Welcome! Log In Create A New Profile

Advanced

Re: [PATCH] Add "compliant" option to ssl_verify_client for CORS support

January 16, 2020 02:26PM
the fact is that CORS is part of the whatwg spec, endpoint consumers don't
differentiate what section of the spec it's a part of, and requiring
credentials on a preflight request is against the spec, so no, it's not
compliant. https://bugzilla.mozilla.org/show_bug.cgi?id=1019603#c9

On Thu, Jan 16, 2020 at 11:09 AM Maxim Dounin <mdounin@mdounin.ru> wrote:

> Hello!
>
> On Thu, Jan 16, 2020 at 08:18:10AM -0700, Sampson Crowley wrote:
>
> > 1) The consumer shouldn't need a whole series of checks just to actually
> do
> > things correctly and be *compliant* with the http specs
>
> You assume that CORS is a part of HTTP specification. It's not.
> Neither it's a part of SSL / TLS specification, which is a
> separate one. Further, all current variants of ssl_verify_client
> are HTTP-complaint, as well as SSL/TLS-complaint. Further, I
> suspect that these are also CORS-complaint (though I never checked
> the exact wording of the CORS specification), even if some of them
> may prevent CORS preflight requests from working.
>
> > 2) I don't see how "compliant" is misleading to be "compliant" with how
> > things are SUPPOSED to work in the first place
>
> Sure. And things already complaint. The question is how exactly
> things work, and what exactly happens in a given situation.
> Introducing a separate "complaint" variant suggests that other
> variants aren't complaint, which is not true. Further, it doesn't
> define to what exactly things are expected to be complaint.
>
> --
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] Add "compliant" option to ssl_verify_client for CORS support

Anonymous User 144 January 15, 2020 03:52PM

Re: [PATCH] Add "compliant" option to ssl_verify_client for CORS support

Maxim Dounin 52 January 16, 2020 07:10AM

Re: [PATCH] Add "compliant" option to ssl_verify_client for CORS support

sampson@downundersports.com 49 January 16, 2020 10:20AM

Re: [PATCH] Add "compliant" option to ssl_verify_client for CORS support

sampson@downundersports.com 50 January 16, 2020 10:40AM

Re: [PATCH] Add "compliant" option to ssl_verify_client for CORS support

Maxim Dounin 42 January 16, 2020 01:12PM

Re: [PATCH] Add "compliant" option to ssl_verify_client for CORS support

sampson@downundersports.com 40 January 16, 2020 02:26PM

Re: [PATCH] Add "compliant" option to ssl_verify_client for CORS support

sampson@downundersports.com 44 January 16, 2020 02:44PM

Re: [PATCH] Add "compliant" option to ssl_verify_client for CORS support

Maxim Dounin 42 January 17, 2020 06:54AM

Re: [PATCH] Add "compliant" option to ssl_verify_client for CORS support

sampson@downundersports.com 76 January 17, 2020 11:54AM

Re: [PATCH] Add "compliant" option to ssl_verify_client for CORS support

Maxim Dounin 45 January 17, 2020 07:00AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 75
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready