Accessing Object Storage from multiple domains, caching and CORS

The way Object Storage manages CORS headers doesn't play well with the caching strategies of common browsers.

I have a file in the Object Storage. On the container I set the following headers:

X-Container-Meta-Access-Control-Allow-Origin: http://example.org http://sample.com

X-Container-Meta-Access-Control-Expose-Headers: Access-Control-Allow-Origin

X-Container-Read: .r:*

Let's say my file is accessible from https://mysite.com/os/v1/AAA/mycont1/data.xml

I have two websites that access that file using a GET method. Whenever the file is requested, OpenStack checks the Origin header and replies with the CORS header having one domain (from the Origin and only if it is allowed), for example:

Access-Control-Allow-Origin: http://example.org

The problem is that such a GET response is cached by common browsers. It means that if I open the first site http://example.org, the response will be cached with the CORS header being http://example.org. Next, if I open the second website http://sample.com, the browser will take the response from the cache, compare the CORS header (it will not match) and block the website from accessing the resource.

Can I disable the logic that dynamically calculates the Access-Control-Allow-Origin on each request and make it always send all allowed domains?

As a solution I can artificially make requests from different websites be different in order to make them cache separately (e.g. /data.xml?example.org and /data.xml?sample.com). But I don't want the file to be cached twice.

I am using OpenStack hosting; it has Object Storage version 2.15.1.dev61.

Thanks!
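
The failure described in the post, and the header choices that change the outcome, as an added example that is not part of the original post: a small model of a browser cache and the CORS check. The policy names and functions are hypothetical; `Vary: Origin` and the `*` value are standard HTTP/CORS mechanisms, not settings taken from the post.

```javascript
// Added example: minimal model of a browser HTTP cache plus the CORS check.
// Function and policy names are hypothetical; the origins are the sample
// values from the post. One URL is modelled, so the cache key is just Vary.
const ALLOWED = ["http://example.org", "http://sample.com"];

// Server policies: how Access-Control-Allow-Origin (ACAO) is produced.
function serve(policy, origin) {
  const h = {};
  if (policy === "list") h.acao = ALLOWED.join(" ");     // "send all allowed domains"
  else if (policy === "wildcard") h.acao = "*";
  else if (ALLOWED.includes(origin)) h.acao = origin;    // "echo" and "echo+vary"
  if (policy === "echo+vary") h.vary = "origin";         // Vary: Origin
  return h;
}

// CORS check for a request without credentials: exact origin match or "*".
const corsAllows = (h, origin) => h.acao === "*" || h.acao === origin;

class Cache {
  constructor() { this.entries = []; }
  fetch(policy, origin) {
    // A stored response is reused unless Vary names Origin and the origin differs.
    let hit = this.entries.find(
      e => e.headers.vary !== "origin" || e.origin === origin);
    if (!hit) {
      hit = { origin, headers: serve(policy, origin) };
      this.entries.push(hit);
    }
    return corsAllows(hit.headers, origin);
  }
}

// Open the first site, then the second, sharing one browser cache.
function visitBoth(policy) {
  const cache = new Cache();
  const results = ALLOWED.map(o => cache.fetch(policy, o));
  return { results, copies: cache.entries.length };
}

for (const p of ["echo", "list", "echo+vary", "wildcard"])
  console.log(p, JSON.stringify(visitBoth(p)));
```

In this model a multi-origin header value fails for both sites because the check is an exact comparison, `echo+vary` works but stores one copy per origin, and `wildcard` keeps a single copy, which exposes nothing new here only because the container is already world-readable (`.r:*`).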
