According to the docs, the http.cors.allow-methods setting should default to OPTIONS,HEAD,GET,POST,PUT,DELETE, but it appears to default to no methods at all.
With the default settings:
curl -H 'Origin: http://localhost:8000' -H 'Access-Control-Request-Method: PUT' -i -X OPTIONS localhost:9200/t/t/1 -d{}
returns:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://localhost:8000
Vary: Origin
Access-Control-Max-Age: 1728000
date: Wed, 20 Jul 2016 14:37:09 GMT
content-length: 0
If I set http.cors.allow-methods to OPTIONS,HEAD,GET,POST,PUT,DELETE, it returns:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://localhost:8000
Vary: Origin
Access-Control-Allow-Methods: HEAD
Access-Control-Allow-Methods: DELETE
Access-Control-Allow-Methods: POST
Access-Control-Allow-Methods: GET
Access-Control-Allow-Methods: OPTIONS
Access-Control-Allow-Methods: PUT
Access-Control-Max-Age: 1728000
date: Wed, 20 Jul 2016 14:38:18 GMT
content-length: 0
According to the docs, the
http.cors.allow-methodssetting should default toOPTIONS,HEAD,GET,POST,PUT,DELETE, but it appears to default to no methods at all.With the default settings:
returns:
If I set
http.cors.allow-methodstoOPTIONS,HEAD,GET,POST,PUT,DELETE, it returns: