Access-Control-Allow-Methods wildcard failing for PUT request
Reported by
philip.r...@gmail.com,
Dec 22 2017
|
||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36 Steps to reproduce the problem: 1. Setup a CORS enabled server request that responds with a Access-Control-Allow-Methods: * header 2. Make a PUT request with preflight to this API What is the expected behavior? Preflight response is interpreted as allowing PUT requests What went wrong? Browser denies the PUT request with the following error: Method PUT is not allowed by Access-Control-Allow-Methods in preflight response. Did this work before? N/A Does this work in other browsers? N/A Chrome version: 63.0.3239.84 Channel: n/a OS Version: OS X 10.12.6 Flash Version:
,
Dec 26 2017
@Reporter: It would be highly helpful if provided with the URL which is causing the issue, that helps us to triage it in a better way.
,
Jan 3 2018
,
Jan 4 2018
the value * is not allowed with a credentialed request
,
Jan 11 2018
I see this in the spec now. Thanks! However, when a Access-Control-Allow-Credentials header with value 'true' is accompanied by a wildcard Access-Control-Allow-Origin header, there is a helpful error message indicating explicitly that this is not allowed. It might be a good idea to show a similar error for a wildcard Access-Control-Allow-Methods header (as well as Access-Control-Allow-Headers and Access-Control-Expose-Headers). |
||||
►
Sign in to add a comment |
||||
Comment 1 by lgrey@chromium.org
, Dec 22 2017