[api-quick-start]Make cors work better.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openstack-api-site | Triaged | Medium | Unassigned |
Bug Description
https:/
commit 2abb829a5dd965b
Author: David Goetz <email address hidden>
Date: Wed Jan 15 14:49:31 2014 -0800
Make cors work better.
CORS doesn't really work with swift right now. OPTIONS calls for the most part
work, but for so-called "simple cross-site requests" (i.e. those that don't
require a pre-flight OPTIONS request) Swift always returns the Origin it was
given as the Access-
"work" for these requests but if you actually wanted the javascript user agent
to restrict anything for you it wouldn't be able to!
You can duplicate the issue with the updated CORS test page:
http://
And a public container with an 'X-Container-
that does NOT match the webserver hosting the test-cors-page.
e.g.
with a public container that accepts cross-site requests from "example.com":
`swift post cors-container -m access-
You could point your browser at a copy of the test-cors-page on your
filesystem (the browser will send 'Origin: null')
Without a token the XMLHttpRequest will not request any custom headers (i.e.
Access-
without a preflight OPTIONS request (which Swift would have denied anyway
because the origins don't match)
i.e. fill in "http://
leave "Token" blank.
You would expect that the browser would not complete the request because
"Origin: null" does not match the configured "Access-
example.com" on the container metadata, and indeed with this patch, it won't!
Also:
The way cors is set up does not play well with certain applications for swift.
If you are running a CDN on top of swift and you have the
Access-
to be cached on the CDN, not the Origin that happened to result in an
origin request.
Also:
If you were unfortunate enough to allow cors headers to be saved directly
onto objects then this allows them to supersede the headers coming from the
container.
NOTE: There is a change in behavior with this patch. Because it's CORS, a
spec that was created only to cause annoyance to all, I'll write out
what's being changed and hopefully someone will speak up if it breaks
their stuff.
previous behavior: When a request was made with a Origin header set the
new behavior: If strict_cors_mode is set to True in the proxy-server.conf
previous: If you had X-Container-
and you passed in Origin: http://
both OPTIONS and regular reqs.
new: With X-Container-
for both OPTIONS and regular reqs.
previous: cors headers saved directly onto objects (by allowing them to be
saved via the allowed_headers config in the object-server conf)
would be overridden by whatever container cors you have set up.
new: For regular (non-OPTIONS) calls the object headers will be kept. The
container cors will only be applied to objects without the
This behavior doesn't make a whole lot of sense for OPTIONS calls so I
left that as is. I don't think that allowing cors headers to be saved
directly onto objects is a good idea and it should be discouraged.
DocImpact
Change-Id: I9b0219407e77c7
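To make the before/after behaviour concrete, here is an added Python model of the origin handling the commit message describes. It is example code written for this page, not the Swift patch itself or any Swift code: the function names, the assumption that the container metadata holds a space-separated origin list, and the choice to return the configured `*` verbatim in the CDN case (the exact header value the message refers to is cut off above) are all illustrative assumptions. The constructed scenario at the bottom is the one from the report: a container that accepts only `http://example.com`, hit from a test page opened off the local filesystem, so the browser sends `Origin: null`.

```python
# Added example: a model of the CORS origin handling the commit message
# describes. It is NOT Swift's own code; function names, the space-separated
# metadata format and the '*' pass-through are assumptions for illustration.

ALLOW_ORIGIN = "Access-Control-Allow-Origin"
CONTAINER_META_ALLOW_ORIGIN = "X-Container-Meta-Access-Control-Allow-Origin"


def parse_allowed_origins(container_meta):
    """Split the container's allow-origin metadata into a list of origins.
    Assumption: values are space-separated, e.g. 'http://a.test http://b.test'
    or the wildcard '*'."""
    value = container_meta.get(CONTAINER_META_ALLOW_ORIGIN, "")
    return [o for o in value.split() if o]


def is_origin_allowed(allowed_origins, origin):
    """Exact-string match against the configured list, or a wildcard."""
    return "*" in allowed_origins or origin in allowed_origins


def allow_origin_header(container_meta, object_headers, request_headers,
                        strict_cors_mode=True, is_options=False):
    """Return the Access-Control-Allow-Origin value to send back, or None if
    no CORS header should be emitted at all.

    Models the behaviours the commit message lists:
      * pre-patch (strict_cors_mode=False): the request's Origin is echoed
        back unconditionally, so the browser can never block anything;
      * post-patch (strict_cors_mode=True): a header is emitted only when
        the Origin matches the container configuration, and a '*' config is
        returned as '*' so a CDN caches the configured value rather than the
        Origin of whoever happened to fill the cache ('*' is an assumption;
        the message's exact header value is cut off above);
      * post-patch: CORS headers saved on the object supersede the
        container's for regular (non-OPTIONS) requests.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return None  # same-origin or non-browser request: no CORS headers

    # Object-level CORS headers win for regular requests only; the message
    # leaves the OPTIONS path using the container configuration.
    if not is_options and ALLOW_ORIGIN in object_headers:
        return object_headers[ALLOW_ORIGIN]

    if not strict_cors_mode:
        return origin  # the old behaviour the report complains about

    allowed = parse_allowed_origins(container_meta)
    if not is_origin_allowed(allowed, origin):
        return None  # mismatch: browser refuses to expose the response

    return "*" if "*" in allowed else origin


if __name__ == "__main__":
    # Constructed reproduction of the report: a container that accepts
    # cross-site requests from http://example.com only, hit from a page
    # opened off the local filesystem (the browser sends 'Origin: null').
    container = {CONTAINER_META_ALLOW_ORIGIN: "http://example.com"}
    file_page = {"Origin": "null"}
    print("old:", allow_origin_header(container, {}, file_page, strict_cors_mode=False))
    print("new:", allow_origin_header(container, {}, file_page, strict_cors_mode=True))
```

Run as-is it shows the two outcomes side by side: the old path hands `null` straight back, which the browser accepts as a match for its own `Origin: null`, while the strict path returns no header at all, which is what the user agent needs in order to refuse the response.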
Changed in openstack-manuals:
    milestone: none → icehouse
    status: New → Confirmed
    importance: Undecided → Medium
Changed in openstack-api-site:
    status: New → Confirmed
    importance: Undecided → Medium
    milestone: none → icehouse
Changed in openstack-api-site:
    milestone: icehouse → juno
Changed in openstack-manuals:
    milestone: icehouse → juno
tags: added: icehouse
Changed in openstack-api-site:
    milestone: juno → kilo
Changed in openstack-manuals:
    milestone: juno → kilo
Changed in openstack-manuals:
    milestone: kilo → liberty
Changed in openstack-api-site:
    milestone: kilo → liberty
affects: openstack-api-site → swift
Changed in swift:
    milestone: liberty → none
affects: swift → openstack-api-site
tags: added: api-quick-start
affects: openstack-api-site → swift
affects: swift → openstack-api-site
summary:
    - Make cors work better.
    + [api-quick-start]Make cors work better.
no longer affects: openstack-manuals
I think the CORS mechanism is not related to api-reference.
It should be systematically documented (how to) on api-guide, or something.
Ref. www.html5rocks.com/en/tutorials/cors/
http://