Bug #11509
closed
[Keep-web] Support CORS requests with Range headers
Description
Background¶
The Workbench log viewer uses an ajax request to retrieve log data. It uses the POST method so it can include the api_token in the body. If the log is larger than the configured limit (log_viewer_max_bytes), it also adds a Range header.
Problem¶
Range is not a "safe" header for CORS, so the browser performs a pre-flight OPTIONS request, to which keep-web responds 405, so the request fails.
Solution¶
keep-web should respond to OPTIONS requests with 200 status and CORS headers:- Access-Control-Allow-Origin: *
- Access-Control-Max-Age: 86400
- Access-Control-Allow-Headers: Range
- Access-Control-Allow-Methods: GET, POST
Related issues
Updated by Tom Clegg about 7 years ago
11509-keep-web-cors-range @ cf311e8e16ba74467c77b5353afedc29b40a6a41
Updated by Radhika Chippada about 7 years ago
Just a nit about the TestCORSPreflight. It would be nice to add a comment for each block doing "h.ServeHTTP(resp, req)" the intent and expectation. Also, might be nice to have another block with GET method.
LGTM
Updated by Tom Clegg about 7 years ago
- Status changed from In Progress to Resolved
Applied in changeset arvados|commit:e3ac17f8a8aa439e21a8bf56a571f91a671313f7.
Updated by Tom Morris about 5 years ago
- Related to Idea #11065: [API] Delete rows from logs table when they exceed a configured threshold added