wholetrans/docs-matrix-spec
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #1365 from turt2live/travis/cors

Browse source 
Document the CORS/preflight headers
This commit is contained in:
Travis Ralston 2018-07-10 08:35:37 -06:00 committed by GitHub
commit c79010f0d6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
changelogs/client_server.rst
View file

@ -35,6 +35,8 @@ Unreleased changes
(`#1274 <https://github.com/matrix-org/matrix-doc/pull/1274>`_). (`#1274 <https://github.com/matrix-org/matrix-doc/pull/1274>`_).
- Document the GET version of ``/login`` - Document the GET version of ``/login``
(`#1361 <https://github.com/matrix-org/matrix-doc/pull/1361>`_). (`#1361 <https://github.com/matrix-org/matrix-doc/pull/1361>`_).
- Document the CORS/preflight headers
(`#1365 <https://github.com/matrix-org/matrix-doc/pull/1365>`_).
- Spec clarifications: - Spec clarifications:

19
specification/client_server_api.rst
View file

@ -164,6 +164,25 @@ recommended.
{{versions_cs_http_api}} {{versions_cs_http_api}}
Web Browser Clients
-------------------
It is realistic to expect that some clients will be written to be run within a
web browser or similar environment. In these cases, the homeserver should respond
to pre-flight requests and supply Cross-Origin Resource Sharing (CORS) headers on
all requests.
When a client approaches the server with a pre-flight (``OPTIONS``) request, the
server should respond with the CORS headers for that route. The recommended CORS
headers to be returned by servers on all requests are:
.. code::
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
Client Authentication Client Authentication
--------------------- ---------------------