CORS requests against encrypted objects don't expose x-object-meta-* headers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Object Storage (swift) | Fix Released | Undecided | Unassigned |
Bug Description
This is because access-
Note that this leaks information about whether encryption is turned on or not in a cluster. I don't think this is a security concern per se, but certainly one of the design goals of encryption was to have it be completely transparent to the client.
I see two ways to fix it:
Easy lift - have the decrypter update the exposed headers after decrypting user meta, as in https:/
Heavy lift - pull CORS handling out to middleware, as in https:/
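The header flow behind this bug, as an added example (not Swift's code): the proxy builds Access-Control-Expose-Headers before the decrypter restores user metadata, so the x-object-meta-* names are missing unless the decrypter patches the list afterwards, which is the "easy lift" option above. The encrypted-metadata header prefix, the reduced set of default exposed headers and the base64 "decryption" are all assumptions constructed for the demo.

```python
import base64

USER_META_PREFIX = "x-object-meta-"
# Assumed stand-in for the namespace the encrypter moves user metadata into;
# not taken from the page, only the shape (no x-object-meta-* headers remain).
ENC_META_PREFIX = "x-object-transient-sysmeta-crypto-meta-"
ALWAYS_EXPOSED = {"content-type", "etag"}  # illustrative subset of CORS defaults


def toy_decrypt(value):
    """Constructed stand-in for decryption: ciphertext is just base64 text."""
    return base64.b64decode(value).decode()


def cors_expose_headers(headers):
    """Proxy object controller: expose whatever user metadata it can see."""
    return set(ALWAYS_EXPOSED) | {n for n in headers if n.startswith(USER_META_PREFIX)}


def decrypt_user_meta(headers, decrypt):
    """Decrypter stage: restore x-object-meta-* from the encrypted namespace."""
    out = {}
    for name, value in headers.items():
        if name.startswith(ENC_META_PREFIX):
            out[USER_META_PREFIX + name[len(ENC_META_PREFIX):]] = decrypt(value)
        else:
            out[name] = value
    return out


def exposed(resp):
    """Parse the comma-separated Access-Control-Expose-Headers value into a set."""
    return {h.strip() for h in resp["access-control-expose-headers"].split(",") if h.strip()}


def serve_unfixed(backend_headers, decrypt=toy_decrypt):
    """Pipeline order that triggers the bug: CORS list built before decryption."""
    resp = dict(backend_headers)
    resp["access-control-expose-headers"] = ", ".join(sorted(cors_expose_headers(resp)))
    return decrypt_user_meta(resp, decrypt)


def serve_fixed(backend_headers, decrypt=toy_decrypt):
    """The easy lift: after decrypting, add the restored meta names to the list."""
    resp = serve_unfixed(backend_headers, decrypt)
    names = exposed(resp) | {n for n in resp if n.startswith(USER_META_PREFIX)}
    resp["access-control-expose-headers"] = ", ".join(sorted(names))
    return resp


# Constructed sample backend responses (header names lower-cased for simplicity)
PLAINTEXT = {"content-type": "text/plain", "etag": "d41d8", "x-object-meta-color": "blue"}
ENCRYPTED = {"content-type": "text/plain", "etag": "d41d8",
             ENC_META_PREFIX + "color": base64.b64encode(b"blue").decode()}
```

With an unencrypted cluster both paths expose x-object-meta-color; with encryption only serve_fixed does, which is also the observable difference the report notes leaks whether encryption is enabled.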
Reviewed: https://review.opendev.org/c/openstack/swift/+/712237
Committed: https://opendev.org/openstack/swift/commit/cd693e519e71dfc95a0de389293a2df2523a7d70
Submitter: "Zuul (22348)"
Branch: master
commit cd693e519e71dfc95a0de389293a2df2523a7d70
Author: Tim Burke <email address hidden>
Date: Mon Mar 9 13:45:58 2020 -0700
encryption: Expose decrypted metadata via CORS
Normally, the proxy object controller would be adding these, but when
encrypted, there won't be any headers in the x-object-meta-* namespace.
Closes-Bug: #1868045
Change-Id: I8e708a60ee63f679056300fc9d68227e46d605e8