Reputation: 140
Method not allowed — removing Access-Control-Request-Method from request headers in Angularjs
I'm currently trying a DELETE type of request with Angular ngResource on a Restful API located on another domain.
GET and PUT work fine.
DELETE works in the Advanced Rest Client Chrome extension but doesn't work when tried with Angular $resource.
I have noticed a difference in the headers sent, which are these two:
Access-Control-Request-Headers:accept
Access-Control-Request-Method:DELETE
When I try to add these two headers in Advanced Rest Client I get the following errors in the Chrome console:
Refused to set unsafe header "Access-Control-Request-Headers"
Refused to set unsafe header "Access-Control-Request-Method"
Finally the server (which is normally configured to accept cross-domain requests), when I try the DELETE request with Angular, sends the following response (with status 200 and method use OPTIONS):
Access-Control-Allow-Headers:*
Access-Control-Allow-Methods:*
Access-Control-Allow-Origin:*
Allow:PUT,DELETE
Cache-Control:private, must-revalidate
Connection:close
Content-Length:0
Content-Type:text/html; charset=UTF-8
Date:Thu, 12 Feb 2015 12:08:47 GMT
ETag:"d41d8cd98f00b204e9800998ecf8427e"
Server:Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/0.9.8o DAV/2 PHP/5.5.20
But I get the error:
XMLHttpRequest cannot load [URL]. Method DELETE is not allowed by Access-Control-Allow-Methods.
I suspect the first mentioned two headers to be the cause of the problem. Are they the problem and if yes how could I remove them?
If it can help, I tried configuring my $httpProvider (as seen in other questions/answers) and it currently looks like this:
delete $httpProvider.defaults.headers.common['X-Requested-With'];
delete $httpProvider.defaults.headers.common['Access-Control-Request-Method'];
delete $httpProvider.defaults.headers.common['Access-Control-Request-Headers'];
$httpProvider.defaults.headers.post['Content-Type'] = 'application/x-www-form-urlencoded;charset=utf-8';
Upvotes: 1
Views: 7241
Answers (1)
Reputation: 25797
Your server should set Access-Control-Allow-Methods header for response instead of Allow header like:
Access-Control-Allow-Methods:PUT,DELETE
Upvotes: 2
Related Questions
- Request header field Access-Control-Allow-Headers is not allowed by Access-Control-Allow-Headers
- Remove Authorization from request headers in particular http call
- Angular Rest API call returning 401 Unauthorized
- $http headers gets added under Access-Control-Request-Headers
- Request header field Authorization is not allowed (AngularJS rest api request)
- Request header field is not allowed by Access-Control-Allow-Headers with $http
- Request header field x-access-token is not allowed by Access-Control-Allow-Headers
- Request doesn't pass access control check: No 'Access-Control-Allow-Origin'
- $http.post - Request header field Authorization is not allowed by Access-Control-Allow-Headers
- access-control-header issues making an http request