From 27a734c78aabdbf04977a01039004e471feae30c Mon Sep 17 00:00:00 2001 From: Tim Burke Date: Thu, 27 Feb 2020 16:25:44 -0800 Subject: s3api: Allow CORS preflight requests Unfortunately, we can't identify the user, so we can't map to an account, so we can't respect whatever CORS metadata might be set on the container. As a result, the allowed origins must be configured cluster-wide. Add a new config option, cors_preflight_allow_origin, for that; default it to blank (ie, deny preflights from all origins, preserving existing behavior), but allow either a comma-separated list of origins or * (to allow all origins). Change-Id: I985143bf03125a05792e79bc5e5f83722d6431b3 Co-Authored-By: Matthew Oliver --- etc/proxy-server.conf-sample | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'etc') diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample index b474b27a3..434ed9c62 100644 --- a/etc/proxy-server.conf-sample +++ b/etc/proxy-server.conf-sample @@ -629,6 +629,12 @@ use = egg:swift#s3api # AWS allows clock skew up to 15 mins; note that older versions of swift/swift3 # allowed at most 5 mins. # allowable_clock_skew = 900 +# +# CORS preflight requests don't contain enough information for us to +# identify the account that should be used for the real request, so +# the allowed origins must be set cluster-wide. (default: blank; all +# preflight requests will be denied) +# cors_preflight_allow_origin = # You can override the default log routing for this filter here: # log_name = s3api -- cgit v1.2.1
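Review bot: the new comment block above `# cors_preflight_allow_origin =` in etc/proxy-server.conf-sample does not say what values the option accepts. The commit message states it takes either a comma-separated list of origins or `*`, but the sample only documents the blank default, so an operator reading the config file has no way to learn the syntax. Suggest adding a line such as `# Accepts a comma-separated list of origins, or * to allow all origins.` It would also help to state in the sample that the setting applies to preflights for every account on the cluster, since per-container CORS metadata cannot be consulted at this point, so that `*` is chosen deliberately rather than as a convenience. Only the etc/ part of the change is visible here, so how the value is parsed and matched cannot be checked from this hunk.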