MSC4138: Update allowed HTTP methods in CORS responses #4138
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| # MSC4138: Update allowed HTTP methods in CORS responses | ||
|
|
||
| The [specification](https://spec.matrix.org/v1.10/client-server-api/#web-browser-clients) suggests | ||
| that servers allow a limited subset of the available [HTTP methods](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods) | ||
| available in [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) responses. However, it's | ||
| reasonable to expect the specification to use other methods in the future or as part of feature | ||
| detection. To permit these use cases early, this MSC proposes adding a few more allowable values to | ||
| the `Access-Control-Allow-Methods` header. | ||
|
|
||
| ## Proposal | ||
|
|
||
| The [`Access-Control-Allow-Methods` header's recommended value](https://spec.matrix.org/v1.10/client-server-api/#web-browser-clients) | ||
| is updated to include the following: | ||
|
|
||
| * `PATCH` - A plausibly useful HTTP method for future use. | ||
|
|
||
| * `HEAD` - Similar to `PATCH`, `HEAD` is plausibly useful for feature detection and cases like | ||
| [MSC4120](https://github.com/matrix-org/matrix-spec-proposals/pull/4120). | ||
turt2live marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| The following methods are *not* included because they don't have foreseeable use in Matrix: | ||
|
|
||
| * `CONNECT` | ||
| * `TRACE` | ||
|
There was a problem hiding this comment. I might suggest that this could be an MSC where we propose a literal update to the text of the spec: the current spec just plucks a recommendation out of thin air with no explanation of why it's recommended, but this MSC contains a bunch of useful context. I know you're trying to write it without including a reference to an in-review MSC in the spec, but I'm finding the result quite obtuse: "future use" just makes me wonder why the server wouldn't add those methods when it has an endpoint that actually uses them. I would suggest something along the lines of, "if you implement all of the Matrix spec, you'll need this set, however this expanded set would be safe and sensible should you ever implement any MSCs that use them"? There was a problem hiding this comment. or maybe something along the lines of "... if you implement any other endpoints that use other HTTP methods, make sure that you also include those methods on CORS". There was a problem hiding this comment. #4138 (comment) is in line with this thread. Will update the MSC. |
||
|
|
||
| ## Potential issues | ||
|
|
||
| None anticipated. | ||
|
|
||
| ## Alternatives | ||
|
|
||
| No significant alternatives. | ||
|
|
||
| ## Security considerations | ||
|
|
||
| CORS is meant to help ensure requests made by the client are properly scoped in the client. If the | ||
| client wishes to use an HTTP method not allowed by the server, the web browser will mask the | ||
| response with an error before the application can inspect it. Therefore, to increase future | ||
| compatibility, we append a few useful HTTP methods while still excluding ones which are (currently) | ||
| nonsensical. | ||
|
|
||
| ## Unstable prefix | ||
|
|
||
| This proposal cannot have an unstable prefix due to the nature of CORS. Servers are already able to | ||
| go off-spec and serve different headers because the spec is merely a recommendation. | ||
|
|
||
| ## Dependencies | ||
|
|
||
| This proposal has no dependencies. | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Implementation requirements: