Posted to notifications@couchdb.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/08/01 17:52:20 UTC

[jira] [Commented] (COUCHDB-3090) Error when handling empty "Access-Control-Request-Headers" header

    [ https://issues.apache.org/jira/browse/COUCHDB-3090?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15402498#comment-15402498 ] 

ASF GitHub Bot commented on COUCHDB-3090:
-----------------------------------------

GitHub user willholley opened a pull request:

    https://github.com/apache/couchdb-chttpd/pull/135

    Handle empty "Access-Control-Request-Headers" header

    When "Access-Control-Request-Headers" is empty, return an empty
    "Access-Control-Allow-Headers" in the response. This is the same
    behaviour as when the "Access-Control-Request-Headers" header is
    omitted from the request entirely.
    
    Fixes COUCHDB-3090

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/willholley/couchdb-chttpd 3090-handle-empty-access-control-request-headers

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/couchdb-chttpd/pull/135.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #135
    
----
commit 232bfe6d37b079096d1db4f786ff9c3c403c1fba
Author: Will Holley <wi...@gmail.com>
Date:   2016-08-01T16:57:44Z

    Handle empty "Access-Control-Request-Headers" header
    
    When "Access-Control-Request-Headers" is empty, return an empty
    "Access-Control-Allow-Headers" in the response. This is the same
    behaviour as when the "Access-Control-Request-Headers" header is
    omitted from the request entirely.
    
    Fixes COUCHDB-3090

----


> Error when handling empty "Access-Control-Request-Headers" header
> -----------------------------------------------------------------
>
>                 Key: COUCHDB-3090
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-3090
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Will Holley
>
> Sending an empty "Access-Control-Request-Headers" header as part of a pre-flight request (as opposed to excluding it) causes CouchDB to respond with a 405 Method Not Allowed:
> With the header excluded:
> {code}
> $ curl 'http://localhost:15984/_session' -H "Access-Control-Request-Headers:" -H "Access-Control-Request-Method: POST" -H "Origin:https://something.com" -XOPTIONS -v
> Mon  1 Aug 2016 13:48:26 BST
> *   Trying ::1...
> * connect to ::1 port 15984 failed: Connection refused
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 15984 (#0)
> > OPTIONS /_session HTTP/1.1
> > Host: localhost:15984
> > User-Agent: curl/7.43.0
> > Accept: */*
> > Access-Control-Request-Method: POST
> > Origin:https://something.com
> > 
> < HTTP/1.1 204 No Content
> < Access-Control-Allow-Credentials: true
> < Access-Control-Allow-Headers: 
> < Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE
> < Access-Control-Allow-Origin: https://something.com
> < Access-Control-Max-Age: 600
> < Content-Length: 0
> < Date: Mon, 01 Aug 2016 12:48:25 GMT
> < Server: CouchDB/b49d069 (Erlang OTP/18)
> < X-Couch-Request-ID: c68c601375
> < X-CouchDB-Body-Time: 0
> < 
> * Connection #0 to host localhost left intact
> {code}
> With an empty header:
> {code}
> $ curl 'http://localhost:15984/_session' -H "Access-Control-Request-Headers;" -H "Access-Control-Request-Method: POST" -H "Origin:https://something.com" -XOPTIONS -v
> Mon  1 Aug 2016 13:48:21 BST
> *   Trying ::1...
> * connect to ::1 port 15984 failed: Connection refused
> *   Trying fe80::1...
> * connect to fe80::1 port 15984 failed: Connection refused
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 15984 (#0)
> > OPTIONS /_session HTTP/1.1
> > Host: localhost:15984
> > User-Agent: curl/7.43.0
> > Accept: */*
> > Access-Control-Request-Headers:
> > Access-Control-Request-Method: POST
> > Origin:https://something.com
> > 
> < HTTP/1.1 405 Method Not Allowed
> < Access-Control-Allow-Credentials: true
> < Access-Control-Allow-Origin: https://something.com
> < Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
> < Allow: GET,HEAD,POST,DELETE
> < Cache-Control: must-revalidate
> < Content-Length: 76
> < Content-Type: application/json
> < Date: Mon, 01 Aug 2016 12:48:21 GMT
> < Server: CouchDB/b49d069 (Erlang OTP/18)
> < 
> {"error":"method_not_allowed","reason":"Only GET,HEAD,POST,DELETE allowed"}
> * Connection #0 to host localhost left intact
> {code}
> A recent release of Chrome (52) has resulted in the browser sending this empty header instead of excluding it, resulting in CORS breaking against CouchDB (both 1.6 and 2.0/master) - see https://github.com/nolanlawson/pouchdb-authentication/issues/111



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
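The preflight edge case the issue and the pull request describe, as an added example that is not CouchDB's or chttpd's own code: a small CORS preflight responder that treats an empty "Access-Control-Request-Headers" value exactly like an absent one (an empty "Access-Control-Allow-Headers" in a 204), instead of falling through to a 405. The allowlists, the 403 for an unknown origin, and the function names are assumptions made for the example, not CouchDB's configuration or behaviour. It also goes one step beyond the report by only echoing back requested headers that are on a server-side allowlist, rather than reflecting whatever the browser asked for.

```python
"""Added example: minimal CORS preflight handling that treats an empty
Access-Control-Request-Headers header the same as an omitted one.
Not CouchDB code; policy values below are hypothetical."""
from __future__ import annotations

from typing import Mapping

# Hypothetical server policy (assumed for the example, not CouchDB's):
ALLOWED_ORIGINS = {"https://something.com"}
ALLOWED_METHODS = ("GET", "PUT", "POST", "HEAD", "DELETE")
ALLOWED_REQUEST_HEADERS = {"content-type", "accept", "authorization", "x-csrf-token"}


def parse_request_headers(value: str | None) -> list[str]:
    """Split an Access-Control-Request-Headers field value into lower-cased names.

    None (header absent) and "" or whitespace (header present but empty, as
    Chrome 52 sends it) both yield an empty list, so the two cases are handled
    by one code path instead of the empty string reaching a parser that expects
    at least one token.
    """
    if value is None:
        return []
    return [name.strip().lower() for name in value.split(",") if name.strip()]


def preflight(request_headers: Mapping[str, str]) -> tuple[int, dict[str, str]]:
    """Answer an OPTIONS preflight. Returns (status, response headers).

    Header-name lookup is case-insensitive, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in request_headers.items()}

    origin = lower.get("origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        # Hypothetical choice: refuse preflights from origins not on the list.
        return 403, {}

    method = lower.get("access-control-request-method", "").strip().upper()
    if method not in ALLOWED_METHODS:
        return 405, {"Allow": ",".join(ALLOWED_METHODS)}

    requested = parse_request_headers(lower.get("access-control-request-headers"))
    # Grant only allowlisted names. Anything else is left out of the response,
    # so the browser fails the preflight for that request on its side.
    granted = [name for name in requested if name in ALLOWED_REQUEST_HEADERS]

    response = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        # Empty when nothing was requested: same output for absent and empty input.
        "Access-Control-Allow-Headers": ", ".join(granted),
        "Access-Control-Max-Age": "600",
        # Response depends on Origin, so caches must key on it.
        "Vary": "Origin",
    }
    return 204, response


if __name__ == "__main__":
    base = {"Origin": "https://something.com", "Access-Control-Request-Method": "POST"}
    print("absent :", preflight(base))
    print("empty  :", preflight({**base, "Access-Control-Request-Headers": ""}))
    print("listed :", preflight({**base, "Access-Control-Request-Headers": "Content-Type, X-Evil"}))
```

The two curl invocations from the report map onto the first two calls at the bottom: `-H "Access-Control-Request-Headers:"` sends no such header (the `None` case) and `-H "Access-Control-Request-Headers;"` sends it with an empty value (the `""` case); both must produce the same 204 with an empty Access-Control-Allow-Headers.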