I just learned about the Access-Control-Allow-Methods
header, e.g.
Access-Control-Allow-Methods: OPTIONS, HEAD, GET
I have never used this header (just Access-Control-Allow-Origin
), but I have gotten CORS to work in the past.
Is the default to allow all methods, or have I gotten lucky with undefined behavior?
Just to clarify,
Access-Control-Request-Method
is a request header that is set by the browser on CORS preflight requests, and it can only have one value. TheAccess-Control-Allow-Methods
header is a CORS response header, and it can have multiple values. I assume you are asking aboutAccess-Control-Allow-Methods
because this is the value the server specifies.The
Access-Control-Allow-Methods
header indicates which HTTP methods are allowed on a particular endpoint for cross-origin requests. If you allow all HTTP methods, then its ok to set the value to something likeAccess-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD
. However, if you want to limit the endpoint to only a few methods, you should only include those methods.As to why you haven't been seeing this before, this header is only used on CORS preflight requests. It could be that your application didn't use CORS preflight, and then something changed to trigger a preflight. Does you application use any HTTP methods other than GET/POST, or any custom HTTP headers?
You can learn more about CORS preflight requests here: http://www.html5rocks.com/en/tutorials/cors/
The default of
Access-Control-Allow-Methods
is to allow through all simple methods, even on preflight requests. As the flow on https://www.w3.org/TR/cors/#preflight-request says (step 7 of successful preflight request):And the definition of simple method is:
So if you have a preflighted POST request (due to a custom HTTP header, say), and do not send a
Access-Control-Allow-Methods
response header, the request will still go ahead okay.