COUCHDB-3090

Error when handling empty "Access-Control-Request-Headers" header

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: HTTP Interface
    • Labels: None

      Description

      Sending an empty "Access-Control-Request-Headers" header as part of a pre-flight request (as opposed to excluding it) causes CouchDB to respond with a 405 Method Not Allowed:

      With the header excluded:

      $ curl 'http://localhost:15984/_session' -H "Access-Control-Request-Headers:" -H "Access-Control-Request-Method: POST" -H "Origin:https://something.com" -XOPTIONS -v
      Mon  1 Aug 2016 13:48:26 BST
      *   Trying ::1...
      * connect to ::1 port 15984 failed: Connection refused
      *   Trying 127.0.0.1...
      * Connected to localhost (127.0.0.1) port 15984 (#0)
      > OPTIONS /_session HTTP/1.1
      > Host: localhost:15984
      > User-Agent: curl/7.43.0
      > Accept: */*
      > Access-Control-Request-Method: POST
      > Origin:https://something.com
      > 
      < HTTP/1.1 204 No Content
      < Access-Control-Allow-Credentials: true
      < Access-Control-Allow-Headers: 
      < Access-Control-Allow-Methods: GET, PUT, POST, HEAD, DELETE
      < Access-Control-Allow-Origin: https://something.com
      < Access-Control-Max-Age: 600
      < Content-Length: 0
      < Date: Mon, 01 Aug 2016 12:48:25 GMT
      < Server: CouchDB/b49d069 (Erlang OTP/18)
      < X-Couch-Request-ID: c68c601375
      < X-CouchDB-Body-Time: 0
      < 
      * Connection #0 to host localhost left intact
      

      With an empty header:

      $ curl 'http://localhost:15984/_session' -H "Access-Control-Request-Headers;" -H "Access-Control-Request-Method: POST" -H "Origin:https://something.com" -XOPTIONS -v
      Mon  1 Aug 2016 13:48:21 BST
      *   Trying ::1...
      * connect to ::1 port 15984 failed: Connection refused
      *   Trying fe80::1...
      * connect to fe80::1 port 15984 failed: Connection refused
      *   Trying 127.0.0.1...
      * Connected to localhost (127.0.0.1) port 15984 (#0)
      > OPTIONS /_session HTTP/1.1
      > Host: localhost:15984
      > User-Agent: curl/7.43.0
      > Accept: */*
      > Access-Control-Request-Headers:
      > Access-Control-Request-Method: POST
      > Origin:https://something.com
      > 
      < HTTP/1.1 405 Method Not Allowed
      < Access-Control-Allow-Credentials: true
      < Access-Control-Allow-Origin: https://something.com
      < Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
      < Allow: GET,HEAD,POST,DELETE
      < Cache-Control: must-revalidate
      < Content-Length: 76
      < Content-Type: application/json
      < Date: Mon, 01 Aug 2016 12:48:21 GMT
      < Server: CouchDB/b49d069 (Erlang OTP/18)
      < 
      {"error":"method_not_allowed","reason":"Only GET,HEAD,POST,DELETE allowed"}
      * Connection #0 to host localhost left intact
      

      A recent release of Chrome (52) has resulted in the browser sending this empty header instead of excluding it, resulting in CORS breaking against CouchDB (both 1.6 and 2.0/master) - see https://github.com/nolanlawson/pouchdb-authentication/issues/111
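      The behaviour described above comes down to how a preflight handler parses the Access-Control-Request-Headers value. The following is an added example, not CouchDB's Erlang implementation and not code from the linked PouchDB issue: a small CORS preflight handler that shows why a naive comma split turns an empty value into a request for one header with an empty name (and so a rejection), and how Fetch-style list parsing makes an empty header equal to an absent one. The allow-lists, function names and the sample requests are assumptions constructed for the demonstration.

```javascript
// Added example (not CouchDB's code): a CORS preflight handler that
// normalises Access-Control-Request-Headers so that an empty value is
// treated exactly like an absent header, as Fetch's header-list parsing
// does. The allow-lists below are assumptions for the demo.

const CORS = {
  origins: new Set(["https://something.com"]),
  methods: ["GET", "PUT", "POST", "HEAD", "DELETE"],
  // Header names a cross-origin request may carry (assumed allow-list).
  headers: ["accept", "authorization", "content-type", "origin", "referer"],
  maxAge: 600,
};

// The naive split: "".split(",") is [""], so an empty header value becomes a
// request for one header with an empty name, which no allow-list contains.
// This is the shape of failure the report describes.
function naiveParseHeaderList(value) {
  if (value === undefined || value === null) return [];
  return value.split(",").map((h) => h.trim().toLowerCase());
}

// Fetch-style parsing: split on commas, trim, lowercase, and drop empty
// tokens. "", "  " and ", ," all become [] and so equal an absent header.
function parseHeaderList(value) {
  if (value === undefined || value === null) return [];
  return value
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter((h) => h.length > 0);
}

// req.headers uses lowercase keys (as Node's http module does). Returns a
// plain {status, headers, body} so the logic can be checked without a server.
function handlePreflight(req, parse = parseHeaderList) {
  const h = req.headers;
  const origin = h["origin"];
  if (!origin || !CORS.origins.has(origin)) {
    return { status: 403, headers: {}, body: "origin not allowed" };
  }

  const method = (h["access-control-request-method"] || "").trim().toUpperCase();
  if (!CORS.methods.includes(method)) {
    return { status: 405, headers: { Allow: CORS.methods.join(",") }, body: "method not allowed" };
  }

  const requested = parse(h["access-control-request-headers"]);
  const denied = requested.filter((name) => !CORS.headers.includes(name));
  if (denied.length > 0) {
    return {
      status: 403,
      headers: {},
      body: "headers not allowed: " + denied.map((n) => JSON.stringify(n)).join(", "),
    };
  }

  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Methods": CORS.methods.join(", "),
      // Echo only what was asked for; with nothing requested this is empty.
      "Access-Control-Allow-Headers": requested.join(", "),
      "Access-Control-Max-Age": String(CORS.maxAge),
      Vary: "Origin",
    },
    body: "",
  };
}

// Constructed preflight requests mirroring the report: header absent vs. empty.
const base = { origin: "https://something.com", "access-control-request-method": "POST" };
const absentRequest = { method: "OPTIONS", headers: { ...base } };
const emptyRequest = { method: "OPTIONS", headers: { ...base, "access-control-request-headers": "" } };

// Status codes each parser yields for the two requests, for side-by-side comparison.
function compareParsers() {
  return {
    absent: {
      naive: handlePreflight(absentRequest, naiveParseHeaderList).status,
      fixed: handlePreflight(absentRequest).status,
    },
    empty: {
      naive: handlePreflight(emptyRequest, naiveParseHeaderList).status,
      fixed: handlePreflight(emptyRequest).status,
    },
  };
}
```

With the naive parser the absent case passes (204) while the empty case is refused, exactly the split the report shows; with the filtering parser both requests get the same 204 and an empty Access-Control-Allow-Headers, which is the response CouchDB already returns when the header is omitted. The same normalisation should be applied to the Access-Control-Request-Method value and to any other comma-separated list a server compares against an allow-list.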

      People

      • Assignee: Unassigned
      • Reporter: Will Holley (wilhol)