🍀 Trefle is a botanical JSON REST API for plants species, allowing you to search and query over all the registered species, and build the next gardening apps and farming robots.
Describe the bug
When a browser issues a CORS pre-flight request (using the OPTIONS HTTP method), all endpoints return a HTTP 404 status code and do not provide information on the allowed CORS methods.
When a website attempts to request a resource from a difference resource (ie a website using the Trefle.io API), the browser will send a pre-flight request using the OPTIONS HTTP method. This method returns information on the CORS policy of the specified resource.
As the Trefle.io API does not return a valid OPTIONS response, the browser assumes that the CORS policy does not allow the specified request and throws an error.
To Reproduce
Using Curl
Make a request to any API endpoint using the HTTP OPTIONS request:
This request will return a status code 404 with the content:
Page not found
Using the browser
Alternatively the browser can be used to simulate this functionality by executing the following JavaScript in the browser:
let request = new XMLHttpRequest(); request.addEventListener("load", console.log); request.addEventListener("error", console.log); request.open("GET", "http://trefle.io/api/plants?page_size=3?cachebust=998"); request.setRequestHeader("Authorization", "<REDACTED>") request.send();
This will result in the browser issuing a similar error message (tested in Safari 13.1):
Preflight response is not successful
Expected behaviour
When the OPTIONS HTTP method is requested on a given resource, the resource should respond with status code 204 and the standard CORS response headers. For example:
HTTP/1.1 204 No Content Connection: keep-alive Access-Control-Allow-Origin: https://foo.bar.org Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE Access-Control-Max-Age: 86400
The pre-flight (OPTIONS) request may need to take into account the API key in order to issue the correct Access-Control-Allow-Origin header. Alternatively, providing a wildcard response ("*") and issuing a separate Access-Control-Allow-Origin (and an error, if necessary) when an API key is used would also function but allow more requests than necessary to be made.
Describe the bug When a browser issues a CORS pre-flight request (using the OPTIONS HTTP method), all endpoints return a HTTP 404 status code and do not provide information on the allowed CORS methods.
When a website attempts to request a resource from a difference resource (ie a website using the Trefle.io API), the browser will send a pre-flight request using the OPTIONS HTTP method. This method returns information on the CORS policy of the specified resource.
As the Trefle.io API does not return a valid OPTIONS response, the browser assumes that the CORS policy does not allow the specified request and throws an error.
To Reproduce
Using Curl Make a request to any API endpoint using the HTTP OPTIONS request:
curl --location --request OPTIONS 'https://trefle.io/api/kingdoms' --header 'Access-Control-Request-Method: OPTIONS ' --header 'Access-Control-Request-Headers: origin, x-requested-with' --header 'Origin: https://example.com'
This request will return a status code 404 with the content:
Page not found
Using the browser
Alternatively the browser can be used to simulate this functionality by executing the following JavaScript in the browser:
let request = new XMLHttpRequest(); request.addEventListener("load", console.log); request.addEventListener("error", console.log); request.open("GET", "http://trefle.io/api/plants?page_size=3?cachebust=998"); request.setRequestHeader("Authorization", "<REDACTED>") request.send();
This will result in the browser issuing a similar error message (tested in Safari 13.1):
Preflight response is not successful
Expected behaviour When the OPTIONS HTTP method is requested on a given resource, the resource should respond with status code 204 and the standard CORS response headers. For example:
HTTP/1.1 204 No Content Connection: keep-alive Access-Control-Allow-Origin: https://foo.bar.org Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE Access-Control-Max-Age: 86400
Additional context
More information on the pre-flight request can be found here: https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
The pre-flight (OPTIONS) request may need to take into account the API key in order to issue the correct Access-Control-Allow-Origin header. Alternatively, providing a wildcard response ("*") and issuing a separate Access-Control-Allow-Origin (and an error, if necessary) when an API key is used would also function but allow more requests than necessary to be made.