[PATCH] Add "compliant" option to ssl_verify_client for CORS support
Maxim Dounin
mdounin at mdounin.ru
Thu Jan 16 18:09:45 UTC 2020
Hello!
On Thu, Jan 16, 2020 at 08:18:10AM -0700, Sampson Crowley wrote:
> 1) The consumer shouldn't need a whole series of checks just to actually do
> things correctly and be *compliant* with the http specs
You assume that CORS is a part of HTTP specification. It's not.
Neither it's a part of SSL / TLS specification, which is a
separate one. Further, all current variants of ssl_verify_client
are HTTP-complaint, as well as SSL/TLS-complaint. Further, I
suspect that these are also CORS-complaint (though I never checked
the exact wording of the CORS specification), even if some of them
may prevent CORS preflight requests from working.
> 2) I don't see how "compliant" is misleading to be "compliant" with how
> things are SUPPOSED to work in the first place
Sure. And things already complaint. The question is how exactly
things work, and what exactly happens in a given situation.
Introducing a separate "complaint" variant suggests that other
variants aren't complaint, which is not true. Further, it doesn't
define to what exactly things are expected to be complaint.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx-devel
mailing list