Consul: CORS requests fail with a 405 method not allow for OPTIONS

Created on 15 Apr 2015 · 15Comments · Source: hashicorp/consul

Hi,

I tried to setup CORS headers:

{
  "http_api_response_headers": {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS, DELETE, PUT"
  }
}

I verified that those headers are return during a XHR request. However, when I tried to do PUT, browser send an OPTIONS request first (http://stackoverflow.com/questions/8153832/xmlhttprequest-changes-post-to-option) and consul return a 405 method not allow.

My request looks like this:

curl 'http://192.168.111.30:8500/v1/kv/lb/extra_hosts/opi' -X OPTIONS -H 'Host: 192.168.111.30:8500' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:39.0) Gecko/20100101 Firefox/39.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'DNT: 1' -H 'Origin: http://local.dev:8101' -H 'Access-Control-Request-Method: PUT' -H 'Connection: keep-alive'

and response

screen shot 2015-04-15 at 9 43 06 am

So I think the issue comes from consul itself when denied OPTIONS method?

themapi typenhancement

Source

v9n

👍6

Most helpful comment

I am also attempting to develop browser application to interact with the Consul HTTP API, and am blocked by this issue. It also effects DELETE requests. Here's what it looks like on the raw HTTP header level:

$ curl -v -X OPTIONS http://localhost:8500/v1/kv/
*   Trying ::1...
* Connected to localhost (::1) port 8500 (#0)
> OPTIONS /v1/kv/ HTTP/1.1
> Host: localhost:8500
> User-Agent: curl/7.48.0
> Accept: */*
> 
< HTTP/1.1 405 Method Not Allowed
< Access-Control-Allow-Origin: *
< Date: Sat, 16 Apr 2016 07:18:42 GMT
< Content-Length: 0
< Content-Type: text/plain; charset=utf-8
< 
* Connection #0 to host localhost left intact

langston-barrett on 16 Apr 2016

👍4

All 15 comments

I think to properly run cross domain with non POST/GET methods, we do need to respond to the OPTIONS preflight request. POST and GET don't send a preflight, and to my knowledge there's no way to skip preflight with headers.

So, we'll need to respond to OPTIONS, basically.

pearkes on 15 Apr 2015

It could be great if the CORS headers could be inferred and settled automatically to avoid issues in browsers. Following the W3C spec this could be done easily based on the existent HTTP request headers.

Probably adding a new Consul config field to enable it would be fine, or alternatively as sort of plugin/addon. The config field could be:

enableFullCORS: true

h2non on 3 May 2015

I'm running into this too. Is there any reason we wouldn't want "enableFullCORS: true" to be default ?

teaforthecat on 23 Jun 2015

IMO Consul should implement CORS support by default inferring it based on the request HTTP, unless it's explicitly defined that you don't want enable it.

h2non on 23 Jun 2015

This is becoming quite a problem when developing against Consul Agent running locally. The browser app I'm working on cannot make PUTs due to blocked OPTIONS.

DarrenN on 8 Jul 2015

same here, it should be able to handle OPTIONS request.

marconi on 8 Mar 2016

UPDATE: I opened a PR https://github.com/hashicorp/consul/pull/1807, note this is only for kv.

marconi on 8 Mar 2016

👍3

$ curl -v -X OPTIONS http://localhost:8500/v1/kv/
*   Trying ::1...
* Connected to localhost (::1) port 8500 (#0)
> OPTIONS /v1/kv/ HTTP/1.1
> Host: localhost:8500
> User-Agent: curl/7.48.0
> Accept: */*
> 
< HTTP/1.1 405 Method Not Allowed
< Access-Control-Allow-Origin: *
< Date: Sat, 16 Apr 2016 07:18:42 GMT
< Content-Length: 0
< Content-Type: text/plain; charset=utf-8
< 
* Connection #0 to host localhost left intact

langston-barrett on 16 Apr 2016

👍4

Hi,
Same issue with 'v1/event/fire' api endpoint