[discovery-api] Re-write CORS-related parts of the spec following subsequent feedback on http://lists.w3.org/Archives/Public/public-device-apis/2013Oct/0049.html
authorRich Tibbett <richt@opera.com>
Thu, 10 Oct 2013 12:36:37 +1100
changeset 483 140b6c8d4c18
parent 482 6968bc039244
child 484 608edb43c84d
[discovery-api] Re-write CORS-related parts of the spec following subsequent feedback on http://lists.w3.org/Archives/Public/public-device-apis/2013Oct/0049.html
discovery-api/Overview.html
discovery-api/Overview.src.html
--- a/discovery-api/Overview.html	Mon Oct 07 09:41:44 2013 +0300
+++ b/discovery-api/Overview.html	Thu Oct 10 12:36:37 2013 +1100
@@ -224,10 +224,10 @@
       </h1>
       <h2 property="dcterms:issued"
           datatype="xsd:dateTime"
-          content="2013-10-06T16:06:07.000Z"
-          id="w3c-editor-s-draft-07-october-2013">
+          content="2013-10-09T14:32:43.000Z"
+          id="w3c-editor-s-draft-10-october-2013">
         <abbr title="World Wide Web Consortium">W3C</abbr> Editor's Draft <time class="dt-published"
-            datetime="2013-10-07">07 October 2013</time>
+            datetime="2013-10-10">10 October 2013</time>
       </h2>
       <dl>
         <dt>
@@ -540,8 +540,8 @@
         "#dfn-service-discovery-mechanisms"
            class="internalDFN">service discovery mechanisms</a> included in this recommendation, attempts to match the
            requested service type to a discovered service according to the processing described herein. Only
-           Local-networked Services that pass a <a href="#dfn-cors-preflight-check"
-           class="internalDFN">CORS preflight check</a> should be made available to web pages by a user agent. A user
+           Local-networked Services that pass a <a href="#dfn-preliminary-cors-check"
+           class="internalDFN">preliminary CORS check</a> should be made available to web pages by a user agent. A user
            agent may provide a way for users to white-list non-CORS enabled Local-networked Services but implementation
            of such a feature is left to the discretion of the implementer.
       </p>
@@ -854,16 +854,14 @@
         <p>
           A <a href="#dfn-user-agent"
              class="internalDFN">user agent</a> <em class="rfc2119"
-             title="MUST">MUST</em> allow web pages to connect only with Local-networked Services that have passed a
-             <a href="#dfn-cors-preflight-check"
-             class="internalDFN">CORS preflight check</a> indicating they support Cross-Origin Resource Sharing
+             title="SHOULD">SHOULD</em> only allow web pages to connect with Local-networked Services that have passed
+             a <a href="#dfn-preliminary-cors-check"
+             class="internalDFN">preliminary CORS check</a> indicating they support Cross-Origin Resource Sharing
              [<cite><a class="bibref"
-             href="#bib-CORS">CORS</a></cite>] during the <a href="#dfn-service-discovery-mechanisms"
-             class="internalDFN">service discovery mechanisms</a> provided in this specification. In this way, a
-             <a href="#dfn-user-agent"
+             href="#bib-CORS">CORS</a></cite>]. In this way, a <a href="#dfn-user-agent"
              class="internalDFN">user agent</a> <em class="rfc2119"
-             title="MUST NOT">MUST NOT</em> allow web pages to access other arbitrary networked services on the current
-             local network.
+             title="SHOULD NOT">SHOULD NOT</em> allow web pages to access other arbitrary networked services on the
+             current local network.
         </p>
         <p>
           A <a href="#dfn-user-agent"
@@ -1054,14 +1052,26 @@
               <ol class="rule">
                 <li>For each <var>requested control type</var> in <var>requested control types</var>: If <var>available
                 service</var>'s <code>type</code> attribute equals the <var>requested control type</var> then let <var>
-                  matched service</var> equal the value of <var>available service</var> and continue at the step
-                  labeled <var>attach</var> below.
+                  matched service</var> equal the value of <var>available service</var>. Otherwise, abort the remaining
+                  sub-steps and continue above at the next <var>available service</var>.
                 </li>
-                <li>Continue at the next <var>available service</var>.
-                </li>
-                <li>
-                  <em>Attach</em>: If <var>matched service</var> is not empty then run the following steps:
+                <li>If <var>matched service</var> is not empty then run the following steps:
                   <ol class="rule">
+                    <li>Let <var>CORS check result</var> be the result of running the <a href=
+                    "#dfn-preliminary-cors-check"
+                          class="internalDFN">preliminary CORS check</a> algorithm, passing in <var>matched
+                          services</var>'s <code>url</code> attribute as the <var>control endpoint URL</var> argument
+                          and the <a href=
+                          "http://www.whatwg.org/specs/web-apps/current-work/complete/browsers.html#entry-script"
+                          class="externalDFN">entry script</a>'s <a href=
+                          "http://www.whatwg.org/specs/web-apps/current-work/complete/origin-0.html#origin"
+                          class="externalDFN">origin</a> as the <var>request origin</var> argument.
+                    </li>
+                    <li>If <var>CORS check result</var> is not <code>pass</code> and <var>matched service</var>'s
+                    <code>type</code> attribute is also not present in the <a href="#dfn-network-services-whitelist"
+                          class="internalDFN">network services whitelist</a> then abort the remaining sub-steps and
+                          continue above at the next <var>available service</var>.
+                    </li>
                     <li>Let <var>new service object</var> be a new <a href=
                     "#networkservice"><code>NetworkService</code></a> object, mapping the parameters of <var>matched
                     service</var> to this new object where possible.
@@ -1191,9 +1201,55 @@
                class="externalDFN">user interaction task source</a>.
           </p>
           <p>
+            The <dfn id="dfn-preliminary-cors-check">preliminary CORS check</dfn> algorithm determines whether a
+            Local-networked Service supports Cross-Origin Resource Sharing [<cite><a class="bibref"
+               href="#bib-CORS">CORS</a></cite>] as part of a call to the <a href=
+               "#dom-navigator-getnetworkservices"><code>getNetworkServices()</code></a> method, prior to that service
+               being proposed for sharing to users and prior to active sharing with web pages. This algorithm takes two
+               arguments, <var>control endpoint URL</var> and <var>request origin</var>, and consists of running the
+               following steps:
+          </p>
+          <ol class="rule">
+            <li>Let <var>CORS available check</var> be the result of applying the <a href=
+            "http://www.w3.org/TR/cors/#make-a-request-steps"
+                  class="externalDFN">make a request steps</a> [<cite><a class="bibref"
+                 href="#bib-CORS">CORS</a></cite>], setting the <a href="http://www.w3.org/TR/cors/#request-method"
+                  class="externalDFN">request method</a> to <code>OPTIONS</code>, the <a href=
+                  "http://www.w3.org/TR/cors/#request-url"
+                  class="externalDFN">request URL</a> to <var>control endpoint URL</var>, the <a href=
+                  "http://www.w3.org/TR/cors/#source-origin"
+                  class="externalDFN">source origin</a> to <var>request origin</var>, setting the <a href=
+                  "http://www.w3.org/TR/cors/#omit-credentials-flag"
+                  class="externalDFN">omit credentials flag</a> to <code>true</code> and including an <a href=
+                  "http://www.w3.org/TR/cors/#http-access-control-request-method"
+                  class="externalDFN"><code>Access-Control-Request-Method</code></a> header with a value of
+                  <code>GET</code>.
+            </li>
+            <li>If <var>CORS available check</var> is cancelled by the user, or it results in a network error, or its
+            response does not have an <abbr title="Hypertext Transfer Protocol">HTTP</abbr> status code of
+            <code>200</code> then abort any remaining steps and return <code>fail</code>.
+            </li>
+            <li>Return the result of running the <a href="http://www.w3.org/TR/cors/#resource-sharing-check"
+                  class="externalDFN">resource sharing check</a> [<cite><a class="bibref"
+                 href="#bib-CORS">CORS</a></cite>] against the successful <abbr title=
+                 "Hypertext Transfer Protocol">HTTP</abbr> response of the <var>CORS available check</var>.
+              <div class="note">
+                <div class="note-title"
+                     aria-level="3"
+                     role="heading"
+                     id="h_note_1">
+                  <span>Note</span>
+                </div>
+                <p class="">
+                  This returned result will always be either <code>pass</code> or <code>fail</code>.
+                </p>
+              </div>
+            </li>
+          </ol>
+          <p>
             There is no implied persistence to networked service sharing provided to a web page. It <em class="rfc2119"
-               title="MUST NOT">MUST NOT</em> be possible to access a previously white-listed networked service without
-               user authorization in all of the following cases:
+               title="MUST NOT">MUST NOT</em> be possible to access a networked service previously granted to a web
+               page without user authorization in all of the following cases:
           </p>
           <ul>
             <li>If the current script is reloaded at any point in the same or different window.
@@ -1396,7 +1452,7 @@
           <div class="note-title"
                aria-level="3"
                role="heading"
-               id="h_note_1">
+               id="h_note_2">
             <span>Note</span>
           </div>
           <p class="">
@@ -1897,49 +1953,6 @@
            class="internalDFN">removing an available service</a>, passing in the expired service record's
            <code>id</code> attribute as the only argument.
       </p>
-      <p>
-        The <dfn id="dfn-cors-preflight-check">CORS preflight check</dfn> algorithm determines whether a
-        Local-networked Service supports Cross-Origin Resource Sharing [<cite><a class="bibref"
-           href="#bib-CORS">CORS</a></cite>] prior to that service being proposed for sharing to users and prior to
-           active sharing with web pages. This algorithm takes one argument, <var>control endpoint URL</var>, and
-           consists of running the following steps:
-      </p>
-      <ol class="rule">
-        <li>Let <var>cross-origin request status</var> be set to the resulting value of <a href=
-        "http://www.w3.org/TR/cors/#cross-origin-request-status"
-              class="externalDFN">cross-origin request status</a> [<cite><a class="bibref"
-             href="#bib-CORS">CORS</a></cite>] after performing a <a href=
-             "http://www.w3.org/TR/cors/#cross-origin-request-with-preflight"
-              class="externalDFN">cross-origin request with preflight</a> [<cite><a class="bibref"
-             href="#bib-CORS">CORS</a></cite>] towards the <var>control endpoint URL</var> with the <a href=
-             "http://www.w3.org/TR/cors/#source-origin"
-              class="externalDFN">source origin</a> [<cite><a class="bibref"
-             href="#bib-CORS">CORS</a></cite>] set to the public IP address of the current machine, terminating this
-             algorithm at Step 2 (when <a href="http://www.w3.org/TR/cors/#cross-origin-request-status"
-              class="externalDFN">cross-origin request status</a> has been set to <var>preflight complete</var> or a
-              prior error has occurred in the algorithm).
-        </li>
-        <li>If <var>cross-origin request status</var> is set to <var>preflight complete</var> then return
-        <code>pass</code>. Otherwise, return <code>fail</code>.
-        </li>
-      </ol>
-      <p>
-        User agents <em class="rfc2119"
-           title="SHOULD">SHOULD</em> re-run the <a href="#dfn-cors-preflight-check"
-           class="internalDFN">CORS preflight check</a> algorithm against service endpoint URLs when their <a href=
-           "http://www.w3.org/TR/cors/#cache-max-age"
-           class="externalDFN">max-age</a> [<cite><a class="bibref"
-           href="#bib-CORS">CORS</a></cite>] entry in the <a href="http://www.w3.org/TR/cors/#preflight-result-cache"
-           class="externalDFN">preflight result cache</a> [<cite><a class="bibref"
-           href="#bib-CORS">CORS</a></cite>] exceeds the current time. If this subsequent execution of the <a href=
-           "#dfn-cors-preflight-check"
-           class="internalDFN">CORS preflight check</a> algorithm returns <code>fail</code> then the <a href=
-           "#dfn-user-agent"
-           class="internalDFN">user agent</a> <em class="rfc2119"
-           title="MUST">MUST</em> run the general rule for <a href="#dfn-removing-an-available-service"
-           class="internalDFN">removing an available service</a> passing in the associated <var>network service
-           record</var>'s <code>id</code> attribute as the only argument.
-      </p>
       <section id="zeroconf-mdns-dns-sd">
         <h3 aria-level="2"
             role="heading"
@@ -1999,16 +2012,9 @@
               <li>Set <var>network service record</var>'s <code>expiryTimestamp</code> property to the value of the
               current date, in UTC timestamp format, plus a value of <code>120</code> seconds.
               </li>
-              <li>If the result of running the <a href="#dfn-cors-preflight-check"
-                    class="internalDFN">CORS preflight check</a> algorithm is <code>pass</code>, passing in the current
-                    <var>network service record</var>'s <code>url</code> property as the only argument, or the current
-                    <var>network service record</var>'s <code>type</code> property is present in the <a href=
-                    "#dfn-network-services-whitelist"
-                    class="internalDFN">network services whitelist</a> then run the general rule for <a href=
-                    "#dfn-adding-an-available-service"
+              <li>Run the general rule for <a href="#dfn-adding-an-available-service"
                     class="internalDFN">adding an available service</a>, passing in the current <var>network service
-                    record</var> as the only argument. Otherwise, discard the current <var>network service
-                    record</var>.
+                    record</var> as the only argument.
               </li>
             </ol>
           </li>
@@ -2248,16 +2254,9 @@
               <li>Set <var>network service record</var>'s <code>expiryTimestamp</code> property to the value of the
               current date, in UTC timestamp format, plus the value of <var>device expiry</var>.
               </li>
-              <li>If the result of running the <a href="#dfn-cors-preflight-check"
-                    class="internalDFN">CORS preflight check</a> algorithm is <code>pass</code>, passing in the current
-                    <var>network service record</var>'s <code>url</code> property as the only argument, or the current
-                    <var>network service record</var>'s <code>type</code> property is present in the <a href=
-                    "#dfn-network-services-whitelist"
-                    class="internalDFN">network services whitelist</a> then run the general rule for <a href=
-                    "#dfn-adding-an-available-service"
+              <li>Run the general rule for <a href="#dfn-adding-an-available-service"
                     class="internalDFN">adding an available service</a>, passing in the current <var>network service
-                    record</var> as the only argument. Otherwise, discard the current <var>network service
-                    record</var>.
+                    record</var> as the only argument.
               </li>
             </ol>
           </li>
@@ -2552,16 +2551,9 @@
               <li>Set <var>network service record</var>'s <code>expiryTimestamp</code> property to the value of the
               current date, in UTC timestamp format, plus the value of <var>device expiry</var>.
               </li>
-              <li>If the result of running the <a href="#dfn-cors-preflight-check"
-                    class="internalDFN">CORS preflight check</a> algorithm is <code>pass</code>, passing in the current
-                    <var>network service record</var>'s <code>url</code> property as the only argument, or the current
-                    <var>network service record</var>'s <code>type</code> property is present in the <a href=
-                    "#dfn-network-services-whitelist"
-                    class="internalDFN">network services whitelist</a> then run the general rule for <a href=
-                    "#dfn-adding-an-available-service"
+              <li>Run the general rule for <a href="#dfn-adding-an-available-service"
                     class="internalDFN">adding an available service</a>, passing in the current <var>network service
-                    record</var> as the only argument. Otherwise, discard the current <var>network service
-                    record</var>.
+                    record</var> as the only argument.
               </li>
             </ol>
           </li>
@@ -2710,7 +2702,7 @@
         <div class="note-title"
              aria-level="2"
              role="heading"
-             id="h_note_2">
+             id="h_note_3">
           <span>Note</span>
         </div>
         <p class="">
@@ -3276,10 +3268,7 @@
         "World Wide Web Consortium">W3C</abbr> Device APIs Working Group, <abbr title=
         "World Wide Web Consortium">W3C</abbr> Web and TV Interest Group.
       </p>
-    </section><style>
-a.externalDFN { color: #00C; border-bottom: 1px dashed #00C; }
-    a.internalDFN { color: #00C; text-decoration: solid; }
-    </style>
+    </section>
     <section id="references"
              class="appendix"
              typeof="bibo:Chapter"
@@ -3387,6 +3376,9 @@
           </dd>
         </dl>
       </section>
-    </section>
+    </section><style>
+a.externalDFN { color: #00C; border-bottom: 1px dashed #00C; }
+    a.internalDFN { color: #00C; text-decoration: solid; }
+    </style>
   </body>
 </html>
--- a/discovery-api/Overview.src.html	Mon Oct 07 09:41:44 2013 +0300
+++ b/discovery-api/Overview.src.html	Thu Oct 10 12:36:37 2013 +1100
@@ -143,10 +143,10 @@
       <p>
         The user agent, having captured all advertised services on the network from the <a>service discovery
         mechanisms</a> included in this recommendation, attempts to match the requested service type to a discovered
-        service according to the processing described herein. Only Local-networked Services that pass a <a>CORS
-        preflight check</a> should be made available to web pages by a user agent. A user agent may provide a way for
-        users to white-list non-CORS enabled Local-networked Services but implementation of such a feature is left to
-        the discretion of the implementer.
+        service according to the processing described herein. Only Local-networked Services that pass a <a>preliminary
+        CORS check</a> should be made available to web pages by a user agent. A user agent may provide a way for users
+        to white-list non-CORS enabled Local-networked Services but implementation of such a feature is left to the
+        discretion of the implementer.
       </p>
       <p>
         If a service connectivity request is successful then the Web page is provided with a promise-based success
@@ -356,10 +356,10 @@
           Security considerations for API implementations
         </h3>
         <p>
-          A <a>user agent</a> MUST allow web pages to connect only with Local-networked Services that have passed a
-          <a>CORS preflight check</a> indicating they support Cross-Origin Resource Sharing [[!CORS]] during the
-          <a>service discovery mechanisms</a> provided in this specification. In this way, a <a>user agent</a> MUST NOT
-          allow web pages to access other arbitrary networked services on the current local network.
+          A <a>user agent</a> SHOULD only allow web pages to connect with Local-networked Services that have passed a
+          <a>preliminary CORS check</a> indicating they support Cross-Origin Resource Sharing [[!CORS]]. In this way, a
+          <a>user agent</a> SHOULD NOT allow web pages to access other arbitrary networked services on the current
+          local network.
         </p>
         <p>
           A <a>user agent</a> MAY provide a way for users to enable access to non-CORS enabled Local-networked Services
@@ -515,14 +515,23 @@
               <ol class="rule">
                 <li>For each <var>requested control type</var> in <var>requested control types</var>: If <var>available
                 service</var>'s <code>type</code> attribute equals the <var>requested control type</var> then let <var>
-                  matched service</var> equal the value of <var>available service</var> and continue at the step
-                  labeled <var>attach</var> below.
+                  matched service</var> equal the value of <var>available service</var>. Otherwise, abort the remaining
+                  sub-steps and continue above at the next <var>available service</var>.
                 </li>
-                <li>Continue at the next <var>available service</var>.
-                </li>
-                <li>
-                  <em>Attach</em>: If <var>matched service</var> is not empty then run the following steps:
+                <li>If <var>matched service</var> is not empty then run the following steps:
                   <ol class="rule">
+                    <li>Let <var>CORS check result</var> be the result of running the <a>preliminary CORS check</a>
+                    algorithm, passing in <var>matched services</var>'s <code>url</code> attribute as the <var>control
+                    endpoint URL</var> argument and the <a href=
+                    "http://www.whatwg.org/specs/web-apps/current-work/complete/browsers.html#entry-script"
+                          class="externalDFN">entry script</a>'s <a href=
+                          "http://www.whatwg.org/specs/web-apps/current-work/complete/origin-0.html#origin"
+                          class="externalDFN">origin</a> as the <var>request origin</var> argument.
+                    </li>
+                    <li>If <var>CORS check result</var> is not <code>pass</code> and <var>matched service</var>'s
+                    <code>type</code> attribute is also not present in the <a>network services whitelist</a> then abort
+                    the remaining sub-steps and continue above at the next <var>available service</var>.
+                    </li>
                     <li>Let <var>new service object</var> be a new <a href=
                     "#networkservice"><code>NetworkService</code></a> object, mapping the parameters of <var>matched
                     service</var> to this new object where possible.
@@ -631,9 +640,45 @@
                class="externalDFN">user interaction task source</a>.
           </p>
           <p>
+            The <dfn>preliminary CORS check</dfn> algorithm determines whether a Local-networked Service supports
+            Cross-Origin Resource Sharing [[!CORS]] as part of a call to the <a href=
+            "#dom-navigator-getnetworkservices"><code>getNetworkServices()</code></a> method, prior to that service
+            being proposed for sharing to users and prior to active sharing with web pages. This algorithm takes two
+            arguments, <var>control endpoint URL</var> and <var>request origin</var>, and consists of running the
+            following steps:
+          </p>
+          <ol class="rule">
+            <li>Let <var>CORS available check</var> be the result of applying the <a href=
+            "http://www.w3.org/TR/cors/#make-a-request-steps"
+                  class="externalDFN">make a request steps</a> [[!CORS]], setting the <a href=
+                  "http://www.w3.org/TR/cors/#request-method"
+                  class="externalDFN">request method</a> to <code>OPTIONS</code>, the <a href=
+                  "http://www.w3.org/TR/cors/#request-url"
+                  class="externalDFN">request URL</a> to <var>control endpoint URL</var>, the <a href=
+                  "http://www.w3.org/TR/cors/#source-origin"
+                  class="externalDFN">source origin</a> to <var>request origin</var>, setting the <a href=
+                  "http://www.w3.org/TR/cors/#omit-credentials-flag"
+                  class="externalDFN">omit credentials flag</a> to <code>true</code> and including an <a href=
+                  "http://www.w3.org/TR/cors/#http-access-control-request-method"
+                  class="externalDFN"><code>Access-Control-Request-Method</code></a> header with a value of
+                  <code>GET</code>.
+            </li>
+            <li>If <var>CORS available check</var> is cancelled by the user, or it results in a network error, or its
+            response does not have an HTTP status code of <code>200</code> then abort any remaining steps and return
+            <code>fail</code>.
+            </li>
+            <li>Return the result of running the <a href="http://www.w3.org/TR/cors/#resource-sharing-check"
+                  class="externalDFN">resource sharing check</a> [[!CORS]] against the successful HTTP response of the
+                  <var>CORS available check</var>.
+              <p class="note">
+                This returned result will always be either <code>pass</code> or <code>fail</code>.
+              </p>
+            </li>
+          </ol>
+          <p>
             There is no implied persistence to networked service sharing provided to a web page. It MUST NOT be
-            possible to access a previously white-listed networked service without user authorization in all of the
-            following cases:
+            possible to access a networked service previously granted to a web page without user authorization in all
+            of the following cases:
           </p>
           <ul>
             <li>If the current script is reloaded at any point in the same or different window.
@@ -1248,39 +1293,6 @@
         <a>user agent</a> SHOULD run the rule for <a>removing an available service</a>, passing in the expired service
         record's <code>id</code> attribute as the only argument.
       </p>
-      <p>
-        The <dfn>CORS preflight check</dfn> algorithm determines whether a Local-networked Service supports
-        Cross-Origin Resource Sharing [[!CORS]] prior to that service being proposed for sharing to users and prior to
-        active sharing with web pages. This algorithm takes one argument, <var>control endpoint URL</var>, and consists
-        of running the following steps:
-      </p>
-      <ol class="rule">
-        <li>Let <var>cross-origin request status</var> be set to the resulting value of <a href=
-        "http://www.w3.org/TR/cors/#cross-origin-request-status"
-              class="externalDFN">cross-origin request status</a> [[!CORS]] after performing a <a href=
-              "http://www.w3.org/TR/cors/#cross-origin-request-with-preflight"
-              class="externalDFN">cross-origin request with preflight</a> [[!CORS]] towards the <var>control endpoint
-              URL</var> with the <a href="http://www.w3.org/TR/cors/#source-origin"
-              class="externalDFN">source origin</a> [[!CORS]] set to the public IP address of the current machine,
-              terminating this algorithm at Step 2 (when <a href=
-              "http://www.w3.org/TR/cors/#cross-origin-request-status"
-              class="externalDFN">cross-origin request status</a> has been set to <var>preflight complete</var> or a
-              prior error has occurred in the algorithm).
-        </li>
-        <li>If <var>cross-origin request status</var> is set to <var>preflight complete</var> then return
-        <code>pass</code>. Otherwise, return <code>fail</code>.
-        </li>
-      </ol>
-      <p>
-        User agents SHOULD re-run the <a>CORS preflight check</a> algorithm against service endpoint URLs when their
-        <a href="http://www.w3.org/TR/cors/#cache-max-age"
-           class="externalDFN">max-age</a> [[!CORS]] entry in the <a href=
-           "http://www.w3.org/TR/cors/#preflight-result-cache"
-           class="externalDFN">preflight result cache</a> [[!CORS]] exceeds the current time. If this subsequent
-           execution of the <a>CORS preflight check</a> algorithm returns <code>fail</code> then the <a>user agent</a>
-           MUST run the general rule for <a>removing an available service</a> passing in the associated <var>network
-           service record</var>'s <code>id</code> attribute as the only argument.
-      </p>
       <section>
         <h4>
           Zeroconf (<abbr title="Multicast DNS">mDNS</abbr> + <abbr title="Domain Name System">DNS</abbr>-<abbr title=
@@ -1323,12 +1335,8 @@
               <li>Set <var>network service record</var>'s <code>expiryTimestamp</code> property to the value of the
               current date, in UTC timestamp format, plus a value of <code>120</code> seconds.
               </li>
-              <li>If the result of running the <a>CORS preflight check</a> algorithm is <code>pass</code>, passing in
-              the current <var>network service record</var>'s <code>url</code> property as the only argument, or the
-              current <var>network service record</var>'s <code>type</code> property is present in the <a>network
-              services whitelist</a> then run the general rule for <a>adding an available service</a>, passing in the
-              current <var>network service record</var> as the only argument. Otherwise, discard the current
-              <var>network service record</var>.
+              <li>Run the general rule for <a>adding an available service</a>, passing in the current <var>network
+              service record</var> as the only argument.
               </li>
             </ol>
           </li>
@@ -1493,12 +1501,8 @@
               <li>Set <var>network service record</var>'s <code>expiryTimestamp</code> property to the value of the
               current date, in UTC timestamp format, plus the value of <var>device expiry</var>.
               </li>
-              <li>If the result of running the <a>CORS preflight check</a> algorithm is <code>pass</code>, passing in
-              the current <var>network service record</var>'s <code>url</code> property as the only argument, or the
-              current <var>network service record</var>'s <code>type</code> property is present in the <a>network
-              services whitelist</a> then run the general rule for <a>adding an available service</a>, passing in the
-              current <var>network service record</var> as the only argument. Otherwise, discard the current
-              <var>network service record</var>.
+              <li>Run the general rule for <a>adding an available service</a>, passing in the current <var>network
+              service record</var> as the only argument.
               </li>
             </ol>
           </li>
@@ -1720,12 +1724,8 @@
               <li>Set <var>network service record</var>'s <code>expiryTimestamp</code> property to the value of the
               current date, in UTC timestamp format, plus the value of <var>device expiry</var>.
               </li>
-              <li>If the result of running the <a>CORS preflight check</a> algorithm is <code>pass</code>, passing in
-              the current <var>network service record</var>'s <code>url</code> property as the only argument, or the
-              current <var>network service record</var>'s <code>type</code> property is present in the <a>network
-              services whitelist</a> then run the general rule for <a>adding an available service</a>, passing in the
-              current <var>network service record</var> as the only argument. Otherwise, discard the current
-              <var>network service record</var>.
+              <li>Run the general rule for <a>adding an available service</a>, passing in the current <var>network
+              service record</var> as the only argument.
               </li>
             </ol>
           </li>