06

@michielbdejong michielbdejong released this 30 Nov 21:05
· 86 commits to main since this release

Breaking for servers as well as clients:

  • The difference between the 401 and 403 HTTP response statuses was clarified to
    match the way they are defined by the Bearer token spec.
  • In the OAuth dance, client_id should now match the origin of the redirect_uri.
  • Content-Range headers are no longer allowed on PUT requests.
  • The Expires: 0 header was replaced by Cache-Control: no-cache.

Breaking for servers:

  • Apart from GET requests, HEAD requests are also allowed without Authorization
    request header on public documents.
  • Servers that support range requests should now announce this not only through
    WebFinger, but also through the HTTP 'Accept-Ranges' header.

Breaking for clients:

  • Apart from acct:[email protected] ('[email protected]' in UI), http://mydomain.com/
    ('mydomain.com' in UI) is now allowed as a user address for WebFinger discovery.
  • Access-Control-Allow-Origin: * is now also allowed on requests with preflight.
    This was changed in the CORS spec, and has already been implemented by all major
    browsers.
  • Item names '.' and '..' are no longer allowed.
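
The client_id / redirect_uri rule and the '.' / '..' item-name rule above, as an added example of how a server might enforce them (not code from the remoteStorage project). The function names and hosts are made up for illustration, and decoding percent-escapes before the item-name comparison is an assumption of this sketch.

```javascript
// Added example: server-side checks for two of the rules listed above.
// All names and hosts here are hypothetical.

// Return the serialized origin of a URL string, or null if it has none.
function originOf(value) {
  try {
    const origin = new URL(value).origin;
    // Schemes without a tuple origin (data:, custom schemes) give "null".
    return origin === 'null' ? null : origin;
  } catch (e) {
    return null; // not a parseable absolute URL
  }
}

// client_id must match the origin of redirect_uri. Comparing parsed origins
// (scheme + host + port) avoids the mistakes of string prefix matching:
// look-alike host suffixes, userinfo tricks and default-port variants.
function clientIdMatchesRedirect(clientId, redirectUri) {
  const clientOrigin = originOf(clientId);
  return clientOrigin !== null && clientOrigin === originOf(redirectUri);
}

// Item names '.' and '..' are not allowed. Check the raw request path,
// because URL parsers silently resolve dot segments before you see them.
// Assumption of this sketch: percent-encoded dots are treated the same way.
function itemNamesAllowed(rawPath) {
  return rawPath.split('/').every((segment) => {
    let name;
    try {
      name = decodeURIComponent(segment);
    } catch (e) {
      return false; // malformed percent-escape
    }
    return name !== '.' && name !== '..';
  });
}

// Constructed sample inputs.
console.log(clientIdMatchesRedirect('https://app.example',
  'https://app.example/callback'));
console.log(clientIdMatchesRedirect('https://app.example',
  'https://app.example@other.example/callback'));
console.log(itemNamesAllowed('/documents/%2e%2e/private'));
```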