Hello!

On Thu, Jan 16, 2020 at 12:24:54PM -0700, Sampson Crowley wrote:

> the fact is that CORS is part of the whatwg spec, endpoint consumers don't
> differentiate what section of the spec it's a part of, and requiring
> credentials on a preflight request is against the spec, so no, it's not
> compliant. https://bugzilla.mozilla.org/show_bug.cgi?id=1019603#c9

There is more than one spec in the world, and being complaint to
one of them can easily mean being non-complaint to another one.
The word "complaint" means nothing unless it specifies complaint
to what.

And no, requiring credentials on all requests doesn't mean that
nginx with "ssl_verify_client on;" isn't complaint with the CORS
spec. This behaviour might be perfectly complaint, for example,
if no preflight requests are expected on the server.

Anyway, thank you for the patch. It was considered and it won't
be committed. If you want to allow preflight requests while using
SSL certificate verification, consider using "ssl_verify_client
optional;" with appropriate checks during request processing.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel