10

I'm trying to send a cross-origin DELETE request from Chrome using jQuery.

However, that fail with the following error message being logged in the developer console:

XMLHttpRequest cannot load http://actual/url/here. Method DELETE is not allowed by Access-Control-Allow-Methods.

The javascript code is running on localhost and looks like this:

$.ajax({
    type: "DELETE",
    url: "http://actual/url/here",
    xhrFields: {
        withCredentials: true
    }
});

This results in a pre-flight request like this being sent:

OPTIONS http://actual/url/here HTTP/1.1
Host: actual
Connection: keep-alive
Access-Control-Request-Method: DELETE
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Access-Control-Request-Headers: accept
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

And the response looks like this:

HTTP/1.1 200 OK
Cache-Control: must-revalidate, private
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Access-Control-Allow-Methods: DELETE GET HEAD POST PUT OPTIONS TRACE
Access-Control-Allow-Headers: accept
Access-Control-Max-Age: 900
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Date: Wed, 11 Mar 2015 15:03:46 GMT

As far as I can tell this is just fine. The client checks whether DELETE is allowed by sending Access-Control-Request-Method: DELETE and the server says that it is allowed by responding with Access-Control-Allow-Methods: DELETE GET HEAD POST PUT OPTIONS TRACE.

However, no DELETE request is ever sent and the error message (above) is reported instead. Why?

Mårten Wikström
  • 11,074
  • 5
  • 47
  • 87
  • Maybe you haven't handled the OPTIONS prerequisite for other verbs not properly on the server: http://stackoverflow.com/questions/20144847/slim-framework-jquery-ajax-request-method-delete-is-not-allowed-by-access – makeitmorehuman Mar 11 '15 at 15:24

2 Answers2

25

The value of Access-Control-Allow-Methods needs to be a comma separated list, not a space separated one.

From MDN:

Access-Control-Allow-Methods: <method>[, <method>]*
Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • http://www.w3.org/TR/cors/#access-control-allow-methods-response-header says that the syntax is `"Access-Control-Allow-Methods" ":" #Method`. Does the `#` tell us to separate tokens by comma? – Mårten Wikström Mar 11 '15 at 15:33
  • 3
    "A construct "#" is defined, similar to "*", for defining lists of elements. The full form is "#element" indicating at least and at most elements, each separated by one or more commas (",") and OPTIONAL linear white space (LWS)." — http://tools.ietf.org/html/rfc2616#section-2.1 – Quentin Mar 11 '15 at 15:35
0

In my case below configuration working. Hopefully this will help someone. Add this to your Web APIs "web.config" under the section <system.webServer>. I forgot where did I get this informaiton from.

<modules>
  <remove name="WebDAVModule" />
</modules>
 <httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="DENY" />
    <add name="Access-Control-Allow-Methods" value="*" />
    <add name="Access-Control-Allow-Headers" value="*" />
  </customHeaders>
</httpProtocol>
<handlers>
  <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
  <remove name="OPTIONSVerbHandler" />
  <remove name="TRACEVerbHandler" />
  <remove name="WebDAV" />
  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
Shakoor Hussain Attari
  • 1,641
  • 13
  • 8