)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":15343,"name":"Tim Burke","email":"tburke@nvidia.com","username":"tburke"},"change_message_id":"5edde326149de0e6adc41803feaf0887dc21e49c","unresolved":true,"context_lines":[{"line_number":11,"context_line":"unless a `Access-Control-Allow-Credentials: true` header is included"},{"line_number":12,"context_line":"in the response."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Always allow such requests -- Swift does not use the credential"},{"line_number":15,"context_line":"mechanisms CORS is designed around anyway."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"Change-Id: I6463b54daa51152b3166357c743c3d662204d4bf"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"699fde16_e735b376","line":14,"range":{"start_line":14,"start_character":0,"end_line":14,"end_character":26},"updated":"2024-05-08 19:01:24.000000000","message":"Should maybe make it configurable, in part because it\u0027s a change from prior behavior.","commit_id":"893f50c1681843ad51dfef908e27acab1fd53d2b"},{"author":{"_account_id":15343,"name":"Tim Burke","email":"tburke@nvidia.com","username":"tburke"},"change_message_id":"966ad876987e2ffd9c40efc987219fa504af93af","unresolved":false,"context_lines":[{"line_number":11,"context_line":"unless a `Access-Control-Allow-Credentials: true` header is included"},{"line_number":12,"context_line":"in the response."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Always allow such requests -- Swift does not use the credential"},{"line_number":15,"context_line":"mechanisms CORS is designed around anyway."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"Change-Id: I6463b54daa51152b3166357c743c3d662204d4bf"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"3fd77083_66e289ab","line":14,"range":{"start_line":14,"start_character":0,"end_line":14,"end_character":26},"in_reply_to":"699fde16_e735b376","updated":"2024-05-15 18:33:39.000000000","message":"Done - went for per-container config.","commit_id":"893f50c1681843ad51dfef908e27acab1fd53d2b"},{"author":{"_account_id":15343,"name":"Tim Burke","email":"tburke@nvidia.com","username":"tburke"},"change_message_id":"5edde326149de0e6adc41803feaf0887dc21e49c","unresolved":true,"context_lines":[{"line_number":11,"context_line":"unless a `Access-Control-Allow-Credentials: true` header is included"},{"line_number":12,"context_line":"in the response."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Always allow such requests -- Swift does not use the credential"},{"line_number":15,"context_line":"mechanisms CORS is designed around anyway."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"Change-Id: I6463b54daa51152b3166357c743c3d662204d4bf"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"a28c9e50_4b01c069","line":15,"range":{"start_line":14,"start_character":49,"end_line":15,"end_character":34},"updated":"2024-05-08 19:01:24.000000000","message":"From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials\n\n\u003e Credentials are cookies, TLS client certificates, or authentication headers containing a username and password.","commit_id":"893f50c1681843ad51dfef908e27acab1fd53d2b"},{"author":{"_account_id":1179,"name":"Clay Gerrard","email":"clay.gerrard@gmail.com","username":"clay-gerrard"},"change_message_id":"a2829a0bf64f7fe4e41b63a97306b3b301a965f2","unresolved":true,"context_lines":[{"line_number":14,"context_line":"See https://fetch.spec.whatwg.org/#cors-protocol-and-credentials for"},{"line_number":15,"context_line":"more information."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"Look for X-Container-Meta-Access-Control-Allow-Credentials on the"},{"line_number":18,"context_line":"container to decide whether to allow such requests, similar to how"},{"line_number":19,"context_line":"other CORS behaviors may be configured."},{"line_number":20,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":3,"id":"1a17114f_960781fd","line":17,"updated":"2024-05-16 14:21:27.000000000","message":"ok I don\u0027t think I knew that CORS configuration shared the user metadata namespace!  GTK!\n\nthat explains why this patch doesn\u0027t include any updates in the *write* path ;)\n\nI wonder if some user *accidently* already set \"X-Container-Meta-Access-Control-Allow-Credentials\" and a new swift version that makes it significant causes them some surprise/failure 😊\n\n\u003e If credentials mode is not \"include\", then `Access-Control-Allow-Credentials` is ignored.\n\nsounds like we\u0027re probaby good on the access path, if it was working before they weren\u0027t sending include - if they start making requests with include the repsonse value MUST be `true`","commit_id":"87c2dfb3dc45bc02b017bbe4a6d9623a285b2040"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":7233,"name":"Matthew Oliver","email":"matt@oliver.net.au","username":"mattoliverau"},"change_message_id":"cc30e2c032b1bc133230cb5c860ce9ea724b6152","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"ccd9f5fd_672ff6ec","updated":"2024-05-13 06:51:05.000000000","message":"OK, so spend some time re-learning CORs. At first I was thinking we should only return `Access-Control-Allow-Credentials: true` when there is a Cookie header or the like. However, it is mentioned that pre-flight requests can\u0027t send creds but we should respond if we allow them.. so this basically means we probably should just always return `Access-Control-Allow-Credentials: true`.\n\nWe could get all fancy with OPTION calls always returning true, and only add a header when a basic GET, HEAD, POST (non-preflight calls) have credentials with them. But that might be overkill.\n\nI do think however, we need to let people know that swift doesn\u0027t and won\u0027t use credentials even if you send them. We basically ingore them. So at least some DOC somewhere, or if we make it an option in the sample config.\n\nUnless someone writes a middleware out there that returns `Set-Cookie` :hmm: \nMaybe a global to enable a blanket `Access-Control-Allow-Credentials: true` would be best so people can lock it down.. we can always extend our cors creds support later.\n\nMy 2 cents.","commit_id":"893f50c1681843ad51dfef908e27acab1fd53d2b"},{"author":{"_account_id":15343,"name":"Tim Burke","email":"tburke@nvidia.com","username":"tburke"},"change_message_id":"42c2aab7812b880ef84ebb292c910b102ca22004","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"4f174141_4940db48","updated":"2024-05-09 16:35:27.000000000","message":"recheck\n\ncentos-nfv-openvswitch mirror should be better now.","commit_id":"893f50c1681843ad51dfef908e27acab1fd53d2b"},{"author":{"_account_id":15343,"name":"Tim Burke","email":"tburke@nvidia.com","username":"tburke"},"change_message_id":"3f1967a99dac74ac1dbb62d73808f78c3903d5af","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"ee77872f_3c168436","in_reply_to":"ccd9f5fd_672ff6ec","updated":"2024-05-15 16:08:16.000000000","message":"\u003e Unless someone writes a middleware out there that returns `Set-Cookie` :hmm:\n\nI\u0027ve definitely seen such a middleware before. It was an auth middleware, looking to play well with a web-console middleware for interacting with the cluster. I don\u0027t know of anything like that that\u0027s still in use, however.\n\n\u003e Maybe a global to enable a blanket `Access-Control-Allow-Credentials: true` would be best so people can lock it down.. we can always extend our cors creds support later.\n\nYeah, I was debating about having it driven off container metadata, similar to other CORS config. S3 API and preflights will probably still require a global config option, though.","commit_id":"893f50c1681843ad51dfef908e27acab1fd53d2b"},{"author":{"_account_id":1179,"name":"Clay Gerrard","email":"clay.gerrard@gmail.com","username":"clay-gerrard"},"change_message_id":"a2829a0bf64f7fe4e41b63a97306b3b301a965f2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"aaada2e0_941fa8ed","updated":"2024-05-16 14:21:27.000000000","message":"I\u0027m not sure how reasonable it is for Swift to respond with this header, certainly it should default to off to help developers of CORS applications that use swift spot bugs when they\u0027re *accidentilly* sending their users sensitive session data to the object store.\n\nhttps://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/crossorigin\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials\n\nGenerally I understand CORS requests in swift to work on anonymous requests - if the browser has been configured to send credentials, it\u0027s *probaby* not necessary and a somewhat dubious leap of trust to say \"I know you don\u0027t need them, but accept them anyway - just please don\u0027t write them down and impersonate my users\"\n\nThe only way I could imagine this feature making sense is with a custom middleware that can do user authentication via session/cookies.  I\u0027m not aware of any open source middlewares that do that currently - but if some existed perhaps THEY should take on the roll of annotating responses to include a header that says \"yes, you can send your users session - and in fact I will need you to unless it\u0027s an anonymous request\"\n\ni.e. any pre-flight response can say \"Access-Control-Allow-Credentials: true\" as well as any response to a request that included credentials *and they were useful*.  If a user sends creds we don\u0027t need/understand I believe we probably should NOT respond with Access-Control-Allow-Credentials and it would make more sense to change the calling application to make anonymous requests (which is the default).","commit_id":"87c2dfb3dc45bc02b017bbe4a6d9623a285b2040"}],"swift/proxy/controllers/base.py":[{"author":{"_account_id":1179,"name":"Clay Gerrard","email":"clay.gerrard@gmail.com","username":"clay-gerrard"},"change_message_id":"a2829a0bf64f7fe4e41b63a97306b3b301a965f2","unresolved":true,"context_lines":[{"line_number":371,"context_line":"                        resp.headers[\u0027Vary\u0027] \u003d \u0027Origin\u0027"},{"line_number":372,"context_line":""},{"line_number":373,"context_line":"            if config_true_value(cors_info.get(\u0027allow_credentials\u0027)) and \\"},{"line_number":374,"context_line":"                    resp.headers[\u0027Access-Control-Allow-Origin\u0027] !\u003d \u0027*\u0027 and \\"},{"line_number":375,"context_line":"                    \u0027Access-Control-Allow-Credentials\u0027 not in resp.headers:"},{"line_number":376,"context_line":"                resp.headers[\u0027Access-Control-Allow-Credentials\u0027] \u003d \u0027true\u0027"},{"line_number":377,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"2de0a629_9a1c747e","line":374,"updated":"2024-05-16 14:21:27.000000000","message":"so this is like a belts and braces thing - in-case we can\u0027t trust the browser to disallow `origin \u003d \u0027*\u0027 + credentials \u003d true`???\n\nI assume the .js test would still fail even if we returned this header w/o checking the origin policy.","commit_id":"87c2dfb3dc45bc02b017bbe4a6d9623a285b2040"},{"author":{"_account_id":1179,"name":"Clay Gerrard","email":"clay.gerrard@gmail.com","username":"clay-gerrard"},"change_message_id":"a2829a0bf64f7fe4e41b63a97306b3b301a965f2","unresolved":true,"context_lines":[{"line_number":372,"context_line":""},{"line_number":373,"context_line":"            if config_true_value(cors_info.get(\u0027allow_credentials\u0027)) and \\"},{"line_number":374,"context_line":"                    resp.headers[\u0027Access-Control-Allow-Origin\u0027] !\u003d \u0027*\u0027 and \\"},{"line_number":375,"context_line":"                    \u0027Access-Control-Allow-Credentials\u0027 not in resp.headers:"},{"line_number":376,"context_line":"                resp.headers[\u0027Access-Control-Allow-Credentials\u0027] \u003d \u0027true\u0027"},{"line_number":377,"context_line":""},{"line_number":378,"context_line":"            return resp"}],"source_content_type":"text/x-python","patch_set":3,"id":"f0e35abd_2569634d","line":375,"updated":"2024-05-16 14:21:27.000000000","message":"is this just being extra defensive?","commit_id":"87c2dfb3dc45bc02b017bbe4a6d9623a285b2040"}],"test/cors/harness.js":[{"author":{"_account_id":1179,"name":"Clay Gerrard","email":"clay.gerrard@gmail.com","username":"clay-gerrard"},"change_message_id":"a2829a0bf64f7fe4e41b63a97306b3b301a965f2","unresolved":true,"context_lines":[{"line_number":37,"context_line":"    })"},{"line_number":38,"context_line":"    req.open(method, url.toString())"},{"line_number":39,"context_line":"    if (withCredentials) {"},{"line_number":40,"context_line":"      req.withCredentials \u003d withCredentials"},{"line_number":41,"context_line":"    }"},{"line_number":42,"context_line":"    if (headers) {"},{"line_number":43,"context_line":"      for (const name of Object.keys(headers)) {"}],"source_content_type":"text/javascript","patch_set":3,"id":"6a3dd571_3dfd8478","line":40,"updated":"2024-05-16 14:21:27.000000000","message":"https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials","commit_id":"87c2dfb3dc45bc02b017bbe4a6d9623a285b2040"}],"test/cors/main.py":[{"author":{"_account_id":1179,"name":"Clay Gerrard","email":"clay.gerrard@gmail.com","username":"clay-gerrard"},"change_message_id":"a2829a0bf64f7fe4e41b63a97306b3b301a965f2","unresolved":true,"context_lines":[{"line_number":133,"context_line":"    conn.put_container(\u0027public-with-cors-allow-credentials\u0027, {"},{"line_number":134,"context_line":"        \u0027X-Container-Read\u0027: \u0027.r:*,.rlistings\u0027,"},{"line_number":135,"context_line":"        \u0027X-Container-Meta-Access-Control-Allow-Origin\u0027: \u0027*\u0027,"},{"line_number":136,"context_line":"        \u0027X-Container-Meta-Access-Control-Allow-Credentials\u0027: \u0027true\u0027,"},{"line_number":137,"context_line":"    })"},{"line_number":138,"context_line":"    conn.put_container(\u0027private-with-cors\u0027, {"},{"line_number":139,"context_line":"        \u0027X-Container-Read\u0027: \u0027\u0027,"}],"source_content_type":"text/x-python","patch_set":3,"id":"812af340_be1e82b0","line":136,"updated":"2024-05-16 14:21:27.000000000","message":"so it seems like this header is only returned on a per-bucket basis if configured via metadata\n\nDoes \"public-with-allow-credentials\" make ANY sense at all?\n\nspiolier alert it does NOT and this container is setup so that Tim can add a test that proves this won\u0027t work - footgun!\n\nmaybe \"public-with-cors-allow-credentials-does-not-work\"?","commit_id":"87c2dfb3dc45bc02b017bbe4a6d9623a285b2040"}],"test/cors/test-object.js":[{"author":{"_account_id":1179,"name":"Clay Gerrard","email":"clay.gerrard@gmail.com","username":"clay-gerrard"},"change_message_id":"a2829a0bf64f7fe4e41b63a97306b3b301a965f2","unresolved":true,"context_lines":[{"line_number":136,"context_line":"      .then(HasHeaders([\u0027X-Object-Meta-Mtime\u0027]))"},{"line_number":137,"context_line":"      .then(BodyHasLength(1024))],"},{"line_number":138,"context_line":"  [\u0027GET referrer allowed, but not credentials\u0027,"},{"line_number":139,"context_line":"    () \u003d\u003e MakeRequest(\u0027GET\u0027, \u0027referrer-allowed/obj\u0027, {}, null, {}, true)"},{"line_number":140,"context_line":"      .then(CorsBlocked)],"},{"line_number":141,"context_line":"  [\u0027GET referrer and credentials allowed\u0027,"},{"line_number":142,"context_line":"    () \u003d\u003e MakeRequest(\u0027GET\u0027, \u0027referrer-and-credentials-allowed/obj\u0027, {}, null, {}, true)"}],"source_content_type":"text/javascript","patch_set":3,"id":"4d089f3c_9235296a","line":139,"updated":"2024-05-16 14:21:27.000000000","message":"and sense we *send* credentials the GET response is blocked in the browser","commit_id":"87c2dfb3dc45bc02b017bbe4a6d9623a285b2040"},{"author":{"_account_id":1179,"name":"Clay Gerrard","email":"clay.gerrard@gmail.com","username":"clay-gerrard"},"change_message_id":"a2829a0bf64f7fe4e41b63a97306b3b301a965f2","unresolved":true,"context_lines":[{"line_number":144,"context_line":"      .then(HasCommonResponseHeaders)"},{"line_number":145,"context_line":"      .then(HasHeaders({"},{"line_number":146,"context_line":"        \u0027Content-Type\u0027: \u0027application/octet-stream\u0027,"},{"line_number":147,"context_line":"        Etag: \u00270f343b0931126a20f133d67c2b018a3b\u0027"},{"line_number":148,"context_line":"      }))"},{"line_number":149,"context_line":"      .then(HasHeaders([\u0027X-Object-Meta-Mtime\u0027]))"},{"line_number":150,"context_line":"      .then(BodyHasLength(1024))],"}],"source_content_type":"text/javascript","patch_set":3,"id":"7970f532_d0671190","line":147,"updated":"2024-05-16 14:21:27.000000000","message":"I assume this response on the wire must also have the access-control-allow-origin header - does the browser machinary remove it?  or did we just not assert on it?","commit_id":"87c2dfb3dc45bc02b017bbe4a6d9623a285b2040"},{"author":{"_account_id":1179,"name":"Clay Gerrard","email":"clay.gerrard@gmail.com","username":"clay-gerrard"},"change_message_id":"a2829a0bf64f7fe4e41b63a97306b3b301a965f2","unresolved":true,"context_lines":[{"line_number":153,"context_line":"      // `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true`"},{"line_number":154,"context_line":"      // will block sharing."},{"line_number":155,"context_line":"      // See https://fetch.spec.whatwg.org/#cors-protocol-and-credentials"},{"line_number":156,"context_line":"      .then(CorsBlocked)],"},{"line_number":157,"context_line":"  [\u0027HEAD referrer allowed\u0027,"},{"line_number":158,"context_line":"    () \u003d\u003e MakeRequest(\u0027HEAD\u0027, \u0027referrer-allowed/obj\u0027)"},{"line_number":159,"context_line":"      .then(HasStatus(200, \u0027OK\u0027))"}],"source_content_type":"text/javascript","patch_set":3,"id":"b9eb756f_19772989","line":156,"updated":"2024-05-16 14:21:27.000000000","message":"nice!  The chart there is *very* helpful - gtk.\n\n\u003e Generally speaking, both sharing responses and allowing requests with credentials is rather unsafe, and extreme care has to be taken to avoid the confused deputy problem.","commit_id":"87c2dfb3dc45bc02b017bbe4a6d9623a285b2040"},{"author":{"_account_id":1179,"name":"Clay Gerrard","email":"clay.gerrard@gmail.com","username":"clay-gerrard"},"change_message_id":"a2829a0bf64f7fe4e41b63a97306b3b301a965f2","unresolved":true,"context_lines":[{"line_number":192,"context_line":"      // `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true`"},{"line_number":193,"context_line":"      // will block sharing."},{"line_number":194,"context_line":"      // See https://fetch.spec.whatwg.org/#cors-protocol-and-credentials"},{"line_number":195,"context_line":"      .then(CorsBlocked)],"},{"line_number":196,"context_line":"  [\u0027GET attempt to spoof referer\u0027,"},{"line_number":197,"context_line":"    () \u003d\u003e MakeRequest(\u0027GET\u0027, \u0027referrer-allowed/obj\u0027, { Referer: \u0027https://other-host\u0027 })"},{"line_number":198,"context_line":"      // new header gets ignored, no preflight, get succeeds"}],"source_content_type":"text/javascript","patch_set":3,"id":"3258803a_d26bec09","line":195,"updated":"2024-05-16 14:21:27.000000000","message":"I don\u0027t think any of these tests cover the case where a pre-flight request is required?  Maybe Swift\u0027s CORS support is limited to GET and HEAD - that seems to be all we test here?","commit_id":"87c2dfb3dc45bc02b017bbe4a6d9623a285b2040"},{"author":{"_account_id":15343,"name":"Tim Burke","email":"tburke@nvidia.com","username":"tburke"},"change_message_id":"f2797b5941c56411d3fad06e06f46b7bc85ae8c9","unresolved":true,"context_lines":[{"line_number":192,"context_line":"      // `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true`"},{"line_number":193,"context_line":"      // will block sharing."},{"line_number":194,"context_line":"      // See https://fetch.spec.whatwg.org/#cors-protocol-and-credentials"},{"line_number":195,"context_line":"      .then(CorsBlocked)],"},{"line_number":196,"context_line":"  [\u0027GET attempt to spoof referer\u0027,"},{"line_number":197,"context_line":"    () \u003d\u003e MakeRequest(\u0027GET\u0027, \u0027referrer-allowed/obj\u0027, { Referer: \u0027https://other-host\u0027 })"},{"line_number":198,"context_line":"      // new header gets ignored, no preflight, get succeeds"}],"source_content_type":"text/javascript","patch_set":3,"id":"4f7ae3d7_1caba3e2","line":195,"in_reply_to":"3258803a_d26bec09","updated":"2024-09-12 01:25:44.000000000","message":"The `Range: bytes\u003d-100` requests do.\n\nSome history: it used to be that *all* `Range` requests triggered pre-flights; that\u0027s why I\u0027d added them. With the introduction of the fetch spec, though, they started allowing headers of the form `bytes\u003d\u003cN\u003e-\u003cM\u003e` and `bytes\u003d\u003cN\u003e-`. It explicitly calls out\n\n\u003e As web browsers have historically not emitted ranges such as \\`bytes\u003d-500\\` this algorithm does not safelist them.\n\nhowever","commit_id":"87c2dfb3dc45bc02b017bbe4a6d9623a285b2040"}]}