author | Michael Krotscheck <krotscheck@gmail.com> | 2015-11-02 08:49:47 -0800 |
---|---|---|
committer | Michael Krotscheck <krotscheck@gmail.com> | 2015-11-02 09:13:31 -0800 |
commit | b4ad4f9073136298294ee9ba10c23ebb2f77a705 (patch) | |
tree | a40d761ae8abc5c4ef8c4a079f7b194a16202330 | |
parent | 6c58c6c1bc497b6ab0a5e5ba6908ca6ef08e6e9c (diff) | |
download | oslo-middleware-b4ad4f9073136298294ee9ba10c23ebb2f77a705.tar.gz |
Revert "Add 'X-Auth-Token' default header to CORS middleware"
The existence of this header is not tested, and therefore can
create fragility downstream as operators deploying an API
may not realize that this setting is needed. If the upstream
library is ever updated to remove this, all downstream projects
will silently fail.
Furthermore, the addition of openstack-specific headers as
defaults in this library makes oslo_middleware less useful
outside of openstack.
The correct way to address this issue is to enable latent
configuration from paste.ini. This way, each service can
include their default headers in their packaged paste file.
This reverts commit 562173aeb7839eaca6274531b0e91147941af6df.
Change-Id: I401011ed055fea49268686deb5c25f02d2ca6164
-rw-r--r-- | oslo_middleware/cors.py | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/oslo_middleware/cors.py b/oslo_middleware/cors.py
index 891dd99..65d7be0 100644
--- a/oslo_middleware/cors.py
+++ b/oslo_middleware/cors.py
@@ -35,7 +35,7 @@ CORS_OPTS = [
 'credentials'),
 cfg.ListOpt('expose_headers',
 default=['Content-Type', 'Cache-Control', 'Content-Language',
- 'Expires', 'Last-Modified', 'Pragma', 'X-Auth-Token'],
+ 'Expires', 'Last-Modified', 'Pragma'],
 help='Indicate which headers are safe to expose to the API. '
 'Defaults to HTTP Simple Headers.'),
 cfg.IntOpt('max_age',
@@ -47,7 +47,7 @@ CORS_OPTS = [
 'request.'),
 cfg.ListOpt('allow_headers',
 default=['Content-Type', 'Cache-Control', 'Content-Language',
- 'Expires', 'Last-Modified', 'Pragma', 'X-Auth-Token'],
+ 'Expires', 'Last-Modified', 'Pragma'],
 help='Indicate which header field names may be used during '
 'the actual request.')
 ] |
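Review bot: The `allow_headers` help text in the second hunk does not say that any request header outside the default list has to be configured explicitly, so the operator-visibility problem named in the commit message remains after the revert. Dropping `X-Auth-Token` from the default is the stricter and safer choice, but a deployment that authenticates cross-origin calls with that header will presumably see them rejected at preflight with nothing in the option text to explain why. I would extend the help string to something like `'the actual request. Headers not in this list, including any authentication token header, must be added explicitly.'`, and give `expose_headers` in the first hunk a matching sentence about response headers that scripts need to read. A small unit test that pins both default lists would also turn any future change to them into a visible failure. The `CORS_OPTS` list begins outside both hunks, so how the middleware consumes these options is not visible here.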