CODEWITHSUNDEEP
jqueryajaxxmlhttprequestcorshttp-delete
bodokaiser
bodokaiser

Reputation: 15752

jQuery CORS delete fails

I have two domains:

  1. accounts.example.org
  2. app.example.org

Now I want to do a HTTP DELETE request from app.example.org to accounts.example.org/session.

$.ajax({
  url: "http://accounts.example.org/session",
  type: "DELETE"
});

Nothing really different. Headers from accounts.example.org to allow CORS are:

Access-Control-Allow-Origin: http://app.example.org
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: X-Requested-With, Content-Type

So the AJAX call fails now and tells me that there is a problem with the CORS headers... I took a closer look at the AJAX options and found that jQuery doesn't directly do a DELETE:

Request URL:http://accounts.example.org/session
Request Method:OPTIONS
Status Code:200 OK
Request Headersview source
Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Access-Control-Request-Headers:origin, accept
Access-Control-Request-Method:DELETE
Connection:keep-alive
Host:accounts.example.org
Origin:http://app.example.org
Referer:http://app.example.org/

Does somebody know what this can be?

Server Backend is node.js with express as framework.

Regards

UPDATE

I can now specify the issue:

The problem is that the browser does an OPTIONS request before PUT and DELETE (GET and POST work). This is done because the browser wants to check the CORS policy before doing the real request. For some reason express doesn't handle this request (the response headers are empty). So the browser returns that the CORS policy forbids the request.

I alread tried:

  1. setting headers with app.use
  2. with app.all
  3. with app.options

No reactions. Sounds like that there could be a bug ...

Upvotes: 2

Views: 1972

Answers (1)

Pablo Jomer
Pablo Jomer

Reputation: 10378

What browser is it? I know it works in chrome atleast. This is what jQuery homepage states about PUT and delete.

"The type of request to make ("POST" or "GET"), default is "GET". Note: Other HTTP request methods, such as PUT and DELETE, can also be used here, but they are not supported by all browsers."

Upvotes: 2

Related Questions