Home/ Questions/Q 8514097
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T04:46:05+00:00

I have developed a CORS REST server and some pages with some JS code

  • 0

I have developed a CORS REST server and some pages with some JS code that invoke its urls.

I decided to refactor the JS pages, and my DELETE ajax request to server now doesn’t work anymore. Part of the refactor involves the URL that pass from http://localhost/dev to http://dev.local. I added the new url in the allowed origin for requests, in fact my GET routes still work without problems.

DELETE instead is not allowed now (403 on the preflight) and i don’t understand where my mistake is.

Here the OPTIONS and DELETE dumps from dev perspective:

Request URL:http://localhost:9292/users/101
Request Method:OPTIONS
Status Code:200 OK
Request Headers
Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:origin, accept
Access-Control-Request-Method:DELETE
Cache-Control:no-cache
Connection:keep-alive
Host:localhost:9292
Origin:http://dev.local
Pragma:no-cache
Referer:http://dev.local/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
Response Headers
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:origin, accept
Access-Control-Allow-Methods:PUT, OPTIONS, DELETE, GET, POST
Access-Control-Allow-Origin:http://dev.local
Access-Control-Expose-Headers:Content-Type
Access-Control-Max-Age:1728000
Connection:close
Content-Type:text/plain
Server:thin 1.3.1 codename Triple Espresso

responds with a payload that contains “Forbidden”. Here the DELETE req:

Request URL:http://localhost:9292/users/101
Request Method:DELETE
Status Code:403 Forbidden
Request Headers
DELETE /users/101 HTTP/1.1
Host: localhost:9292
Connection: keep-alive
Cache-Control: no-cache
Origin: http://dev.local
Pragma: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://dev.local/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fbsr_348362375211512=r2WOBYNXrmyP6lKJ7JVAnlU9gfLjela8jRSarGHvQ-M.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiJBUURSRDhOckJ2YnI0MlFLTk5vblhiOGNVcjVXTFpHTDNMcVBjYl9PXzFqd3hKS0tlWFZ1cFVVMi03OXNxOU1BcjFGV2RxTzVtV0RSTllXbkxKcndUQmtZOFpMS3VmeWt0b05xU3ctVzdqNk4zVHBFQVZOM3ZlRzFKeW5lRWpiRkxSdXlPNHpGMDNVd255RFZqZ0xOdHQwMTJCUWVvb0NSR1ZSTVUtQkVhS1ZtaGtKZGdKck5RSDUwWHhQVW5wT1MyY0EiLCJpc3N1ZWRfYXQiOjEzNDY0MjUyMzgsInVzZXJfaWQiOiIxMDI5MDk2MTIzIn0; oauth2-token=; rack.session=BAh7CUkiD3Nlc3Npb25faWQGOgZFRiJFNTc3ZTMxZGZjNWUxYWNhZDU3NWUw%0ANjJkMDBkMDRiNmMxOWI0ODE5Yjk5YjMwMWI3YTMyOTM1ZjVmZWMyMGY1ZEki%0ADXRyYWNraW5nBjsARnsISSIUSFRUUF9VU0VSX0FHRU5UBjsARiItZGY1ZDgz%0AMzMyYTg4ZjBkNGY1ZGU0MGNjNzljMDhkNTUzZDJkMjkxNUkiGUhUVFBfQUND%0ARVBUX0VOQ09ESU5HBjsARiItZWQyYjNjYTkwYTRlNzIzNDAyMzY3YTFkMTdj%0AOGIyODM5Mjg0MjM5OEkiGUhUVFBfQUNDRVBUX0xBTkdVQUdFBjsARiItY2M5%0AZjZmZWM2NTJhNDI1OGJjNmQyOTI4NzA1MjE3OWFiMWUwZDE0N0kiB2lkBjsA%0ARmlqSSIObG9nZ2VkX2luBjsARlQ%3D%0A--c1a452275c10bd0ebe0e21fe7925d1fe7349c46f
Response Headers
HTTP/1.1 403 Forbidden
X-Frame-Options: sameorigin
Content-Type: text/plain
Set-Cookie: rack.session=BAh7CkkiD3Nlc3Npb25faWQGOgZFRiJFNTc3ZTMxZGZjNWUxYWNhZDU3NWUw%0ANjJkMDBkMDRiNmMxOWI0ODE5Yjk5YjMwMWI3YTMyOTM1ZjVmZWMyMGY1ZEki%0ADXRyYWNraW5nBjsARnsISSIUSFRUUF9VU0VSX0FHRU5UBjsARiItZGY1ZDgz%0AMzMyYTg4ZjBkNGY1ZGU0MGNjNzljMDhkNTUzZDJkMjkxNUkiGUhUVFBfQUND%0ARVBUX0VOQ09ESU5HBjsARiItZWQyYjNjYTkwYTRlNzIzNDAyMzY3YTFkMTdj%0AOGIyODM5Mjg0MjM5OEkiGUhUVFBfQUNDRVBUX0xBTkdVQUdFBjsARiItY2M5%0AZjZmZWM2NTJhNDI1OGJjNmQyOTI4NzA1MjE3OWFiMWUwZDE0N0kiB2lkBjsA%0ARmlqSSIObG9nZ2VkX2luBjsARlRJIgljc3JmBjsARiJFNWRjMjdjZThkNTM0%0ANWFhMTU3OGQ2ZDk3NGJjYjZjZGMzMzEwOTFiNTg5OTk1YTMyYTYxOTMzMTgy%0AMTU0N2E2ZA%3D%3D%0A--578809491df1629d183c98a530ccbcf925000b6e; path=/; HttpOnly
Access-Control-Allow-Origin: http://dev.local
Access-Control-Allow-Methods: PUT, OPTIONS, DELETE, GET, POST
Access-Control-Expose-Headers: Content-Type
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true
Vary: Origin
Connection: close
Server: thin 1.3.1 codename Triple Espresso

Any idea or suggestion to determine the problem?

Thanks, Dario.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    After a search and the advices by monsur (he helps me to realize that client side all is correct), I raised the rack log level to debug level and I’ve found an “attack
    prevented by Rack::Protection::RemoteToken”     notifing that the problem is a misconfiguration of rack-protectionused by Sinatra.

    By default, since the referrer is different, my app stumble in CSRF protection; disabling:

    set :protection, :except => [:remote_token, :frame_options]

    It works.

    • 0