girder / girder

A data management platform for the web, developed by Kitware
http://girder.readthedocs.io
Apache License 2.0

Validate S3 assetstore has valid CORS configuration #2186

Open danlamanna opened 7 years ago

danlamanna commented 7 years ago

See #2132 for additional context:

As part of validation we should really do some checking for the CORS requirements. We document them, but if the user fails to set them, everything functions normally until upload time, when they have to check the browser console for the error message.

To get even more pedantic, these settings may have to be tested from the client side to avoid a false positive in the event of a non-web-client install of Girder.

zachmullen commented 7 years ago

> these settings may have to be tested from the client side

Either that, or we can just use boto to grab the CORS configuration from the bucket and then validate it. Not sure if getting the CORS policy document requires special permission on the bucket, though.

EDIT: This function is the one I'm referring to.

danlamanna commented 7 years ago

The issue is boto and server-side Python won't know if the client actually needs a proper CORS policy, can it? Only the web client has that stipulation.

On Fri, Jul 14, 2017 at 12:26 PM, Zach Mullen notifications@github.com wrote:

> these settings may have to be tested from the client side
>
> Either that, or we can just use boto to grab the CORS configuration from the bucket and then validate it. Not sure if getting the CORS policy document requires special permission on the bucket, though.


-- Dan LaManna Kitware, Inc.

zachmullen commented 7 years ago

We can validate whether the CORS policy on the bucket is configured to allow CORS, including allowing the headers and methods needed by Girder direct-to-S3 uploads from the browser. Or am I missing something?
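The server-side check discussed in this thread, sketched as an added example (not part of the original comments and not Girder's code). It takes a dict shaped like the response of boto3's `get_bucket_cors` and mimics S3's first-matching-rule evaluation; the origin, the list of upload requests and the `ETag` requirement are assumptions to be replaced with the real ones.

```python
# Constructed inputs: the origin and the request list are assumptions, not
# Girder's documented requirements. Substitute the real ones.
ORIGIN = "https://girder.example.org"
UPLOAD_REQUESTS = [("POST", ["content-type"]),
                   ("PUT", ["content-type", "content-disposition"])]

# Same shape as boto3's s3.get_bucket_cors(Bucket=...) response.
GOOD = {"CORSRules": [{"AllowedOrigins": [ORIGIN], "AllowedHeaders": ["*"],
                       "AllowedMethods": ["GET", "PUT", "POST"],
                       "ExposeHeaders": ["ETag"], "MaxAgeSeconds": 3000}]}
SPLIT = {"CORSRules": [
    {"AllowedOrigins": ["*"], "AllowedMethods": ["GET"]},
    {"AllowedOrigins": [ORIGIN], "AllowedMethods": ["PUT", "POST"],
     "AllowedHeaders": ["content-type"]}]}


def _wild(value, pattern):
    """Match with at most one '*' wildcard, the form S3 CORS rules use."""
    if "*" not in pattern:
        return value == pattern
    prefix, _, suffix = pattern.partition("*")
    return (len(value) >= len(prefix) + len(suffix)
            and value.startswith(prefix) and value.endswith(suffix))


def first_matching_rule(cors, origin, method, headers):
    """S3 applies the first rule matching origin, method and all headers."""
    for rule in cors.get("CORSRules", []):
        allowed = [p.lower() for p in rule.get("AllowedHeaders", [])]
        if (any(_wild(origin, p) for p in rule.get("AllowedOrigins", []))
                and method in rule.get("AllowedMethods", [])
                and all(any(_wild(h.lower(), p) for p in allowed)
                        for h in headers)):
            return rule
    return None


def validate_cors(cors, origin, requests=UPLOAD_REQUESTS, expose=("ETag",)):
    """Return a list of problems; empty means every request would pass."""
    problems = []
    for method, headers in requests:
        rule = first_matching_rule(cors, origin, method, headers)
        if rule is None:
            problems.append(f"{method} from {origin} matches no rule")
            continue
        exposed = {h.lower() for h in rule.get("ExposeHeaders", [])}
        problems += [f"{method}: {h} not exposed"
                     for h in expose if h.lower() not in exposed]
    return problems
```

Reading the configuration from a live bucket requires the `s3:GetBucketCORS` permission on that bucket for the credentials in use. The `SPLIT` sample shows why rules cannot be checked as a union: each request is answered from one rule only.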

danlamanna commented 7 years ago

Nope, I misunderstood you.

On Fri, Jul 14, 2017 at 12:43 PM, Zach Mullen notifications@github.com wrote:

> We can validate whether the CORS policy on the bucket is configured to allow CORS, including allowing the headers and methods needed by Girder direct-to-S3 uploads from the browser. Or am I missing something?


-- Dan LaManna Kitware, Inc.

mgrauer commented 7 years ago

+1, just ran into this