DELETE is not allowed by Access-Control-Allow-Methods

Question

I'm trying to send a cross-origin DELETE request from Chrome using jQuery.

However, that fail with the following error message being logged in the developer console:

XMLHttpRequest cannot load http://actual/url/here. Method DELETE is not allowed by Access-Control-Allow-Methods.

The javascript code is running on localhost and looks like this:

$.ajax({
    type: "DELETE",
    url: "http://actual/url/here",
    xhrFields: {
        withCredentials: true
    }
});

This results in a pre-flight request like this being sent:

OPTIONS http://actual/url/here HTTP/1.1
Host: actual
Connection: keep-alive
Access-Control-Request-Method: DELETE
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Access-Control-Request-Headers: accept
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

And the response looks like this:

HTTP/1.1 200 OK
Cache-Control: must-revalidate, private
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Access-Control-Allow-Methods: DELETE GET HEAD POST PUT OPTIONS TRACE
Access-Control-Allow-Headers: accept
Access-Control-Max-Age: 900
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Date: Wed, 11 Mar 2015 15:03:46 GMT

As far as I can tell this is just fine. The client checks whether DELETE is allowed by sending Access-Control-Request-Method: DELETE and the server says that it is allowed by responding with Access-Control-Allow-Methods: DELETE GET HEAD POST PUT OPTIONS TRACE.

However, no DELETE request is ever sent and the error message (above) is reported instead. Why?

Answer 1

The value of Access-Control-Allow-Methods needs to be a comma separated list, not a space separated one.

From MDN:

Access-Control-Allow-Methods: <method>[, <method>]*