"Method PUT is not allowed by Access-Control-Allow-Methods" #424

Closed
opened 2026-02-04 20:27:36 +03:00 by OVERLORD · 8 comments

Originally created by @mikkelnl on GitHub (Sep 21, 2019).

Getting the following error when trying to save an edit in the Bitwarden Safari extension 1.42.0, after updating Safari to 13.0, running bitwarden_rs 1.10.0-4c07f05b:

"Method PUT is not allowed by Access-Control-Allow-Methods"


@rotx commented on GitHub (Sep 23, 2019):

This happens when you edit and save an item in the extension.

For me, the following quick change seems to fix it (this is inspired by the original code using "AllowAnyMethod()"):

diff --git a/src/util.rs b/src/util.rs
index a3548fc..f14c2c6 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -65,7 +65,7 @@ impl Fairing for CORS {
         if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) {
             // Requests with credentials need explicit values since they do not allow wildcards.
             response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin));
-            response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_methods));
+            response.set_header(Header::new("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE"));
             response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers));
             response.set_header(Header::new("Access-Control-Allow-Credentials", "true"));
         }
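Review bot: The literal "GET, POST, PUT, DELETE" on the added line becomes a second source of truth for the verbs the API serves; define it as a named constant next to the routes so a new verb cannot silently fail preflight. Because the enclosing condition also matches every JSON response, the list is sent on non-preflight responses too, where Access-Control-Allow-Methods has no effect, so consider splitting the Method::Options case from the ContentType::JSON case. While touching this block, confirm that req_allow_origin is validated before it is sent next to Access-Control-Allow-Credentials: true.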

@vplme commented on GitHub (Sep 23, 2019):

Sorry for this issue. I didn't test it with editing the items.

Does https://github.com/dani-garcia/bitwarden_rs/pull/631 fix the issue?
It seems to work for me.


@Ayitaka commented on GitHub (Sep 24, 2019):

Same empty strings with latest build:

{"Response headers (985 B)":{"headers":[{"name":"access-control-allow-credentials","value":"true"},{"name":"access-control-allow-headers","value":""},{"name":"access-control-allow-methods","value":""},{"name":"access-control-allow-origin","value":""},{"name":"cache-control","value":"no-cache, no-store, max-age=0"}...

Edit: Do you need to set the "Access-Control-Allow-Methods" in req_headers to be "GET, POST, PUT, DELETE" somewhere?


@vplme commented on GitHub (Sep 24, 2019):

I'm adding the headers in the preflight request. When I use `mitmweb` it does give me the correct OPTIONS and PUT request+response and both of them work. Extension also seems to work.

How did you get your response snippet? From Safari with the extension? What was the request?

image

@Ayitaka commented on GitHub (Sep 24, 2019):

Never mind. Upon further reading, the extension is different from web in terms of CORS I guess, sorry.

I left my web responses in the original edit of this comment, but those are from the web interface, not extension.


@seanfarley commented on GitHub (Oct 1, 2019):

Just wanted to report that #631 doesn't work for editing or deleting an item in the browser extension.


@vplme commented on GitHub (Oct 1, 2019):

I got an error trying to delete an item but editing does seem to work for me. What error did you get?

Error while trying to delete:
image

Returning the exact `Origin` as `Access-Control-Allow-Origin` seems ok and matches the official api except when the `Origin` is `file://` it seems incorrect and it should return `*`. The .NET Core CORS Middleware seems to do this logic.

Also, it's currently adding all the CORS headers to all requests while it should only be the preflight (OPTIONS) request.

Could you check if https://github.com/dani-garcia/bitwarden_rs/pull/639 fixes things for you?
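
The origin and preflight rules discussed in the comment above, as an added Rust sketch that is not part of the thread or of bitwarden_rs; `Req`, `cors_headers` and `header` are hypothetical names and the extension origin is constructed. It keeps `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` on the preflight only, while the actual response still carries `Access-Control-Allow-Origin`, which browsers check on every cross-origin response.

```rust
// Added example, not bitwarden_rs code. Verb list taken from the patch in this thread.
const ALLOWED_METHODS: [&str; 4] = ["GET", "POST", "PUT", "DELETE"];

/// Hypothetical minimal request view: method plus the CORS-relevant request headers.
pub struct Req<'a> {
    pub method: &'a str,
    pub origin: Option<&'a str>,
    pub acr_method: Option<&'a str>,  // Access-Control-Request-Method
    pub acr_headers: Option<&'a str>, // Access-Control-Request-Headers
}

/// CORS response headers; empty if not cross-origin or a preflight for an unserved verb.
pub fn cors_headers(req: &Req) -> Vec<(&'static str, String)> {
    let mut out = Vec::new();
    let Some(origin) = req.origin else { return out };
    // A preflight is an OPTIONS request that names the verb it wants to use.
    let preflight_verb = if req.method == "OPTIONS" { req.acr_method } else { None };
    if matches!(preflight_verb, Some(v) if !ALLOWED_METHODS.contains(&v)) {
        return out; // no CORS headers: the browser will not send the real request
    }
    // Origin rule from the comment above: echo the exact Origin, except file:// gets "*".
    let wildcard = origin.starts_with("file://");
    let allow_origin = if wildcard { "*".to_string() } else { origin.to_string() };
    out.push(("Access-Control-Allow-Origin", allow_origin));
    // Browsers reject "*" on credentialed requests, so the flag goes only with an exact origin.
    if !wildcard {
        out.push(("Access-Control-Allow-Credentials", "true".to_string()));
    }
    // Allow-Methods / Allow-Headers are only consulted on the preflight response.
    if preflight_verb.is_some() {
        out.push(("Access-Control-Allow-Methods", ALLOWED_METHODS.join(", ")));
        if let Some(h) = req.acr_headers {
            out.push(("Access-Control-Allow-Headers", h.to_string()));
        }
    }
    out
}

pub fn header<'a>(hs: &'a [(&'static str, String)], name: &str) -> Option<&'a str> {
    hs.iter().find(|(n, _)| *n == name).map(|(_, v)| v.as_str())
}

fn main() {
    // Constructed sample: the preflight a browser sends before a cross-origin PUT.
    let pre = Req { method: "OPTIONS", origin: Some("safari-extension://constructed-id"),
                    acr_method: Some("PUT"), acr_headers: Some("authorization, content-type") };
    for (name, value) in cors_headers(&pre) { println!("{name}: {value}"); }
}
```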


@seanfarley commented on GitHub (Oct 1, 2019):

Ah, cool! Let me check it out and test it.


Reference: starred/vaultwarden#424