Feature #8064
open[Keep-web] Support CORS requests with Authorization headers
0%
Description
Background¶
In #7884 we needed to add minimal CORS support to keep-web (allowing simple requests that don't need pre-flight) in order to let the Workbench log viewer retrieve log data from keep-web.
However, supplying an API token in an Authorization header (where it rightfully belongs) makes it a non-simple request requiring preflight. The workaround was to do a POST request with the token supplied in a form in the request body.
Implementation¶
Proper CORS support includes:- Respond to OPTIONS requests (Allow: GET, POST) adding appropriate CORS headers (allow-methods "GET, POST"; allow-origin "*"; allow-headers "Authorization, Range", max-age 86400) if the Origin request header is present.
- Add appropriate CORS headers to GET and POST requests if the Origin request header is set (allow-origin "*"; max-age 86400; expose-headers "Accept-Ranges, Content-Disposition, Content-Length, Content-Range")
This should allow Workbench to do a GET request with an Authorization header, instead of a POST request with a form. The special case in keep-web (responding to a POST request without a redirect if the Origin request header is present) won't be needed for Workbench any more, but should probably still be supported so other clients have more options at their disposal.
Updated by Tom Morris almost 6 years ago
- Target version set to Arvados Future Sprints
Updated by Tom Morris almost 6 years ago
- Target version changed from Arvados Future Sprints to To Be Groomed
Updated by Tom Morris almost 6 years ago
- Target version changed from To Be Groomed to Arvados Future Sprints
Updated by Peter Amstutz over 3 years ago
- Target version deleted (
Arvados Future Sprints)