I've written a RESTful API using ExpressJS for NodeJS. I am using BackboneJS to call on this API.
Here is a sample header that my API returns via OPTIONS:
Access-Control-Allow-Headers:Content-Type
Access-Control-Allow-Origin:http://localhost
Allow:GET,PUT,DELETE
Connection:keep-alive
Content-Length:14
Content-Type:text/html; charset=utf-8
Date:Sun, 19 Aug 2012 13:52:35 GMT
X-Powered-By:Express
I've modified the header to include the two Access-Control-Allow fields that appear first. The rest is automatically generated by express, including the Allow field. I am able to GET with no issue. However, when I try to PUT or DELETE with BackboneJS, I encounter:
Method PUT is not allowed by Access-Control-Allow-Methods.
Method DELETE is not allowed by Access-Control-Allow-Methods.
Naturally, I can modify my response headers to include both of these methods to get around this.
But I wish to understand what the difference is between those and the basic 'Allow' that ExpressJS automagically adds based on what I've bound to the route. What is the difference?
The Allow
header indicates what methods you accept at all.
It is not used by the browser; it's just for reference.
Access-Control-Allow-Methods
is for cross-domain AJAX requests; the browser will check that header before allowing you to send an AJAX request from a different domain.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With