CORS allow headers broken with Safari

Bug #1680062 reported by Logan V
This bug affects 1 person
Affects          Status   Importance  Assigned to  Milestone
Glance           New      Undecided   Unassigned
oslo.middleware  Invalid  Undecided   Unassigned

Bug Description

I'm seeing Glance images failing to upload via Horizon with CORS because:
2017-04-05 07:07:33.103 7034 DEBUG oslo_middleware.cors [-] Request header 'origin' not in permitted list: ['CONTENT-MD5', 'X-IMAGE-META-CHECKSUM', 'X-STORAGE-TOKEN', 'ACCEPT-ENCODING', 'X-AUTH-TOKEN', 'X-IDENTITY-STATUS', 'X-ROLES', 'X-SERVICE-CATALOG', 'X-USER-ID', 'X-TENANT-ID', 'X-OPENSTACK-REQUEST-ID', 'ACCEPT', 'ACCEPT-LANGUAGE', 'CONTENT-TYPE', 'CACHE-CONTROL', 'CONTENT-LANGUAGE', 'EXPIRES', 'LAST-MODIFIED', 'PRAGMA'] _apply_cors_preflight_headers /openstack/venvs/glance-14.1.0/lib/python2.7/site-packages/oslo_middleware/cors.py:381

The request headers Safari is sending are:
Access-Control-Request-Headers accept, content-type, origin, x-auth-token

The same upload works fine in Chrome, where the request headers are:
Access-Control-Request-Headers: content-type,x-auth-token

Logan V (loganv) wrote :

Browser versions in the above tests are:
Safari Version 10.0.3 (12602.4.8)

Chrome Version 58.0.3029.41 beta (64-bit)

ChangBo Guo(gcb) (glongwave) wrote :
Logan V (loganv) wrote :

Yes, adding allow_headers for Origin fixes it.

I also found that setting allow_headers in my glance-api.conf overrides all of the default glance headers, so I have to add a bunch of the defaults like X-AUTH-TOKEN back to the list as well.

Since some browsers send "Origin" as a request header, shouldn't that probably be one of the defaults in the allowed_header list for the cors middleware? That's what I'm suggesting with the bug here.

Ben Nemec (bnemec) wrote :

It looks to me like this is set on a per-project basis. oslo.middleware doesn't have any default headers: https://github.com/openstack/oslo.middleware/blob/2c557312519cd368c50eaaa5448049da19cc6281/oslo_middleware/cors.py#L50

A quick search suggests that the accepted headers are being set in Glance itself: https://github.com/openstack/glance/blob/8a2d1542348e8aaaee163ba629fd37c534d469d9/glance/common/config.py#L851 I think that's where this would need to be changed.

Changed in oslo.middleware:
status: New → Invalid
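
The preflight failure discussed in this thread can be reproduced with a small model of the header check. This is an added example, not part of the bug report and not oslo.middleware's code; the permitted list is copied from the debug log line in the bug description, and the function names and the OVERRIDE list are assumptions made for illustration.

```python
# Simplified model of a CORS preflight header check (added example, not
# oslo.middleware's implementation). PERMITTED is copied from the debug log
# line in the bug description.
PERMITTED = [
    'CONTENT-MD5', 'X-IMAGE-META-CHECKSUM', 'X-STORAGE-TOKEN',
    'ACCEPT-ENCODING', 'X-AUTH-TOKEN', 'X-IDENTITY-STATUS', 'X-ROLES',
    'X-SERVICE-CATALOG', 'X-USER-ID', 'X-TENANT-ID',
    'X-OPENSTACK-REQUEST-ID', 'ACCEPT', 'ACCEPT-LANGUAGE', 'CONTENT-TYPE',
    'CACHE-CONTROL', 'CONTENT-LANGUAGE', 'EXPIRES', 'LAST-MODIFIED', 'PRAGMA',
]

# Access-Control-Request-Headers values as quoted in the report.
SAFARI = 'accept, content-type, origin, x-auth-token'
CHROME = 'content-type,x-auth-token'

# Constructed replacement list: what an operator might set when adding Origin
# without re-adding the other entries (hypothetical value).
OVERRIDE = ['Origin', 'Accept', 'Content-Type']


def parse_request_headers(value):
    """Split an Access-Control-Request-Headers value into header names."""
    return [name.strip() for name in value.split(',') if name.strip()]


def rejected_headers(acrh_value, permitted):
    """Return requested headers missing from the permitted list.

    Header names are case-insensitive, so both sides are upper-cased.
    """
    allowed = {name.upper() for name in permitted}
    return [name for name in parse_request_headers(acrh_value)
            if name.upper() not in allowed]


def preflight_allowed(acrh_value, permitted):
    """All-or-nothing: a single unlisted header fails the whole preflight."""
    return not rejected_headers(acrh_value, permitted)


if __name__ == '__main__':
    for label, permitted in (('list from log', PERMITTED),
                             ('list + Origin', PERMITTED + ['Origin']),
                             ('replacement list', OVERRIDE)):
        for browser, value in (('Safari', SAFARI), ('Chrome', CHROME)):
            print(label, browser, rejected_headers(value, permitted))
```

With the replacement list, x-auth-token is rejected for both browsers in this model, which matches the observation that replacing the list means re-adding entries such as X-AUTH-TOKEN.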