starred/vaultwarden

Fork 0

mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-26 09:46:00 +03:00

[GH-ISSUE #629] "Method PUT is not allowed by Access-Control-Allow-Methods" #424

New issue

Closed

opened 2026-03-03 01:29:00 +03:00 by kerem · 8 comments

kerem commented

2026-03-03 01:29:00 +03:00

Owner

Originally created by @mikkelnl on GitHub (Sep 21, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/629

Getting the following error when trying to save an edit in the Bitwarden Safari extension 1.42.0, after updating Safari to 13.0, running bitwarden_rs 1.10.0-4c07f05b:

"Method PUT is not allowed by Access-Control-Allow-Methods"

Originally created by @mikkelnl on GitHub (Sep 21, 2019). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/629 Getting the following error when trying to save an edit in the Bitwarden Safari extension 1.42.0, after updating Safari to 13.0, running bitwarden_rs 1.10.0-4c07f05b: "Method PUT is not allowed by Access-Control-Allow-Methods"

kerem closed this issue

2026-03-03 01:29:00 +03:00

kerem commented

2026-03-03 01:29:01 +03:00

Author

Owner

@rotx commented on GitHub (Sep 23, 2019):

This happens when you edit and save an item in the extension.

For me, the following quick change seems to fix it (this is inspired by the original code using "AllowAnyMethod()"):

diff --git a/src/util.rs b/src/util.rs
index a3548fc..f14c2c6 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -65,7 +65,7 @@ impl Fairing for CORS {
         if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) {
             // Requests with credentials need explicit values since they do not allow wildcards.
             response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin));
-            response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_methods));
+            response.set_header(Header::new("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE"));
             response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers));
             response.set_header(Header::new("Access-Control-Allow-Credentials", "true"));
         }

@rotx commented on GitHub (Sep 23, 2019): This happens when you edit and save an item in the extension. For me, the following quick change seems to fix it (this is inspired by the original code using "AllowAnyMethod()"): ``` diff --git a/src/util.rs b/src/util.rs index a3548fc..f14c2c6 100644 --- a/src/util.rs +++ b/src/util.rs @@ -65,7 +65,7 @@ impl Fairing for CORS { if request.method() == Method::Options || response.content_type() == Some(ContentType::JSON) { // Requests with credentials need explicit values since they do not allow wildcards. response.set_header(Header::new("Access-Control-Allow-Origin", req_allow_origin)); - response.set_header(Header::new("Access-Control-Allow-Methods", req_allow_methods)); + response.set_header(Header::new("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")); response.set_header(Header::new("Access-Control-Allow-Headers", req_allow_headers)); response.set_header(Header::new("Access-Control-Allow-Credentials", "true")); } ```

kerem commented

2026-03-03 01:29:01 +03:00

Author

Owner

@vplme commented on GitHub (Sep 23, 2019):

Sorry for this issue. I didn't test it with editing the items.

Does https://github.com/dani-garcia/bitwarden_rs/pull/631 fix the issue?
It seems to work for me.

@vplme commented on GitHub (Sep 23, 2019): Sorry for this issue. I didn't test it with editing the items. Does https://github.com/dani-garcia/bitwarden_rs/pull/631 fix the issue? It seems to work for me.

kerem commented

2026-03-03 01:29:01 +03:00

Author

Owner

@Ayitaka commented on GitHub (Sep 24, 2019):

Same empty strings with latest build:

{"Response headers (985 B)":{"headers":[{"name":"access-control-allow-credentials","value":"true"},{"name":"access-control-allow-headers","value":""},{"name":"access-control-allow-methods","value":""},{"name":"access-control-allow-origin","value":""},{"name":"cache-control","value":"no-cache, no-store, max-age=0"}...

Edit: Do you need to set the "Access-Control-Allow-Methods" in req_headers to be "GET, POST, PUT, DELETE" somewhere?

@Ayitaka commented on GitHub (Sep 24, 2019): Same empty strings with latest build: {"Response headers (985 B)":{"headers":[{"name":"access-control-allow-credentials","value":"true"},{"name":"access-control-allow-headers","value":""},{"name":"access-control-allow-methods","value":""},{"name":"access-control-allow-origin","value":""},{"name":"cache-control","value":"no-cache, no-store, max-age=0"}... Edit: Do you need to set the "Access-Control-Allow-Methods" in req_headers to be "GET, POST, PUT, DELETE" somewhere?

kerem commented

2026-03-03 01:29:01 +03:00

Author

Owner

@vplme commented on GitHub (Sep 24, 2019):

I'm adding the headers in the preflight request. When I use mitmweb it does give me the correct OPTIONS and PUT request+response and both of them work. Extension also seems to work.

How did you get your response snippet? From Safari with the extension? What was the request?

@vplme commented on GitHub (Sep 24, 2019): I'm adding the headers in the preflight request. When I use `mitmweb` it does give me the correct OPTIONS and PUT request+response and both of them work. Extension also seems to work. How did you get your response snippet? From Safari with the extension? What was the request? <img width="798" alt="image" src="https://user-images.githubusercontent.com/1703598/65481647-5ab85000-de96-11e9-8d07-bd8fd5657997.png">

kerem commented

2026-03-03 01:29:02 +03:00

Author

Owner

@Ayitaka commented on GitHub (Sep 24, 2019):

Never mind. Upon further reading, the extension is different from web in terms of CORS I guess, sorry.

I left my web responses in the original edit of this comment, but those are from the web interface, not extension.

@Ayitaka commented on GitHub (Sep 24, 2019): Never mind. Upon further reading, the extension is different from web in terms of CORS I guess, sorry. I left my web responses in the original edit of this comment, but those are from the web interface, not extension.

kerem commented

2026-03-03 01:29:02 +03:00

Author

Owner

@seanfarley commented on GitHub (Sep 30, 2019):

Just wanted to report that #631 doesn't work for editing or deleting an item in the browser extension.

@seanfarley commented on GitHub (Sep 30, 2019): Just wanted to report that #631 doesn't work for editing or deleting an item in the browser extension.

kerem commented

2026-03-03 01:29:02 +03:00

Author

Owner

@vplme commented on GitHub (Oct 1, 2019):

I got an error trying to delete an item but editing does seem to work for me. What error did you get?

Error while trying to delete:

Returning the exact Origin as Access-Control-Allow-Origin seems ok and matches the official api except when the Origin is file:// it seems incorrect and it should return *. The .NET Core CORS Middleware seems to do this logic.

Also, it's currently adding all the CORS headers to all requests while it should only be the preflight (OPTIONS) request.

Could you check if https://github.com/dani-garcia/bitwarden_rs/pull/639 fixes things for you?

@vplme commented on GitHub (Oct 1, 2019): I got an error trying to delete an item but editing does seem to work for me. What error did you get? Error while trying to delete: <img width="385" alt="image" src="https://user-images.githubusercontent.com/1703598/65941413-42fb4180-e42b-11e9-94ab-e7522b670428.png"> Returning the exact `Origin` as `Access-Control-Allow-Origin` seems ok and matches the official api except when the `Origin` is `file://` it seems incorrect and it should return `*`. The .NET Core CORS Middleware seems to do this logic. Also, it's currently adding all the CORS headers to all requests while it should only be the preflight (OPTIONS) request. Could you check if https://github.com/dani-garcia/bitwarden_rs/pull/639 fixes things for you?

kerem commented

2026-03-03 01:29:02 +03:00

Author

Owner

@seanfarley commented on GitHub (Oct 1, 2019):

Ah, cool! Let me check it out and test it.

@seanfarley commented on GitHub (Oct 1, 2019): Ah, cool! Let me check it out and test it.