From f6e29b81d03508deabd43a48e5e417d8ba9a7f1a Mon Sep 17 00:00:00 2001
From: David Goetz
Date: Wed, 13 Mar 2013 13:43:19 -0700
Subject: [PATCH] Remove check for valid Origin for the "actual request".

The only place in the spec that I could see the Origin being checked was during the pre-flight OPTIONS request. If it gets to the actual request let auth decide. Please correct me if this is wrong.

Change-Id: Ic31b71746ec056091c7778ebff3db7becc32bd9c
---
 swift/proxy/controllers/base.py | 3 ---
 test/unit/proxy/test_server.py | 48 ---------------------------------
 2 files changed, 51 deletions(-)

diff --git a/swift/proxy/controllers/base.py b/swift/proxy/controllers/base.py
index b3af8e99a2..209313a25b 100644
--- a/swift/proxy/controllers/base.py
+++ b/swift/proxy/controllers/base.py
@@ -165,9 +165,6 @@ def cors_validation(func):
 controller.container_info(controller.account_name,
 controller.container_name)
 cors_info = container_info.get('cors', {})
- if not controller.is_origin_allowed(cors_info, req_origin):
- # invalid CORS request
- return Response(status=HTTP_UNAUTHORIZED)
 # Call through to the decorated method
 resp = func(*a, **kw)
diff --git a/test/unit/proxy/test_server.py b/test/unit/proxy/test_server.py
index 96cd3bda15..04a1b85650 100644
--- a/test/unit/proxy/test_server.py
+++ b/test/unit/proxy/test_server.py
@@ -4060,30 +4060,6 @@ class TestObjectController(unittest.TestCase):
 'x-auth-token, x-foo',
 sortHeaderNames(resp.headers['access-control-allow-headers']))
- def test_CORS_invalid_origin(self):
- with save_globals():
- controller = proxy_server.ObjectController(self.app, 'a', 'c', 'o')
-
- def stubContainerInfo(*args):
- return {
- 'cors': {
- 'allow_origin': 'http://baz'
- }
- }
- controller.container_info = stubContainerInfo
-
- def objectGET(controller, req):
- return Response()
-
- req = Request.blank(
- '/a/c/o.jpg',
- {'REQUEST_METHOD': 'GET'},
- headers={'Origin': 'http://foo.bar'})
-
- resp = cors_validation(objectGET)(controller, req)
-
- self.assertEquals(401, resp.status_int)
-
 def test_CORS_valid(self):
 with save_globals():
 controller = proxy_server.ObjectController(self.app, 'a', 'c', 'o')
@@ -4913,30 +4889,6 @@ class TestContainerController(unittest.TestCase):
 'x-auth-token, x-foo',
 sortHeaderNames(resp.headers['access-control-allow-headers']))
- def test_CORS_invalid_origin(self):
- with save_globals():
- controller = proxy_server.ContainerController(self.app, 'a', 'c')
-
- def stubContainerInfo(*args):
- return {
- 'cors': {
- 'allow_origin': 'http://baz'
- }
- }
- controller.container_info = stubContainerInfo
-
- def containerGET(controller, req):
- return Response()
-
- req = Request.blank(
- '/a/c/o.jpg',
- {'REQUEST_METHOD': 'GET'},
- headers={'Origin': 'http://foo.bar'})
-
- resp = cors_validation(containerGET)(controller, req)
-
- self.assertEquals(401, resp.status_int)
-
 def test_CORS_valid(self):
 with save_globals():
 controller = proxy_server.ContainerController(self.app, 'a', 'c')