PATCH request not allowed with CORS?


Jonathan Griffiths

Oct 1, 2013, 1:42:23 PM
to pytho...@googlegroups.com
Hey.

I've got a CORS setup (basically two servers running on the same network) for testing, and, while I have got it working nicely for GET requests, I can't seem to PATCH without getting this error

XMLHttpRequest cannot load http://192.168.2.102:8080/tokens/5239fcd94453495cae0000a7/. Origin http://localhost:8383 is not allowed by Access-Control-Allow-Origin.

The relevant part of my settings.py looks like this

SERVER_NAME = '192.168.2.102:8080'
HATEOAS = False
DEBUG = False
PROJECTION = True
RESOURCE_METHODS = ['GET', 'POST']
ITEM_METHODS = ['GET', 'PATCH', 'DELETE']
PUBLIC_METHODS = ['GET', 'PATCH', 'POST', 'DELETE']
X_DOMAINS = "*"
X_HEADERS = ['Content-Type', 'If-Match']

The last thing I tried was the PUBLIC_METHODS part, but that didn't do anything at all. I have also tried to specifically set the X_DOMAIN to match my client server (the localhost:8383 one), but also to no avail.

Any light to be shed on this would be greatly appreciated.

All the best
/Jonathan.

Nicola Iarocci

Oct 2, 2013, 5:03:54 AM
to pytho...@googlegroups.com
Hello,

Could you try sending an OPTIONS request to the Eve server with Postman or curl, to see what CORS headers you are getting back?

- Nicola

Jonathan Griffiths

Oct 2, 2013, 6:21:11 AM
to pytho...@googlegroups.com
These are the headers coming from a different location on the network

    Access-Control-Allow-Headers: Content-Type, If-Match
    Access-Control-Allow-Max-Age: 21600
    Access-Control-Allow-Methods: HEAD, GET, POST, OPTIONS
    Access-Control-Allow-Origin: *
    Allow: HEAD, GET, POST, OPTIONS
    Content-Length: 0
    Content-Type: text/html; charset=utf-8
    Date: Wed, 02 Oct 2013 10:07:42 GMT
    Server: Eve/0.1 Werkzeug/0.9.4 Python/2.7.5


    Jonathan Griffiths

    Oct 2, 2013, 6:45:08 AM
    to pytho...@googlegroups.com
    Just tried an OPTIONS request on an individual document (token) and received these headers.


    Access-Control-Allow-Headers: Content-Type, If-Match
    Access-Control-Allow-Max-Age: 21600
    Access-Control-Allow-Methods: HEAD, GET, POST, DELETE, OPTIONS, PATCH
    Access-Control-Allow-Origin: *
    Allow: HEAD, GET, POST, DELETE, OPTIONS, PATCH
    Content-Length: 0
    Content-Type: text/html; charset=utf-8
    Date: Wed, 02 Oct 2013 10:42:47 GMT
    Server: Eve/0.1 Werkzeug/0.9.4 Python/2.7.5

    So now I really can't see why it's not working

    Jonathan Griffiths

    Oct 2, 2013, 7:39:18 AM
    to pytho...@googlegroups.com
    Been checking in Chrome console for the request going out on the PATCH request

    first the OPTIONS is being sent (as always for CORS requests):
    Request URL:
    Request Method: OPTIONS
    Status Code: 200 OK

    Request Headers
      Accept: */*
      Accept-Encoding: gzip,deflate,sdch
      Accept-Language: en-GB,en;q=0.8,sv;q=0.6,es;q=0.4
      Access-Control-Request-Headers: accept, origin, if-match, content-type
      Access-Control-Request-Method: PATCH
      Connection: keep-alive
      Host:
      Origin:
      Referer:
      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36

    Response Headers
      Access-Control-Allow-Headers: Content-Type, If-Match
      Access-Control-Allow-Max-Age: 21600
      Access-Control-Allow-Methods: HEAD, GET, POST, DELETE, OPTIONS, PATCH
      Access-Control-Allow-Origin: *
      Allow: HEAD, GET, POST, DELETE, OPTIONS, PATCH
      Content-Length: 0
      Content-Type: text/html; charset=utf-8
      Date: Wed, 02 Oct 2013 11:32:31 GMT
      Server: Eve/0.1 Werkzeug/0.9.4 Python/2.7.5

    Then the actual PATCH request:

    Request URL:

    Request Headers
      PATCH http://192.168.2.102:8080/tokens/5239fcd94453495cae0000a7/ HTTP/1.1
      Accept: application/json, text/javascript, */*; q=0.01
      Referer: http://localhost:8383/RPG_Admin_Client/index.html
      Origin: http://localhost:8383
      If-Match: 22fb5c3b1547e8dcdc2e0b433285799d7c3ab2d5
      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36
      Content-Type: application/json

    Request Payload
      {"text":"income taxes","etag":"22fb5c3b1547e8dcdc2e0b433285799d7c3ab2d5","color":"aa9999","shortcode":"Tx"}
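
An added example (not part of the original posts, and not Eve's code): the check a browser applies to a preflight response, run against the two sets of OPTIONS response headers posted in this thread. It assumes a non-credentialed request, treats `accept` as safelisted and `origin` as set by the browser, and all function names are illustrative.

```python
# Added example, not Eve's code: the preflight decision for a non-credentialed request.
SAFELISTED = {"accept", "accept-language", "content-language"}  # never need listing
BROWSER_SET = {"origin"}  # set by the browser itself (assumption: ignored here)

# Response headers copied from the two OPTIONS replies posted in the thread.
FIRST_RESPONSE = """\
Access-Control-Allow-Headers: Content-Type, If-Match
Access-Control-Allow-Methods: HEAD, GET, POST, OPTIONS
Access-Control-Allow-Origin: *
"""
ITEM_RESPONSE = """\
Access-Control-Allow-Headers: Content-Type, If-Match
Access-Control-Allow-Methods: HEAD, GET, POST, DELETE, OPTIONS, PATCH
Access-Control-Allow-Origin: *
"""

def parse_headers(text):
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def tokens(value, fold=str.lower):
    """Split a comma-separated header value into a set of normalised tokens."""
    return {fold(t.strip()) for t in value.split(",") if t.strip()}

def preflight_failures(response_text, origin, method, request_headers):
    """Return the reasons a browser would block the request; [] means it passes."""
    resp = parse_headers(response_text)
    failures = []
    if resp.get("access-control-allow-origin") not in ("*", origin):
        failures.append("origin not allowed: " + origin)
    allowed = tokens(resp.get("access-control-allow-methods", ""), str.upper)
    if method.upper() not in allowed | {"GET", "HEAD", "POST"}:
        failures.append("method not allowed: " + method.upper())
    needed = tokens(request_headers) - SAFELISTED - BROWSER_SET
    missing = needed - tokens(resp.get("access-control-allow-headers", ""))
    failures += ["header not allowed: " + h for h in sorted(missing)]
    return failures

if __name__ == "__main__":
    sent = "accept, origin, if-match, content-type"  # from the Chrome capture
    for label, resp in (("first", FIRST_RESPONSE), ("item", ITEM_RESPONSE)):
        print(label, preflight_failures(resp, "http://localhost:8383", "PATCH", sent))
```

The item endpoint's response passes this check for PATCH, so when the browser still reports a CORS error the place to look is the response to the PATCH itself, which the browser also checks for `Access-Control-Allow-Origin`.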


    Nicola Iarocci

    Oct 2, 2013, 8:32:59 AM
    to pytho...@googlegroups.com
    Hello,

    try commenting out the X_HEADERS settings and see what happens.

    Also, when a request contains an Origin header, Eve will always attach the CORS headers, even when the method is not OPTIONS. A perfectly-compliant CORS server is probably supposed to include CORS headers *only* on pre-flight requests (actually I'm not 100% positive on this). Could that be a problem for your client? I could push a cors-only-in-pre-flights branch to the repo, if you're willing to install it and see if it helps?

    - Nicola

    Jonathan Griffiths

    Oct 2, 2013, 8:39:21 AM
    to pytho...@googlegroups.com
    Hi again.

    Just tried that, but doing so made even the GET requests I'm doing fail (It took me quite a while to figure out to put the X_HEADERS in there to begin with ;))

    Very much willing to try a different branch if you have the possibility to try it.

    cheers
    /J

    Jonathan Griffiths

    Oct 2, 2013, 9:04:43 AM
    to pytho...@googlegroups.com
    Hi Again.

    Turns out I won't need the different branch after all.

    It was all down to me passing along the current etag along with the updated object. Once I removed that, it worked fine. However, it's still quite annoying that the error message I received in NetBeans didn't tell me that to begin with.

    Sorry for wasting your time (again?)

    all the best
    /J.

    Nicola Iarocci

    Oct 2, 2013, 9:26:15 AM
    to pytho...@googlegroups.com
    That's good to hear.

    - Nicola
