swift/doc/source
David Goetz 2abb829a5d Make cors work better.
CORS doesn't really work with swift right now. OPTIONS calls for the most part
work but for so called "simple cross-site requests" (i.e. those that don't
require a pre-flight OPTIONS request) Swift always returns the Origin it was
given as the Access-Control-Allow-Origin in the response. This makes CORS
"work" for these requests but if you actually wanted the javascript user agent
to restrict anything for you it wouldn't be able to!

You can duplicate the issue with updated CORS test page:

http://docs.openstack.org/developer/swift/cors.html#test-cors-page

And a public container with an 'X-Container-Meta-Access-Control-Allow-Origin'
that does NOT match the webserver hosting the test-cors-page.

e.g.

with a public container that accepts cross-site requests from "example.com":

`swift post cors-container -m access-control-allow-origin:example.com -r .r:*`

You could point your browser at a copy of the test-cors-page on your
filesystem (the browser will will send 'Origin: null')

Without a token the XMLHttpRequest will not request any custom headers (i.e.
Access-Control-Request-Headers: x-auth-token) and the request will be made
with-out a preflight OPTIONS request (which Swift would have denied anyway
because the origin's don't match)

i.e. fill in "http://saio:8080/v1/AUTH_test/cors-container" for "URL" and
leave "Token" blank.

You would expect that the browser would not complete the request because
"Origin: null" does not match the configured "Access-Control-Allow-Origin:
example.com" on the container metadata, and indeed with this patch - it won't!

Also:

The way cors is set up does not play well with certain applications for swift.
If you are running a CDN on top of swift and you have the
Access-Control-Allow-Origin cors header set to * then you probably want the *
to be cached on the the CDN, not the Origin that happened to result in an
origin request.

Also:

If you were unfortunate enough to allow cors headers to be saved directly
onto objects then this allows them to supersede the headers coming from the
container.

NOTE: There is a change is behavior with this patch. Because its cors, a
      spec that was created only to cause annoyance to all, I'll write out
      what's being changed and hopefully someone will speak up if it breaks
      there stuff.

previous behavior: When a request was made with a Origin header set the
                   cors_validation decorator would always add that origin as
                   the Access-Control-Allow-Origin header in the response-
                   whether the passed origin was a match with the container's
                   X-Container-Meta-Access-Control-Allow-Origin or not, or even
                   if the container did not have CORS set up at all.
new behavior: If strict_cors_mode is set to True in the proxy-server.conf
              (which is the default) the cors_validation decorator will only
              add the Access-Control-Allow-Origin header to the response when
              the request's Origin matches the value set in
              X-Container-Meta-Access-Control-Allow-Origin. NOTE- if the
              container does not have CORS set up it won't just magically start
              working. Furthremore, if the Origin doesn't match the
              Access-Control-Allow-Origin - a successfully authorized request
              (either by token or public ACL) won't be *denied* - it just
              won't include the Access-Control-Allow-Origin header (it's up
              to the security model in the browser to cancel the request
              if the response doesn't include a matching Allow-Origin
              header).  On the other hand, if you want to restrict requests
              with CORS, you can actually do it now.

              If you are worried about breaking current functionality you
              must set:

              strict_cors_mode = False

              in the proxy-server.conf. This will continue with returning the
              passed in Origin as the Access-Control-Allow-Origin in the
              response.

previous: If you had X-Container-Meta-Access-Control-Allow-Origin set to *
          and you passed in Origin: http://hey.com you'd get
          Access-Control-Allow-Origin: http://hey.com back. This was true for
          both OPTIONS and regular reqs.
new: With X-Container-Meta-Access-Control-Allow-Origin set to * you get * back
     for both OPTIONS and regular reqs.

previous: cors headers saved directly onto objects (by allowing them to be
          saved via the allowed_headers config in the object-server conf)
          would be overridden by whatever container cors you have set up.
new: For regular (non-OPTIONS) calls the object headers will be kept. The
     container cors will only be applied to objects without the
     'Access-Control-Allow-Origin' and 'Access-Control-Expose-Headers' headers.
     This behavior doesn't make a whole lot of sense for OPTIONS calls so I
     left that as is. I don't think that allowing cors headers to be saved
     directly onto objects is a good idea and it should be discouraged.

DocImpact

Change-Id: I9b0219407e77c77a9bb1133cbcb179a4c681c4a8
2014-03-11 18:41:46 -07:00
..
_ga Replaces Copyright statements for LLC with Foundation, removes date. 2013-02-11 16:32:33 -06:00
_static Adding a box to each page that gives readers links to 1.1 and 1.2 Swift docs sites 2011-03-09 23:14:38 -06:00
_theme Update auto-generated docs 2013-01-22 15:24:06 -08:00
account.rst Alphabetized items under other sections in source documentation 2014-02-21 10:59:29 -07:00
admin_guide.rst Fix misspellings in swift 2014-02-20 16:15:48 +08:00
apache_deployment_guide.rst Revert "docfix apache2 now supports client chunked encodin" 2013-07-02 22:18:32 +00:00
associated_projects.rst Add Swift-account-stats as a related project. 2014-01-08 10:06:22 +01:00
conf.py Replaces Copyright statements for LLC with Foundation, removes date. 2013-02-11 16:32:33 -06:00
container.rst Alphabetized items under other sections in source documentation 2014-02-21 10:59:29 -07:00
cors.rst Make cors work better. 2014-03-11 18:41:46 -07:00
crossdomain.rst Fix misspellings in swift 2014-02-20 16:15:48 +08:00
db.rst Initial commit of Swift code 2010-07-12 17:03:45 -05:00
deployment_guide.rst Fix misspellings in swift 2014-02-20 16:15:48 +08:00
development_auth.rst Adding CORS support 2012-10-23 14:48:59 -05:00
development_guidelines.rst Add documentation about flake8+hacking. 2013-07-15 17:14:16 +02:00
development_middleware.rst Add documentation for GateKeeper 2014-01-23 15:04:23 -05:00
development_ondisk_backends.rst clarify the current state of the DiskFile API 2013-12-09 10:33:53 -08:00
development_saio.rst Fix misspellings in swift 2014-02-20 16:15:48 +08:00
getting_started.rst Doc changes for new pip-requirements 2013-05-06 19:21:53 +03:00
howto_installmultinode.rst Fix numbering of steps in proxy section of install_multinode 2014-02-04 11:20:56 -07:00
index.rst Merge "Documentation of the logs formats used in Swift" 2014-02-04 10:47:39 +00:00
logs.rst Added docs about the swift_source log field 2014-02-12 16:59:35 -08:00
middleware.rst Alphabetized items under "Middleware" in source documentation 2014-02-23 15:03:57 -07:00
misc.rst Alphabetized items under "Misc" in source documentation 2014-02-20 19:24:33 -07:00
object.rst Alphabetized items under other sections in source documentation 2014-02-21 10:59:29 -07:00
overview_architecture.rst Spell check for .rst files 2010-10-13 11:28:27 -05:00
overview_auth.rst tabs to spaces 2014-02-23 10:22:34 -08:00
overview_container_sync.rst Fix misspellings in swift 2014-02-20 16:15:48 +08:00
overview_expiring_objects.rst Add parallelism to object expirer daemon. 2013-06-07 20:49:47 +00:00
overview_large_objects.rst Added docs about the swift_source log field 2014-02-12 16:59:35 -08:00
overview_object_versioning.rst Add x-remove-versions-location for feature: disable versioning 2013-03-17 07:30:00 +08:00
overview_reaper.rst account-reaper warns if not making progress 2013-05-22 15:07:17 +01:00
overview_replication.rst Object replication ssync (an rsync alternative) 2013-11-07 16:52:01 +00:00
overview_ring.rst Add a region tier to Swift's ring. 2013-03-13 10:00:58 -07:00
proxy.rst Alphabetized items under other sections in source documentation 2014-02-21 10:59:29 -07:00
ratelimit.rst Fix misspellings in swift 2014-02-20 16:15:48 +08:00
replication_network.rst Implementation of replication servers 2013-04-21 18:14:42 -04:00
ring.rst Initial commit of Swift code 2010-07-12 17:03:45 -05:00