7

When I send a delete request to a certain endpoint, for example with httpie from terminal like

http delete http://localhost:8181/admin/applications/uspecs

I get a valid behavior, as in { success: true } as response body. But when I do 

fetch (
  'http://localhost:8181/admin/applications/uspecs',
  { method: 'DELETE' }
)
.then(res => doSomethingWithResponse())
.catch(err => console.error(err))

In javascript code, then I get a 

Fetch API cannot load http://localhost:8181/admin/applications/uspecs.
Method DELETE is not allowed by Access-Control-Allow-Methods in preflight response.

error on the console. What am I missing? I am getting a valid methods list on options request.

nabn
  • 2,324
  • 24
  • 26
  • Read about cross-origin resource sharing (CORS) - http://stackoverflow.com/questions/25845203/understanding-cors. – Ondrej Svejdar Feb 22 '16 at 08:39
  • In the OPTIONS response, I am getting `allow: DELETE, HEAD, GET, OPTIONS, POST` list. That should do it, no? @OndrejSvejdar – nabn Feb 22 '16 at 08:45
  • Can you use fiddler composer to send OPTIONS request to the endpoint and post the response you're getting. Also the post is confusing - make sure the OPTIONS and DELETE request are send to the same endpoint (in your post those are different). – Ondrej Svejdar Feb 22 '16 at 08:51
  • updated. @OndrejSvejdar – nabn Feb 22 '16 at 09:06
  • 2
    I don't see any OPTIONS response in your post. please post the full response headers to that request. – ThiefMaster Feb 22 '16 at 09:09
  • When you do a http request from a browser, it automatically sends the OPTIONS request. Here's what it looks like: http://imgur.com/YQ0jVQR – nabn Feb 22 '16 at 09:44
  • @ThiefMaster http://imgur.com/YQ0jVQR – nabn Feb 22 '16 at 09:45
  • Assuming you have a node/express backend, you need to add this in a middleware to allow CORS: `res.header('Access-Control-Allow-Origin', 'domainToAllow.com:port');` `res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');` `res.header('Access-Control-Allow-Headers', 'Content-Type');` – eAbi Feb 22 '16 at 11:19

1 Answers1

5

You need to send the Access-Control-Allow-Methods header containing the allowed methods. Currently your header is named methods.

ThiefMaster
  • 310,957
  • 84
  • 592
  • 636