[PATCH] Add "compliant" option to ssl_verify_client for CORS support
Maxim Dounin
mdounin at mdounin.ru
Fri Jan 17 11:58:53 UTC 2020
Hello!
On Thu, Jan 16, 2020 at 12:24:54PM -0700, Sampson Crowley wrote:
> the fact is that CORS is part of the whatwg spec, endpoint consumers don't
> differentiate what section of the spec it's a part of, and requiring
> credentials on a preflight request is against the spec, so no, it's not
> compliant. https://bugzilla.mozilla.org/show_bug.cgi?id=1019603#c9
There is more than one spec in the world, and being compliant to
one of them can easily mean being non-compliant to another one.
The word "compliant" means nothing unless it specifies compliant
to what.
And no, requiring credentials on all requests doesn't mean that
nginx with "ssl_verify_client on;" isn't compliant with the CORS
spec. This behaviour might be perfectly compliant, for example,
if no preflight requests are expected on the server.
Anyway, thank you for the patch. It was considered and it won't
be committed. If you want to allow preflight requests while using
SSL certificate verification, consider using "ssl_verify_client
optional;" with appropriate checks during request processing.
--
Maxim Dounin
http://mdounin.ru/
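
An added illustration of the "ssl_verify_client optional;" approach suggested in the message above. It is not part of the original message or of nginx's own documentation. The server name, certificate paths, allowed origin and upstream address are placeholders, and `$reject_no_cert` is a variable name chosen for this example.

```nginx
# http{} context: decide per request whether a missing or invalid client
# certificate should be refused. Regexes are tested in the order listed.
map "$request_method:$ssl_client_verify" $reject_no_cert {
    default               1;  # NONE, FAILED:<reason>, anything unexpected
    "~^OPTIONS:"          0;  # CORS preflight arrives without credentials
    "~^[A-Z]+:SUCCESS$"   0;  # any method with a verified certificate
}

server {
    listen 443 ssl;
    server_name api.example.com;                        # placeholder

    ssl_certificate         /etc/nginx/tls/server.crt;  # placeholder paths
    ssl_certificate_key     /etc/nginx/tls/server.key;
    ssl_client_certificate  /etc/nginx/tls/client-ca.pem;

    # "optional" requests a certificate but completes the handshake without
    # one, so the decision moves to request processing below.
    ssl_verify_client optional;

    location / {
        # Every non-preflight request still needs a verified certificate.
        if ($reject_no_cert) {
            return 403;
        }

        # Answer the preflight here so it never reaches the backend.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin      "https://app.example.com";
            add_header Access-Control-Allow-Methods     "GET, POST";
            add_header Access-Control-Allow-Headers     "Content-Type";
            # Client certificates count as credentials in the Fetch spec,
            # so the origin must be explicit rather than "*".
            add_header Access-Control-Allow-Credentials "true";
            return 204;
        }

        proxy_pass http://127.0.0.1:8080;               # placeholder upstream
    }
}
```

Because verification is no longer enforced at the handshake, any other `server` or `location` block that shares this listener needs the same `$reject_no_cert` check, or it will accept requests without a certificate.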