Posted to notifications@couchdb.apache.org by "Will Holley (JIRA)" <ji...@apache.org> on 2016/08/01 12:53:20 UTC

[jira] [Created] (COUCHDB-3090) Error when handling empty "Access-Control-Request-Headers" header

Will Holley created COUCHDB-3090:
------------------------------------

             Summary: Error when handling empty "Access-Control-Request-Headers" header
                 Key: COUCHDB-3090
                 URL: https://issues.apache.org/jira/browse/COUCHDB-3090
             Project: CouchDB
          Issue Type: Bug
          Components: HTTP Interface
            Reporter: Will Holley


Sending an empty "Access-Control-Request-Headers" header as part of a pre-flight request (as opposed to excluding it) causes CouchDB to respond with a 405 Method Not Allowed:

With the header excluded:
{code}
$ curl 'http://localhost:15984/_session' -H "Access-Control-Request-Headers:" -H "Access-Control-Request-Method: POST" -H "Origin:https://something.com" -XOPTIONS -v
Mon  1 Aug 2016 13:48:26 BST
*   Trying ::1...
* connect to ::1 port 15984 failed: Connection refused
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 15984 (#0)
> OPTIONS /_session HTTP/1.1
> Host: localhost:15984
> User-Agent: curl/7.43.0
> Accept: */*
> Access-Control-Request-Method: POST
> Origin:https://something.com
> 
< HTTP/1.1 204 No Content
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: 
< Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE
< Access-Control-Allow-Origin: https://something.com
< Access-Control-Max-Age: 600
< Content-Length: 0
< Date: Mon, 01 Aug 2016 12:48:25 GMT
< Server: CouchDB/b49d069 (Erlang OTP/18)
< X-Couch-Request-ID: c68c601375
< X-CouchDB-Body-Time: 0
< 
* Connection #0 to host localhost left intact
{code}

With an empty header:
{code}
$ curl 'http://localhost:15984/_session' -H "Access-Control-Request-Headers;" -H "Access-Control-Request-Method: POST" -H "Origin:https://something.com" -XOPTIONS -v
Mon  1 Aug 2016 13:48:21 BST
*   Trying ::1...
* connect to ::1 port 15984 failed: Connection refused
*   Trying fe80::1...
* connect to fe80::1 port 15984 failed: Connection refused
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 15984 (#0)
> OPTIONS /_session HTTP/1.1
> Host: localhost:15984
> User-Agent: curl/7.43.0
> Accept: */*
> Access-Control-Request-Headers:
> Access-Control-Request-Method: POST
> Origin:https://something.com
> 
< HTTP/1.1 405 Method Not Allowed
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Origin: https://something.com
< Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
< Allow: GET,HEAD,POST,DELETE
< Cache-Control: must-revalidate
< Content-Length: 76
< Content-Type: application/json
< Date: Mon, 01 Aug 2016 12:48:21 GMT
< Server: CouchDB/b49d069 (Erlang OTP/18)
< 
{"error":"method_not_allowed","reason":"Only GET,HEAD,POST,DELETE allowed"}
* Connection #0 to host localhost left intact
{code}

A recent release of Chrome (52) has resulted in the browser sending this empty header instead of excluding it, which breaks CORS against CouchDB (both 1.6 and 2.0/master) - see https://github.com/nolanlawson/pouchdb-authentication/issues/111
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
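The following is an added example and not CouchDB code: a minimal CORS preflight handler that treats an absent Access-Control-Request-Headers header, an empty one, and a whitespace/comma-only one identically (no extra headers requested), which is the behaviour the 405 above violates. The origin and header allow-lists are assumptions for the demo; the 204 response shape mirrors the one in the report, and the two constructed inputs mirror the two curl invocations (curl's `-H "Name:"` drops the header entirely, while `-H "Name;"` sends it with an empty value).

```javascript
// Added example (not CouchDB code): a CORS preflight handler that treats an
// empty Access-Control-Request-Headers value the same as an absent one.
// The allow-lists below are assumptions for the demo; the response shape
// mirrors the 204 shown in the report.

const ALLOWED_ORIGINS = new Set(["https://something.com"]);                // assumption
const ALLOWED_METHODS = ["GET", "PUT", "POST", "HEAD", "DELETE"];           // as in the 204 response
const ALLOWED_HEADERS = new Set(["content-type", "accept", "authorization"]); // assumption

// Case-insensitive lookup of a header in a plain {name: value} object.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === want);
  return key === undefined ? undefined : headers[key];
}

// Parse Access-Control-Request-Headers into lowercased, de-duplicated names.
// Absent, empty, and whitespace/comma-only values all mean "no extra headers
// requested" and yield [], never an error.
function parseRequestHeaders(value) {
  if (value === undefined || value === null) return [];
  const names = new Set();
  for (const raw of String(value).split(",")) {
    const name = raw.trim().toLowerCase();
    if (name !== "") names.add(name);
  }
  return [...names];
}

// Answer an OPTIONS request. Returns null when it is not a CORS preflight
// (no Origin or no Access-Control-Request-Method) or the origin is not
// allowed, so the caller falls through to ordinary OPTIONS handling and
// emits no CORS headers at all.
function handlePreflight(method, headers) {
  if (method !== "OPTIONS") return null;
  const origin = getHeader(headers, "Origin");
  const reqMethod = getHeader(headers, "Access-Control-Request-Method");
  if (origin === undefined || reqMethod === undefined) return null;
  if (!ALLOWED_ORIGINS.has(origin.trim())) return null;

  // Echo back only the requested headers we actually allow; the browser
  // enforces the rest by failing the real request if something it needs
  // is missing from Access-Control-Allow-Headers.
  const requested = parseRequestHeaders(getHeader(headers, "Access-Control-Request-Headers"));
  const granted = requested.filter((h) => ALLOWED_HEADERS.has(h));

  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin.trim(),
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": granted.join(", "),
      "Access-Control-Max-Age": "600",
    },
  };
}

// Constructed inputs mirroring the two curl invocations in the report:
// `-H "Access-Control-Request-Headers:"` drops the header, `-H "...;"` sends it empty.
const preflightHeaderAbsent = {
  Host: "localhost:15984",
  Origin: "https://something.com",
  "Access-Control-Request-Method": "POST",
};
const preflightHeaderEmpty = {
  ...preflightHeaderAbsent,
  "Access-Control-Request-Headers": "",
};

const absent = handlePreflight("OPTIONS", preflightHeaderAbsent);
const empty = handlePreflight("OPTIONS", preflightHeaderEmpty);
console.log(absent.status, empty.status);                        // 204 204
console.log(JSON.stringify(absent) === JSON.stringify(empty));   // true
```

Both constructed requests produce the same 204 with an empty Access-Control-Allow-Headers value, which is what the first curl run on the page shows and what the second should have shown as well. Rejecting a disallowed origin by returning null rather than a 4xx is a design choice: the handler simply emits no CORS headers and the browser blocks the cross-origin call itself.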