Feature #8064

[Keep-web] Support CORS requests with Authorization headers

Added by Tom Clegg over 3 years ago. Updated about 20 hours ago.

In #7884 we needed to add minimal CORS support to keep-web (allowing simple requests that don't need pre-flight) in order to let the Workbench log viewer retrieve log data from keep-web.

However, supplying an API token in an Authorization header (where it rightfully belongs) makes it a non-simple request requiring preflight. The workaround was to do a POST request with the token supplied in a form in the request body.


Proper CORS support includes:
  • Respond to OPTIONS requests (Allow: GET, POST) adding appropriate CORS headers (allow-methods "GET, POST"; allow-origin "*"; allow-headers "Authorization, Range"; max-age 86400) if the Origin request header is present.
  • Add appropriate CORS headers to GET and POST requests if the Origin request header is set (allow-origin "*"; max-age 86400; expose-headers "Accept-Ranges, Content-Disposition, Content-Length, Content-Range").

This should allow Workbench to do a GET request with an Authorization header, instead of a POST request with a form. The special case in keep-web (responding to a POST request without a redirect if the Origin request header is present) won't be needed for Workbench any more, but should probably still be supported so other clients have more options at their disposal.

Related issues

Related to Arvados - Bug #7884: [Workbench] log viewer does not handle "redirect to keep-web" response (Resolved, 2015-12-01)


#1 Updated by Tom Morris 8 days ago

  • Target version set to Arvados Future Sprints

#2 Updated by Tom Morris 8 days ago

  • Target version changed from Arvados Future Sprints to To Be Groomed

#3 Updated by Tom Morris about 20 hours ago

  • Target version changed from To Be Groomed to Arvados Future Sprints
