
I've installed Luracast's Restler API framework and am having marvelous success with it all except when sending PUT or DELETE across domains. The below works fine when all on the same server, but when I cross domains, Firebug shows the PUT or GET as OPTIONS, and it is not found on the server. Am baffled how to stop "OPTIONS" being sent instead of PUT or DELETE.

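    $.ajax({
        url: url,
        type: 'PUT',
        // Passing an object lets jQuery URL-encode the value.
        data: { thename: $('#TheName').val() },
        // success receives (data, textStatus, jqXHR); the first argument is the parsed body.
        success: function(data, status) {
            console.info(data);
        },
        error: function(xhr, status) {
            console.info(xhr.responseText);
        },
        // complete receives (jqXHR, textStatus) and runs after success or error.
        complete: function(xhr, status) {
            $('#showResponse').val(xhr.responseText);
        }
    });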

Per another thread somewhere, I've added the below to the Restler output:

    header('Access-Control-Allow-Origin: *');
    header('Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS');

PUT/GET/POST/DELETE on localhost and on crossdomain

GDP

1 Answer


You've got the right response headers, but you have to have your server respond to an OPTIONS request with those headers, too.

This is a cross-origin request, and is subject to something called preflighting. Before making the PUT or DELETE request the browser asks the target web server if it's safe to do so from a web page at another domain. It asks that using the OPTIONS method. Unless the target server says it's okay, the web browser will never make the PUT or DELETE request. It has to preflight the request, because once it's made the PUT or DELETE, it's too late to honor the response; sensitive information may have been leaked.

GET and POST are a bit more complicated, as sometimes the browser decides they are safe without asking first, while other times the browser will also do a preflight check. It depends on whether certain headers are used in the request.

The CORS spec has the gory details. The bottom line is that the code on your web page will not be allowed to make these requests unless the target web server supports the OPTIONS method, and the response to the OPTIONS method includes the headers saying that such requests are allowed.

Charles Engelke
  • Okay, that makes sense. Having never knowingly dealt with preflighting, do you happen to have a simple example of how to properly handle/implement the first OPTION call, and presumably, the following PUT call? – GDP Jan 21 '13 at 19:25
  • I guess I'm confused about how to set up the target web server to allow OPTIONS (I just added that to the allowed options, but with the same result), and then to recognize/handle a response that says such requests are allowed. – GDP Jan 21 '13 at 19:39
  • Sorry, I don't know anything about the Luracast Restler API framework. Does it run under Apache? – Charles Engelke Jan 21 '13 at 19:56
  • Yes, it does. It works wonderfully, I just can't get the Apache side right. Details at http://restler3.luracast.com/examples/_007_crud/readme.html – GDP Jan 21 '13 at 19:59
  • Sorry, I think you're going to have to figure out how to make it run in that specific framework. – Charles Engelke Jan 21 '13 at 21:38
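
One way to answer the preflight described in the answer above, in plain PHP (7.1+) placed ahead of the framework's request handling. This is an added example, not part of the original thread and not Restler's own code. The origin, the header allowlist and the max-age value are assumptions; an explicit origin list is used in place of the wildcard because the API accepts PUT and DELETE.

```php
<?php
// Constructed allowlists (assumptions); replace with your own values.
const ALLOWED_ORIGINS = ['https://app.example.com'];
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'];
const ALLOWED_HEADERS = ['content-type', 'x-requested-with'];

// Returns [headers to send, true if this is a preflight to answer right away].
function cors_decide(string $method, ?string $origin, ?string $reqMethod, ?string $reqHeaders): array
{
    $headers = ['Vary: Origin'];   // the response differs per Origin, so caches must key on it
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return [$headers, false];  // no CORS headers: the browser will not send the PUT/DELETE
    }
    $headers[] = 'Access-Control-Allow-Origin: ' . $origin;

    // A preflight is an OPTIONS request that carries Access-Control-Request-Method.
    if ($method !== 'OPTIONS' || $reqMethod === null) {
        return [$headers, false];  // actual request: fall through to the API
    }
    // Header names the page wants to send, lower-cased and trimmed.
    $asked = array_filter(array_map('trim', explode(',', strtolower((string) $reqHeaders))));
    if (in_array($reqMethod, ALLOWED_METHODS, true)
        && array_diff($asked, ALLOWED_HEADERS) === []) {
        $headers[] = 'Access-Control-Allow-Methods: ' . implode(', ', ALLOWED_METHODS);
        $headers[] = 'Access-Control-Allow-Headers: ' . implode(', ', ALLOWED_HEADERS);
        $headers[] = 'Access-Control-Max-Age: 600';  // let the browser cache the answer
    }
    return [$headers, true];
}

// Skipped on the command line, where there is no HTTP request to answer.
if (PHP_SAPI !== 'cli') {
    [$headers, $isPreflight] = cors_decide(
        $_SERVER['REQUEST_METHOD'],
        $_SERVER['HTTP_ORIGIN'] ?? null,
        $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] ?? null,
        $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] ?? null
    );
    foreach ($headers as $line) {
        header($line);
    }
    if ($isPreflight) {
        http_response_code(204);  // empty reply; the browser then sends the real PUT/DELETE
        exit;
    }
}
```

The actual PUT or DELETE response must carry `Access-Control-Allow-Origin` as well, which is why the header is set before the preflight check rather than only inside it.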