Bug #15348
closed
CORS: Access-Control-Allow-Origin should return * when set that way
Description
When using CORS with RGW it will return an Access-Control-Allow-Origin when CORS is enabled.
The requester sends an 'Origin' header and RGW will now return the content of the 'Origin' header as a value for the 'Access-Control-Allow-Origin' response header.
For example, a client sends:
    GET /bucket/object
    Origin: foo
RGW will respond with:
    200 OK
    Access-Control-Allow-Origin: foo
In this case the policy might be set to * (Asterisk).
Looking at the code, RGW seems to check if the origin has been set to * in the policy and return the Origin request header.
When using RGW as a CDN for fonts this fails. If a user switches Origin, a browser will not perform the request again. But since the Origin is not in Access-Control-Allow-Origin, it will not load the fonts.
RGW should respond with 'Access-Control-Allow-Origin' set to * when this is set in the policy of the bucket/object.
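Added example, not RGW code and not part of the original report: a small C++ model of the two behaviours described above and of a cache that reuses a stored response after the page's Origin changes. `CorsRule`, the function names, and the sample URL and origins are hypothetical.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Hypothetical model of a bucket CORS rule: only its allowed-origin list.
struct CorsRule { std::vector<std::string> allowed_origins; };

// Behaviour described in the report: any match, including "*", echoes
// the request's Origin header back.
std::string acao_echo(const CorsRule& rule, const std::string& origin) {
  for (const auto& allowed : rule.allowed_origins)
    if (allowed == "*" || allowed == origin) return origin;
  return "";  // no match: header omitted
}

// Behaviour requested in the report: a "*" rule yields a literal "*".
std::string acao_wildcard(const CorsRule& rule, const std::string& origin) {
  for (const auto& allowed : rule.allowed_origins) {
    if (allowed == "*") return "*";
    if (allowed == origin) return origin;
  }
  return "";
}

// The browser's check of the response header against the page's origin.
bool cors_check(const std::string& acao, const std::string& origin) {
  return acao == "*" || acao == origin;
}

using AcaoFn = std::string (*)(const CorsRule&, const std::string&);

// A cache keyed on URL only: the response fetched for `first` is reused,
// without a new request, when a page at `second` asks for the same font.
bool reused_response_loads(AcaoFn server, const CorsRule& rule,
                           const std::string& first, const std::string& second) {
  std::map<std::string, std::string> cache;     // URL -> stored ACAO value
  const std::string url = "/bucket/font.woff";  // constructed sample
  cache[url] = server(rule, first);
  return cors_check(cache[url], first) && cors_check(cache[url], second);
}

int main() {
  CorsRule rule{{"*"}};  // policy set to "*", as in the report
  const std::string a = "https://a.example", b = "https://b.example";
  std::cout << "echo:     " << reused_response_loads(acao_echo, rule, a, b) << "\n"
            << "wildcard: " << reused_response_loads(acao_wildcard, rule, a, b) << "\n";
}
```

A server that echoes the Origin needs `Vary: Origin` on the response so caches key on it. Browsers reject a literal `*` for credentialed requests, so the wildcard form only suits public content such as fonts.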
Updated by Nathan Cutler almost 8 years ago
- Status changed from New to Fix Under Review
- Source changed from other to Community (dev)
master PR: https://github.com/ceph/ceph/pull/8441
Updated by Nathan Cutler almost 8 years ago
- Copied to Backport #15839: hammer: CORS: Access-Control-Allow-Origin should return * when set that way added
Updated by Nathan Cutler almost 8 years ago
- Backport changed from jewel to hammer,jewel
Updated by Nathan Cutler almost 8 years ago
- Status changed from Fix Under Review to Pending Backport
Updated by Nathan Cutler almost 8 years ago
- Copied to Backport #16112: jewel: CORS: Access-Control-Allow-Origin should return * when set that way added
Updated by Loïc Dachary over 7 years ago
- Status changed from Pending Backport to Resolved