Update allowed HTTP methods in CORS responses
parent d6edcbd946
commit 3cee98e9d9
@ -0,0 +1,46 @@
# MSC4138: Update allowed HTTP methods in CORS responses
The [specification](https://spec.matrix.org/v1.10/client-server-api/#web-browser-clients) suggests
that servers allow a limited subset of the available [HTTP methods](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
available in [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) responses. However, it's
reasonable to expect the specification to use other methods in the future or as part of feature
detection. To permit these use cases early, this MSC proposes adding a few more allowable values to
the `Access-Control-Allow-Methods` header.
## Proposal
The `Access-Control-Allow-Methods` header's recommended value is updated to include the following:
* `PATCH` - A plausibly useful HTTP method for future use.
* `HEAD` - Similar to `PATCH`, `HEAD` is plausibly useful for feature detection and cases like
[MSC4120](https://github.com/matrix-org/matrix-spec-proposals/pull/4120).
The following methods are *not* included because they don't have foreseeable use in Matrix:
* `CONNECT`
* `TRACE`
## Potential issues
None anticipated.
## Alternatives
No significant alternatives.
## Security considerations
CORS is meant to help ensure requests made by the client are properly scoped in the client. If the
client wishes to use an HTTP method not allowed by the server, the web browser will mask the
response with an error before the application can inspect it. Therefore, to increase future
compatibility, we append a few useful HTTP methods while still excluding ones which are (currently)
nonsensical.
## Unstable prefix
This proposal cannot have an unstable prefix due to the nature of CORS. Servers are already able to
go off-spec and serve different headers because the spec is merely a recommendation.
## Dependencies
This proposal has no dependencies.
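Review bot: the Proposal section only lists the two methods being added (`PATCH` and `HEAD`) and never states the complete resulting recommended value of `Access-Control-Allow-Methods`, so an implementer has to reconstruct it from the linked spec text; quoting the full header value as it would read after this change would make the proposal self-contained and avoid servers drifting on the base list. A second, smaller point in the Security considerations paragraph: "the web browser will mask the response with an error" is not quite what happens for a method missing from `Access-Control-Allow-Methods`. For a preflighted request the browser fails the preflight and never sends the actual request, so the application observes a network error rather than a masked response; rewording to "the browser will block the request" would describe the observable behaviour accurately. It may also be worth stating explicitly that this header only affects web browser clients, since native clients ignore CORS entirely, which is the real reason the "Unstable prefix" section can say there is no way to gate the change.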