Bug #15348
Closed
CORS: Access-Control-Allow-Origin should return * when set that way
Description
When using CORS with RGW, it will return an Access-Control-Allow-Origin header when CORS is enabled.
The requester sends an 'Origin' header and RGW will now return the content of the 'Origin' header as the value of the 'Access-Control-Allow-Origin' response header.
For example, a client sends:
    GET /bucket/object
    Origin: foo
RGW will respond with:
    200 OK
    Access-Control-Allow-Origin: foo
In this case the policy might be set to * (Asterisk).
Looking at the code RGW seems to check if the origin has been set to * in the policy and return the Origin request header.
When using RGW as a CDN for Fonts this fails. If a user switches Origin, a browser will not perform the request again. But since the Origin is not in Access-Control-Allow-Origin, it will not load the fonts.
RGW should respond with 'Access-Control-Allow-Origin' set to * when this is set in the policy of the bucket/object.
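
A small model of the failure described in this report, as an added example (not RGW's code): the two header policies are run behind a hypothetical cache that reuses a stored response per URL, and a simplified browser check decides whether the font loads. All function names, the URL and the `a.example`/`b.example` origins are constructed for illustration.

```python
# Added illustration: a model of the behaviour in this report, not RGW source.

def acao_echo(allowed_origins, origin):
    """Reported behaviour: a matching rule (even "*") echoes the request Origin."""
    if "*" in allowed_origins or origin in allowed_origins:
        return origin
    return None

def acao_literal(allowed_origins, origin):
    """Requested behaviour: a "*" rule is returned literally as "*"."""
    if "*" in allowed_origins:
        return "*"
    return origin if origin in allowed_origins else None

def browser_accepts(acao, page_origin):
    """Simplified CORS check for a non-credentialed request such as a font load."""
    return acao == "*" or acao == page_origin

class UrlKeyedCache:
    """Hypothetical cache keyed on URL only, standing in for the browser
    cache in the report that does not repeat the request for a new Origin."""
    def __init__(self, acao_policy, allowed_origins):
        self.acao_policy = acao_policy
        self.allowed = allowed_origins
        self.store = {}

    def fetch(self, url, origin):
        if url not in self.store:      # cache miss: the server builds the header
            self.store[url] = self.acao_policy(self.allowed, origin)
        return self.store[url]         # cache hit: the stored header is reused

def font_loads(acao_policy, origins, url="/bucket/font.woff"):
    """Return {origin: loaded?} for pages that request the same URL in turn."""
    cache = UrlKeyedCache(acao_policy, ["*"])   # bucket policy set to "*"
    return {o: browser_accepts(cache.fetch(url, o), o) for o in origins}

if __name__ == "__main__":
    sites = ["https://a.example", "https://b.example"]  # constructed origins
    print("echo Origin:", font_loads(acao_echo, sites))
    print("literal '*':", font_loads(acao_literal, sites))
```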