Why is my patch request being blocked despite PATCH being allowed by the server's CORS policy?
The Gist API explicitly allows any * host and the PATCH method:
access-control-allow-origin: *
access-control-allow-methods: GET,PUT,PATCH,OPTIONS,POST
However, when a PATCH request is issued from a development app running on http://localhost via browser fetch API to a private Gist with a valid token, Chrome blocks it due to:
Access to fetch at
'https://api.github.com/gists/c4c...86d'from origin'http://localhost'has been blocked by CORS policy: Method patch is not allowed by Access-Control-Allow-Methods in preflight response.
- I have tried non-localhost names such as
http://127.0.0.1,http://local.hostetc. - As I understand it the HTTP/HTTPS crossover should also not be a problems since
*is defined as the allowed origin.
Interestingly the pre-flight request appears after my blocked PATCH request:
- Why is Chrome claiming
PATCHis not allowed, when it clearly is? - Why is Chrome doing a pre-flight request after my PATCH?
Why is Chrome claiming
PATCHis not allowed, when it clearly is?
Check again. The CORS error you're observing is caused by a case mismatch. Your request uses patch(lowercase) as its method, but the server's CORS configuration happens to allow PATCH (uppercase), not patch.
HTTP methods are case-sensitive. Fetch-compliant browsers do normalise "standard" methods to uppercase before sending a request, but patch is not one of them.
The solution is simple: rather than patch, use PATCH as the method of your request.
Why is Chrome doing a pre-flight request after my PATCH?
It's not. See Why does the preflight (OPTIONS) request get listed after the actual (GET) request?
- Chrome failed to start in docker container using Selenium after upgrading to ChromeDriver v80 and Chrome v80
- How to make Chrome always launch with remote-debugging-port flag
- Selenium 4.25 opens Chrome 136 with existing profile to "New Tab" instead of navigating with driver.get()
- Indexing array values in an object in an IndexedDB
- Why is my patch request being blocked despite PATCH being allowed by the server's CORS policy?
- SSL Localhost Privacy error
- Is Chrome /json/version feature deprecated?
- Chrome blocks FastAPI file download using FileResponse due to using HTTP instead of HTTPS
- How to launch html using Chrome at "--allow-file-access-from-files" mode?
- Mobile Chrome: Wrong 'font-size' when using 'height' property
- Remote Debugging for Chrome iOS (and Safari)
- I lost my userscripts in Tampermonkey. How do I recover them?
- Chrome/Safari blocking JavaScript (user originated) blob URL downloads (sandbox blocking download)
- How to display alt text for an image in chrome
- Can I set the filename of a PDF object displayed in Chrome?
- Why is the section displayed as generic in the Google accessibility tree? Shouldn't it be assigned the 'section' role?
- Decrypt Google Cookies in c# .Net Framework?
- Flutter - Failed to launch browser. Make sure you are using an up-to-date Chrome or Edge
- Can't run flutter web project in Release or Profile (Cannot read properties of null (reading 'isAsync'))
- How to maximize Google Chrome Window without using SendKeys?
- How to let the chrome forget the page scroll position?
- Laravel Dusk: Facebook\WebDriver\Exception\UnknownErrorException: unknown error: net::ERR_CONNECTION_REFUSED
- Include icon when Add to Home Screen from Android Chrome
- How to prevent "jerking" of page in browser
- Chrome extension to modify page's script includes and JS
- How to avoid "-internal-autofill-selected" style to be applied?
- Google Chrome net::ERR_TOO_MANY_RETRIES
- Jupyter Notebook not saving: '_xsrf' argument missing from post
- Chrome redirects and makes 2 requests of the same page (307 Internal Redirect), how to prevent?
- Uncaught (in promise) DOMException: Failed to execute 'texImage2D' on 'WebGL2RenderingContext': Tainted canvases may not be loaded