Commit abaaaee

MSC4138: Update allowed HTTP methods in CORS responses (#4138)
1 parent 3b71085 commit abaaaee

Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,47 @@
1+
# MSC4138: Update allowed HTTP methods in CORS responses
2+
3+
The [specification](https://spec.matrix.org/v1.10/client-server-api/#web-browser-clients) suggests
4+
that servers allow a limited subset of the available [HTTP methods](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
5+
available in [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) responses. However, it's
6+
reasonable to expect the specification to use other methods in the future or as part of feature
7+
detection. To permit these use cases early, this MSC proposes adding a few more allowable values to
8+
the `Access-Control-Allow-Methods` header.
9+
10+
## Proposal
11+
12+
The [`Access-Control-Allow-Methods` header's recommended value](https://spec.matrix.org/v1.10/client-server-api/#web-browser-clients)
13+
is updated to include the following:
14+
15+
* `PATCH` - A plausibly useful HTTP method for future use.
16+
* `HEAD` - Similar to `PATCH`, `HEAD` is plausibly useful for feature detection and cases like
17+
[MSC4120](https://github.com/matrix-org/matrix-spec-proposals/pull/4120).
18+
19+
The following methods are *not* included because they don't have foreseeable use in Matrix:
20+
21+
* `CONNECT`
22+
* `TRACE`
23+
24+
## Potential issues
25+
26+
None anticipated.
27+
28+
## Alternatives
29+
30+
No significant alternatives.
31+
32+
## Security considerations
33+
34+
CORS is meant to help ensure requests made by the client are properly scoped in the client. If the
35+
client wishes to use an HTTP method not allowed by the server, the web browser will mask the
36+
response with an error before the application can inspect it. Therefore, to increase future
37+
compatibility, we append a few useful HTTP methods while still excluding ones which are (currently)
38+
nonsensical.
39+
40+
## Unstable prefix
41+
42+
This proposal cannot have an unstable prefix due to the nature of CORS. Servers are already able to
43+
go off-spec and serve different headers because the spec is merely a recommendation.
44+
45+
## Dependencies
46+
47+
This proposal has no dependencies.
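Review bot: The "Security considerations" section should state plainly what `Access-Control-Allow-Methods` does and does not protect, since as written it could be read as a server-side access control. The header is only honoured by browsers when they preflight a cross-origin request; a non-browser client, or a request that never triggers a preflight, is unaffected by the list, so widening it to `PATCH` and `HEAD` neither weakens nor strengthens the homeserver's own authentication and authorization checks, which remain the actual control. Suggest a sentence to that effect after "CORS is meant to help ensure requests made by the client are properly scoped in the client." Also, the phrase "the web browser will mask the response with an error before the application can inspect it" is imprecise for the case this MSC is about: when the method fails the preflight, the browser does not send the actual request at all, so there is no response to mask; consider "the web browser will fail the request before it is sent". Minor style point in the introduction: "a limited subset of the available [HTTP methods] ... available in [CORS] responses" repeats "available"; drop the first one.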
