Nick Kew wrote: > > RFC2616 tells us OPTIONS * is basically a simple HTTP ping, > which suggests it could be at a 'lower' level than authconfig > and always be allowed. If there is a reason to deny it, > that could be by means of something analagous to TraceEnable.
Insufficient. If we configure server-forced connection: upgrade/TLS we had better do so in the OPTIONS phase. So I agree that files don't apply. <VirtualHost > would. <Location *> should (and I'm not stating <LocationMatch .*> or <Location />, but an explicit case which handles only OPTIONS). But I'm rather against breaking this in 2.2 to solve (what are, today) configuration quirks. Let's get this right for 2.4 and call out the change very clearly in (our overlong) CHANGES? I'm thinking of a new second-priority category after SECURITY:, e.g. CONFIG: or MUSTNOTE: so administrators who migrate aren't surprised. Bill
