From 3cee98e9d9feccece578879787aec852fae96697 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Fri, 3 May 2024 12:19:21 -0600 Subject: [PATCH] Update allowed HTTP methods in CORS responses --- proposals/4138-update-cors-methods.md | 46 +++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 proposals/4138-update-cors-methods.md diff --git a/proposals/4138-update-cors-methods.md b/proposals/4138-update-cors-methods.md new file mode 100644 index 00000000..98b9047d --- /dev/null +++ b/proposals/4138-update-cors-methods.md @@ -0,0 +1,46 @@ +# MSC4138: Update allowed HTTP methods in CORS responses + +The [specification](https://spec.matrix.org/v1.10/client-server-api/#web-browser-clients) suggests +that servers allow a limited subset of the available [HTTP methods](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods) +available in [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) responses. However, it's +reasonable to expect the specification to use other methods in the future or as part of feature +detection. To permit these use cases early, this MSC proposes adding a few more allowable values to +the `Access-Control-Allow-Methods` header. + +## Proposal + +The `Access-Control-Allow-Methods` header's recommended value is updated to include the following: + +* `PATCH` - A plausibly useful HTTP method for future use. +* `HEAD` - Similar to `PATCH`, `HEAD` is plausibly useful for feature detection and cases like + [MSC4120](https://github.com/matrix-org/matrix-spec-proposals/pull/4120). + +The following methods are *not* included because they don't have foreseeable use in Matrix: + +* `CONNECT` +* `TRACE` + +## Potential issues + +None anticipated. + +## Alternatives + +No significant alternatives. + +## Security considerations + +CORS is meant to help ensure requests made by the client are properly scoped in the client. If the +client wishes to use an HTTP method not allowed by the server, the web browser will mask the +response with an error before the application can inspect it. Therefore, to increase future +compatibility, we append a few useful HTTP methods while still excluding ones which are (currently) +nonsensical. + +## Unstable prefix + +This proposal cannot have an unstable prefix due to the nature of CORS. Servers are already able to +go off-spec and serve different headers because the spec is merely a recommendation. + +## Dependencies + +This proposal has no dependencies.