CORS requests with preflight on CouchDB

Question

We are trying to send HTTP cross domain requests to CouchDB.

To achieve this, we set up CouchDB with the following settings (inspired from the add-cors-to-couchdb tool ):

[HTTPD]
enable_cors = true

[CORS]
origins = *
credentials = true
methods = GET, PUT, POST, HEAD, DELETE
headers = accept, authorization, content-type, origin, referer, x-csrf-token

And wrote code similar to this (but not hardcoded of course):

<html>
  <body>
    <script>
      fetch("http://acme.org:5984/mydb/323958d9b42be0aaf811a3c96b4e5d9c", {
        method: 'DELETE',
        headers: {'If-Match': "1-0c2099c9793c2f4bf3c9fd6751e34f95"}
      }).then(x => {
        if (x.ok) return x.json().then(console.log);
        console.error(x.statusText);
      });
    </script>
   </body>
 </html>

While it works fine with GET and POST , we get 405 Method not allowed on DELETE . The browser tells that the preflight response (to the OPTIONS request) was not successful, while the server indicates {"error":"method_not_allowed","reason":"Only DELETE,GET,HEAD,POST,PUT,COPY allowed"} .

We tried both with CouchDB 2.1.1 and 1.6.1. We also tried to replace origins: * with origins: http://localhost:8080 (where 8080 is the port serving the HTML above). We tried also to set credentials to false .

Answer 1

From a comment by @Ingo Radatz to a related question, I finally got that EVERY header used in the request must be included in CouchDB CORS settings.

In my personal case, I had to include if-match in the accepted headers:

[HTTPD]
enable_cors = true

[CORS]
origins = *
methods = GET, PUT, POST, HEAD, DELETE
headers = accept, authorization, content-type, origin, referer, if-match