Glance

CORS allow headers broken with Safari

Bug #1680062 reported by Logan V on 2017-04-05

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Glance	New	Undecided	Unassigned
	oslo.middleware	Invalid	Undecided	Unassigned

Bug Description

I'm seeing Glance images failing to upload via Horizon with CORS because:
2017-04-05 07:07:33.103 7034 DEBUG oslo_middleware.cors [-] Request header 'origin' not in permitted list: ['CONTENT-MD5', 'X-IMAGE-META-CHECKSUM', 'X-STORAGE-TOKEN', 'ACCEPT-ENCODING', 'X-AUTH-TOKEN', 'X-IDENTITY-STATUS', 'X-ROLES', 'X-SERVICE-CATALOG', 'X-USER-ID', 'X-TENANT-ID', 'X-OPENSTACK-REQUEST-ID', 'ACCEPT', 'ACCEPT-LANGUAGE', 'CONTENT-TYPE', 'CACHE-CONTROL', 'CONTENT-LANGUAGE', 'EXPIRES', 'LAST-MODIFIED', 'PRAGMA'] _apply_cors_preflight_headers /openstack/venvs/glance-14.1.0/lib/python2.7/site-packages/oslo_middleware/cors.py:381

The request headers Safari is sending are:
Access-Control-Request-Headers accept, content-type, origin, x-auth-token

The same upload works fine in Chrome, where the request headers are:
Access-Control-Request-Headers: content-type,x-auth-token

Revision history for this message

Logan V (loganv) wrote on 2017-04-05:

Browser versions in the above tests are:
Safari Version 10.0.3 (12602.4.8)

Chrome Version 58.0.3029.41 beta (64-bit)

Revision history for this message

ChangBo Guo(gcb) (glongwave) wrote on 2017-04-05:

This hits the exceptions in https://github.com/openstack/oslo.middleware/blob/master/oslo_middleware/cors.py#L382

Have you tried config option 'allow_headers' in https://github.com/openstack/oslo.middleware/blob/master/oslo_middleware/cors.py#L50 ?

Revision history for this message

Logan V (loganv) wrote on 2017-04-05:

Yes adding allow_headers for Origin fixes it.

I also found that setting allow_headers in my glance-api.conf overrides all of the default glance headers, so I have to add back a bunch of the defaults like X-AUTH-TOKEN back to the list as well.

Since some browsers send "Origin" as a request header, shouldn't that probably be one of the defaults in the allowed_header list for the cors middleware? That's what I'm suggesting with the bug here.

Revision history for this message

Ben Nemec (bnemec) wrote on 2018-04-25:

It looks to me like this is set on a per-project basis. oslo.middleware doesn't have any default headers: https://github.com/openstack/oslo.middleware/blob/2c557312519cd368c50eaaa5448049da19cc6281/oslo_middleware/cors.py#L50

A quick search suggests that the accepted headers are being set in Glance itself: https://github.com/openstack/glance/blob/8a2d1542348e8aaaee163ba629fd37c534d469d9/glance/common/config.py#L851 I think that's where this would need to be changed.

Changed in oslo.middleware:
status:	New → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.