Trouble with cors #162

Open
astenuz opened this issue Jul 18, 2013 · 4 comments

astenuz commented Jul 18, 2013

Hello again,

I'm having trouble using CORS with tonic. The headers in the response are sent, but the response from the server is a 405 Method Not Allowed. I'm not quite sure if this is an issue with tonic or with the Apache server itself.

I'm currently adding the headers directly in the response.php (source), because I don't know how to add them using something like $response->header. For example, I tried this in the dispatch: $response->accessControlAllowOrigin="*"; with no luck.

As for the problem at hand, these are the request (using jQuery) and the response.

Request:

OPTIONS /videoserver/chatapi/chat/some_token HTTP/1.1
Host: xxx.xxx.xxx.132:7777
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Origin: http://xxx.xxx.xxx.130
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Response:

HTTP/1.1 405 Method Not Allowed
Date: Thu, 18 Jul 2013 15:38:22 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.7
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Max-Age: 604800
Access-Control-Allow-Headers: x-requested-with, content-type
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 57
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

Thanks in advance

@drkibitz
Contributor

This isn't a problem with tonic, you are making a POST request, which requires you to also set the Access-Control-Allow-Methods: [, ]*

The W3C spec defines POST as a "simple" request, but this is not the case for most browser vendors.

@astenuz
Author

astenuz commented Jul 18, 2013

So is there anything else that needs to be done server side? Because the Access-Control-Allow-Methods header appears in the response.

@drkibitz
Contributor

Sorry, I read that wrong, but it makes more sense now. You are allowing only the "POST" method with:

Access-Control-Allow-Methods: POST

but are making an "OPTIONS" request:

OPTIONS /videoserver/chatapi/chat/some_token HTTP/1.1

What you need is this:

Access-Control-Allow-Methods: POST, OPTIONS

And any other type of request method you are planning to make with CORS. I've read a bit, and I've seen that using a wildcard here may or may not work. You can try to see if it does, but for this particular request you do need to allow the "OPTIONS" method.

@drkibitz
Contributor

Actually sorry, now I'm even confusing myself, Access-Control-Request-Method: POST is in your request not response. But your request is using the OPTIONS method. Looks like something going on in your client, or client code. How was this request made? Can you test by making this request again, but changing Access-Control-Request-Method: POST to Access-Control-Request-Method: OPTIONS?
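
The checks a browser applies to a preflight response, written out as an added example that is not part of the original thread or of Tonic: it parses the response quoted in the issue and lists every reason the preflight would be rejected. All object and function names are assumptions, and the rules are simplified from the CORS specification, which requires a 2xx status on the preflight response in addition to matching Access-Control-Allow-* headers.

```javascript
// Constructed from the exchange quoted in the issue (hosts are redacted there too).
const preflight = {
  origin: "http://xxx.xxx.xxx.130",
  method: "POST",            // Access-Control-Request-Method
  headers: ["content-type"], // Access-Control-Request-Headers
};
const rawResponse = [
  "HTTP/1.1 405 Method Not Allowed",
  "Access-Control-Allow-Origin: *",
  "Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS",
  "Access-Control-Max-Age: 604800",
  "Access-Control-Allow-Headers: x-requested-with, content-type",
].join("\r\n");

// Parse a status line plus header lines; header names are lower-cased.
function parseResponse(raw) {
  const [statusLine, ...lines] = raw.split(/\r?\n/);
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: parseInt(statusLine.split(" ")[1], 10), headers };
}

// Split a comma-separated header value into lower-cased tokens.
const tokens = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Return every reason the preflight is rejected; an empty array means it passes.
// Simplified: no credentials mode, case-insensitive matching, "*" accepted in every list.
function checkPreflight(req, res) {
  const problems = [];
  const h = res.headers;
  const allows = (list, name) => list.includes("*") || list.includes(name.toLowerCase());
  if (res.status < 200 || res.status > 299)
    problems.push(`status ${res.status} is not 2xx`);
  const origin = h["access-control-allow-origin"];
  if (origin !== "*" && origin !== req.origin)
    problems.push("origin not allowed");
  if (!allows(tokens(h["access-control-allow-methods"]), req.method))
    problems.push(`method ${req.method} not allowed`);
  const allowedHeaders = tokens(h["access-control-allow-headers"]);
  for (const name of req.headers)
    if (!allows(allowedHeaders, name)) problems.push(`header ${name} not allowed`);
  return problems;
}

// For the quoted response the headers all match; only the status code is reported.
const verdict = checkPreflight(preflight, parseResponse(rawResponse));
console.log(verdict);
```

The same response with a 2xx status line returns an empty list, so the server-side fix is for the OPTIONS request itself to be answered successfully, with the allowed origin narrowed from `*` to the calling site where the API is not meant to be public.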
