openstreetmap/operations

Fix CORS headers on planet.osm.org and S3 redirect

Closed this issue · 5 comments

It was reported that CORS was not enabled for changesets post the redirect to S3.

@gravitystorm ^^ could you check when you have a chance.

The site I was having problems with is https://jwestman.gitlab.io/osm-in-realtime/. In my Firefox console I see:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://planet.openstreetmap.org/replication/changesets/state.yaml. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 302.

$ curl -I https://planet.openstreetmap.org/replication/changesets/state.yaml
HTTP/2 302 
strict-transport-security: max-age=31536000; includeSubDomains; preload
location: https://osm-planet-eu-central-1.s3.dualstack.eu-central-1.amazonaws.com/changesets/replication/minute/state.yaml
content-type: text/html; charset=iso-8859-1
date: Thu, 07 Mar 2024 10:57:33 GMT
server: Apache/2.4.54 (Ubuntu)

$ curl -I https://osm-planet-eu-central-1.s3.dualstack.eu-central-1.amazonaws.com/changesets/replication/minute/state.yaml
HTTP/1.1 200 OK
x-amz-id-2: AadaKTePQXH9bjDFGRscaPxe5wfVQRyrCwi8nMkuNbVj4yCfUpaqmRJ7WpEQ+4+RLU1urjxIov0=
x-amz-request-id: J3HMXRQGA8CB49GB
Date: Thu, 07 Mar 2024 10:58:02 GMT
x-amz-replication-status: COMPLETED
Last-Modified: Thu, 07 Mar 2024 10:57:28 GMT
ETag: "6e06c1d3b76474509b4ebfaf801d7cf0"
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
x-amz-version-id: fKiCjr.kvD9t8bQK.Hm4PP5sYPBwrw64
Accept-Ranges: bytes
Content-Type: binary/octet-stream
Server: AmazonS3
Content-Length: 69

I don't see any CORS headers in those responses. It's not clear to me why the list of headers from curl is so different from the headers that https://cors-test.codehappy.dev/?url=https%3A%2F%2Fplanet.openstreetmap.org%2Freplication%2Fchangesets%2Fstate.yaml reports, so maybe I'm missing something obvious here?

Fixed. The issue was that the 302 redirect required a CORS allow header for some clients.

$ curl -I -H "Origin: http://example.com" https://planet.openstreetmap.org/replication/changesets/state.yaml
HTTP/2 302
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
location: https://osm-planet-eu-central-1.s3.dualstack.eu-central-1.amazonaws.com/changesets/replication/minute/state.yaml
content-type: text/html; charset=iso-8859-1
date: Thu, 07 Mar 2024 11:20:52 GMT
server: Apache/2.4.54 (Ubuntu)

Thanks!
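The per-hop check done by hand in this thread can be scripted. The following is an added example, not code from the issue or from the OSM operations repository: it reads the header dump of a whole redirect chain and flags any response, including the 302, that lacks `Access-Control-Allow-Origin`. The function name `cors_audit`, the sample responses, and the `bucket.example` host are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Live usage (sends an Origin header, follows redirects):
#   curl -sIL -H "Origin: http://example.com" "$URL" | cors_audit
# Exit status is 1 if any hop in the chain has no Access-Control-Allow-Origin.
cors_audit() {
  awk '
    function emit() {
      if (status == "") return
      hop++
      printf "hop=%d status=%s acao=%s\n", hop, status, (acao == "" ? "MISSING" : acao)
      if (acao == "") bad = 1
      status = ""; acao = ""
    }
    { sub(/\r$/, "") }                       # curl prints CRLF line endings
    /^HTTP\// { emit(); status = $2; next }  # a status line starts a new hop
    tolower($0) ~ /^access-control-allow-origin:/ {
      acao = $0
      sub(/^[^:]*:[ \t]*/, "", acao)         # keep only the header value
    }
    END { emit(); exit (bad ? 1 : 0) }
  '
}

# Constructed sample: redirect without the header, final response with it.
sample_before() {
  printf '%s\r\n' \
    'HTTP/2 302' \
    'location: https://bucket.example/state.yaml' \
    'server: Apache/2.4.54 (Ubuntu)' \
    '' \
    'HTTP/1.1 200 OK' \
    'Access-Control-Allow-Origin: *' \
    'Content-Length: 69' \
    ''
}

# Constructed sample: both hops carry the header.
sample_after() {
  printf '%s\r\n' \
    'HTTP/2 302' \
    'access-control-allow-origin: *' \
    'location: https://bucket.example/state.yaml' \
    '' \
    'HTTP/1.1 200 OK' \
    'Access-Control-Allow-Origin: *' \
    ''
}
```
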