0

I'm trying to send a PUT-request to a Philips Hue bridge, so I can change the current state in which the lamp is. I do this from a webserver on my PC. With CORS I already managed to send GET and POST- request, but if I send a PUT I get an error that tells "method not found in Access-Control-Allow-Methods". I'm pretty sure that would make no sense to block just that method.

I'm using that code to do so, it is the same as the code for GET and POST, just the if clause is not needed.

var lightReq = new XMLHttpRequest();

  if ("withCredentials" in lightReq) {
   lightReq.open('PUT',stringChange,true);
   if (value == false) {
    lightReq.send("{\"on\":true}");
   } 
   else {
    lightReq.send("{\"on\":false}");
   }
  }

Maybe someone had a similar problem and got a solution, or there are steps I should check. I'm glad for every help.

EDIT: Here is a screenshot of the header, it shows that the PUT-method should be accepted. Screenshot of the header

EDIT2: For roryhewitt here is what you asked for, i think: enter image description here

Best Regards, Adrian

AdrianL
  • 335
  • 2
  • 18
  • 2
    That error means that the server (the Hue bridge, I suppose) is returning an `Access-Control-Allow-Methods` header that does not include the "PUT" method. You should be able to verify that via your browser's developer tools, where you'll see the pre-flight CORS request that will automatically be done (by the browser) before your "PUT" is attempted. – Pointy Dec 05 '17 at 22:02
  • The reason your GET and POST requests worked is probably just that they were simple requests that didn’t have any custom requests headers and so didn’t trigger a CORS preflight OPTIONS request from your browser. But cross-origin PUT requests *always* trigger browsers to do a preflight — which as @Pointy says will fail if the Access-Control-Allow-Methods response header doesn’t include "PUT". – sideshowbarker Dec 05 '17 at 22:34
  • as added to my post, the networkscanner of the browser shows that the PUT-method should be accepted. Or am I missleaded? – AdrianL Dec 05 '17 at 22:40
  • What browser are you using? It sure looks like the preflight CORS response does in fact contain "PUT". – Pointy Dec 05 '17 at 22:53
  • I'm using Firefox in Version 51 (PC) and 43 (Laptop), the old versions are needed as I use a Plugin called FireHbbTV to simulate an HbbTV application on the PC. In the future the setup will go on a TV. Today evening I'll try to set it up on a third system, but I somehow doubt it will change anything... But what could be the causes that it won't work, when it is supported? – AdrianL Dec 06 '17 at 09:07

1 Answers1

0

It looks from your screenshot as if that's the response to a POST request (I'm looing at the Anfragemethode field)?

Most of those CORS response headers (except ACAC) should only be returned in the response to a preflight OPTIONS request - they have no 'meaning' if they are returned in the response to any other request. That's the 'fault' of the bridge, though, not of anything you're doing in the browser code.

Anyway, when your JS code makes a PUT request via XMLHttpRequest, if you look at the network traffic from your browser, you should see an OPTIONS requests (CORS preflight) followed by your PUT request. If you only see the OPTIONS request, can you provide the response headers for that request?

roryhewitt
  • 4,097
  • 3
  • 27
  • 33
  • I added a new picture in my main post. As far as I understand it, it should be allowed, or am I mistaken? – AdrianL Dec 08 '17 at 15:29
  • If I'm understanding your second screenshot, the top section is the request headers for the PUT, and the lower section is the response headers followed by the request headers for the OPTIONS, correct? So the PUT request IS being made (which wouldn't happen if the preflight OPTIONS didn't allow it). I THINK the problem here is that you're using credentials, but you're returning `Access-Control-Allow-Origin: *` - if you use credentials, you need to mirror back the EXACT origin request header, e.g. `Access-Control-Allow-Origin: http://localhost`. Can you try sending that back instead of *? – roryhewitt Dec 11 '17 at 02:13
  • Sending it back would mean I have to change the parameters on the Philips Hue bridge, as I understand you right. But that is not an option, i have no access on the bridge config. Or am I misunderstanding you? Furthermore I tried it from a simple HTML on a webserver and it works, so I guess it has to do with restrictions that the FireHbbTV-Plugin has on CORS. – AdrianL Dec 11 '17 at 13:07