Feature #8064
open
[Keep-web] Support CORS requests with Authorization headers
Description
Background
In #7884 we needed to add minimal CORS support to keep-web (allowing simple requests that don't need pre-flight) in order to let the Workbench log viewer retrieve log data from keep-web.
However, supplying an API token in an Authorization header (where it rightfully belongs) makes it a non-simple request requiring preflight. The workaround was to do a POST request with the token supplied in a form in the request body.
Implementation
Proper CORS support includes:
- Respond to OPTIONS requests (Allow: GET, POST) adding appropriate CORS headers (allow-methods "GET, POST"; allow-origin "*"; allow-headers "Authorization, Range"; max-age 86400) if the Origin request header is present.
- Add appropriate CORS headers to GET and POST requests if the Origin request header is set (allow-origin "*"; max-age 86400; expose-headers "Accept-Ranges, Content-Disposition, Content-Length, Content-Range").
This should allow Workbench to do a GET request with an Authorization header, instead of a POST request with a form. The special case in keep-web (responding to a POST request without a redirect if the Origin request header is present) won't be needed for Workbench any more, but should probably still be supported so other clients have more options at their disposal.
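The header policy listed above, written as Go `net/http` middleware; this is an added illustration, not keep-web's own code. `corsWrap`, `probe`, the example hostnames and the `Bearer` token value are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// corsWrap is a hypothetical middleware applying the CORS policy described in this ticket.
func corsWrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		if r.Method == http.MethodOptions {
			h.Set("Allow", "GET, POST")
			if r.Header.Get("Origin") != "" {
				h.Set("Access-Control-Allow-Methods", "GET, POST")
				h.Set("Access-Control-Allow-Origin", "*")
				// Authorization is named explicitly; a "*" here would not cover it.
				h.Set("Access-Control-Allow-Headers", "Authorization, Range")
				h.Set("Access-Control-Max-Age", "86400")
			}
			return // preflight answered here (implicit 200), never reaches the data handler
		}
		if r.Header.Get("Origin") != "" && (r.Method == http.MethodGet || r.Method == http.MethodPost) {
			h.Set("Access-Control-Allow-Origin", "*")
			h.Set("Access-Control-Max-Age", "86400")
			h.Set("Access-Control-Expose-Headers", "Accept-Ranges, Content-Disposition, Content-Length, Content-Range")
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through corsWrap around a stub data handler.
func probe(method string, hdrs map[string]string) *httptest.ResponseRecorder {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "log data") })
	req := httptest.NewRequest(method, "http://keep-web.example/log.txt", nil)
	for k, v := range hdrs {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	corsWrap(backend).ServeHTTP(rec, req)
	return rec
}

func main() {
	o := "https://workbench.example" // constructed origin
	pre := probe("OPTIONS", map[string]string{"Origin": o})
	get := probe("GET", map[string]string{"Origin": o, "Authorization": "Bearer constructed-token"})
	fmt.Println(pre.Header().Get("Access-Control-Allow-Headers"), get.Code, get.Body.String())
}
```

The preflight is answered without an Authorization header because browsers do not send request credentials or custom headers on the OPTIONS probe, so token checks belong only on the GET/POST path.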