CORS support

[auguster]

I'm accessing videos stored by s3proxy from a page on another domain. I have security issues in my JS script because, when serving a video, the header doesn't specify any "Access-Control-Allow-Origin". I'd like s3proxy to set "Access-Control-Allow-Origin" to a value (e.g. "*" for testing), is there a way to do that as of now ?

Maybe through jclouds' configuration ?

[gaul]

S3Proxy does not support CORS today. We can address this two ways: full CORS support or just add a mechanism to inject the header into responses, possibly arbitrary headers. For a lot of test use cases I can see the latter sufficing. Does this address your use case?

Eventually S3Proxy needs full CORS support. API reference:

https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTcors.html

[auguster]

Header injection would be perfect for me. I'm only using s3proxy for testing purposes.

[ShayFB]

Hi, I tried the latest version with the header injection.
I added "s3proxy.cors-allow-all=true" to the configuration,

I tried to use the S3 AWS JS SDK.
The first attempt I try, the browser sends an OPTIONS request which always fails with 403.

Here is an example of a query (I exported it to curl)

curl 'http://192.168.33.109:8080/testbucket?acl' -X OPTIONS -H 'Access-Control-Request-Method: GET' -H 'Origin: http://192.168.33.109' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: en-US,en;q=0.8,he;q=0.6,ru;q=0.4,ja;q=0.2,de;q=0.2,zh;q=0.2' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36' -H 'Accept: /' -H 'Referer: http://192.168.33.109/' -H 'Connection: keep-alive' -H 'Access-Control-Request-Headers: authorization, x-amz-date, x-amz-user-agent' --compressed

The response is:

AccessDeniedAWS authentication requires a valid Date or x-amz-date header4442587FB7D0A2F9

Any idea?

[nidu]

Hi. I'm using trying to upload files into s3proxy from chrome directly using upload method and it works just fine for 2Kb file, but fails with No 'Access-Control-Allow-Origin' header is present on the requested resource. for 5Mb file.

I can see that for 2Kb upload is done with PUT and for 5Mb - with POST (URL with ?uploads). Is CORS supported for POST? I have S3PROXY_CORS_ALLOW_ALL=true in my docker-compose.yml. Maybe there's something else to set up?

[gaul]

@reimannf could you look at this?

[reimannf]

Okay. The handleInitiateMultipartUpload https://github.com/gaul/s3proxy/blob/master/src/main/java/org/gaul/s3proxy/S3ProxyHandler.java#L697-L698 is not the Standard POST handler with CORS support https://github.com/gaul/s3proxy/blob/master/src/main/java/org/gaul/s3proxy/S3ProxyHandler.java#L2122-L2128.
I think to support Multipart Uploads for CORS we need to add it to handleInitiateMultipartUpload, handleCompleteMultipartUpload, handleAbortMultipartUpload, handleUploadPart, handleListMultipartUploads.
Currently there is only support for the very simple use cases, like Object PUT or GET, but not for the more advanced ones. I could do the multipart stuff after my vacation (2 weeks), but not all the others. @gaul whats your opinion?

[Renkas]

I have stumbled upon this myself now. This really is stopping us from using S3 proxy ...

I see this issue has stalled for over a year already ... so need to find some other tool for the job again.

[gaul]

@Renkas Can you share which operations fail? Can you open a separate issue for this?

@reimannf This seems correct to me. Can you submit a pull request?

[Renkas]

@gaul issue is the same as @reimannf described. Multipart upload does not support CORS.

EDIT: I'll investigate it from my side little bit more. But at first glance it seems to be same issue he is describing. But I also see OPTIONS query has CORS headers but PUT fails somehow.

EDIT2: yes - PUT request does not have CORS headers so browser kills it.
I did same test in AWS S3 and it has CORS headers in PUT response and all works fine.