Process CORS earlier in pipeline #254
Reference: Deuxfleurs/garage#254
Process OPTIONS before checking if the request is authenticated, because when a browser preflights an authenticated request, the OPTIONS itself is not authenticated.

OPTIONS on ListBuckets (the only endpoint that doesn't have a bucket name).

CAVEAT: We can't handle OPTIONS on local bucket names... this will possibly be a blocker for making a web UI that talks to garage.

Here is a (temporary) solution: OPTIONS calls do not match local bucket names, since these requests are not authenticated. CORS parameters of a global bucket with the same name will overshadow CORS parameters of the bucket with the local name. If there is no bucket in the global namespace with that name, CORS headers that allow everything are returned, so as not to prevent us from developing web apps that make use of local bucket aliases.

Security notice: CORS cannot be relied on as a security measure for buckets with local aliases. Make sure you handle your S3 API keys properly, that's the only way to properly secure access to the API.
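The following is an added example, not code from garage or from this PR, that models the request ordering the commit messages describe: an OPTIONS preflight is answered before any signature check, so only the global bucket namespace can be consulted, and a name that exists only as a local alias falls through to a permissive answer. The types `Catalog`, `Request`, `Outcome` and `dispatch`, the sample bucket names and origins, and the choice to answer the bucket-less ListBuckets preflight permissively are all assumptions made for the illustration.

```rust
use std::collections::HashMap;

/// A bucket's CORS configuration, reduced to what a preflight answer needs.
#[derive(Clone, Debug, PartialEq)]
pub struct CorsRule {
    pub allowed_origins: Vec<String>,
    pub allowed_methods: Vec<String>,
}

/// True when `list` names `value` explicitly or contains the wildcard "*".
fn permits(list: &[String], value: &str) -> bool {
    list.iter().any(|x| x == "*" || x == value)
}

impl CorsRule {
    /// The "allow everything" rule returned when the name is unknown globally.
    pub fn allow_all() -> Self {
        CorsRule { allowed_origins: vec!["*".into()], allowed_methods: vec!["*".into()] }
    }
    fn matches(&self, origin: &str, method: &str) -> bool {
        permits(&self.allowed_origins, origin) && permits(&self.allowed_methods, method)
    }
}

/// Hypothetical bucket catalog (not garage's data model).
#[derive(Default)]
pub struct Catalog {
    /// Global namespace: bucket name -> CORS rule, resolvable without a key.
    pub global: HashMap<String, CorsRule>,
    /// Local aliases: (API key id, alias) -> CORS rule. Only resolvable once
    /// the request has been authenticated, which a preflight never is.
    pub local: HashMap<(String, String), CorsRule>,
}

pub struct Request<'a> {
    pub method: &'a str,
    /// None for ListBuckets, the one endpoint without a bucket name.
    pub bucket: Option<&'a str>,
    pub origin: &'a str,
    /// Value of Access-Control-Request-Method on a preflight.
    pub requested_method: &'a str,
}

#[derive(Debug, PartialEq)]
pub enum Outcome {
    /// Preflight answered before authentication, with these response headers.
    Preflight(Vec<(String, String)>),
    /// Preflight refused by the global bucket's CORS rule.
    PreflightDenied,
    /// Not a preflight: continue to signature verification as usual.
    Authenticate,
}

/// Decide what to do with a request before any API key is looked up.
pub fn dispatch(req: &Request, catalog: &Catalog) -> Outcome {
    if req.method != "OPTIONS" {
        return Outcome::Authenticate;
    }
    // Browsers send the preflight without credentials, so no key id is known
    // here and `catalog.local` cannot be consulted: a global bucket with the
    // same name wins, and an unknown name gets the permissive rule.
    let rule = match req.bucket {
        Some(name) => catalog.global.get(name).cloned().unwrap_or_else(CorsRule::allow_all),
        None => CorsRule::allow_all(), // ListBuckets: assumption, not stated by the PR
    };
    if !rule.matches(req.origin, req.requested_method) {
        return Outcome::PreflightDenied;
    }
    Outcome::Preflight(vec![
        ("Access-Control-Allow-Origin".into(), req.origin.into()),
        ("Access-Control-Allow-Methods".into(), rule.allowed_methods.join(", ")),
    ])
}

/// Constructed sample catalog: one global bucket with a strict rule, and one
/// bucket reachable only through a local alias of key "GK1".
pub fn sample_catalog() -> Catalog {
    let mut catalog = Catalog::default();
    catalog.global.insert(
        "public-site".to_string(),
        CorsRule { allowed_origins: vec!["https://app.example".into()], allowed_methods: vec!["GET".into()] },
    );
    catalog.local.insert(
        ("GK1".to_string(), "private".to_string()),
        CorsRule { allowed_origins: vec!["https://only.example".into()], allowed_methods: vec!["GET".into()] },
    );
    catalog
}

fn main() {
    let catalog = sample_catalog();
    // A preflight for the local-only alias from an origin its rule does not
    // list is still answered permissively: the rule was never reachable.
    let req = Request { method: "OPTIONS", bucket: Some("private"), origin: "https://evil.example", requested_method: "PUT" };
    println!("{:?}", dispatch(&req, &catalog));
}
```

The last case in `main` is the security notice in code: the local alias's restrictive rule never applies to a preflight, so the only thing standing between a foreign origin and the bucket is the API key the real (signed) request must carry.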