Bug #11509

[Keep-web] Support CORS requests with Range headers

Added by Tom Clegg 6 months ago. Updated 6 months ago.

Status: Resolved
Start date: 04/17/2017
Priority: Normal
Due date:
Assignee: Tom Clegg
% Done:
Target version: 2017-04-26 sprint
Story points: -
Remaining (hours): 0.00 hour
Velocity based estimate: -



The Workbench log viewer uses an ajax request to retrieve log data. It uses the POST method so it can include the api_token in the body. If the log is larger than the configured limit (log_viewer_max_bytes), it also adds a Range header.


Range is not a "safe" header for CORS, so the browser performs a pre-flight OPTIONS request, to which keep-web responds 405, so the request fails.


keep-web should respond to OPTIONS requests with 200 status and CORS headers:
  • Access-Control-Allow-Origin: *
  • Access-Control-Max-Age: 86400
  • Access-Control-Allow-Headers: Range
  • Access-Control-Allow-Methods: GET, POST
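
The pre-flight behaviour requested above, sketched as an added example (not code from keep-web or from this issue). The wrapper name corsPreflight, the stub file handler, the Workbench origin and the 405 for pre-flights asking for other methods are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// corsPreflight wraps next (a stand-in for the real file handler) and answers
// CORS pre-flight requests itself with the four headers listed in the issue.
func corsPreflight(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodOptions {
			// Actual GET/POST: the browser also checks Allow-Origin on this response.
			w.Header().Set("Access-Control-Allow-Origin", "*")
			next.ServeHTTP(w, r)
			return
		}
		// Assumption: refuse pre-flights for methods outside the advertised set.
		switch r.Header.Get("Access-Control-Request-Method") {
		case http.MethodGet, http.MethodPost:
		default:
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", "*")
		h.Set("Access-Control-Max-Age", "86400")
		h.Set("Access-Control-Allow-Headers", "Range")
		h.Set("Access-Control-Allow-Methods", "GET, POST")
		w.WriteHeader(http.StatusOK)
	})
}

// preflight sends a constructed OPTIONS request and returns the recorded response.
func preflight(method, headers string) *httptest.ResponseRecorder {
	req := httptest.NewRequest(http.MethodOptions, "/log.txt", nil)
	req.Header.Set("Origin", "https://workbench.example") // constructed origin
	req.Header.Set("Access-Control-Request-Method", method)
	req.Header.Set("Access-Control-Request-Headers", headers)
	rec := httptest.NewRecorder()
	stub := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "log data") })
	corsPreflight(stub).ServeHTTP(rec, req)
	return rec
}

func main() {
	for _, m := range []string{"POST", "GET", "DELETE"} {
		rec := preflight(m, "Range")
		fmt.Println(m, rec.Code, rec.Header().Get("Access-Control-Allow-Headers"))
	}
}
```

The wildcard origin is only usable here because the api_token travels in the POST body rather than in cookies; browsers reject "Access-Control-Allow-Origin: *" on credentialed requests.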


Task #11512: Review 11509-keep-web-cors-range - Resolved - Tom Clegg

Associated revisions

Revision e3ac17f8
Added by Tom Clegg 6 months ago

Merge branch '11509-keep-web-cors-range'

closes #11509


#1 Updated by Tom Clegg 6 months ago

  • Status changed from New to In Progress

#2 Updated by Tom Clegg 6 months ago

  • Description updated (diff)

#3 Updated by Tom Clegg 6 months ago

11509-keep-web-cors-range @ cf311e8e16ba74467c77b5353afedc29b40a6a41

#4 Updated by Radhika Chippada 6 months ago

Just a nit about the TestCORSPreflight. It would be nice to add a comment for each block doing "h.ServeHTTP(resp, req)" stating the intent and expectation. Also, it might be nice to have another block with the GET method.


#5 Updated by Tom Clegg 6 months ago

  • Status changed from In Progress to Resolved

Applied in changeset arvados|commit:e3ac17f8a8aa439e21a8bf56a571f91a671313f7.
