Cross Origin configuration not working #2570

Open
abstractalchemist opened this issue Feb 19, 2020 · 9 comments

@abstractalchemist

Description

I'm attempting to use CouchDB directly from a browser-based application. I have configured CORS as directed in the documentation, and via the Fauxton Administrative interface, verified it is enabled. However, when I run an XMLHttpRequest in Chrome, it fails with a denial saying that "Http did not return with status code 200".

When running an "OPTIONS" request with curl, it also fails with
{"error":"method_not_allowed","reason":"Only DELETE,GET,HEAD,POST allowed"}

Steps to Reproduce

Expected Behaviour

After configuring CORS, OPTIONS requests respond correctly with appropriate headers.

Your Environment

  • CouchDB version used: 2.3
  • Browser name and version: Chrome 80.0.3987.116
  • Operating system and version: Fedora 31

Additional Context

@wohali
Member

wohali commented Mar 13, 2020

Looks like a reprise of https://issues.apache.org/jira/browse/COUCHDB-2027 .

@wohali
Member

wohali commented Mar 13, 2020

Is this a useful workaround for you?

My problem was solved by:

  1. adding headers= accept, authorization, content-type, origin into [cors] section of local.ini // the docs were not clear to me about this
  2. Adding an Authorization header in my AJAX request:

$.ajax({
  type: "GET",
  contentType: "application/json",
  dataType: "json",
  url: myUrl,
  beforeSend: setHeader, // attaches the Authorization header before the request is sent
  error: function (error) {
    console.log(error);
  },
  success: function (remoteAppInfo) { ... }
});

// Adds HTTP Basic credentials (base64 of "user:password") to the request
function setHeader(xhr) {
  console.log("setHeader");
  xhr.setRequestHeader('Authorization', "Basic " + btoa("estanteuser:Dnbatfydnkwadm6f"));
}

@wohali
Member

wohali commented Mar 13, 2020

@ronnieroyston

CORS Issue here too. Chrome Browser Version 113.0.5672.93 (Official Build) (64-bit)

Is it possible to configure CouchDB to respond to an HTTP OPTIONS request with a status 200 / response.ok true?

JavaScript Fetch API. CouchDB server fails "blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status."

I have tried using 127.0.0.1, localhost, a domain name, with and without https. Configuration below.

[chttpd]
enable_cors = true
[cors]
origins = *
credentials = true
methods = GET, POST, PUT, DELETE, OPTIONS, HEAD, TRACE, PATCH
headers = accept, authorization, content-type, origin, referer, cache-control, x-requested-with, X-Couch-Id, X-Couch-Rev

JavaScript fetch options:

{
  "headers": {
    "Content-Type": "application/json",
    "method": "GET",
    "credentials": "include",
    "mode": "cors"
  }
}

@big-r81
Contributor

big-r81 commented May 15, 2023

@ronnieroyston

No. I'm simply trying to do basic authentication to CouchDB.

After more testing, the CORS issue surfaces only when I add the 'credentials': 'include' header. ...?

@janl
Member

janl commented May 16, 2023

CORS does not allow * origins and credentials use at the same time

@benel

benel commented May 16, 2023

@ronnieroyston

I can't make a call to CouchDB with basic authentication whatsoever. I just tried adding the if-match to cors headers. Once you add credentials:include CORS fails. I'm going to try and sniff the HTTP from Fauxton to see what their requests look like.

Seems like a simple working example of a client-side HTTP fetch could be included in the documentation.

Maybe CouchDB is not supposed to respond directly to web browsers? 3 days on this and at some point I suppose I'll have to move on to another DB altogether.

{
  "headers": {
    "Authorization": "Basic W29iamVjdCBIVE1MSW5wdXRFbGVtZW50XTpbb2JqZWN0IEhUTUxJbnB1dEVsZW1lbnRd",
    "credentials": "include"
  }
}
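
Added example, not part of the issue thread or of CouchDB's code: a simplified JavaScript model of the browser-side preflight checks in the Fetch standard, illustrating the point made in the thread that a `*` origin cannot be combined with credentials, and that every key placed under `headers` in a fetch options object is sent as a request header name. The origin, the response headers and the `Basic <placeholder>` value are constructed for illustration.

```javascript
// Added example: a simplified model of the browser's preflight checks (Fetch standard).
// It covers origin, credentials and header names only; method checks are omitted.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// Header names the browser would put in Access-Control-Request-Headers.
function preflightHeaders(init) {
  return Object.entries(init.headers || {})
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (!SAFELISTED.has(n)) return true;
      const type = String(value).split(";")[0].trim().toLowerCase();
      return n === "content-type" && !SAFE_TYPES.includes(type);
    })
    .map(([name]) => name.toLowerCase())
    .sort();
}

// Returns the reasons a browser would reject the preflight response (empty = pass).
function checkPreflight(origin, init, res) {
  const creds = init.credentials === "include"; // top-level option, not a header
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;
  const problems = [];
  if (res.status < 200 || res.status > 299) problems.push("status is not 2xx");
  const acao = h["access-control-allow-origin"];
  if (creds) {
    if (acao !== origin) problems.push("Allow-Origin must equal the origin exactly");
    if (h["access-control-allow-credentials"] !== "true") problems.push("Allow-Credentials is not true");
  } else if (acao !== "*" && acao !== origin) {
    problems.push("origin not allowed");
  }
  const allowed = (h["access-control-allow-headers"] || "").split(",").map((s) => s.trim().toLowerCase());
  for (const name of preflightHeaders(init)) {
    // "*" never covers Authorization, and is literal on credentialed requests.
    const wildcard = allowed.includes("*") && !creds && name !== "authorization";
    if (!allowed.includes(name) && !wildcard) problems.push("header not allowed: " + name);
  }
  return problems;
}

// Constructed inputs (not captured from a CouchDB server).
const ORIGIN = "http://localhost:8080";
const ALLOW = "accept, authorization, content-type, origin";
const asPosted = { headers: { "Content-Type": "application/json", method: "GET", credentials: "include", mode: "cors" } };
const topLevel = { method: "GET", mode: "cors", credentials: "include",
  headers: { Authorization: "Basic <placeholder>", "Content-Type": "application/json" } };
const reply = (allowOrigin) => ({ status: 200, headers: { "Access-Control-Allow-Origin": allowOrigin,
  "Access-Control-Allow-Credentials": "true", "Access-Control-Allow-Headers": ALLOW } });
console.log(preflightHeaders(asPosted), checkPreflight(ORIGIN, topLevel, reply("*")));
```

Real browsers also apply value-length and byte restrictions to safelisted headers, which this model leaves out.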
