nginx-upload-progress-module
CORS OPTIONS requests not supported, breaking usage with SPDY
When SPDY support is enabled in nginx, Chrome sends an OPTIONS request to e.g. /progress first, before requesting it via GET.
This results in a 405 Method Not Allowed response right now:
Request URL: https://example.com/progress
Request Method: OPTIONS
Status Code: 405 OK

Request Headers:
accept:/
accept-encoding:gzip,deflate,sdch
accept-language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
access-control-request-headers:accept, origin, x-progress-id, x-requested-with, content-type
access-control-request-method:GET
host:example.com
method:OPTIONS
origin:http://example.com
referer:http://example.com/
scheme:https
url:/progress
user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.81 Safari/537.36
version:HTTP/1.1

Response Headers:
content-length:568
content-type:text/html
date:Mon, 03 Jun 2013 09:04:03 GMT
server:nginx
status:405
version:HTTP/1.1
Instead, something like the following response should be returned by the upload progress module:
Access-Control-Allow-Origin: $request_origin
Access-Control-Allow-Methods: GET, HEAD, OPTIONS
Access-Control-Allow-Headers: $access_control_request_headers
Access-Control-Max-Age: 86400
Possibly somehow related to http://forum.nginx.org/read.php?29,236251,236251.
I can confirm that the progress does not work when SPDY is enabled. Please fix it, we would like to enable SPDY!
Well to my knowledge (didn't try it), the problem is that OPTIONS is not supported by Nginx (nor this plugin). But I believe this can be worked-around with something like that:
location /progress {
    ...
    if ($request_method = OPTIONS ) {
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods "GET, OPTIONS";
        add_header Access-Control-Allow-Headers "origin, authorization, accept";
        add_header Access-Control-Allow-Credentials "true";
        add_header Content-Length 0;
        add_header Content-Type text/plain;
        return 200;
    }
    ...
}
If that's working, please let me know.
I'll see how I can fix this issue in the plugin itself.
Can someone confirm the above work-around works?
@masterzen No, unfortunately it does not.
I tried this workaround a few months ago, and it was not working...
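An added example, not part of the thread or of the module: a simplified Python model of the check a browser applies to a preflight response, run against the OPTIONS request quoted in the issue and the headers set by the first workaround. The function and constant names are assumptions, and the model treats every name announced in Access-Control-Request-Headers as needing to be allowed.

```python
"""Simplified model of the CORS preflight check (Fetch standard)."""

def _names(value):
    # Comma-separated header value -> set of lower-cased tokens.
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def preflight_problems(origin, req, status, resp, credentialed=False):
    """List why a browser would reject this preflight (dicts use lower-case keys)."""
    problems = []
    if not 200 <= status <= 299:
        problems.append(f"status {status} is not 2xx")
    allow_origin = resp.get("access-control-allow-origin")
    if allow_origin == "*":
        if credentialed:
            problems.append("wildcard origin rejected for credentialed request")
    elif allow_origin != origin:
        problems.append(f"allow-origin {allow_origin!r} does not match {origin!r}")
    if credentialed and resp.get("access-control-allow-credentials") != "true":
        problems.append("allow-credentials is not 'true'")
    method = req.get("access-control-request-method", "").lower()
    methods = _names(resp.get("access-control-allow-methods"))
    star_ok = "*" in methods and not credentialed
    if method not in methods | {"get", "head", "post"} and not star_ok:
        problems.append(f"method {method.upper()} not allowed")
    allowed = _names(resp.get("access-control-allow-headers"))
    missing = _names(req.get("access-control-request-headers")) - allowed
    if "*" in allowed and not credentialed:
        missing &= {"authorization"}  # the wildcard never covers Authorization
    if missing:
        problems.append("headers not allowed: " + ", ".join(sorted(missing)))
    return problems

# Values taken from the issue text.
ORIGIN = "http://example.com"
PREFLIGHT = {
    "access-control-request-method": "GET",
    "access-control-request-headers":
        "accept, origin, x-progress-id, x-requested-with, content-type",
}
FIRST_WORKAROUND = {  # headers set by the first workaround's `if` block
    "access-control-allow-origin": "*",
    "access-control-allow-methods": "GET, OPTIONS",
    "access-control-allow-headers": "origin, authorization, accept",
    "access-control-allow-credentials": "true",
}

if __name__ == "__main__":
    for p in preflight_problems(ORIGIN, PREFLIGHT, 200, FIRST_WORKAROUND):
        print(p)
```

For the request in the issue, the model reports the announced headers that the first workaround does not list; the thread itself does not say why the workaround failed for the commenters.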
@masterzen fyi: this is working for us:
# upload progress
location ^~ /progress {
    if ($request_method = OPTIONS ) {
        add_header Access-Control-Allow-Origin allowed-host.example.com;
        add_header Access-Control-Allow-Methods "GET, OPTIONS";
        add_header Access-Control-Allow-Headers "origin, authorization, accept, X-Progress-ID";
        add_header Access-Control-Allow-Credentials "true";
        add_header Content-Length 0;
        add_header Content-Type text/plain;
        return 204;
    }
    add_header Access-Control-Allow-Origin allowed-host.example.com;
    add_header 'Access-Control-Allow-Credentials' 'true';
    upload_progress_json_output;
    report_uploads proxied;
}
@pulse00 TY for this snippet, this solved problems in the Nginx + Symfony 4.1.x CORS context for me.
I used this snippet inside a specific Nginx location to avoid 405 method not allowed for CORS preflight requests
if ($request_method = OPTIONS ) {
    add_header Access-Control-Allow-Origin "https://mydomain.ext";
    return 200;
}