Access-Control-Allow-Methods: GET, POST, HEAD, OPTIONS - refs #1922

datasette/utils/__init__.py

@@ -1131,6 +1131,7 @@ def add_cors_headers(headers):
     headers["Access-Control-Allow-Origin"] = "*"
     headers["Access-Control-Allow-Headers"] = "Authorization"
     headers["Access-Control-Expose-Headers"] = "Link"
+    headers["Access-Control-Allow-Methods"] = "GET, POST, HEAD, OPTIONS"
 
 
 _TILDE_ENCODING_SAFE = frozenset(

docs/json_api.rst

@@ -15,6 +15,7 @@ served with the following additional HTTP headers::
     Access-Control-Allow-Origin: *
     Access-Control-Allow-Headers: Authorization
     Access-Control-Expose-Headers: Link
+    Access-Control-Allow-Methods: GET, POST, HEAD, OPTIONS
 
 This means JavaScript running on any domain will be able to make cross-origin
 requests to fetch the data.

tests/test_api.py

@@ -914,6 +914,7 @@ def test_cors(
     assert response.headers["Access-Control-Allow-Origin"] == "*"
     assert response.headers["Access-Control-Allow-Headers"] == "Authorization"
     assert response.headers["Access-Control-Expose-Headers"] == "Link"
+    assert response.headers["Access-Control-Allow-Methods"] == "GET, POST, HEAD, OPTIONS"
     # Same request to app_client_two_attached_databases_one_immutable
     # should not have those headers - I'm using that fixture because
     # regular app_client doesn't have immutable fixtures.db which means
@@ -923,6 +924,7 @@ def test_cors(
     assert "Access-Control-Allow-Origin" not in response.headers
     assert "Access-Control-Allow-Headers" not in response.headers
     assert "Access-Control-Expose-Headers" not in response.headers
+    assert "Access-Control-Allow-Methods" not in response.headers
 
 
 @pytest.mark.parametrize(