From 1a373b5f2c37cead0fe41482805fdb93ca871e37 Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Mon, 20 Aug 2018 09:42:59 -0400
Subject: [PATCH] 14020: Allow WebDAV headers in CORS requests.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 services/keep-web/handler.go | 7 ++++++-
 services/keep-web/handler_test.go | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go
index bb77e58594..912398fa64 100644
--- a/services/keep-web/handler.go
+++ b/services/keep-web/handler.go
@@ -135,6 +135,11 @@ func (uos *updateOnSuccess) WriteHeader(code int) {
 }
 
 var (
+ corsAllowHeadersHeader = strings.Join([]string{
+ "Authorization", "Content-Type", "Range",
+ // WebDAV request headers:
+ "Depth", "Destination", "If", "Lock-Token", "Overwrite", "Timeout",
+ }, ", ")
 writeMethod = map[string]bool{
 "COPY": true,
 "DELETE": true,
@@ -206,7 +211,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 statusCode = http.StatusMethodNotAllowed
 return
 }
- w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type, Range")
+ w.Header().Set("Access-Control-Allow-Headers", corsAllowHeadersHeader)
 w.Header().Set("Access-Control-Allow-Methods", "COPY, DELETE, GET, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PUT, RMCOL")
 w.Header().Set("Access-Control-Allow-Origin", "*")
 w.Header().Set("Access-Control-Max-Age", "86400")
diff --git a/services/keep-web/handler_test.go b/services/keep-web/handler_test.go
index 68ed062160..bced67ed20 100644
--- a/services/keep-web/handler_test.go
+++ b/services/keep-web/handler_test.go
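Review bot: The new `corsAllowHeadersHeader` list in handler.go's `var (` block allows `Lock-Token` and `Timeout`, which WebDAV clients send with LOCK and UNLOCK. The `Access-Control-Allow-Methods` value visible in the ServeHTTP hunk lists neither method, so as far as these lines show the two headers widen the preflight allow-list without enabling any request the handler accepts cross-origin. Either drop them until locking is exposed to browsers, or add the methods in the same change, so the two allow-lists stay no wider than what is actually served. The variable also has no doc comment; `// corsAllowHeadersHeader is the Access-Control-Allow-Headers value sent in CORS preflight responses.` would do. The `var (` block continues outside the hunk.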
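Review bot: In ServeHTTP the wider header list is sent next to `Access-Control-Allow-Origin: *`, so after this change a page on any origin may attach `Destination` and `Overwrite` to the COPY and MOVE methods already listed. That is only sound while every request is authorized by an explicitly supplied token and no `Access-Control-Allow-Credentials` header is ever emitted; the hunk does not show whether that holds elsewhere in the handler. I would record the assumption above the `Set` calls, e.g. `// Wildcard origin is safe only because auth is an explicit token, never ambient browser credentials.` ServeHTTP's body starts and ends outside the hunk.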
@@ -48,7 +48,7 @@ func (s *UnitSuite) TestCORSPreflight(c *check.C) {
 c.Check(resp.Body.String(), check.Equals, "")
 c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")
 c.Check(resp.Header().Get("Access-Control-Allow-Methods"), check.Equals, "COPY, DELETE, GET, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PUT, RMCOL")
- c.Check(resp.Header().Get("Access-Control-Allow-Headers"), check.Equals, "Authorization, Content-Type, Range")
+ c.Check(resp.Header().Get("Access-Control-Allow-Headers"), check.Equals, "Authorization, Content-Type, Range, Depth, Destination, If, Lock-Token, Overwrite, Timeout")
 
 // Check preflight for a disallowed request
 resp = httptest.NewRecorder()
-- 
2.30.2