January 16, 2020 02:44PM
Maxim, the workaround you provided is invalid,

ssl_verify_client optional;

set $allow 0;

if ($ssl_client_verify = OK) {
set $allow 1;
}

if ($method = OPTIONS) {
set $allow 1;
}

if (!$allow) {
return 496;
}

returns 'invalid condition "!$allow"' by nginx and the service fails to start

On Thu, Jan 16, 2020 at 12:24 PM Sampson Crowley <sampson@downundersports.com> wrote:

> the fact is that CORS is part of the whatwg spec, endpoint consumers don't
> differentiate what section of the spec it's a part of, and requiring
> credentials on a preflight request is against the spec, so no, it's not
> compliant. https://bugzilla.mozilla.org/show_bug.cgi?id=1019603#c9
>
> On Thu, Jan 16, 2020 at 11:09 AM Maxim Dounin <mdounin@mdounin.ru> wrote:
>
>> Hello!
>>
>> On Thu, Jan 16, 2020 at 08:18:10AM -0700, Sampson Crowley wrote:
>>
>> > 1) The consumer shouldn't need a whole series of checks just to actually do
>> > things correctly and be *compliant* with the http specs
>>
>> You assume that CORS is a part of HTTP specification. It's not.
>> Neither it's a part of SSL / TLS specification, which is a
>> separate one. Further, all current variants of ssl_verify_client
>> are HTTP-compliant, as well as SSL/TLS-compliant. Further, I
>> suspect that these are also CORS-compliant (though I never checked
>> the exact wording of the CORS specification), even if some of them
>> may prevent CORS preflight requests from working.
>>
>> > 2) I don't see how "compliant" is misleading to be "compliant" with how
>> > things are SUPPOSED to work in the first place
>>
>> Sure. And things are already compliant. The question is how exactly
>> things work, and what exactly happens in a given situation.
>> Introducing a separate "compliant" variant suggests that other
>> variants aren't compliant, which is not true. Further, it doesn't
>> define to what exactly things are expected to be compliant.
>>
>> --
>> Maxim Dounin
>> http://mdounin.ru/
>> _______________________________________________
>> nginx-devel mailing list
>> nginx-devel@nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>
>
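
An added example, not part of the original thread and not nginx project code: one way to write the check quoted in the message above in a form nginx accepts, using `map` in place of chained `set` and comparing with `=` in place of `!$allow`. It uses the documented variable `$request_method` and the documented `$ssl_client_verify` value `SUCCESS`; the server name, origin, certificate paths and upstream address are placeholders.

```nginx
# Added example; names, paths and addresses are placeholders.
# Place inside the http {} context.

# 1 only when the client certificate verified. $ssl_client_verify is
# "SUCCESS", "FAILED:reason" or "NONE" (no certificate was sent).
map $ssl_client_verify $cert_ok {
    default 0;
    SUCCESS 1;
}

# Exempt only OPTIONS (CORS preflight) from the certificate requirement.
map $request_method $allow {
    default $cert_ok;
    OPTIONS 1;
}

server {
    listen 443 ssl;
    server_name api.example.test;

    ssl_certificate        /etc/nginx/tls/server.crt;
    ssl_certificate_key    /etc/nginx/tls/server.key;
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;

    # "optional" lets the handshake finish without a certificate, so the
    # check below is the only thing enforcing client authentication.
    ssl_verify_client optional;

    # "if" takes comparisons with = and !=, not a "!" prefix on a variable.
    if ($allow = 0) {
        return 496;
    }

    location / {
        # Answer preflights here so that OPTIONS requests made without a
        # certificate never reach the upstream.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin  "https://app.example.test";
            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
            add_header Access-Control-Allow-Headers "Content-Type";
            return 204;
        }
        proxy_pass http://127.0.0.1:8080;
    }
}
```

`nginx -t` validates the configuration before a reload, which catches errors such as the "invalid condition" message without taking the service down.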
[PATCH] Add "compliant" option to ssl_verify_client for CORS support
