How do Allowed Headers for CORS preflight requests work?

[bdon]

On this part of the docs: https://github.com/tigrisdata/tigris-os-docs/blob/main/docs/buckets/cors.md?plain=1#L73

For pre-flight requests, it compares the allowed headers with those specified
by the Access-Control-Request-Headers header.

The UI specifies Enter comma separated values. (Accept,Accept-Language,Authorization or *).

Are we expected to exhaustively specify all headers in the request like Accept,Origin,Pragma that the browser attaches automatically?

I am having trouble specifying an allowlist of headers with my UI setting to X-Custom-Header. You can see the repro page here: https://bdon.github.io/tigris-cors/ (repository: https://github.com/bdon/tigris-cors)

The second CORS request fails because it needs a preflight for the custom header X-Custom-Header.

It seems to work when the allowed headers are set to * in the UI.

(Maybe this is better as a forum support ticket instead of a docs issue)

[JigarJoshi]

Hi @bdon

Yes the full list of headers is required. Here is a the cURL equivalent of your bucket's prefilght request

curl -v 'https://tigris-cors.protomaps.dev/blank.txt' -X OPTIONS -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br, zstd' -H 'Access-Control-Request-Method: GET' -H 'Access-Control-Request-Headers: x-custom-header' -H 'Referer: https://bdon.github.io/' -H 'Origin: https://bdon.github.io' -H 'Connection: keep-alive' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: cross-site' -H 'Priority: u=4' -H 'TE: trailers'

Your bucket has cors setup to allow * origin and method, for header you have only x-custom-header allowed. So if you make this modify this preflight request to

 curl -v 'https://tigris-cors.protomaps.dev/blank.txt' -X OPTIONS   -H 'Origin: https://bdon.github.io'

It will serve the right CORS headers. Ofcourse you can't control yours or your user's browser to only send these headers. So you need to provide full set of headers that a typical browser will send. Maybe this will help https://www.whatismybrowser.com/detect/what-http-headers-is-my-browser-sending/

[bdon]

It could be better ergonomics if the invisible default was to include all the CORS-safelisted headers, though I understand it may also need to include some browser specific ones like Pragma so it is difficult to be exhaustive. In any case perhaps the docs could reflect the default allowlist being empty? (I think other S3 implementations have a default list, so the way Tigris works was surprising)