 版))
<http://webappsec-test.info/~bhill2/pub/CORS/cors-test-supplement.htm>

[46] [CITE@en-US[Cross-Origin Resource Sharing]]
( ([TIME[2014-01-16 07:53:22 +09:00]] 版))
<http://www.w3.org/TR/2014/REC-cors-20140116/>

** その後

[44] [CITE@en[Re: ''''''[''''''beacon'''''']'''''' Random comments]]
( ([[Jonas Sicking]] 著, [TIME[2013-12-20 04:43:42 +09:00]] 版))
<http://lists.w3.org/Archives/Public/public-web-perf/2013Dec/0108.html>

[45] [CITE@en[Bug 14703 – Integrate style sheet loading with CSSOM]]
( ([TIME[2014-01-14 09:00:15 +09:00]] 版))
<https://www.w3.org/Bugs/Public/show_bug.cgi?id=14703>


[55] [CITE@en[Web Applications 1.0 r8634 Big editorial cleanup. No normative changes.]]
( ([TIME[2014-05-15 08:21:00 +09:00]] 版))
<http://html5.org/tools/web-apps-tracker?from=8633&to=8634>

[56] [CITE@en[Let CORS preflight fetch perform its own CORS check. Also if a CORS cach... · 49eb9d0 · whatwg/fetch]]
( ([TIME[2014-09-10 02:48:50 +09:00]] 版))
<https://github.com/whatwg/fetch/commit/49eb9d0e649331f9364a06767e5a17fc6155107b>

[57] [CITE@en[CORS performance]]
([[Anne van Kesteren]] 著, [TIME[2015-02-18 03:39:42 +09:00]] 版)
<https://lists.w3.org/Archives/Public/public-webapps/2015JanMar/0646.html>

[58] [CITE@en[Re: CORS performance]]
([[Anne van Kesteren]] 著, [TIME[2015-02-19 20:30:46 +09:00]] 版)
<https://lists.w3.org/Archives/Public/public-webapps/2015JanMar/0672.html>

[59] [CITE@en[CORS performance proposal]]
([[Anne van Kesteren]] 著, [TIME[2015-02-19 22:29:24 +09:00]] 版)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0350.html>

[60] [CITE@en[Re: CORS performance]]
([[Jonas Sicking]] 著, [TIME[2015-02-20 05:20:38 +09:00]] 版)
<https://lists.w3.org/Archives/Public/public-webapps/2015JanMar/0696.html>

[62] [CITE@en[Re: ''''''[''''''webappsec'''''']'''''' CfC: Proposed non-normative updates to CORS]]
([[Mike West]] 著, [TIME[2015-07-01 15:49:16 +09:00]] 版)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Jul/0002.html>

[63] [CITE@en[Merge pull request #485 from fmarier/sri-issue418 · w3c/webappsec@73e50e6]]
([TIME[2015-09-29 16:00:13 +09:00]] 版)
<https://github.com/w3c/webappsec/commit/73e50e6c3cd437a0c8921dd95b539f152fd85cae>

[FIG(quote)[
[FIGCAPTION[
[64] [CITE@en[Safari 4.0]]
([TIME[2015-11-04 22:53:31 +09:00]] 版)
<https://developer.apple.com/library/safari/releasenotes/General/WhatsNewInSafari/Articles/Safari_4_0.html#//apple_ref/doc/uid/TP40014305-CH4-SW15>
]FIGCAPTION]

> WebKit now has basic support for cross-site XML HTTP requests using W3C XMLHttpRequest Level 2 and W3C access control for cross-site requests. This provides a way for servers to specify that a cross-site request is allowed, by sending an Access-Control HTTP response header. 

]FIG]


[65] [CITE@en[Fix #152: give up on forced CORS preflights being a mode · whatwg/fetch@2ca5730]]
([TIME[2015-11-26 13:46:07 +09:00]] 版)
<https://github.com/whatwg/fetch/commit/2ca5730755795a4fc5e50c06f8fc477adb931d74>

[66] [CITE@en[Align with Fetch, forcing a CORS preflight is a flag again · whatwg/xhr@6ebf187]]
([TIME[2015-11-26 13:46:22 +09:00]] 版)
<https://github.com/whatwg/xhr/commit/6ebf187740869fe85893abcfcfa5a5e629a6584b>

[67] [CITE@en[Fix #169: make "no-cors" work with any credentials mode · whatwg/fetch@4147978]]
([TIME[2016-01-13 12:08:56 +09:00]] 版)
<https://github.com/whatwg/fetch/commit/4147978673c15047d1a5d4a76b1a403a7d75a956>

[70] [CITE@en[Fix #202: attempt to define CORS filtered response a little clearer · whatwg/fetch@b17b985]]
([TIME[2016-01-30 12:34:12 +09:00]] 版)
<https://github.com/whatwg/fetch/commit/b17b9859ae66de798cbad8759a8c84e7395a2557>

[68] [CITE@en[''''''[''''''integration'''''']'''''' References to external resources · w3c/svgwg@6257fcb]]
([TIME[2016-02-05 14:34:25 +09:00]] 版)
<https://github.com/w3c/svgwg/commit/6257fcb92ba52ca231d412a6b505b2c71650d215>

[69] [CITE@en["With Credentials" flag possibly inconsistent with web architecture · Issue #76 · w3ctag/spec-reviews]]
([TIME[2016-03-15 11:54:22 +09:00]] 版)
<https://github.com/w3ctag/spec-reviews/issues/76>

[71] [CITE@en[CORS and RFC1918]]
([TIME[2016-03-03 19:13:16 +09:00]] 版)
<https://mikewest.github.io/cors-rfc1918/>

[72] [CITE@en[Explain CORS protocol and credentials interaction]]
( ([[annevk]]著, [TIME[2016-05-05 19:34:15 +09:00]]))
<https://github.com/whatwg/fetch/commit/c9e8db9d9075989fd2b91203f0247c52bac0ca27>

[73] [CITE@en["With Credentials" flag possibly inconsistent with web architecture · Issue #76 · w3ctag/spec-reviews]]
( ([TIME[2016-05-06 10:56:04 +09:00]]))
<https://github.com/w3ctag/spec-reviews/issues/76>

[74] [CITE@en[Allow more wildcards in CORS when used without credentials]]
( ([[annevk]]著, [TIME[2016-05-24 18:42:09 +09:00]]))
<https://github.com/whatwg/fetch/commit/cdbb13c08650b10c9ebfc54d046bec0639e7ba7c>

[75] [CITE@en[Redirect on preflighted CORS requests generally impossible · Issue #204 · whatwg/fetch]]
( ([TIME[2016-05-25 13:13:45 +09:00]]))
<https://github.com/whatwg/fetch/issues/204#issuecomment-184257430>

[76] [CITE@en[CO Redirect in the face of CORs may not be correct in specs · Issue #32 · w3c/beacon]]
([TIME[2016-06-30 12:03:34 +09:00]])
<https://github.com/w3c/beacon/issues/32>

[77] [CITE@en[Merge pull request #33 from w3c/nocors]]
([[toddreifsteck]]著, [TIME[2016-06-30 08:57:52 +09:00]])
<https://github.com/w3c/beacon/commit/62f466477436042108f8d2cb92bc1c6cae1644ed>

[78] [CITE@en[Align Fetch's destination concept with changes in Fetch]]
([[sideshowbarker]]著, [TIME[2016-07-05 02:46:14 +09:00]])
<https://github.com/whatwg/html/commit/5e8f96a85d182d36c177db0d6fdde58b4ded86d4>

[79] [CITE@en[Allow for redirects after a CORS-preflight]]
([[annevk]]著, [TIME[2016-08-04 21:15:29 +09:00]])
<https://github.com/whatwg/fetch/commit/0d9a4db8bc02251cc9e391543bb3c1322fb882f2>

[80] [CITE@en[Merge pull request #34 from w3c/cors-whitelist]]
([[plehegar]]著, [TIME[2016-08-18 04:31:50 +09:00]])
<https://github.com/w3c/beacon/commit/b917e89fbe0e448e3318428b33d7fb9a66820cea>

[81] [CITE@en['''['''webappsec''']''' WG Note: CORS for developers]]
([[Brad Hill]]著, [TIME[2016-09-14 08:17:11 +09:00]])
<https://lists.w3.org/Archives/Public/public-webappsec/2016Sep/0047.html>

[82] [CITE@en[CORS for Developers]]
([TIME[2016-09-14 14:00:25 +09:00]])
<https://w3c.github.io/webappsec-cors-for-developers/>

[83] [CITE@en[Remove request's omit-Origin-header flag]]
([[annevk]]著, [TIME[2016-12-09 16:37:16 +09:00]])
<https://github.com/whatwg/fetch/commit/eb89fcd54bb39e81b11c569f6ad7ba615883f7b9>

[84] [CITE@en[Clarify requirements on a CORS server]]
([[annevk]]著, [TIME[2017-03-30 20:21:45 +09:00]])
<https://github.com/whatwg/fetch/commit/9289687f43b2f88fe5480f989f59fdb6eb602ac6>

[85] [CITE@en[Re: Propose "Obsolete" status for CORS spec]]
([[Mark Nottingham]]著, [TIME[2017-08-01 10:04:32 +09:00]])
<https://lists.w3.org/Archives/Public/public-webappsec/2017Aug/0000.html>

[86] [CITE@en[Last call: Obsoleting CORS]]
([[Daniel Veditz]]著, [TIME[2017-08-17 09:07:58 +09:00]])
<https://lists.w3.org/Archives/Public/public-webappsec/2017Aug/0005.html>

[87] [CITE@en[Web Application Security WG -- 16 Aug 2017]]
([TIME[2017-08-17 01:23:37 +09:00]])
<https://www.w3.org/2017/08/16-webappsec-minutes.html>

[88] [CITE@en[Transition Request: Proposed Obsolete for CORS]]
([[Daniel Veditz]]著, [TIME[2017-08-26 04:42:30 +09:00]])
<https://lists.w3.org/Archives/Public/public-webappsec/2017Aug/0010.html>

[89] [CITE@en[Using integrity with "no-cors" is fine same-origin]]
([[annevk]]著, [TIME[2017-09-02 01:19:38 +09:00]])
<https://github.com/whatwg/fetch/commit/686a1ad9e1c5a001531ebabb1bcd163dfe78edd8>

[90] [CITE@en[Adjust CORS wildcard handling slightly]]
([[annevk]]著, [TIME[2017-09-07 17:48:36 +09:00]])
<https://github.com/whatwg/fetch/commit/358dbf5296d91bb791d864b677b367bb11b3bf37>

[91] [CITE@en[Adjust wildcard handling slightly by annevk · Pull Request #592 · whatwg/fetch]]
([TIME[2017-09-08 14:54:04 +09:00]])
<https://github.com/whatwg/fetch/pull/592>

[92] [CITE@en[Access-Control-Expose-Headers: * can be interpreted in two ways · Issue #548 · whatwg/fetch]]
([TIME[2017-09-08 14:54:25 +09:00]])
<https://github.com/whatwg/fetch/issues/548>

[93] [CITE@en[Re: CORS should be abandoned]]
([[Boris Zbarsky]]著, [TIME[2017-10-14 00:42:28 +09:00]])
<https://lists.w3.org/Archives/Public/public-webapps/2017OctDec/0044.html>

[94] [CITE@en[Do not allow CORS responses to "same-origin" requests]]
([[annevk]]著, [TIME[2018-01-06 20:56:46 +09:00]])
<https://github.com/whatwg/fetch/commit/548bca234ad5d0296030b2384cc0b784799c4664>

[95] [CITE@en[1427978 - Update the WPT test we expected failure after rejecting the CORS synthesized response for the same-origin request]]
([TIME[2018-01-09 11:28:26 +09:00]])
<https://bugzilla.mozilla.org/show_bug.cgi?id=1427978>

[96] [CITE@en[consider failing same-origin fetch requests that get a cross-origin cors Response synthesized by a service worker · Issue #629 · whatwg/fetch]]
([TIME[2018-01-09 11:28:53 +09:00]])
<https://github.com/whatwg/fetch/issues/629>

[97] [CITE@en[Do not allow CORS responses to "same-origin" requests by annevk · Pull Request #655 · whatwg/fetch]]
([TIME[2018-01-09 11:28:59 +09:00]])
<https://github.com/whatwg/fetch/pull/655>

[98] [CITE@en[Return a network error for mode "no-cors" and redirect mode not "follow"]]
([[youennf]]著, [TIME[2018-01-23 21:23:16 +09:00]])
<https://github.com/whatwg/fetch/commit/14858d3e9402285a7ff3b5e47a22896ff3adc95d>

[99] [CITE@en[Return a network error in case of no-cors mode and redirect being not follow by youennf · Pull Request #663 · whatwg/fetch]]
([TIME[2018-01-24 12:58:14 +09:00]])
<https://github.com/whatwg/fetch/pull/663>

[100] [CITE@en[Deprecations and removals in Chrome 66  |  Web  |  Google Developers]]
([TIME[2018-03-30 01:37:56 +09:00]])
<https://developers.google.com/web/updates/2018/03/chrome-66-deprecations>

[101] [CITE@en[Export the definition of CORS-same-origin by csnardi · Pull Request #3605 · whatwg/html]]
([TIME[2018-04-04 15:46:38 +09:00]])
<https://github.com/whatwg/html/pull/3605>

[102] [CITE@en[IETF HTML5 Meeting March 2009 - W3C Wiki]]
([TIME[2018-04-21 13:28:11 +09:00]])
<https://www.w3.org/wiki/IETF_HTML5_Meeting_March_2009>

[103] [CITE@en[Avoid using the CORS flag to reset request's origin in redirects by annevk · Pull Request #594 · whatwg/fetch]]
([TIME[2018-06-01 01:01:46 +09:00]])
<https://github.com/whatwg/fetch/pull/594>

[104] [CITE@en[Make CORS-preflight fetches set the CORS flag]]
([[annevk]]著, [TIME[2018-05-28 21:39:53 +09:00]])
<https://github.com/whatwg/fetch/commit/9334fcbd34dc17e4508582c9fdc57f20ba5b728e>

[105] [CITE@en[Remove Reporting API from CORS exceptions]]
([[dcreager]]著, [TIME[2018-07-31 17:03:24 +09:00]])
<https://github.com/whatwg/fetch/commit/b3492ec22778d1e5705432d80b82dfa7664aedf0>

[106] [CITE@en[Remove Reporting API from CORS exceptions by dcreager · Pull Request #776 · whatwg/fetch]]
([TIME[2018-08-05 14:58:53 +09:00]])
<https://github.com/whatwg/fetch/pull/776>

[107] [CITE@en[Are report uploads supposed to send CORS preflights? · Issue #41 · w3c/reporting]]
([TIME[2018-08-05 15:00:02 +09:00]])
<https://github.com/w3c/reporting/issues/41>

[108] [CITE@en[Clarify CORS behavior for report uploads by dcreager · Pull Request #97 · w3c/reporting]]
([TIME[2018-08-05 15:01:27 +09:00]])
<https://github.com/w3c/reporting/pull/97>

[109] [CITE@en[Strengthen requirements on CORS even further by having a maximum comb…]]
([[annevk]]著, [TIME[2018-05-30 21:31:43 +09:00]])
<https://github.com/whatwg/fetch/commit/e2d62ff1df77105c519360948174a135c5eabb6c>

[110] [CITE@en[CORS-safelisted request headers should be restricted according to RFC 7231 · Issue #382 · whatwg/fetch]]
([TIME[2018-08-22 19:09:16 +09:00]])
<https://github.com/whatwg/fetch/issues/382>

[111] [CITE@en[Strengthen requirements on Headers with guard "request-no-cors"]]
([[annevk]]著, [TIME[2018-05-30 20:28:48 +09:00]])
<https://github.com/whatwg/fetch/commit/cb30d8c72879b18b1e03dc3609d1976d871c28c2>

[112] [CITE@en[Cleanup remaining Document/Window object relations]]
([[annevk]]著, [TIME[2018-08-17 18:45:49 +09:00]])
<https://github.com/whatwg/html/commit/39dbb3e6de4216476cf7193ad9e5d56a861d5297>

[113] [CITE@en[Editorial: use "append" to modify the header list]]
([[ryzokuken]]著, [TIME[2018-09-10 21:41:01 +09:00]])
<https://github.com/whatwg/fetch/commit/daca6a824c0c6c5e22b7f7eb70001f36c1732cb1>

[114] [CITE@en[Use "append" instead of "set" to modify the header list · Issue #758 · whatwg/fetch]]
([TIME[2018-10-17 13:04:32 +09:00]])
<https://github.com/whatwg/fetch/issues/758>

[115] [CITE@en[Editorial: Use "append" to modify the header list by ryzokuken · Pull Request #807 · whatwg/fetch]]
([TIME[2018-10-17 13:04:47 +09:00]])
<https://github.com/whatwg/fetch/pull/807>

[116] [CITE@en[Make CORS-preflight fetches set the CORS flag]]
([[annevk]]著, [TIME[2018-05-28 21:39:53 +09:00]])
<https://github.com/whatwg/fetch/commit/9334fcbd34dc17e4508582c9fdc57f20ba5b728e>

[117] [CITE@en[CORS-preflight fetch · Issue #741 · whatwg/fetch]]
([TIME[2019-02-27 13:52:24 +09:00]])
<https://github.com/whatwg/fetch/issues/741>

[118] [CITE@en[Make CORS-preflight fetches set the CORS flag by annevk · Pull Request #743 · whatwg/fetch]]
([TIME[2019-02-27 13:52:33 +09:00]])
<https://github.com/whatwg/fetch/pull/743>

[119] [CITE@en[Editorial: remove leftover sentence]]
([[annevk]]著, [TIME[2018-10-17 18:00:23 +09:00]])
<https://github.com/whatwg/fetch/commit/eaaa050abd1904756a25fdc4219a372fe133869f>

[120] [CITE@en[Editorial: remove leftover sentence by annevk · Pull Request #815 · whatwg/fetch]]
([TIME[2019-03-04 18:43:52 +09:00]])
<https://github.com/whatwg/fetch/pull/815>

[121] [CITE@en[Refactor the CORS check]]
([[annevk]]著, [TIME[2018-11-06 00:30:35 +09:00]])
<https://github.com/whatwg/fetch/commit/3fb65a008886005a0ad2821e76933f971f27ea60>

[122] [CITE@en[Refactor the CORS check]]
([[annevk]]著, [TIME[2018-11-06 00:30:35 +09:00]])
<https://github.com/whatwg/fetch/commit/3fb65a008886005a0ad2821e76933f971f27ea60>

[123] [CITE@en[Refactor the CORS check by annevk · Pull Request #824 · whatwg/fetch]]
([TIME[2019-03-08 12:23:41 +09:00]])
<https://github.com/whatwg/fetch/pull/824>

[124] [CITE@en[Introduce a bit to indicate the server doesn't do IP-based authentication · Issue #1993 · quicwg/base-drafts]]
([TIME[2019-03-12 12:07:16 +09:00]])
<https://github.com/quicwg/base-drafts/issues/1993>

[125] [CITE@en[fetch() "no-cors": cross-origin to same-origin redirect taints response · Issue #737 · whatwg/fetch]]
([TIME[2019-04-19 14:43:10 +09:00]])
<https://github.com/whatwg/fetch/issues/737>

[126] [CITE@en[Memorandum of Understanding Between W3C and WHATWG]]
([TIME[2019-05-28 17:23:37 +09:00]])
<https://www.w3.org/2019/04/WHATWG-W3C-MOU.html>

[127] [CITE@en[Editorial: use %s ABNF notation]]
([[annevk]]著, [TIME[2018-12-12 20:25:58 +09:00]])
<https://github.com/whatwg/fetch/commit/e69e9c2b73b1aac124de47e8f32ee8979dfdb77a>

[128] [CITE@en[Note that cookies take effect despite CORS failures]]
([[Osintopsec]]著, [TIME[2019-01-23 20:16:10 +09:00]])
<https://github.com/whatwg/fetch/commit/d219389264742ce9bb3411601f680f54a77e2f3a>

[129] [CITE@en[Doc: failed CORS fetch with credentials should ignore Set-Cookie response header · Issue #855 · whatwg/fetch]]
([TIME[2019-06-18 15:24:30 +09:00]])
<https://github.com/whatwg/fetch/issues/855>

[130] [CITE@en[Change 3.2.6 Examples to reflect current state of implementations by Osintopsec · Pull Request #858 · whatwg/fetch]]
([TIME[2019-06-18 15:26:41 +09:00]])
<https://github.com/whatwg/fetch/pull/858>

[131] [CITE@en[Editorial: spell no-cors no-CORS as part of names]]
([[annevk]]著, [TIME[2018-11-15 00:08:26 +09:00]])
<https://github.com/whatwg/fetch/commit/00ef0c4215e481a465dba18542fd8b4e3b236504>

[132] [CITE@en[Headers API corrections by annevk · Pull Request #833 · whatwg/fetch]]
([TIME[2019-06-19 13:57:02 +09:00]])
<https://github.com/whatwg/fetch/pull/833>

[133] [CITE@en[Close no-CORS Headers API holes]]
([[annevk]]著, [TIME[2018-11-15 00:48:05 +09:00]])
<https://github.com/whatwg/fetch/commit/ba2fb9c3916e7b420b2efbe70a215d2ee0d5a01e>

[134] [CITE@en[Headers API corrections by annevk · Pull Request #833 · whatwg/fetch]]
([TIME[2019-06-21 12:41:03 +09:00]])
<https://github.com/whatwg/fetch/pull/833>

[135] [CITE@en[Set CORS preflight requests' mode to "cors"]]
([[mikewest]]著, [TIME[2019-07-16 21:36:35 +09:00]])
<https://github.com/whatwg/fetch/commit/2d0d7bdec1880ed1d7df091c9d2f7604ea9f2a9c>

[136] [CITE@en[Set CORS preflight requests' `mode` to `cors`. by mikewest · Pull Request #916 · whatwg/fetch]]
([TIME[2020-01-12 16:28:14 +09:00]])
<https://github.com/whatwg/fetch/pull/916>

[137] [CITE@en[Decide on the proper `mode' value for CORS preflight requests · Issue #35 · w3c/webappsec-fetch-metadata]]
([TIME[2020-01-12 16:28:41 +09:00]])
<https://github.com/w3c/webappsec-fetch-metadata/issues/35>

[138] [CITE@en[Add Accept: */* to CORS-preflight request's headers]]
([[perryjiang]]著, [TIME[2019-09-27 18:42:12 +09:00]])
<https://github.com/whatwg/fetch/commit/412723bae95dcc1541e6aad13b8bf42d8afcfe93>

[139] [CITE@en[specify default accept header on cors preflight · Issue #922 · whatwg/fetch]]
([TIME[2020-02-01 14:47:35 +09:00]])
<https://github.com/whatwg/fetch/issues/922>

[140] [CITE@en[Add Accept: */* to CORS-preflight requests' headers by perryjiang · Pull Request #941 · whatwg/fetch]]
([TIME[2020-02-01 14:48:06 +09:00]])
<https://github.com/whatwg/fetch/pull/941>

[141] 
[[CORS]] 回避ってなんやねんw プロトコルを理解していない証拠やな

[142] [CITE@en-US[Cross-Origin Resource Sharing]]
([TIME[2020-06-02 02:20:05 +09:00]])
<https://www.w3.org/TR/2020/SPSD-cors-20200602/>

[143] [CITE@en[Editorial: remove the CORS flag]]
([[annevk]], [TIME[2019-11-11 19:02:42 +09:00]], [TIME[2021-03-16T07:18:45.000Z]])
<https://github.com/whatwg/fetch/commit/65138f3f20a80020e405c5a0fb3675abfd884013>

[144] [CITE@en[Remove the CORS flag by annevk · Pull Request #960 · whatwg/fetch]]
([TIME[2021-03-16T07:24:31.000Z]])
<https://github.com/whatwg/fetch/pull/960>