[ARVADOS] updated: 1.1.0-22-g337de2e
Git user
git at public.curoverse.com
Mon Oct 16 14:16:09 EDT 2017
Summary of changes:
services/keep-web/handler.go | 2 +-
services/keep-web/handler_test.go | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
via 337de2e3dfeacc5054cb644513be61f5d35585ae (commit)
from 1a6a840d3bad6c28d8fa4c04a7610fbb8bf8423f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 337de2e3dfeacc5054cb644513be61f5d35585ae
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date: Mon Oct 16 14:03:30 2017 -0400
12216: Allow Authorization header in cross-origin requests.
This allows browser-based applications to send tokens in Authorization
headers. This is the only token-passing mechanism that neither exposes
the token inappropriately in proxy/server logs nor interferes with
webdav's use of request bodies.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>
diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go
index 653a501..fd36218 100644
--- a/services/keep-web/handler.go
+++ b/services/keep-web/handler.go
@@ -146,7 +146,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
statusCode = http.StatusMethodNotAllowed
return
}
- w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Range")
+ w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type, Range")
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS, PROPFIND")
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Max-Age", "86400")
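Review bot: Nothing beside the changed `Access-Control-Allow-Headers` line records why it is acceptable to allow `Authorization` while `Access-Control-Allow-Origin` remains `*`. With this combination a script from any origin can present a token it already holds and read the response. That is only safe as long as the preflight never also sends `Access-Control-Allow-Credentials`, which the visible lines do not set. I would add a comment above the block such as `// Authorization is allowed with a wildcard origin because callers must supply the token explicitly; never add Access-Control-Allow-Credentials here.` ServeHTTP begins and ends outside this hunk, so confirm that no later code path sets that header.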
diff --git a/services/keep-web/handler_test.go b/services/keep-web/handler_test.go
index a670997..6bd34d7 100644
--- a/services/keep-web/handler_test.go
+++ b/services/keep-web/handler_test.go
@@ -46,7 +46,7 @@ func (s *UnitSuite) TestCORSPreflight(c *check.C) {
c.Check(resp.Body.String(), check.Equals, "")
c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")
c.Check(resp.Header().Get("Access-Control-Allow-Methods"), check.Equals, "GET, POST, OPTIONS, PROPFIND")
- c.Check(resp.Header().Get("Access-Control-Allow-Headers"), check.Equals, "Content-Type, Range")
+ c.Check(resp.Header().Get("Access-Control-Allow-Headers"), check.Equals, "Authorization, Content-Type, Range")
// Check preflight for a disallowed request
resp = httptest.NewRecorder()
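Review bot: The preflight test pins the new allow-list string but not the property that keeps it safe with `Access-Control-Allow-Origin: *`, namely that no credentials header is sent. Adding `c.Check(resp.Header().Get("Access-Control-Allow-Credentials"), check.Equals, "")` right after the `Access-Control-Allow-Headers` check would make a later change that enables ambient credentials fail here. The hunk also shows no test that a real cross-origin request carrying an `Authorization` header is accepted, though such a test may exist elsewhere, since TestCORSPreflight continues beyond the hunk.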
-----------------------------------------------------------------------
hooks/post-receive
--