Accessing Object Storage from multiple domains, caching and CORS

asked 2018-04-02 05:54:27 -0500

rapoport gravatar image

updated 2018-04-02 05:56:27 -0500

The way how Object Storage manages CORS headers doesn't play well with the caching strategies of common browsers.

I have a file in the Object Storage. On the container I set following headers:


X-Container-Meta-Access-Control-Expose-Headers: Access-Control-Allow-Origin

X-Container-Read: .r:*

Let's say my file is accessible from

I have two websites that access that file using a GET method. Whenever the file is requested OpenStack checks the Origin header and replies with the CORS header having one domain (from the Origin and only if it is allowed), for example:


The problem is that such a GET response is cached by common browsers. It means if I open the first site then the response will be cached with the CORS-Header being Next, if I open the second website then the browser will take the response from the cache, compare CORS header (it will not match) and block the website from accessing the resource.

Can I disable the logic that dynamically calculates the Access-Control-Allow-Origin on each request and make it always send all allowed domains?

As a solution I can artificially make requests from different websites be different in order to make them cache separately (e.g. /data.xml? and /data.xml? But I don't want the file to be cached twice.

I am using an OpenStack hosting, it has Object Storage version 2.15.1.dev61


edit retag flag offensive close merge delete