Bug #15348

CORS: Access-Control-Allow-Origin should return * when set that way

Added by Wido den Hollander over 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
04/01/2016
Due date:
% Done:
0%

Source:
Community (dev)
Tags:
Backport:
hammer,jewel
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

When using CORS with RGW, it will return an Access-Control-Allow-Origin header when CORS is enabled.

The requester sends an 'Origin' header and RGW will now return the content of the 'Origin' header as the value of the 'Access-Control-Allow-Origin' response header.

For example, a client sends:

GET /bucket/object
Origin: foo

RGW will respond with:

200 OK
Access-Control-Allow-Origin: foo

In this case the policy might be set to * (Asterisk).

Looking at the code RGW seems to check if the origin has been set to * in the policy and return the Origin request header.

When using RGW as a CDN for fonts this fails. If a user switches Origin, a browser will not perform the request again. But since the Origin is not in Access-Control-Allow-Origin, it will not load the fonts.

RGW should respond with 'Access-Control-Allow-Origin' set to * when this is set in the policy of the bucket/object.
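The header selection the ticket asks for, and that the associated commit message describes (a bare `*` rule answers with `*`, but a request carrying Authorization gets its concrete Origin echoed plus `Vary: Origin`), as an added stand-alone example; this is not RGW's own code. The single-wildcard matching of rules such as `https://*.example.com`, and the choice to also send `Vary: Origin` whenever a concrete origin is echoed, are assumptions of this example rather than something the ticket states.

```cpp
#include <string>
#include <vector>

// Response headers chosen for a CORS request (empty string = header not sent).
struct CorsHeaders {
    std::string allow_origin;  // value of Access-Control-Allow-Origin
    std::string vary;          // value of Vary
};

// Does a rule's AllowedOrigin match the request Origin?  A rule is "*" or may
// contain one '*' wildcard (assumed matching logic for this example).
static bool origin_matches(const std::string& rule, const std::string& origin) {
    if (rule == "*") return true;
    std::size_t star = rule.find('*');
    if (star == std::string::npos) return rule == origin;
    std::string prefix = rule.substr(0, star);
    std::string suffix = rule.substr(star + 1);
    if (origin.size() < prefix.size() + suffix.size()) return false;
    return origin.compare(0, prefix.size(), prefix) == 0 &&
           origin.compare(origin.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Pick the headers for one request against the bucket's allowed origins.
//  * rule "*" and no Authorization  -> "Access-Control-Allow-Origin: *", no Vary,
//    so a cached font can be reused from any origin by the same browser.
//  * rule "*" with Authorization    -> echo the Origin (browsers reject "*" for
//    credentialed requests) and add "Vary: Origin" so caches keep them apart.
//  * any other matching rule        -> echo the Origin and add "Vary: Origin"
//    (assumption of this example: the answer depends on the request).
//  * no matching rule               -> no CORS headers at all.
CorsHeaders pick_cors_headers(const std::vector<std::string>& allowed_origins,
                              const std::string& request_origin,
                              bool has_authorization) {
    CorsHeaders out;
    for (const std::string& rule : allowed_origins) {
        if (!origin_matches(rule, request_origin)) continue;
        if (rule == "*" && !has_authorization) {
            out.allow_origin = "*";
        } else {
            out.allow_origin = request_origin;
            out.vary = "Origin";
        }
        return out;
    }
    return out;
}
```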


Related issues

Copied to rgw - Backport #15839: hammer: CORS: Access-Control-Allow-Origin should return * when set that way Resolved
Copied to rgw - Backport #16112: jewel: CORS: Access-Control-Allow-Origin should return * when set that way Resolved

Associated revisions

Revision 0021e224 (diff)
Added by Wido den Hollander over 3 years ago

rgw: Set Access-Control-Allow-Origin to an Asterisk if allowed in a rule

Before this patch the RGW would respond with the Origin sent by the client in the request
if a wildcard/asterisk was specified as a valid Origin.

This patch makes sure we respond with a header like this:

Access-Control-Allow-Origin: *

This way a resource can be used on different Origins by the same browser and that browser
will use the content as the asterisk.

We also keep in mind that when Authorization is sent by the client different rules apply.
In the case of Authorization we may not respond with an Asterisk, but we do have to
add the Vary header with 'Origin' as a value to let the browser know that for different
Origins it has to perform a new request.

More information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Fixes: #15348

Signed-off-by: Wido den Hollander <>

Revision ed4ca7c9 (diff)
Added by Wido den Hollander about 3 years ago

rgw: Set Access-Control-Allow-Origin to an Asterisk if allowed in a rule

Before this patch the RGW would respond with the Origin sent by the client in the request
if a wildcard/asterisk was specified as a valid Origin.

This patch makes sure we respond with a header like this:

Access-Control-Allow-Origin: *

This way a resource can be used on different Origins by the same browser and that browser
will use the content as the asterisk.

We also keep in mind that when Authorization is sent by the client different rules apply.
In the case of Authorization we may not respond with an Asterisk, but we do have to
add the Vary header with 'Origin' as a value to let the browser know that for different
Origins it has to perform a new request.

More information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Fixes: #15348

Signed-off-by: Wido den Hollander <>
(cherry picked from commit 0021e224480c7164330eaa7cc1078bb8795169bf)

Conflicts:
src/rgw/rgw_rest.cc
hammer still uses s->cio->print() where master uses STREAM_IO(s)->print()

Revision 546141c9 (diff)
Added by Wido den Hollander about 3 years ago

rgw: Set Access-Control-Allow-Origin to an Asterisk if allowed in a rule

Before this patch the RGW would respond with the Origin sent by the client in the request
if a wildcard/asterisk was specified as a valid Origin.

This patch makes sure we respond with a header like this:

Access-Control-Allow-Origin: *

This way a resource can be used on different Origins by the same browser and that browser
will use the content as the asterisk.

We also keep in mind that when Authorization is sent by the client different rules apply.
In the case of Authorization we may not respond with an Asterisk, but we do have to
add the Vary header with 'Origin' as a value to let the browser know that for different
Origins it has to perform a new request.

More information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Fixes: #15348

Signed-off-by: Wido den Hollander <>
(cherry picked from commit 0021e224480c7164330eaa7cc1078bb8795169bf)

History

#1 Updated by Nathan Cutler over 3 years ago

  • Status changed from New to Need Review
  • Source changed from other to Community (dev)

#2 Updated by Nathan Cutler over 3 years ago

  • Copied to Backport #15839: hammer: CORS: Access-Control-Allow-Origin should return * when set that way added

#3 Updated by Orit Wasserman over 3 years ago

  • Backport set to jewel

#4 Updated by Nathan Cutler over 3 years ago

  • Backport changed from jewel to hammer,jewel

#5 Updated by Nathan Cutler about 3 years ago

  • Status changed from Need Review to Pending Backport

#6 Updated by Nathan Cutler about 3 years ago

  • Copied to Backport #16112: jewel: CORS: Access-Control-Allow-Origin should return * when set that way added

#7 Updated by Loic Dachary about 3 years ago

  • Status changed from Pending Backport to Resolved