
Difference between 'Allow' and 'Access-Control-Allow-Methods' in HTTP response header?

I've written a RESTful API using ExpressJS for NodeJS. I am using BackboneJS to call on this API.

Here is a sample header that my API returns via OPTIONS:

Access-Control-Allow-Headers:Content-Type
Access-Control-Allow-Origin:http://localhost
Allow:GET,PUT,DELETE
Connection:keep-alive
Content-Length:14
Content-Type:text/html; charset=utf-8
Date:Sun, 19 Aug 2012 13:52:35 GMT
X-Powered-By:Express

I've modified the header to include the two Access-Control-Allow fields that appear first. The rest is automatically generated by Express, including the Allow field. I am able to GET with no issue. However, when I try to PUT or DELETE with BackboneJS, I encounter:

Method PUT is not allowed by Access-Control-Allow-Methods.
Method DELETE is not allowed by Access-Control-Allow-Methods.

Naturally, I can modify my response headers to include both of these methods to get around this.

But I wish to understand what the difference is between those and the basic 'Allow' that ExpressJS automagically adds based on what I've bound to the route. What is the difference?

Michal asked Aug 19 '12 14:08


1 Answer

The Allow header indicates what methods you accept at all.
It is not used by the browser; it's just for reference.

Access-Control-Allow-Methods is for cross-domain AJAX requests; the browser will check that header before allowing you to send an AJAX request from a different domain.

SLaks answered Oct 08 '22 04:10
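
The distinction in the answer above, as an added example that is not part of the original thread: a simplified JavaScript model of the browser's preflight method check, run against the response headers from the question. `preflightPermits` and `withCorsMethods` are hypothetical names, and the credentialed-request rules and the request-header check are left out.

```javascript
// Added example (not from the thread): simplified model of the browser-side
// CORS preflight check. Function names are hypothetical.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);

// Split a comma-separated header value into upper-cased tokens.
function parseList(value) {
  return (value || '').split(',').map((t) => t.trim().toUpperCase()).filter(Boolean);
}

// Lower-case header names so lookups are case-insensitive.
function normalize(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Decide whether the browser lets a cross-origin request proceed, given the
// headers the server returned for the OPTIONS preflight.
function preflightPermits(origin, method, preflightHeaders) {
  const h = normalize(preflightHeaders);
  const allowedOrigin = h['access-control-allow-origin'];
  if (allowedOrigin !== '*' && allowedOrigin !== origin) {
    return { ok: false, reason: 'Origin is not allowed by Access-Control-Allow-Origin.' };
  }
  const m = method.toUpperCase();
  if (SAFELISTED_METHODS.has(m)) return { ok: true, reason: 'safelisted method' };
  // Only Access-Control-Allow-Methods is consulted; h['allow'] is never read.
  const methods = parseList(h['access-control-allow-methods']);
  if (methods.includes(m) || methods.includes('*')) return { ok: true, reason: 'listed method' };
  return { ok: false, reason: `Method ${m} is not allowed by Access-Control-Allow-Methods.` };
}

// Server side: advertise to CORS clients exactly the methods the route already
// reports in Allow, and nothing broader.
function withCorsMethods(headers) {
  const methods = parseList(normalize(headers)['allow']).join(',');
  return { ...headers, 'Access-Control-Allow-Methods': methods };
}

// CORS-relevant headers copied from the OPTIONS response in the question.
const asPosted = {
  'Access-Control-Allow-Headers': 'Content-Type',
  'Access-Control-Allow-Origin': 'http://localhost',
  'Allow': 'GET,PUT,DELETE',
};

console.log(preflightPermits('http://localhost', 'PUT', asPosted));
console.log(preflightPermits('http://localhost', 'PUT', withCorsMethods(asPosted)));
```

Deriving `Access-Control-Allow-Methods` from the route's own method list keeps the cross-origin surface no wider than what the route actually serves.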