Merge pull request #1365 from turt2live/travis/cors

Document the CORS/preflight headers
2018-07-10 08:35:37 -06:00 · 2018-07-10 08:35:37 -06:00 · c79010f0d6
commit c79010f0d6
parent 44db84f3d8 423d5593f5
2 changed files with 21 additions and 0 deletions
--- a/changelogs/client_server.rst
+++ b/changelogs/client_server.rst
@ -35,6 +35,8 @@ Unreleased changes
    (`#1274 <https://github.com/matrix-org/matrix-doc/pull/1274>`_).
  - Document the GET version of ``/login``
    (`#1361 <https://github.com/matrix-org/matrix-doc/pull/1361>`_).
+  - Document the CORS/preflight headers
+    (`#1365 <https://github.com/matrix-org/matrix-doc/pull/1365>`_).

 - Spec clarifications:

--- a/specification/client_server_api.rst
+++ b/specification/client_server_api.rst
@ -164,6 +164,25 @@ recommended.

 {{versions_cs_http_api}}

+Web Browser Clients
+-------------------
+
+It is realistic to expect that some clients will be written to be run within a
+web browser or similar environment. In these cases, the homeserver should respond
+to pre-flight requests and supply Cross-Origin Resource Sharing (CORS) headers on
+all requests.
+
+When a client approaches the server with a pre-flight (``OPTIONS``) request, the
+server should respond with the CORS headers for that route. The recommended CORS
+headers to be returned by servers on all requests are:
+
+.. code::
+
+  Access-Control-Allow-Origin: *
+  Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
+  Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
+
+
 Client Authentication
 ---------------------