CORS for /upload with header #75

Closed
opened 2025-12-28 18:00:04 +00:00 by sami · 2 comments

Originally created by @mike-petrov on GitHub (Mar 22, 2024).

Originally assigned to: @tatiana-nspcc on GitHub.

Current Behavior

Request `GET https://rest.fs.neo.org/v1/upload/<container_name>` with data and name body without headers works, but if I want to set attributes (it will be header: `x-attribute-filepath: 123/123`) it's being blocked by the browser because of "CORS Missing Allow Origin":

image

related to https://github.com/nspcc-dev/neofs-rest-gw/issues/166, https://github.com/nspcc-dev/neofs-rest-gw/issues/180

Expected Behavior

Panel working fine.

Steps to Reproduce

Can be reproduced with panel.fs.neo.org if you're to upload an object

Context

panel.fs.neo.org is broken because of this.

Regression

Yes, 0.7.2 handled this fine.

Your Environment

  • Version of the product used: 0.8.2
sami closed this issue and added the labels bug, S4, I4, U0 (2025-12-28 18:00:04 +00:00)

@roman-khimov commented on GitHub (Mar 22, 2024):

We need to try `Access-Control-Allow-Headers: "*"`, but per specification it's not compatible with authenticated requests.


@roman-khimov commented on GitHub (Mar 22, 2024):

The core issue here, btw, is that `upload` can have _any_ X-Attribute-*. We can limit it of course to some set of standard values, but it's not the best option for this interface.

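An added example, not code from neofs-rest-gw or from the thread: one way to accept any `X-Attribute-*` header without answering `*` is to validate the names in the preflight's `Access-Control-Request-Headers` and echo them back explicitly. The fixed header set, the trusted origin and the accepted token characters are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Assumed here, not taken from the gateway: fixed headers, trusted origin, token charset.
var fixed = map[string]bool{"authorization": true, "content-type": true}
var origins = map[string]bool{"https://panel.fs.neo.org": true}
const tokenChars = "abcdefghijklmnopqrstuvwxyz0123456789-_"

// allowHeaders validates an Access-Control-Request-Headers value and returns the
// explicit list to echo; ok is false if a name is neither fixed nor x-attribute-<token>.
func allowHeaders(requested string) (list string, ok bool) {
	var out []string
	for _, h := range strings.Split(requested, ",") {
		h = strings.ToLower(strings.TrimSpace(h))
		if h == "" {
			continue
		}
		attr := strings.TrimPrefix(h, "x-attribute-")
		isAttr := attr != h && attr != "" && strings.Trim(attr, tokenChars) == ""
		if !fixed[h] && !isAttr {
			return "", false
		}
		out = append(out, h)
	}
	return strings.Join(out, ", "), true
}

// preflight answers OPTIONS with the validated names instead of "*".
func preflight(w http.ResponseWriter, r *http.Request) {
	origin := r.Header.Get("Origin")
	list, ok := allowHeaders(r.Header.Get("Access-Control-Request-Headers"))
	if !origins[origin] || !ok {
		w.WriteHeader(http.StatusForbidden)
		return
	}
	w.Header().Set("Access-Control-Allow-Origin", origin)
	w.Header().Set("Access-Control-Allow-Headers", list)
	w.Header().Set("Vary", "Origin, Access-Control-Request-Headers")
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	fmt.Println(allowHeaders("authorization, x-attribute-filepath"))
	fmt.Println(allowHeaders("x-attribute-filepath, x-forwarded-for"))
}
```

The `Vary` header keeps shared caches from serving one origin's preflight answer to another.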
Reference
nspcc-dev/neofs-rest-gw#75