Describe the bug
When a browser issues a CORS pre-flight request (using the OPTIONS HTTP method), all endpoints return a HTTP 404 status code and do not provide information on the allowed CORS methods.
When a website attempts to request a resource from a difference resource (ie a website using the Trefle.io API), the browser will send a pre-flight request using the OPTIONS HTTP method. This method returns information on the CORS policy of the specified resource.
As the Trefle.io API does not return a valid OPTIONS response, the browser assumes that the CORS policy does not allow the specified request and throws an error.
To Reproduce
Using Curl
Make a request to any API endpoint using the HTTP OPTIONS request:
curl --location --request OPTIONS 'https://trefle.io/api/kingdoms' --header 'Access-Control-Request-Method: OPTIONS ' --header 'Access-Control-Request-Headers: origin, x-requested-with' --header 'Origin: https://example.com'
This request will return a status code 404 with the content:
Page not found
Using the browser
Alternatively the browser can be used to simulate this functionality by executing the following JavaScript in the browser:
let request = new XMLHttpRequest(); request.addEventListener("load", console.log); request.addEventListener("error", console.log); request.open("GET", "http://trefle.io/api/plants?page_size=3?cachebust=998"); request.setRequestHeader("Authorization", "<REDACTED>") request.send();
This will result in the browser issuing a similar error message (tested in Safari 13.1):
Preflight response is not successful
Expected behaviour
When the OPTIONS HTTP method is requested on a given resource, the resource should respond with status code 204 and the standard CORS response headers. For example:
HTTP/1.1 204 No Content Connection: keep-alive Access-Control-Allow-Origin: https://foo.bar.org Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE Access-Control-Max-Age: 86400
Additional context
More information on the pre-flight request can be found here: https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
The pre-flight (OPTIONS) request may need to take into account the API key in order to issue the correct Access-Control-Allow-Origin header. Alternatively, providing a wildcard response ("*") and issuing a separate Access-Control-Allow-Origin (and an error, if necessary) when an API key is used would also function but allow more requests than necessary to be made.