Looks like browsers *do* send the query string in the OPTIONS request.
Change-Id: Id10e6e32890f1c9a09c91990e5a6ee729bf4d973
Related-Change: I985143bf03125a05792e79bc5e5f83722d6431b3
Unfortunately, we can't identify the user, so we can't map to an
account, so we can't respect whatever CORS metadata might be set on the
container.
As a result, the allowed origins must be configured cluster-wide. Add a
new config option, cors_preflight_allow_origin, for that; default it
to blank (ie, deny preflights from all origins, preserving existing
behavior), but allow either a comma-separated list of origins or
* (to allow all origins).
Change-Id: I985143bf03125a05792e79bc5e5f83722d6431b3
Co-Authored-By: Matthew Oliver <matt@oliver.net.au>
This adds support for presigned GET URLs, at least.
Note that there is no support yet for preflight requests, so a whole
bunch of other CORS stuff *doesn't* work (yet). This was just an easy
first step.
Change-Id: I43150a630a2a7620099e6bfecaed3bbe958ba423
