I'm trying to send a cross-origin DELETE
request from Chrome using jQuery.
However, that fail with the following error message being logged in the developer console:
XMLHttpRequest cannot load
http://actual/url/here
. Method DELETE is not allowed by Access-Control-Allow-Methods.
The javascript code is running on localhost and looks like this:
$.ajax({
type: "DELETE",
url: "http://actual/url/here",
xhrFields: {
withCredentials: true
}
});
This results in a pre-flight request like this being sent:
OPTIONS http://actual/url/here HTTP/1.1
Host: actual
Connection: keep-alive
Access-Control-Request-Method: DELETE
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Access-Control-Request-Headers: accept
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
And the response looks like this:
HTTP/1.1 200 OK
Cache-Control: must-revalidate, private
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Access-Control-Allow-Methods: DELETE GET HEAD POST PUT OPTIONS TRACE
Access-Control-Allow-Headers: accept
Access-Control-Max-Age: 900
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Date: Wed, 11 Mar 2015 15:03:46 GMT
As far as I can tell this is just fine. The client checks whether DELETE
is allowed by sending Access-Control-Request-Method: DELETE
and the server says that it is allowed by responding with Access-Control-Allow-Methods: DELETE GET HEAD POST PUT OPTIONS TRACE
.
However, no DELETE
request is ever sent and the error message (above) is reported instead. Why?