Plack::App::File should check request method

[robrwo]

It would make sense to modify Plack::App::File to check the request method.

Currently it seems to accept any request method.

If it gets an OPTIONS request, it could return HTTP 204 with the Allow header set to "GET, HEAD, OPTIONS" (perhaps with an optional callback attribute that allows one to hook into it to handle CORS preflight requests).

If it gets something other than a GET or HEAD request, it should return HTTP 405 (method not allowed).

(Possibly for backwards compatibility one could specify a lit of allowed request methods, in case one wants to accept POST requests.)

[robrwo]

I'm working on a PR for it. I think the simplest way forward is to simply behave as normal if no methods are set.

If methods are set, then it validates against the list and returns an HTTP 405 if not an allowed method.

If methods are set and it gets an OPTIONS request, it returns a simple response, as per https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS

If there is a CORS handler configured, it passes the environment, file and response to the handler.

[miyagawa]

https://metacpan.org/pod/Plack::Middleware::CrossOrigin implements more comprehensive solution and you can enable it in front of Plack::App::File, or any other PSGI app.

[robrwo]

CORS is less important. I care more about restricting the request methods, and adding OPTIONS support (since I have a site that often gets OPTIONS requests for some things.)

[miyagawa]

I'm sure the middleware above has configuration options to let you do what I want, but if not, you can write your own middleware (possibly inline) to return 204 with GET, HEAD, and OPTIONS to OPTIONS requests. My argument here is that your need should not be specific to App::File app at all.