I am making the following HTTP request from my frontend. All of my GET requests made in the same way work, but the following UPDATE fails:

Access to fetch at '127.0.0.1/backend/path' from origin 'http://localhost:3000' has been blocked by CORS policy: Method UPDATE is not allowed by Access-Control-Allow-Methods in preflight response.

Frontend Request

```javascript
return fetch(
  `127.0.0.1/backend/path`,
  {
    method: "UPDATE",
    body: JSON.stringify(newClass),
    headers: {
      "Access-Control-Allow-Origin": "*",
      "Access-Control-Allow-Methods":
        "GET, POST, PUT, DELETE, OPTIONS, UPDATE",
      "Access-Control-Allow-Headers": "Origin, Content-Type, X-Auth-Token",
      "Content-Type": "application/json",
      Authorization: "Bearer " + getState().authToken
    }
  }
)
```

Backend Flask endpoint

```python
@app.route('/backend/path', methods=['UPDATE'])
@authenticate
def update_data():
    return {"data": "has been updated"}
```

This answer suggests adding an Access-Control-Allow-Methods header, but this is already present on my request! I also don't just want to turn off CORS for my browser, as I need it implemented correctly.

David Ferris
  • The backend has to send CORS headers lol. I’ve also never heard of an UPDATE HTTP method. – Mike Doe Jan 06 '20 at 20:53
  • `Access-Control-Allow-Methods` must be in the `OPTIONS` **response** header. Adding it to the request header doesn't affect the backend's permissions. – Code-Apprentice Jan 06 '20 at 20:53
  • Those headers are **response** headers, not request headers. See the many, many, questions about CORS. – Heretic Monkey Jan 06 '20 at 20:53
  • Does this answer your question? [Always got Method DELETE is not allowed by Access-Control-Allow-Methods in preflight response](https://stackoverflow.com/questions/36374247/always-got-method-delete-is-not-allowed-by-access-control-allow-methods-in-prefl) Read the answer again, closely. The answer is discussing adding the header to the server-side code. – Heretic Monkey Jan 06 '20 at 20:55

1 Answer

Access-Control-Allow-Methods must be in the OPTIONS response header. Remember that the backend controls how it is accessed. You cannot add allowed methods simply by requesting them.

Also, UPDATE isn't a standard HTTP verb. Do you mean PUT or PATCH?

Code-Apprentice
  • Thank you for cleaning up my CORS confusion. `flask-cors` already adds these headers to the responses, so I just needed to delete them from my requests. And I definitely meant `PUT`, not sure where `UPDATE` came from. In fact, just switching UPDATE->PUT fixed the error entirely. Thanks again! – David Ferris Jan 06 '20 at 21:01
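
As an added example (not part of the original question or answer, and not `flask-cors`'s own code): a stdlib-only WSGI middleware that puts `Access-Control-Allow-Methods` on the `OPTIONS` response, as the answer describes, plus a simplified model of the browser's preflight check showing why `PUT` passes and `UPDATE` is blocked. The allowlists and the names `CorsMiddleware`, `backend`, `preflight` and `browser_would_send` are assumptions made for illustration.

```python
# Added example: stdlib-only WSGI middleware (a Flask app is a WSGI app).
# The allowlists below are assumed values for the setup in the question.
ALLOWED_ORIGINS = {"http://localhost:3000"}
ALLOWED_METHODS = ("GET", "PUT", "OPTIONS")
ALLOWED_HEADERS = ("Authorization", "Content-Type")

class CorsMiddleware:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN", "")
        # Echo the origin only when allowlisted; never reflect arbitrary origins.
        base = ([("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]
                if origin in ALLOWED_ORIGINS else [])
        is_preflight = (environ["REQUEST_METHOD"] == "OPTIONS"
                        and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ)
        if is_preflight:
            # Answered before the wrapped app (and any auth check) runs:
            # the browser's preflight carries no Authorization header.
            headers = list(base)
            if base:
                headers += [
                    ("Access-Control-Allow-Methods", ", ".join(ALLOWED_METHODS)),
                    ("Access-Control-Allow-Headers", ", ".join(ALLOWED_HEADERS)),
                ]
            start_response("204 No Content", headers)
            return [b""]
        def with_cors(status, headers, exc_info=None):
            return start_response(status, list(headers) + base, exc_info)
        return self.app(environ, with_cors)

def backend(environ, start_response):  # stand-in for the Flask endpoint
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"data": "has been updated"}']

def preflight(app, origin, method):
    """Send a constructed preflight; return the response headers as a dict."""
    seen = {}
    environ = {"REQUEST_METHOD": "OPTIONS", "PATH_INFO": "/backend/path",
               "HTTP_ORIGIN": origin, "HTTP_ACCESS_CONTROL_REQUEST_METHOD": method}
    b"".join(app(environ, lambda status, headers, exc=None: seen.update(headers)))
    return seen

def browser_would_send(app, origin, method):
    """Simplified model of the browser's check on the preflight response."""
    resp = preflight(app, origin, method)
    listed = [m.strip() for m in resp.get("Access-Control-Allow-Methods", "").split(",")]
    return resp.get("Access-Control-Allow-Origin") == origin and method in listed
```

With `app = CorsMiddleware(backend)`, `browser_would_send(app, "http://localhost:3000", "PUT")` is true, while the same call with `"UPDATE"` or with an origin outside the allowlist is false.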