)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":7233,"name":"Matthew Oliver","email":"matt@oliver.net.au","username":"mattoliverau"},"change_message_id":"9728c748b0532e1ad4dab8e20fd48f9a05a86b55","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Unfortunately, we can\u0027t identify the user, so we can\u0027t map to an"},{"line_number":10,"context_line":"account, so we can\u0027t respect whatever CORS metadata might be set on the"},{"line_number":11,"context_line":"container."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"As a result, the allowed origins must be configured cluster-wide. Add a"},{"line_number":14,"context_line":"new config option, cors_preflight_allow_origin, for that; default it"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":22,"id":"1de8f38a_6499505d","line":11,"updated":"2021-02-24 06:29:58.000000000","message":"I\u0027m still learning s3 api, but I wonder if we could make people use the `x-amz-expected-bucket-owner` if they want to provide their own Origin info from their container. We\u0027d probably have to default the header to be returned in all s3 based cors Access-Control-Allow-Header field though.\n\nIf they don\u0027t then it defaults to what you say. It might mean we can still give some usefulness.. though I\u0027m not sure how the s3 clients will allow users to do this. 
Just random brainstorming.","commit_id":"625a004c574e144bbc0c6b99f352df665a589fe0"},{"author":{"_account_id":15343,"name":"Tim Burke","email":"tburke@nvidia.com","username":"tburke"},"change_message_id":"c1f607c0e7bd49e8726ebd3b38787e374d28be6a","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Unfortunately, we can\u0027t identify the user, so we can\u0027t map to an"},{"line_number":10,"context_line":"account, so we can\u0027t respect whatever CORS metadata might be set on the"},{"line_number":11,"context_line":"container."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"As a result, the allowed origins must be configured cluster-wide. Add a"},{"line_number":14,"context_line":"new config option, cors_preflight_allow_origin, for that; default it"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":22,"id":"9f52204c_27c7b856","line":11,"in_reply_to":"1de8f38a_6499505d","updated":"2021-02-24 19:56:00.000000000","message":"The trouble is that devs have no control over the OPTIONS request -- the browser is responsible for making it before even attempting to send any dev-specified data.\n\nI guess *maybe* we could try to push devs to always include a header like\n\n x-bucket-owner-\u003caccess-id\u003e: \u003csome ignored value\u003e\n\nso the preflight always includes something like\n\n access-control-allow-headers: ..., x-bucket-owner-\u003caccess-id\u003e, ...\n\nbut that knee-caps \"simple\" CORS requests that wouldn\u0027t otherwise need a preflight (or pushes a bunch of complexity on the client to know when the header is necessary and when it isn\u0027t).\n\nThe *right* fix looks a lot more like globally-unique bucket names. 
(Probably with some alternate s3 endpoint, like http://unique-buckets.fqdn instead of http://swift.fqdn, even if both host names resolve to the same pool of proxies.)","commit_id":"625a004c574e144bbc0c6b99f352df665a589fe0"}],"swift/common/middleware/s3api/s3api.py":[{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0af5bb138aeb843b60354f81855c7ddce6ba4d2a","unresolved":true,"context_lines":[{"line_number":295,"context_line":"                env[\u0027REQUEST_METHOD\u0027] \u003d\u003d \u0027OPTIONS\u0027 and \\"},{"line_number":296,"context_line":"                \u0027authorization\u0027 in acrh and \\"},{"line_number":297,"context_line":"                not env[\u0027PATH_INFO\u0027].startswith((\u0027/v1/\u0027, \u0027/v1.0/\u0027)):"},{"line_number":298,"context_line":"            # I guess it\u0027s likely going to be an S3 request? *shrug*"},{"line_number":299,"context_line":"            if self.conf.cors_preflight_allow_origin !\u003d [\u0027*\u0027] and \\"},{"line_number":300,"context_line":"                    origin not in self.conf.cors_preflight_allow_origin:"},{"line_number":301,"context_line":"                start_response(\u0027401 Unauthorized\u0027, ["}],"source_content_type":"text/x-python","patch_set":23,"id":"45bfff96_f1ac138a","line":298,"updated":"2021-02-24 16:53:09.000000000","message":"why isn\u0027t this handled by making a request instance and catching NotS3Request as below for other methods?","commit_id":"7bea8b65d38c82aee938c3ee716a680f36cb2897"},{"author":{"_account_id":15343,"name":"Tim Burke","email":"tburke@nvidia.com","username":"tburke"},"change_message_id":"c1f607c0e7bd49e8726ebd3b38787e374d28be6a","unresolved":true,"context_lines":[{"line_number":295,"context_line":"                env[\u0027REQUEST_METHOD\u0027] \u003d\u003d \u0027OPTIONS\u0027 and \\"},{"line_number":296,"context_line":"                \u0027authorization\u0027 in acrh and 
\\"},{"line_number":297,"context_line":"                not env[\u0027PATH_INFO\u0027].startswith((\u0027/v1/\u0027, \u0027/v1.0/\u0027)):"},{"line_number":298,"context_line":"            # I guess it\u0027s likely going to be an S3 request? *shrug*"},{"line_number":299,"context_line":"            if self.conf.cors_preflight_allow_origin !\u003d [\u0027*\u0027] and \\"},{"line_number":300,"context_line":"                    origin not in self.conf.cors_preflight_allow_origin:"},{"line_number":301,"context_line":"                start_response(\u0027401 Unauthorized\u0027, ["}],"source_content_type":"text/x-python","patch_set":23,"id":"94398e6a_b35bf4d8","line":298,"in_reply_to":"45bfff96_f1ac138a","updated":"2021-02-24 19:56:00.000000000","message":"The OPTIONS request will never \"look like\" an S3 request -- it won\u0027t have an Authorization header or any query params. (Note that Access-Control-Allow-Headers may mention an Authorization header, though.)\n\nSpeaking of query params, this probably still won\u0027t allow pre-signed PUTs 🤔","commit_id":"7bea8b65d38c82aee938c3ee716a680f36cb2897"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0af5bb138aeb843b60354f81855c7ddce6ba4d2a","unresolved":true,"context_lines":[{"line_number":317,"context_line":"        try:"},{"line_number":318,"context_line":"            req_class \u003d get_request_class(env, self.conf.s3_acl)"},{"line_number":319,"context_line":"            req \u003d req_class(env, self.app, self.conf)"},{"line_number":320,"context_line":"            resp \u003d self.handle_request(req)"},{"line_number":321,"context_line":"        except NotS3Request:"},{"line_number":322,"context_line":"            resp \u003d self.app"},{"line_number":323,"context_line":"        except InvalidSubresource as e:"}],"source_content_type":"text/x-python","patch_set":23,"id":"09546119_50ba6734","line":320,"updated":"2021-02-24 
16:53:09.000000000","message":"what happened to OPTIONS requests before the change above?","commit_id":"7bea8b65d38c82aee938c3ee716a680f36cb2897"},{"author":{"_account_id":15343,"name":"Tim Burke","email":"tburke@nvidia.com","username":"tburke"},"change_message_id":"c1f607c0e7bd49e8726ebd3b38787e374d28be6a","unresolved":true,"context_lines":[{"line_number":317,"context_line":"        try:"},{"line_number":318,"context_line":"            req_class \u003d get_request_class(env, self.conf.s3_acl)"},{"line_number":319,"context_line":"            req \u003d req_class(env, self.app, self.conf)"},{"line_number":320,"context_line":"            resp \u003d self.handle_request(req)"},{"line_number":321,"context_line":"        except NotS3Request:"},{"line_number":322,"context_line":"            resp \u003d self.app"},{"line_number":323,"context_line":"        except InvalidSubresource as e:"}],"source_content_type":"text/x-python","patch_set":23,"id":"fcc18b68_33ad540a","line":320,"in_reply_to":"09546119_50ba6734","updated":"2021-02-24 19:56:00.000000000","message":"They\u0027d raise NotS3Request, continue down the pipeline, and fail with a 400: https://github.com/openstack/swift/blob/2.26.0/swift/proxy/server.py#L524-L526","commit_id":"7bea8b65d38c82aee938c3ee716a680f36cb2897"}]}
