Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Won't Fix
Description
Sending an empty "Access-Control-Request-Headers" header as part of a pre-flight request (as opposed to excluding it) causes CouchDB to respond with a 405 Method Not Allowed:
With the header excluded:
$ curl 'http://localhost:15984/_session' -H "Access-Control-Request-Headers:" -H "Access-Control-Request-Method: POST" -H "Origin:https://something.com" -XOPTIONS -v    Mon 1 Aug 2016 13:48:26 BST
*   Trying ::1...
* connect to ::1 port 15984 failed: Connection refused
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 15984 (#0)
> OPTIONS /_session HTTP/1.1
> Host: localhost:15984
> User-Agent: curl/7.43.0
> Accept: */*
> Access-Control-Request-Method: POST
> Origin:https://something.com
>
< HTTP/1.1 204 No Content
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers:
< Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE
< Access-Control-Allow-Origin: https://something.com
< Access-Control-Max-Age: 600
< Content-Length: 0
< Date: Mon, 01 Aug 2016 12:48:25 GMT
< Server: CouchDB/b49d069 (Erlang OTP/18)
< X-Couch-Request-ID: c68c601375
< X-CouchDB-Body-Time: 0
<
* Connection #0 to host localhost left intact
With an empty header:
$ curl 'http://localhost:15984/_session' -H "Access-Control-Request-Headers;" -H "Access-Control-Request-Method: POST" -H "Origin:https://something.com" -XOPTIONS -v    Mon 1 Aug 2016 13:48:21 BST
*   Trying ::1...
* connect to ::1 port 15984 failed: Connection refused
*   Trying fe80::1...
* connect to fe80::1 port 15984 failed: Connection refused
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 15984 (#0)
> OPTIONS /_session HTTP/1.1
> Host: localhost:15984
> User-Agent: curl/7.43.0
> Accept: */*
> Access-Control-Request-Headers:
> Access-Control-Request-Method: POST
> Origin:https://something.com
>
< HTTP/1.1 405 Method Not Allowed
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Origin: https://something.com
< Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
< Allow: GET,HEAD,POST,DELETE
< Cache-Control: must-revalidate
< Content-Length: 76
< Content-Type: application/json
< Date: Mon, 01 Aug 2016 12:48:21 GMT
< Server: CouchDB/b49d069 (Erlang OTP/18)
<
{"error":"method_not_allowed","reason":"Only GET,HEAD,POST,DELETE allowed"}
* Connection #0 to host localhost left intact
A recent Chrome release (52) sends this empty header instead of omitting it, which breaks CORS against CouchDB (both 1.6 and 2.0/master); see https://github.com/nolanlawson/pouchdb-authentication/issues/111
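An added example (not CouchDB's code) of a preflight handler that, per the Fetch spec, treats an empty Access-Control-Request-Headers list exactly like an absent one, so the Chrome 52 request above gets a 204 rather than falling through to the plain OPTIONS 405. The `treat_empty_list_as_absent=False` path is only a simplified model of the reported behaviour, and the allowlists, the 403 for rejected preflights and the sample request are constructed.

```python
# Constructed allowlists for this example; CouchDB reads its own from the [cors] config.
ALLOWED_ORIGINS = {"https://something.com"}
ALLOWED_METHODS = ["GET", "PUT", "POST", "HEAD", "DELETE"]
ALLOWED_HEADERS = {"accept", "authorization", "content-type"}
PLAIN_OPTIONS_ALLOW = "GET,HEAD,POST,DELETE"  # what a non-preflight OPTIONS on /_session gets

def normalize(headers):
    """Lower-case header names and strip whitespace around values."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}

def requested_headers(h):
    """Parse Access-Control-Request-Headers as a comma-separated token list.
    An absent header and an empty one (what Chrome 52 sends) both mean 'none'."""
    raw = h.get("access-control-request-headers", "")
    return [t.strip().lower() for t in raw.split(",") if t.strip()]

def is_preflight(method, h, treat_empty_list_as_absent=True):
    """Per Fetch, a preflight is OPTIONS + Origin + Access-Control-Request-Method;
    the header list is optional and may legitimately be empty."""
    if method != "OPTIONS" or "origin" not in h or "access-control-request-method" not in h:
        return False
    if not treat_empty_list_as_absent and h.get("access-control-request-headers") == "":
        # Simplified model of the reported behaviour (not CouchDB's code): the empty
        # list header makes the request fall through to the ordinary OPTIONS handler.
        return False
    return True

def handle_options(method, headers, treat_empty_list_as_absent=True):
    """Return (status, response headers) for an OPTIONS request."""
    h = normalize(headers)
    if not is_preflight(method, h, treat_empty_list_as_absent):
        return 405, {"Allow": PLAIN_OPTIONS_ALLOW}
    origin, asked = h["origin"], requested_headers(h)
    # Reject unknown origins, methods or headers instead of echoing them back.
    if origin not in ALLOWED_ORIGINS or h["access-control-request-method"].upper() not in ALLOWED_METHODS:
        return 403, {}
    if any(name not in ALLOWED_HEADERS for name in asked):
        return 403, {}
    return 204, {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Access-Control-Allow-Headers": ", ".join(asked),  # only what was asked for and allowed
        "Access-Control-Max-Age": "600",
    }

# Constructed request matching the report's second curl run (the Chrome 52 shape).
CHROME52_PREFLIGHT = {"Origin": "https://something.com", "Access-Control-Request-Method": "POST",
                      "Access-Control-Request-Headers": ""}
```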