smattymatty 54c63387cb fix(cors): include Access-Control-Allow-Headers in permissive OPTIONS placeholder (#1450)
The OPTIONS placeholder for buckets without a resolvable global alias returns `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Methods: *` but omits `Access-Control-Allow-Headers`.

Bug verified against Garage v2.2.0 with a local-aliased bucket: the OPTIONS placeholder doesn't have `Access-Control-Allow-Headers`, which causes the browser to reject signed PUT preflights.

The current placeholder fails open for unsigned simple requests but blocks every signed request, undermining the design intent flagged in the FIXME:

```rs
// We take the permissive approach of allowing everything,
// because we don't want to prevent web apps that use
// local bucket names from making API calls.
```

Adds `Access-Control-Allow-Headers: *` so the permissive default is actually permissive for the request shapes that exist in practice.

Refs #258. Does not address the broader FIXME (CORS rule resolution for local-aliased buckets); the placeholder approach is preserved.

All tests are fine locally:

```bash
 ▲ ~/opensource/garage cargo test -p garage_api_common cors::

running 5 tests
test cors::tests::preflight_with_single_allowed_origin_returns_request_origin ... ok
test cors::tests::preflight_with_multiple_allowed_origins_reflects_request_origin ... ok
test cors::tests::preflight_with_wildcard_allowed_origin_returns_wildcard ... ok
test xml::cors::tests::test_deserialize_norules ... ok
test xml::cors::tests::test_deserialize ... ok

test result: ok. 5 passed; 0 failed; 0 ignored; 0 measured; 16 filtered out; finished in 0.00s
```

Co-authored-by: smattymatty <smattymatt@gmail.com>
Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/garage/pulls/1450
Reviewed-by: Alex <lx@deuxfleurs.fr>
2026-05-12 08:17:48 +00:00
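
The header step of the CORS-preflight check, as the Fetch standard defines it for a request whose credentials mode is not "include", can be modelled to compare the placeholder response before and after this change. This is an added example, not code from the commit or from Garage; the function name `first_blocked_header` and the sample header sets are constructed for illustration.

```rust
// Added example: models only the Access-Control-Allow-Headers step of the
// CORS-preflight check in the Fetch standard (credentials mode not "include").

/// Returns the first requested header that the preflight response does not
/// allow, or None if the header check passes.
/// `allow_headers`: value of Access-Control-Allow-Headers, if the response has one.
/// `requested`: names the browser sent in Access-Control-Request-Headers.
fn first_blocked_header<'a>(allow_headers: Option<&str>, requested: &[&'a str]) -> Option<&'a str> {
    let allowed: Vec<String> = allow_headers
        .unwrap_or("")
        .split(',')
        .map(|h| h.trim().to_ascii_lowercase())
        .filter(|h| !h.is_empty())
        .collect();
    let wildcard = allowed.iter().any(|h| h == "*");
    requested.iter().copied().find(|name| {
        let lower = name.to_ascii_lowercase();
        let listed = allowed.contains(&lower);
        // `Authorization` is the "CORS non-wildcard request-header name":
        // the standard requires it to be listed explicitly, `*` does not cover it.
        if lower == "authorization" { !listed } else { !listed && !wildcard }
    })
}

fn main() {
    // Constructed sample preflights (assumed header sets, not taken from the commit).
    let presigned_put = ["content-type", "x-amz-meta-owner"];
    let header_signed_put = ["authorization", "x-amz-content-sha256", "x-amz-date"];
    for (label, allow) in [("no Allow-Headers", None), ("Allow-Headers: *", Some("*"))] {
        println!("{}: presigned PUT blocked on {:?}", label,
                 first_blocked_header(allow, &presigned_put));
        println!("{}: header-signed PUT blocked on {:?}", label,
                 first_blocked_header(allow, &header_signed_put));
    }
}
```

Under this model a preflight that requests `authorization` passes only when the response names that header explicitly, so a client that signs with the `Authorization` header is worth testing separately from a presigned-URL upload.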