CouchDB / COUCHDB-3090

Error when handling empty "Access-Control-Request-Headers" header

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: HTTP Interface
    • Labels:
      None

      Description

      Sending an empty "Access-Control-Request-Headers" header as part of a pre-flight request (as opposed to excluding it) causes CouchDB to respond with a 405 Method Not Allowed:

      With the header excluded:

      $ curl 'http://localhost:15984/_session' -H "Access-Control-Request-Headers:" -H "Access-Control-Request-Method: POST" -H "Origin:https://something.com" -XOPTIONS -v
      Mon  1 Aug 2016 13:48:26 BST
      *   Trying ::1...
      * connect to ::1 port 15984 failed: Connection refused
      *   Trying 127.0.0.1...
      * Connected to localhost (127.0.0.1) port 15984 (#0)
      > OPTIONS /_session HTTP/1.1
      > Host: localhost:15984
      > User-Agent: curl/7.43.0
      > Accept: */*
      > Access-Control-Request-Method: POST
      > Origin:https://something.com
      > 
      < HTTP/1.1 204 No Content
      < Access-Control-Allow-Credentials: true
      < Access-Control-Allow-Headers: 
      < Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE
      < Access-Control-Allow-Origin: https://something.com
      < Access-Control-Max-Age: 600
      < Content-Length: 0
      < Date: Mon, 01 Aug 2016 12:48:25 GMT
      < Server: CouchDB/b49d069 (Erlang OTP/18)
      < X-Couch-Request-ID: c68c601375
      < X-CouchDB-Body-Time: 0
      < 
      * Connection #0 to host localhost left intact
      

      With an empty header:

      $ curl 'http://localhost:15984/_session' -H "Access-Control-Request-Headers;" -H "Access-Control-Request-Method: POST" -H "Origin:https://something.com" -XOPTIONS -v
      Mon  1 Aug 2016 13:48:21 BST
      *   Trying ::1...
      * connect to ::1 port 15984 failed: Connection refused
      *   Trying fe80::1...
      * connect to fe80::1 port 15984 failed: Connection refused
      *   Trying 127.0.0.1...
      * Connected to localhost (127.0.0.1) port 15984 (#0)
      > OPTIONS /_session HTTP/1.1
      > Host: localhost:15984
      > User-Agent: curl/7.43.0
      > Accept: */*
      > Access-Control-Request-Headers:
      > Access-Control-Request-Method: POST
      > Origin:https://something.com
      > 
      < HTTP/1.1 405 Method Not Allowed
      < Access-Control-Allow-Credentials: true
      < Access-Control-Allow-Origin: https://something.com
      < Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
      < Allow: GET,HEAD,POST,DELETE
      < Cache-Control: must-revalidate
      < Content-Length: 76
      < Content-Type: application/json
      < Date: Mon, 01 Aug 2016 12:48:21 GMT
      < Server: CouchDB/b49d069 (Erlang OTP/18)
      < 
      {"error":"method_not_allowed","reason":"Only GET,HEAD,POST,DELETE allowed"}
      * Connection #0 to host localhost left intact
      

      A recent release of Chrome (52) has resulted in the browser sending this empty header instead of excluding it, resulting in CORS breaking against CouchDB (both 1.6 and 2.0/master) - see https://github.com/nolanlawson/pouchdb-authentication/issues/111


          Activity

          githubbot ASF GitHub Bot added a comment -

          GitHub user willholley opened a pull request:

          https://github.com/apache/couchdb-chttpd/pull/135

          Handle empty "Access-Control-Request-Headers" header

          When "Access-Control-Request-Headers" is empty, return an empty
          "Access-Control-Allow-Headers" in the response. This is the same
          behaviour as when the "Access-Control-Request-Headers" header is
          omitted from the request entirely.

          Fixes COUCHDB-3090

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/willholley/couchdb-chttpd 3090-handle-empty-access-control-request-headers

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/couchdb-chttpd/pull/135.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #135


          commit 232bfe6d37b079096d1db4f786ff9c3c403c1fba
          Author: Will Holley <willholley@gmail.com>
          Date: 2016-08-01T16:57:44Z

          Handle empty "Access-Control-Request-Headers" header

          When "Access-Control-Request-Headers" is empty, return an empty
          "Access-Control-Allow-Headers" in the response. This is the same
          behaviour as when the "Access-Control-Request-Headers" header is
          omitted from the request entirely.

          Fixes COUCHDB-3090
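The behaviour described in the report and in the pull request above (an empty Access-Control-Request-Headers value handled exactly like an omitted one, answered with an empty Access-Control-Allow-Headers) as an added JavaScript example. This is not CouchDB's or chttpd's own code; the origin allow-list, the allowed header names, the 403/405 status choices and the response object shape are assumptions made for the illustration. It also fails closed on origins and request headers it does not recognise, which is the check a pre-flight handler should make before echoing anything back with Access-Control-Allow-Credentials set.

```javascript
// Added example (not CouchDB's or chttpd's code): a minimal CORS pre-flight
// handler that treats an empty Access-Control-Request-Headers header the same
// as an omitted one, as the fix for COUCHDB-3090 describes. The allow-lists,
// status codes and response shape below are assumptions for the illustration.

const ALLOWED_ORIGINS = new Set(["https://something.com"]); // assumed configuration
const ALLOWED_METHODS = ["GET", "PUT", "POST", "HEAD", "DELETE"];
const ALLOWED_HEADERS = new Set(["content-type", "authorization", "x-csrf-token"]); // assumed

// HTTP field names are case-insensitive, so key the header map by lower-case name.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Parse Access-Control-Request-Headers into lower-case field names.
// An absent header, an empty value ("") and a whitespace-only value all yield [],
// so the empty case takes the same path as the omitted case.
function parseRequestHeaders(value) {
  if (value === undefined || value === null) return [];
  return value
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter((h) => h.length > 0);
}

// Returns { status, headers, body } for an OPTIONS pre-flight request.
function handlePreflight(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const origin = h["origin"];
  const method = (h["access-control-request-method"] || "").trim().toUpperCase();

  // Without an Origin this is not a CORS request; nothing to negotiate.
  if (origin === undefined) return { status: 400, headers: {}, body: "missing Origin" };
  // Only reflect origins on the allow-list; never "*" together with credentials.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {}, body: "origin not allowed" };
  if (!ALLOWED_METHODS.includes(method)) {
    return { status: 405, headers: { Allow: ALLOWED_METHODS.join(",") }, body: "method not allowed" };
  }

  const requested = parseRequestHeaders(h["access-control-request-headers"]);
  const disallowed = requested.filter((name) => !ALLOWED_HEADERS.has(name));
  if (disallowed.length > 0) {
    // Refuse rather than silently echoing back everything the client asked for.
    return { status: 403, headers: {}, body: `header(s) not allowed: ${disallowed.join(", ")}` };
  }

  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      // Empty when nothing (or an empty list) was requested, matching the fixed behaviour.
      "Access-Control-Allow-Headers": requested.join(", "),
      "Access-Control-Max-Age": "600",
      "Vary": "Origin",
    },
    body: "",
  };
}

// Constructed sample pre-flights mirroring the two curl runs in the report:
// one with the header omitted, one with it present but empty (what Chrome 52 sends).
const omitted = handlePreflight({
  "Origin": "https://something.com",
  "Access-Control-Request-Method": "POST",
});
const empty = handlePreflight({
  "Origin": "https://something.com",
  "Access-Control-Request-Method": "POST",
  "Access-Control-Request-Headers": "",
});
console.log(omitted.status, JSON.stringify(omitted.headers["Access-Control-Allow-Headers"]));
console.log(empty.status, JSON.stringify(empty.headers["Access-Control-Allow-Headers"]));
```

Run it with node: both constructed requests get a 204 with an empty Access-Control-Allow-Headers, instead of one 204 and one 405 as in the curl transcripts. A request naming a header outside the allow-list, or coming from an origin outside it, is refused rather than reflected.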


          nolanlawson Nolan Lawson added a comment -

          I've filed an issue on Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=633729

          jira-bot ASF subversion and git services added a comment -

          Commit 086567c962a3a99cefd1dd97706cd9db8522b27a in couchdb-chttpd's branch refs/heads/master from Will Holley
          [ https://git-wip-us.apache.org/repos/asf?p=couchdb-chttpd.git;h=086567c ]

          Handle empty "Access-Control-Request-Headers" header

          When "Access-Control-Request-Headers" is empty, return an empty
          "Access-Control-Allow-Headers" in the response. This is the same
          behaviour as when the "Access-Control-Request-Headers" header is
          omitted from the request entirely.

          Fixes COUCHDB-3090

          githubbot ASF GitHub Bot added a comment -

          Github user asfgit closed the pull request at:

          https://github.com/apache/couchdb-chttpd/pull/135

          nolanlawson Nolan Lawson added a comment -

          FWIW I've found the same bug in Safari. It's now officially a browser bug and not a CouchDB bug, because they changed the spec to work around CouchDB's behavior 🙃 https://github.com/w3c/web-platform-tests/pull/4556

          WebKit bug: https://bugs.webkit.org/show_bug.cgi?id=169851


            People

            • Assignee: Unassigned
            • Reporter: wilhol Will Holley
            • Votes: 1
            • Watchers: 5