OPTIONS HTTP request support

[craigruks]

Currently whitenoise only allows GET and HEAD HTTP requests. If you put a CDN in front of whitenoise and attempt to GET an asset across domains, the browser send a preflight ORIGINS HTTP request first, to see if it can then GET the asset. Therefore it would be nice to have the ORIGINS HTTP request permitted as well.

[evansd]

Thanks for this Craig, but I don't think it should be necessary. As I understand it, preflight requests aren't needed for "simple requests" which include all GET and HEAD requests without custom headers (see docs here).

If cross-domain XHR requests aren't working for you then it may be that whatever library you're using is adding custom headers to the requests which is triggering the preflight. If you can give me a bit more detail on the issue you're seeing then I'd be happy to try to help.

In any case, if we were going to support OPTIONS requests it's not enough to just stop returning 405, we'd need to respond with the appropriate Access-Control-xxxx headers.

[craigruks]

Thanks for the response. Sounds good, missed the part about simple requests on that page when I first read.

I did some looking and found that AngularJS by default sets an 'X-Requested-With' header in all its HTTP requests, was triggering the OPTIONS request, which this helped fix.

[gavinwahl]

I'm encountering this issue when using jQuery.html with script tags inside. jQuery fetches the scripts with XHR and adds the X-Requested-With header, which triggers a preflight OPTIONS request.

[evansd]

I'm surprised by this as by default jQuery doesn't set X-Requested-With on cross-origin requests.

If you can post a link to a reproducing example perhaps I can help spot the problem.

In any case, I think this is a client error and not an issue with WhiteNoise.

[gavinwahl]

@evansd You are right. A library I'm using was doing something stupid (calling $.ajaxSetup({crossDomain: false}) (fusionbox/django-widgy#374)). Thanks for the pointer.