Bug #22002
closed
rgw: add cors header rule check in cors option request
Description
Hi,
I set CORS on bucket test1 as follows:
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedHeader>header1</AllowedHeader>
</CORSRule>
</CORSConfiguration>
and
curl -v -X OPTIONS http://10.139.13.205/test1/1.txt --header "Origin: example.com" --header "Access-Control-Request-Headers: header2" --header "Access-Control-Request-Method: GET"
and the output
* About to connect() to 10.139.13.205 port 80 (#0)
* Trying 10.139.13.205...
* Connected to 10.139.13.205 (10.139.13.205) port 80 (#0)
> OPTIONS /test1/1.txt HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 10.139.13.205
> Accept: */*
> Origin: example.com
> Access-Control-Request-Headers: header2
> Access-Control-Request-Method: GET
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: example.com <===== here should not return
< Vary: Origin
< Access-Control-Allow-Methods: GET <===== here should not return
< x-amz-request-id: tx000000000000000000196-0059f1a358-3715-default
< Content-Length: 0
< Date: Thu, 26 Oct 2017 08:56:56 GMT
<
* Connection #0 to host 10.139.13.205 left intact
and the following is what AWS S3 responds:
* Connected to testbyyly.s3.amazonaws.com (52.216.1.32) port 80 (#0)
> OPTIONS /1.txt HTTP/1.1
> User-Agent: curl/7.29.0
> Host: testbyyly.s3.amazonaws.com
> Accept: */*
> Origin: example.com
> Access-Control-Request-Headers: header2
> Access-Control-Request-Method: GET
< HTTP/1.1 403 Forbidden
< x-amz-request-id: 013834B2B978805D
< x-amz-id-2: yOLwwhUGiNhAsI2IU4USP9cbFr5wCm/CRxOqHLZ68+0vCViq0GJ1dwlMv3spcCy9WhkIw+VEPEg=
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Date: Thu, 26 Oct 2017 08:58:52 GMT
< Server: AmazonS3
<
* Connection #0 to host testbyyly.s3.amazonaws.com left intact
<Error><Code>AccessForbidden</Code><Message>CORSResponse: This CORS request is not allowed. This is usually because the evalution of Origin, request method / Access-Control-Request-Method orAccess-Control-Request-Headers are not whitelisted by the resource's CORS spec.</Message><Method>GET</Method><ResourceType>OBJECT</ResourceType><RequestId>013834B2B978805D</RequestId><HostId>yOLwwhUGiNhAsI2IU4USP9cbFr5wCm/CRxOqHLZ68+0vCViq0GJ1dwlMv3spcCy9WhkIw+VEPEg=</HostId></Error>
We need to add a CORS header rule check in the CORS option request.
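The check requested above, as an added example (not part of the original report and not Ceph's code): a small model of preflight evaluation against the bucket's CORS rules. The function names, the `check_headers` flag and the echoing of matched headers are assumptions made for illustration; `check_headers=False` models the reported response, where `Access-Control-Request-Headers` is not evaluated.

```python
import re
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# CORS configuration of bucket test1, copied from the report.
CORS_XML = """<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedHeader>header1</AllowedHeader>
</CORSRule>
</CORSConfiguration>"""

def parse_rules(xml_text):
    """Turn a CORSConfiguration document into a list of rule dicts."""
    rules = []
    for rule in ET.fromstring(xml_text).findall("s3:CORSRule", NS):
        def values(tag):
            return [(e.text or "").strip() for e in rule.findall("s3:" + tag, NS)]
        rules.append({"origins": values("AllowedOrigin"),
                      "methods": values("AllowedMethod"),
                      "headers": [h.lower() for h in values("AllowedHeader")]})
    return rules

def wildcard_match(pattern, value):
    """'*' is the only wildcard; every other character is literal."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def preflight(rules, origin, method, request_headers, check_headers=True):
    """Evaluate an OPTIONS preflight; returns (status, response headers)."""
    wanted = [h.strip().lower() for h in request_headers.split(",") if h.strip()]
    for rule in rules:
        if not any(wildcard_match(o, origin) for o in rule["origins"]):
            continue
        if method not in rule["methods"]:
            continue
        allowed = [h for h in wanted
                   if any(wildcard_match(a, h) for a in rule["headers"])]
        # The check this report asks for: one unlisted header rejects the rule.
        if check_headers and len(allowed) != len(wanted):
            continue
        resp = {"Access-Control-Allow-Origin": origin, "Vary": "Origin",
                "Access-Control-Allow-Methods": method}
        if allowed:
            resp["Access-Control-Allow-Headers"] = ", ".join(allowed)
        return 200, resp
    return 403, {}

RULES = parse_rules(CORS_XML)
print(preflight(RULES, "example.com", "GET", "header2", check_headers=False))
print(preflight(RULES, "example.com", "GET", "header2"))
```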
Updated by joke lee over 6 years ago
Updated by Casey Bodley over 6 years ago
- Status changed from New to 7
- Backport set to luminous jewel
test in https://github.com/ceph/s3-tests/pull/192 for backport as well
Updated by Yuri Weinstein over 6 years ago
Updated by Matt Benjamin over 6 years ago
- Status changed from 7 to Pending Backport
Updated by Nathan Cutler over 6 years ago
- Copied to Backport #22187: luminous: rgw: add cors header rule check in cors option request added
Updated by Nathan Cutler over 6 years ago
- Copied to Backport #22188: jewel: rgw: add cors header rule check in cors option request added
Updated by Nathan Cutler about 6 years ago
- Status changed from Pending Backport to Resolved