From 546141c94a1c5e45dcb70e2d5fd06fe1ac0b1599 Mon Sep 17 00:00:00 2001 From: Wido den Hollander Date: Tue, 5 Apr 2016 11:14:16 +0200 Subject: [PATCH] rgw: Set Access-Control-Allow-Origin to a Asterisk if allowed in a rule Before this patch the RGW would respond with the Origin send by the client in the request if a wildcard/asterisk was specified as a valid Origin. This patch makes sure we respond with a header like this: Access-Control-Allow-Origin: * This way a resource can be used on different Origins by the same browser and that browser will use the content as the asterisk. We also keep in mind that when Authorization is send by the client different rules apply. In the case of Authorization we may not respond with an Asterisk, but we do have to add the Vary header with 'Origin' as a value to let the browser know that for different Origins it has to perform a new request. More information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS Fixes: #15348 Signed-off-by: Wido den Hollander (cherry picked from commit 0021e224480c7164330eaa7cc1078bb8795169bf) --- src/rgw/rgw_cors.cc | 7 +++++++ src/rgw/rgw_cors.h | 1 + src/rgw/rgw_op.cc | 12 ++++++++++++ src/rgw/rgw_rest.cc | 8 ++++++++ 4 files changed, 28 insertions(+) diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc index a120a6866455e..1ad5b43136cf3 100644 --- a/src/rgw/rgw_cors.cc +++ b/src/rgw/rgw_cors.cc @@ -116,6 +116,13 @@ static bool is_string_in_set(set& s, string h) { return false; } +bool RGWCORSRule::has_wildcard_origin() { + if (allowed_origins.find("*") != allowed_origins.end()) + return true; + + return false; +} + bool RGWCORSRule::is_origin_present(const char *o) { string origin = o; return is_string_in_set(allowed_origins, origin); diff --git a/src/rgw/rgw_cors.h b/src/rgw/rgw_cors.h index 239cfd7332f7e..61b352dae57ce 100644 --- a/src/rgw/rgw_cors.h +++ b/src/rgw/rgw_cors.h @@ -80,6 +80,7 @@ public: ::decode(exposable_hdrs, bl); DECODE_FINISH(bl); } + bool has_wildcard_origin(); bool is_origin_present(const char *o); void format_exp_headers(std::string& s); void erase_origin_if_present(std::string& origin, bool *rule_empty); diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index 218526b93ae2f..a655a217a73df 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -637,6 +637,18 @@ bool RGWOp::generate_cors_headers(string& origin, string& method, string& header if (!rule) return false; + /* + * Set the Allowed-Origin header to a asterisk if this is allowed in the rule + * and no Authorization was send by the client + * + * The origin parameter specifies a URI that may access the resource. The browser must enforce this. + * For requests without credentials, the server may specify "*" as a wildcard, + * thereby allowing any origin to access the resource. + */ + const char *authorization = s->info.env->get("HTTP_AUTHORIZATION"); + if (!authorization && rule->has_wildcard_origin()) + origin = "*"; + /* CORS 6.2.3. */ const char *req_meth = s->info.env->get("HTTP_ACCESS_CONTROL_REQUEST_METHOD"); if (!req_meth) { diff --git a/src/rgw/rgw_rest.cc b/src/rgw/rgw_rest.cc index 826c7a9d78b9a..a6cadf79e8af3 100644 --- a/src/rgw/rgw_rest.cc +++ b/src/rgw/rgw_rest.cc @@ -539,6 +539,14 @@ void dump_access_control(struct req_state *s, const char *origin, uint32_t max_age) { if (origin && (origin[0] != '\0')) { STREAM_IO(s)->print("Access-Control-Allow-Origin: %s\r\n", origin); + /* If the server specifies an origin host rather than "*", + * then it must also include Origin in the Vary response header + * to indicate to clients that server responses will differ + * based on the value of the Origin request header. + */ + if (strcmp(origin, "*") != 0) + STREAM_IO(s)->print("Vary: Origin\r\n"); + if (meth && (meth[0] != '\0')) STREAM_IO(s)->print("Access-Control-Allow-Methods: %s\r\n", meth); if (hdr && (hdr[0] != '\0')) -- 2.39.5