[jira] [Commented] (COUCHDB-2027) CORS should not require authentication on preflight OPTIONS request

Sat, 05 Apr 2014 06:22:35 -0700 

    [ 
https://issues.apache.org/jira/browse/COUCHDB-2027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13961082#comment-13961082
 ] 

Sasha Simkin commented on COUCHDB-2027:
---------------------------------------

j ermouth, require_valid_user already false.
As i say this request with right credentials works properly:
{code:javascript}
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://cors.enabled.crossorigin.couchdb:5984/dbname/";);
xhr.setRequestHeader("Authorization","Basic "+btoa("username:password"));
xhr.send();
{code}
This request works with any issues too:
{code:javascript}
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://cors.enabled.crossorigin.couchdb:5984/dbname/";);
xhr.send();
{code}

But when I try do such requests with jQuery - there is 405. Eg. (Request comes 
from http://localhost:3000 which present in [cors] origins)
{code}
Request URL:https://cors.enabled.crossorigin.couchdb/dbname/
Request Method:OPTIONS
Status Code:405 Method Not Allowed
Request Headersview parsed
OPTIONS /dbname/ HTTP/1.1
Host: cors.enabled.crossorigin.couchdb
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Access-Control-Request-Method: GET
Origin: http://localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/33.0.1750.149 Safari/537.36
Access-Control-Request-Headers: accept, x-csrf-token
Accept: */*
DNT: 1
Referer: http://localhost:3000/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
{code}
Here is response from server(CouchDb behind nginx, but such behaviour if not):
{code}
HTTP/1.1 405 Method Not Allowed
Server: nginx/1.4.7
Date: Sat, 05 Apr 2014 13:09:50 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 76
Connection: keep-alive
Cache-Control: must-revalidate
Allow: DELETE,GET,HEAD,POST
Access-Control-Expose-Headers: Content-Type, Server, Allow
Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Credentials: true
{code}
Such behaviour if I send OPTIONS request from curl with or without credentials.

> CORS should not require authentication on preflight OPTIONS request
> -------------------------------------------------------------------
>
>                 Key: COUCHDB-2027
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2027
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>            Reporter: Stéphane Alnet
>
> The discussion in https://github.com/daleharvey/pouchdb/issues/1003 points to 
> an issue whereby CouchDB is requiring authentication for preflight OPTIONS 
> message where it shouldn't.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to