Posted to notifications@couchdb.apache.org by "Nolan Lawson (JIRA)" <ji...@apache.org> on 2017/03/19 21:48:41 UTC

[jira] [Commented] (COUCHDB-3090) Error when handling empty "Access-Control-Request-Headers" header

    [ https://issues.apache.org/jira/browse/COUCHDB-3090?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15931981#comment-15931981 ] 

Nolan Lawson commented on COUCHDB-3090:
---------------------------------------

FWIW I've found the same bug in Safari. It's now officially a browser bug and not a CouchDB bug, because they changed the spec to work around CouchDB's behavior 🙃 https://github.com/w3c/web-platform-tests/pull/4556

WebKit bug: https://bugs.webkit.org/show_bug.cgi?id=169851

> Error when handling empty "Access-Control-Request-Headers" header
> -----------------------------------------------------------------
>
>                 Key: COUCHDB-3090
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-3090
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Will Holley
>
> Sending an empty "Access-Control-Request-Headers" header as part of a pre-flight request (as opposed to excluding it) causes CouchDB to respond with a 405 Method Not Allowed:
> With the header excluded:
> {code}
> $ curl 'http://localhost:15984/_session' -H "Access-Control-Request-Headers:" -H "Access-Control-Request-Method: POST" -H "Origin:https://something.com" -XOPTIONS -v
> Mon  1 Aug 2016 13:48:26 BST
> *   Trying ::1...
> * connect to ::1 port 15984 failed: Connection refused
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 15984 (#0)
> > OPTIONS /_session HTTP/1.1
> > Host: localhost:15984
> > User-Agent: curl/7.43.0
> > Accept: */*
> > Access-Control-Request-Method: POST
> > Origin:https://something.com
> > 
> < HTTP/1.1 204 No Content
> < Access-Control-Allow-Credentials: true
> < Access-Control-Allow-Headers: 
> < Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE
> < Access-Control-Allow-Origin: https://something.com
> < Access-Control-Max-Age: 600
> < Content-Length: 0
> < Date: Mon, 01 Aug 2016 12:48:25 GMT
> < Server: CouchDB/b49d069 (Erlang OTP/18)
> < X-Couch-Request-ID: c68c601375
> < X-CouchDB-Body-Time: 0
> < 
> * Connection #0 to host localhost left intact
> {code}
> With an empty header:
> {code}
> $ curl 'http://localhost:15984/_session' -H "Access-Control-Request-Headers;" -H "Access-Control-Request-Method: POST" -H "Origin:https://something.com" -XOPTIONS -v
> Mon  1 Aug 2016 13:48:21 BST
> *   Trying ::1...
> * connect to ::1 port 15984 failed: Connection refused
> *   Trying fe80::1...
> * connect to fe80::1 port 15984 failed: Connection refused
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 15984 (#0)
> > OPTIONS /_session HTTP/1.1
> > Host: localhost:15984
> > User-Agent: curl/7.43.0
> > Accept: */*
> > Access-Control-Request-Headers:
> > Access-Control-Request-Method: POST
> > Origin:https://something.com
> > 
> < HTTP/1.1 405 Method Not Allowed
> < Access-Control-Allow-Credentials: true
> < Access-Control-Allow-Origin: https://something.com
> < Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
> < Allow: GET,HEAD,POST,DELETE
> < Cache-Control: must-revalidate
> < Content-Length: 76
> < Content-Type: application/json
> < Date: Mon, 01 Aug 2016 12:48:21 GMT
> < Server: CouchDB/b49d069 (Erlang OTP/18)
> < 
> {"error":"method_not_allowed","reason":"Only GET,HEAD,POST,DELETE allowed"}
> * Connection #0 to host localhost left intact
> {code}
> A recent release of Chrome (52) has resulted in the browser sending this empty header instead of excluding it, resulting in CORS breaking against CouchDB (both 1.6 and 2.0/master) - see https://github.com/nolanlawson/pouchdb-authentication/issues/111



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
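The two curl transcripts above pin down the edge case: a preflight that omits Access-Control-Request-Headers and one that sends it with an empty value must be treated identically, as "no extra headers requested". The block below is an added, constructed preflight validator written for this page; it is not CouchDB's Erlang code and does not reproduce whatever CouchDB did internally to arrive at the 405. The allow-lists (ALLOWED_ORIGINS, ALLOWED_METHODS, ALLOWED_HEADERS) are assumptions standing in for a [cors] configuration, and the 403 / X-Denied-Headers response for disallowed header names is a design choice of this example, not spec-mandated behaviour. What it shows beyond the transcripts: the header value is parsed as a comma-separated, case-insensitive list of header names, a missing, empty or whitespace-only value all yield an empty list, and only the approved subset is echoed back in Access-Control-Allow-Headers rather than the raw request value.

```python
"""Constructed CORS preflight validator that tolerates an empty
Access-Control-Request-Headers header (example code, not CouchDB's)."""

from typing import Dict, List, Optional, Tuple

# Assumed allow-lists standing in for a server's CORS configuration.
ALLOWED_ORIGINS = {"https://something.com"}
ALLOWED_METHODS = {"GET", "PUT", "POST", "HEAD", "DELETE"}
ALLOWED_HEADERS = {"accept", "authorization", "content-type", "origin", "referer"}

# CORS-safelisted request header names: browsers may send these without a
# preflight, so a preflight that lists them should not be refused.
SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}


def parse_header_list(value: Optional[str]) -> List[str]:
    """Parse the token list carried in Access-Control-Request-Headers.

    A missing header (None), an empty header ("Access-Control-Request-Headers:")
    and a whitespace-only header all mean "no extra headers requested".
    Header names are case-insensitive, so they are lower-cased and
    de-duplicated while preserving first-seen order.
    """
    if value is None:
        return []
    names: List[str] = []
    for token in value.split(","):
        name = token.strip().lower()
        if name and name not in names:
            names.append(name)
    return names


def preflight(request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Answer an OPTIONS preflight; returns (status, response headers).

    Request header names are matched case-insensitively.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin")
    method = req.get("access-control-request-method", "").strip().upper()

    if origin not in ALLOWED_ORIGINS:
        # Unknown origin: answer without any CORS grant at all.
        return 403, {}
    if method not in ALLOWED_METHODS:
        # The only legitimate reason for a 405 here is an unapproved method.
        return 405, {"Allow": ", ".join(sorted(ALLOWED_METHODS))}

    requested = parse_header_list(req.get("access-control-request-headers"))
    denied = [h for h in requested if h not in ALLOWED_HEADERS | SAFELISTED]
    if denied:
        # Refuse explicitly; never echo a header name we did not approve.
        return 403, {"X-Denied-Headers": ", ".join(denied)}

    response = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",  # the Allow-Origin value depends on the request
    }
    if requested:
        # Empty and omitted both land here with no Allow-Headers line at all.
        response["Access-Control-Allow-Headers"] = ", ".join(requested)
    return 204, response
```

Calling preflight() with the headers from the second transcript (Origin, Access-Control-Request-Method: POST and an empty Access-Control-Request-Headers) returns 204 with the same response headers as the omitted-header case, which is the behaviour the web-platform-tests change referenced above now expects.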