Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Won't Fix
Description
With a CouchDB server running 1.5.0 (Iriscouch instance), and a database that is set to have one user as administrator and member (so no unauthenticated requests can view content of the database), I've run into an issue with cross-site requests:
CORS requests to POST endpoints get "preflighted" by making an OPTIONS request first. However, the preflight request has most headers stripped out, including authentication headers. So, when trying to access the POST _changes endpoint (http://docs.couchdb.org/en/latest/api/database/changes.html#post--db-_changes), if I create the XHR request with no authorization ("Access-Control-Request-Headers" header does not include "authorization"), the OPTIONS query works, but then the POST returns a 401, which seems correct.
However, if I create the XHR request with authorization ("Access-Control-Request-Headers" includes "authorization", but no Authorization header is in the OPTIONS request as a preflight request, nor any cookies that might be bearing a session authentication key), the OPTIONS call itself returns a 401 error, which aborts the call.
Having the OPTIONS call return a 401 like that kills all the cross-origin requests that need authorization, it seems?
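The sequence described in the report, as an added example that is not part of the original issue and not CouchDB's own code: a minimal CORS front-end written in Node.js that treats the preflight OPTIONS request as unauthenticated (the browser never attaches Authorization or cookies to it) and applies the database's credential check only to the actual request. The origin, allowed methods and headers, and the `alice:s3cret` credential are all assumed values; the `authenticatePreflight` option reproduces the 401-on-OPTIONS behaviour reported above so the two outcomes can be compared side by side.

```javascript
// Added example, not CouchDB code: a minimal CORS front-end that shows why a
// preflight OPTIONS request must not be gated on the database's auth check.
// Requests are plain objects {method, headers} with lower-cased header names.
// Origin, methods, headers and the credential below are all assumed values.

const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// Constructed credential for the hypothetical single member/admin user.
const VALID_BASIC = "Basic " + Buffer.from("alice:s3cret").toString("base64");

// A preflight is an OPTIONS request carrying Origin and
// Access-Control-Request-Method. The browser never attaches Authorization
// or cookies to it, whatever the actual request will carry.
function isPreflight(req) {
  return req.method === "OPTIONS" &&
    "origin" in req.headers &&
    "access-control-request-method" in req.headers;
}

// Credentialed CORS requires echoing the specific origin, never "*".
function corsHeaders(origin) {
  if (origin === undefined) return {};
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
    "vary": "Origin",
  };
}

function authenticate(req) {
  return req.headers["authorization"] === VALID_BASIC;
}

function parseRequestedHeaders(value) {
  return (value || "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
}

// opts.authenticatePreflight = true reproduces the behaviour in the report:
// the preflight itself is gated on credentials it can never carry, so every
// cross-origin request that lists "authorization" dies at the OPTIONS step.
function handle(req, opts = {}) {
  const origin = req.headers["origin"];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };
  }

  if (isPreflight(req)) {
    if (opts.authenticatePreflight && !authenticate(req)) {
      return { status: 401, headers: {} }; // browser aborts the whole request
    }
    const method = req.headers["access-control-request-method"];
    const requested = parseRequestedHeaders(req.headers["access-control-request-headers"]);
    if (!ALLOWED_METHODS.includes(method) ||
        !requested.every((h) => ALLOWED_HEADERS.includes(h))) {
      return { status: 403, headers: corsHeaders(origin) };
    }
    return {
      status: 204,
      headers: {
        ...corsHeaders(origin),
        "access-control-allow-methods": ALLOWED_METHODS.join(", "),
        "access-control-allow-headers": ALLOWED_HEADERS.join(", "),
        "access-control-max-age": "600",
      },
    };
  }

  // The actual request is where credentials arrive, so it is authorized here.
  // CORS headers go on the 401 too; without them the calling script sees only
  // a generic network error instead of the status code.
  if (!authenticate(req)) {
    return {
      status: 401,
      headers: { ...corsHeaders(origin), "www-authenticate": "Basic realm=\"db\"" },
    };
  }
  return { status: 200, headers: corsHeaders(origin), body: { ok: true } };
}

// Walk through the reported sequence: preflight for a credentialed POST.
const preflight = {
  method: "OPTIONS",
  headers: {
    origin: "https://app.example.test",
    "access-control-request-method": "POST",
    "access-control-request-headers": "authorization, content-type",
  },
};
console.log("fixed preflight:", handle(preflight).status); // 204
console.log("buggy preflight:", handle(preflight, { authenticatePreflight: true }).status); // 401
```

The split is the whole point: authorization belongs on the request that actually carries credentials, and the preflight only answers the question "would this origin, method and header set be acceptable at all?" Note also that once `Access-Control-Allow-Credentials: true` is sent, the allowed origin has to be a specific value rather than `*`, which is why the example keeps an explicit allow-list.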