Comment 3 for bug 1489749

Christian Schwede (cschwede) wrote :

Also, please note that swift_owner_headers don't include "web-listings". Depending on the auth middleware used and the implementation of a Swift owner, it might be possible for a non-owner to enable web-listings, though read-acls are not editable by that user, thus leading to information leakage.

https://github.com/openstack/swift/blob/master/etc/proxy-server.conf-sample#L204-L207
https://github.com/openstack/swift/blob/master/swift/proxy/controllers/container.py#L182-L184

However, afair this doesn't apply to tempauth and keystoneauth.