MSC4138: Update allowed HTTP methods in CORS responses (matrix-org#4138)
Showing 1 changed file with 47 additions and 0 deletions.
@@ -0,0 +1,47 @@ | ||
# MSC4138: Update allowed HTTP methods in CORS responses | ||
|
||
The [specification](https://spec.matrix.org/v1.10/client-server-api/#web-browser-clients) suggests | ||
that servers allow a limited subset of the available [HTTP methods](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods) | ||
available in [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) responses. However, it's | ||
reasonable to expect the specification to use other methods in the future or as part of feature | ||
detection. To permit these use cases early, this MSC proposes adding a few more allowable values to | ||
the `Access-Control-Allow-Methods` header. | ||
|
||
## Proposal | ||
|
||
The [`Access-Control-Allow-Methods` header's recommended value](https://spec.matrix.org/v1.10/client-server-api/#web-browser-clients) | ||
is updated to include the following: | ||
|
||
* `PATCH` - A plausibly useful HTTP method for future use. | ||
* `HEAD` - Similar to `PATCH`, `HEAD` is plausibly useful for feature detection and cases like | ||
[MSC4120](https://github.com/matrix-org/matrix-spec-proposals/pull/4120). | ||
|
||
The following methods are *not* included because they don't have foreseeable use in Matrix: | ||
|
||
* `CONNECT` | ||
* `TRACE` | ||
|
||
## Potential issues | ||
|
||
None anticipated. | ||
|
||
## Alternatives | ||
|
||
No significant alternatives. | ||
|
||
## Security considerations | ||
|
||
CORS is meant to help ensure requests made by the client are properly scoped in the client. If the | ||
client wishes to use an HTTP method not allowed by the server, the web browser will mask the | ||
response with an error before the application can inspect it. Therefore, to increase future | ||
compatibility, we append a few useful HTTP methods while still excluding ones which are (currently) | ||
nonsensical. | ||
|
||
## Unstable prefix | ||
|
||
This proposal cannot have an unstable prefix due to the nature of CORS. Servers are already able to | ||
go off-spec and serve different headers because the spec is merely a recommendation. | ||
|
||
## Dependencies | ||
|
||
This proposal has no dependencies. |
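Review bot: The Security considerations section should say explicitly that adding `PATCH` and `HEAD` to `Access-Control-Allow-Methods` is not an authorization control: it only widens what a browser will let a cross-origin page attempt, and the masking described ("the web browser will mask the response with an error") is applied by the browser to the response, so the server's own access-token validation and method handling for these verbs remain the real control and are unchanged by this proposal. It would also help readers if the Proposal section quoted the full resulting header value rather than listing only the two additions.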