<div dir="ltr">the fact is that CORS is part of the whatwg spec, endpoint consumers don't differentiate what section of the spec it's a part of, and requiring credentials on a preflight request is against the spec, so no, it's not compliant. <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1019603#c9">https://bugzilla.mozilla.org/show_bug.cgi?id=1019603#c9</a><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jan 16, 2020 at 11:09 AM Maxim Dounin <<a href="mailto:mdounin@mdounin.ru">mdounin@mdounin.ru</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello!<br>
<br>
On Thu, Jan 16, 2020 at 08:18:10AM -0700, Sampson Crowley wrote:<br>
<br>
> 1) The consumer shouldn't need a whole series of checks just to actually do<br>
> things correctly and be *compliant* with the http specs<br>
<br>
You assume that CORS is a part of HTTP specification. It's not. <br>
Neither it's a part of SSL / TLS specification, which is a <br>
separate one. Further, all current variants of ssl_verify_client <br>
are HTTP-complaint, as well as SSL/TLS-complaint. Further, I <br>
suspect that these are also CORS-complaint (though I never checked <br>
the exact wording of the CORS specification), even if some of them <br>
may prevent CORS preflight requests from working.<br>
<br>
> 2) I don't see how "compliant" is misleading to be "compliant" with how<br>
> things are SUPPOSED to work in the first place<br>
<br>
Sure. And things already complaint. The question is how exactly <br>
things work, and what exactly happens in a given situation. <br>
Introducing a separate "complaint" variant suggests that other <br>
variants aren't complaint, which is not true. Further, it doesn't <br>
define to what exactly things are expected to be complaint.<br>
<br>
-- <br>
Maxim Dounin<br>
<a href="http://mdounin.ru/" rel="noreferrer" target="_blank">http://mdounin.ru/</a><br>
_______________________________________________<br>
nginx-devel mailing list<br>
<a href="mailto:nginx-devel@nginx.org" target="_blank">nginx-devel@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx-devel" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx-devel</a><br>
</blockquote></div>