jamhall/s3rver

AllowedHeader in Cors configuration seems to be ignored

allanlegalstart opened this issue · 2 comments

I have the following configuration:

<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>Authorization</AllowedHeader>
  </CORSRule>
</CORSConfiguration>

and when I do this curl request

curl 'http://172.17.0.5:5000/my-bucket' -X OPTIONS  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Access-Control-Request-Method: POST' -H 'Access-Control-Request-Headers: Authorization'  -H 'Origin: http://172.17.0.6:5000' -H 'Connection: keep-alive'

(assuming my s3rver runs on 172.17.0.5:5000)

I got

<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>CORSResponse</Code>
  <Message>This CORS request is not allowed. This is usually because the evalution of Origin, request method / Access-Control-Request-Method or Access-Control-Request-Headers are not whitelisted by the resource's CORS spec.</Message>
  <RequestId>1</RequestId>
</Error>

However, if I remove the Access-Control-Request-Headers from the curl, then it works.

I can't reproduce the example you gave on v2.2.8 or the next branch. Are you sure CORS is enabled with the config you gave?

My bad, this bug was due to my own debugging that I added in the code following my other invalid bug report that "*" was working.
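For reference, an added example (not part of the thread and not s3rver's code) of how a preflight like the one above is matched against S3-style CORS rules, reporting which part of the request a rule rejected. The rule object shape and the names `patternToRegExp`, `evaluatePreflight` and `issueRule` are assumptions made for this illustration.

```javascript
// Added illustration of S3-style preflight matching; not s3rver's implementation.
// The rule shape (allowedOrigins / allowedMethods / allowedHeaders) is an assumption.

// Turn a pattern containing "*" wildcards into an anchored RegExp,
// escaping every other regex metacharacter so it matches literally.
function patternToRegExp(pattern, flags) {
  const parts = pattern.split("*").map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$", flags);
}

// Evaluate one preflight (OPTIONS) request against a list of CORS rules.
// The first rule that accepts origin, method and every requested header wins;
// otherwise the result lists, per rule, which check failed.
function evaluatePreflight(rules, { origin, requestMethod, requestHeaders = "" }) {
  const wanted = requestHeaders.split(",").map((h) => h.trim()).filter(Boolean);
  const reasons = [];
  for (let i = 0; i < rules.length; i++) {
    const rule = rules[i];
    if (!rule.allowedOrigins.some((p) => patternToRegExp(p).test(origin))) {
      reasons.push({ rule: i, failed: "Origin" });
      continue;
    }
    if (!rule.allowedMethods.includes(requestMethod)) {
      reasons.push({ rule: i, failed: "Access-Control-Request-Method" });
      continue;
    }
    // Header names are case-insensitive, so compare with the "i" flag.
    const allowed = (rule.allowedHeaders || []).map((p) => patternToRegExp(p, "i"));
    const denied = wanted.filter((h) => !allowed.some((re) => re.test(h)));
    if (denied.length > 0) {
      reasons.push({ rule: i, failed: "Access-Control-Request-Headers", denied });
      continue;
    }
    return { allowed: true, rule: i };
  }
  return { allowed: false, reasons };
}

// The rule from the issue, transcribed into the assumed object shape.
const issueRule = {
  allowedOrigins: ["*"],
  allowedMethods: ["GET", "POST"],
  allowedHeaders: ["Authorization"],
};

// The preflight sent by the curl command in the issue.
console.log(evaluatePreflight([issueRule], {
  origin: "http://172.17.0.6:5000",
  requestMethod: "POST",
  requestHeaders: "Authorization",
}));
```

With the configuration from the issue the curl preflight is accepted, which is consistent with the report not being reproducible on an unmodified build.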