openstreetmap / operations

OSMF Operations Working Group issue tracking
https://operations.osmfoundation.org/

Fix CORS headers on planet.osm.org and S3 redirect #1038

Closed Firefishy closed 7 months ago

Firefishy commented 7 months ago

It was reported that CORS was not enabled for changeset post the redirect to S3.

Firefishy commented 7 months ago

Quick check it seems to work: https://cors-test.codehappy.dev/?url=https%3A%2F%2Fplanet.osm.org%2Freplication%2Fchangesets%2F005%2F911%2F899.osm.gz&origin=https%3A%2F%2Fcors-test.codehappy.dev%2F&method=get

Firefishy commented 7 months ago

@gravitystorm ^^ could you check when you have a chance.

gravitystorm commented 7 months ago

The site I was having problems with is https://jwestman.gitlab.io/osm-in-realtime/ . In my Firefox console I see:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://planet.openstreetmap.org/replication/changesets/state.yaml. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 302.

$ curl -I https://planet.openstreetmap.org/replication/changesets/state.yaml
HTTP/2 302 
strict-transport-security: max-age=31536000; includeSubDomains; preload
location: https://osm-planet-eu-central-1.s3.dualstack.eu-central-1.amazonaws.com/changesets/replication/minute/state.yaml
content-type: text/html; charset=iso-8859-1
date: Thu, 07 Mar 2024 10:57:33 GMT
server: Apache/2.4.54 (Ubuntu)

$ curl -I https://osm-planet-eu-central-1.s3.dualstack.eu-central-1.amazonaws.com/changesets/replication/minute/state.yaml
HTTP/1.1 200 OK
x-amz-id-2: AadaKTePQXH9bjDFGRscaPxe5wfVQRyrCwi8nMkuNbVj4yCfUpaqmRJ7WpEQ+4+RLU1urjxIov0=
x-amz-request-id: J3HMXRQGA8CB49GB
Date: Thu, 07 Mar 2024 10:58:02 GMT
x-amz-replication-status: COMPLETED
Last-Modified: Thu, 07 Mar 2024 10:57:28 GMT
ETag: "6e06c1d3b76474509b4ebfaf801d7cf0"
x-amz-storage-class: INTELLIGENT_TIERING
x-amz-server-side-encryption: AES256
x-amz-version-id: fKiCjr.kvD9t8bQK.Hm4PP5sYPBwrw64
Accept-Ranges: bytes
Content-Type: binary/octet-stream
Server: AmazonS3
Content-Length: 69

I don't see any CORS headers in those responses. It's not clear to me why the list of headers from curl is so different from the headers that https://cors-test.codehappy.dev/?url=https%3A%2F%2Fplanet.openstreetmap.org%2Freplication%2Fchangesets%2Fstate.yaml reports, so maybe I'm missing something obvious here?

Firefishy commented 7 months ago

Fixed. The issue was the 302 redirect required a CORS allow header for some clients.

$ curl -I -H "Origin: http://example.com" https://planet.openstreetmap.org/replication/changesets/state.yaml
HTTP/2 302
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
location: https://osm-planet-eu-central-1.s3.dualstack.eu-central-1.amazonaws.com/changesets/replication/minute/state.yaml
content-type: text/html; charset=iso-8859-1
date: Thu, 07 Mar 2024 11:20:52 GMT
server: Apache/2.4.54 (Ubuntu)
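
Added example, not part of the thread or of the OSMF configuration: a simplified Python model of the browser's CORS check for a non-credentialed GET, applied to every hop of the redirect chain shown above. The function name and the S3 hop's `access-control-allow-origin` values are assumptions (the thread does not show S3's response to a request carrying an `Origin` header); the 302 headers are taken from the two curl outputs.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def origin_of(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"

def cors_chain_verdict(page_origin, hops):
    """hops: list of (url, status, headers) in the order the browser fetches them.
    Returns (True, None) if script may read the final response,
    else (False, index of the hop that fails the CORS check)."""
    tainted = False  # set once a cross-origin hop redirects to yet another origin
    for i, (url, status, headers) in enumerate(hops):
        h = {k.lower(): v for k, v in headers.items()}
        here = origin_of(url)
        if here != page_origin:
            # After a tainting redirect the browser sends "Origin: null".
            sent_origin = "null" if tainted else page_origin
            if h.get("access-control-allow-origin") not in ("*", sent_origin):
                return (False, i)
        if status in REDIRECTS:
            # Assumes an absolute Location URL, as in the thread's output.
            if origin_of(h["location"]) != here and here != page_origin:
                tainted = True
    return (True, None)

# URLs and 302 headers from the curl output in the thread.
PAGE = "https://jwestman.gitlab.io"
PLANET = "https://planet.openstreetmap.org/replication/changesets/state.yaml"
S3 = ("https://osm-planet-eu-central-1.s3.dualstack.eu-central-1.amazonaws.com"
      "/changesets/replication/minute/state.yaml")

def chain(redirect_acao, s3_acao):
    first = {"location": S3}
    if redirect_acao:
        first["access-control-allow-origin"] = redirect_acao
    # Constructed S3 headers: the ACAO value here is an assumption.
    return [(PLANET, 302, first),
            (S3, 200, {"Access-Control-Allow-Origin": s3_acao})]

if __name__ == "__main__":
    print("before fix:", cors_chain_verdict(PAGE, chain(None, "*")))
    print("after fix: ", cors_chain_verdict(PAGE, chain("*", "*")))
    print("S3 echoing the page origin:", cors_chain_verdict(PAGE, chain("*", PAGE)))
```

The third case shows why the bucket's CORS rule matters as well: after the cross-origin redirect the browser sends `Origin: null`, so a final hop that allows only the page's own origin still fails.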

gravitystorm commented 7 months ago

Thanks!