That fails the request even with a valid certificate On Fri, Jan 17, 2020, 04:53 Maxim Dounin <mdounin@mdounin.ru> wrote: > Hello! > > On Thu, Jan 16, 2020 at 12:42:38PM -0700, Sampson Crowley wrote: > > > Maxim the work around you provided is invalid, > > > > ssl_verify_client optional; > > > > set $allow 0; > > > > if ($ssby sampson@downundersports.com - Nginx Development
Maxim the work around you provided is invalid, ssl_verify_client optional; set $allow 0; if ($ssl_client_verify = OK) { set $allow 1; } if ($method = OPTIONS) { set $allow 1; } if (!$allow) { return 496; } returns 'invalid condition "!$allow" by nginx and the service fails to start On Thu, Jan 16, 2020 at 12:24 PM Sampson Croby sampson@downundersports.com - Nginx Development
the fact is that CORS is part of the whatwg spec, endpoint consumers don't differentiate what section of the spec it's a part of, and requiring credentials on a preflight request is against the spec, so no, it's not compliant. https://bugzilla.mozilla.org/show_bug.cgi?id=1019603#c9 On Thu, Jan 16, 2020 at 11:09 AM Maxim Dounin <mdounin@mdounin.ru> wrote: > Hello! > > On Thu, Jan 1by sampson@downundersports.com - Nginx Development
What if it's changed to "preflight_optional" or "on_spec_compliant" is that a better description in your opinion? On Thu, Jan 16, 2020, 08:18 Sampson Crowley <sampson@downundersports.com> wrote: > 1) The consumer shouldn't need a whole series of checks just to actually > do things correctly and be *compliant* with the http specs > > 2) I don't see how "by sampson@downundersports.com - Nginx Development
1) The consumer shouldn't need a whole series of checks just to actually do things correctly and be *compliant* with the http specs 2) I don't see how "compliant" is misleading to be "compliant" with how things are SUPPOSED to work in the first place On Thu, Jan 16, 2020, 05:09 Maxim Dounin <mdounin@mdounin.ru> wrote: > Hello! > > On Wed, Jan 15, 2020 at 01:5by sampson@downundersports.com - Nginx Development
What is the right way to allow OPTIONS requests through with "ssl_verify_client on;"? the CORS spec specifically prohibits credentials with preflight requests; this isn't a problem with chrome or safari because they chose to just ignore that part, but it makes it impossible to do an authenticated CORS request with firefox unless you set it to optional, which i do not want to do. Soby sampson@downundersports.com - How to...