CLDSRV-881: fix missing CORS headers on 403 responses by tcarmet · Pull Request #6126 · scality/cloudserver

tcarmet · 2026-04-01T01:20:25Z

When a bucket has CORS configured, cloudserver was omitting Access-Control-* headers from 403 responses. Browsers treat such responses as opaque and block the error from the web app, even though AWS S3 returns CORS headers on error responses when a matching rule exists.

The existing collectCorsHeaders helper only runs inside an API handler, after bucket metadata has been loaded. Auth failures from Vault return before any handler runs, so the route-level error response path sent no CORS headers.

The fix wraps callApiMethod's callback: on error, when the request has an Origin header and a known bucket, it fetches the bucket's CORS config and sets the matching Access-Control-* headers directly on the HTTP response before propagating the error. The extra metadata lookup only happens on failed requests with an Origin header - no cost for non-CORS traffic or successful requests.

Fixes: CLDSRV-881

bert-e · 2026-04-01T01:20:29Z

Hello tcarmet,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options

name	description	privileged	authored
`/after_pull_request`	Wait for the given pull request id to be merged before continuing with the current one.
`/bypass_author_approval`	Bypass the pull request author's approval	⭐
`/bypass_build_status`	Bypass the build and test status	⭐
`/bypass_commit_size`	Bypass the check on the size of the changeset `TBA`	⭐
`/bypass_incompatible_branch`	Bypass the check on the source branch prefix	⭐
`/bypass_jira_check`	Bypass the Jira issue check	⭐
`/bypass_peer_approval`	Bypass the pull request peers' approval	⭐
`/bypass_leader_approval`	Bypass the pull request leaders' approval	⭐
`/approve`	Instruct Bert-E that the author has approved the pull request.		✍️
`/create_pull_requests`	Allow the creation of integration pull requests.
`/create_integration_branches`	Allow the creation of integration branches.
`/no_octopus`	Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
`/unanimity`	Change review acceptance criteria from `one reviewer at least` to `all reviewers`
`/wait`	Instruct Bert-E not to run until further notice.

Available commands

name	description	privileged
`/help`	Print Bert-E's manual in the pull request.
`/status`	Print Bert-E's current status in the pull request `TBA`
`/clear`	Remove all comments from Bert-E from the history `TBA`
`/retry`	Re-start a fresh build `TBA`
`/build`	Re-start a fresh build `TBA`
`/force_reset`	Delete integration branches & pull requests, and restart merge process from the beginning.
`/reset`	Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

bert-e · 2026-04-01T01:20:37Z

Incorrect fix version

The Fix Version/s in issue CLDSRV-881 contains:

None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

9.2.33
9.3.6
9.4.0

Please check the Fix Version/s of CLDSRV-881, or the target
branch of this pull request.

claude · 2026-04-01T01:23:12Z

LGTM

The fix is correct: standardMetadataValidateBucketAndObj intentionally returns bucket on error (line 427 of metadataUtils.js: "still return bucket for cors headers"), but updateEncryption was dropping it by calling cb(err) without forwarding the bucket. This caused collectCorsHeaders to receive undefined and return empty headers on 403 responses. The tests cover the right cases (specific origin, wildcard, and no-origin).

Review by Claude Code

codecov · 2026-04-01T01:27:46Z

Codecov Report

❌ Patch coverage is 93.75000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.40%. Comparing base (c1d3d6a) to head (7f11f3b).
⚠️ Report is 2 commits behind head on development/9.2.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
lib/api/api.js	93.10%	2 Missing ⚠️

Additional details and impacted files

Files with missing lines	Coverage Δ
lib/api/bucketGetCors.js	`100.00% <100.00%> (+3.57%)`	⬆️
lib/api/bucketGetLocation.js	`100.00% <100.00%> (+4.00%)`	⬆️
lib/api/bucketGetWebsite.js	`100.00% <100.00%> (+3.57%)`	⬆️
lib/utilities/collectCorsHeaders.js	`100.00% <ø> (ø)`
lib/api/api.js	`90.47% <93.10%> (+0.31%)`	⬆️

... and 2 files with indirect coverage changes

@@                 Coverage Diff                 @@
##           development/9.2    #6126      +/-   ##
===================================================
+ Coverage            84.29%   84.40%   +0.11%     
===================================================
  Files                  204      204              
  Lines                13151    13174      +23     
===================================================
+ Hits                 11086    11120      +34     
+ Misses                2065     2054      -11

Flag	Coverage Δ
file-ft-tests	`67.89% <93.75%> (+0.21%)`	⬆️
kmip-ft-tests	`28.24% <18.75%> (-0.01%)`	⬇️
mongo-v0-ft-tests	`69.08% <93.75%> (+0.16%)`	⬆️
mongo-v1-ft-tests	`69.12% <93.75%> (+0.22%)`	⬆️
multiple-backend	`35.28% <18.75%> (-0.02%)`	⬇️
sur-tests	`35.75% <18.75%> (-0.02%)`	⬇️
sur-tests-inflights	`37.60% <18.75%> (-0.05%)`	⬇️
unit	`70.32% <81.25%> (+0.34%)`	⬆️
utapi-v2-tests	`34.53% <18.75%> (-0.02%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

bert-e · 2026-04-13T22:53:14Z

Incorrect fix version

The Fix Version/s in issue CLDSRV-881 contains:

None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

9.2.36
9.3.7
9.4.0

Please check the Fix Version/s of CLDSRV-881, or the target
branch of this pull request.

claude · 2026-04-13T22:55:56Z

LGTM

The one-line fix in updateEncryption correctly passes bucket through the error path, matching the documented callback signature (err, bucket, objMD). All 5 callers already destructure (err, bucket, ...) and will benefit from receiving the bucket reference on errors, enabling collectCorsHeaders to return proper CORS headers on 403 responses. Tests cover specific origin, wildcard, and no-origin scenarios.

Review by Claude Code

claude · 2026-04-13T23:03:26Z

LGTM

The fix is minimal and correct: passing bucket in the error callback at updateEncryption.js:111 ensures all five callers (objectGet, objectHead, objectPut, objectCopy, initiateMultipartUpload) can compute CORS headers on error responses. Without it, collectCorsHeaders(origin, method, undefined) returned {}, stripping CORS headers from error responses like 403. Tests cover the key scenarios for objectGet (specific origin, wildcard, no origin) and objectHead.

Review by Claude Code

bert-e · 2026-04-21T22:05:43Z

Incorrect fix version

The Fix Version/s in issue CLDSRV-881 contains:

None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

9.2.37
9.3.7
9.4.0

Please check the Fix Version/s of CLDSRV-881, or the target
branch of this pull request.

claude · 2026-04-21T22:10:34Z

LGTM — the callback-wrapping approach in api.js is clean: it only pays the extra metadata lookup on error+Origin, guards headersSent, and correctly short-circuits on success. Two minor test quality notes posted inline.

- tests/unit/api/corsErrorHeaders.js:238 — require() calls inside describe block should be at file top
- Move the two require statements to join the imports at lines 1-13
- tests/unit/api/corsErrorHeaders.js:199 — stale comment describes default CorsConfigTester rules, not the custom config from setupBucketWithCors
- Update to reflect that rule 0 was overridden and rule 1 (GET from *) still exists

Review by Claude Code

Cross-origin browser clients lost Access-Control-* headers whenever cloudserver returned 403, even though the bucket had a matching CORS rule. Responses now include the CORS headers for error responses on buckets with CORS configured, matching AWS behavior.

bert-e · 2026-04-23T06:41:18Z

Incorrect fix version

The Fix Version/s in issue CLDSRV-881 contains:

None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

9.2.38
9.3.7
9.4.0

Please check the Fix Version/s of CLDSRV-881, or the target
branch of this pull request.

claude · 2026-04-23T18:20:56Z

Clean, well-structured fix. The wrapper approach correctly limits the extra metadata lookup to error + Origin scenarios, and the fast-path check via hasCorsHeaders avoids redundant lookups when handlers already computed CORS headers.

- Stale comment in collectCorsHeaders.js (lines 12-20) now contradicts the new behavior and should be updated
- It says the server opts not to return CORS headers for pre-handler errors, which is exactly what this PR fixes

Review by Claude Code

claude · 2026-04-23T18:28:46Z

LGTM — clean approach wrapping the callback at the callApiMethod boundary to inject CORS headers on pre-handler errors without touching individual API handlers.

One minor nit:
- tests/unit/api/corsErrorHeaders.js:120 — arrow function captures wrong this in newRequestLoggerFromSerializedUids (see inline comment)

Review by Claude Code

claude · 2026-04-23T18:41:20Z

LGTM

Review by Claude Code

bucketGetCors and bucketGetWebsite were passing corsHeaders at callback position 1 on AccessDenied, but both endpoints are routed through responseXMLBody which reads corsHeaders at position 2. The headers were silently dropped by the route layer, so 403 responses arrived without them.

claude · 2026-04-23T18:59:01Z

LGTM

The approach is sound: wrapping callApiMethod's callback intercepts pre-handler errors (auth failures, header-size checks) exactly where CORS headers were missing, without touching each individual route or handler. The hasCorsHeaders scan prevents redundant metadata lookups when the handler already computed CORS headers. The bucketGetCors / bucketGetWebsite changes fix a pre-existing bug where corsHeaders was passed at the wrong callback position ((err, corsHeaders) vs the success-path (null, xml, corsHeaders)). Unit and functional tests cover both the fallback path and the fast path, including negative cases (no origin, non-matching origin).

Review by Claude Code

dvasilas · 2026-04-24T10:14:51Z

+// We only pay the extra metadata lookup when an Origin header is present,
+// matching AWS behavior and the existing contract of collectCorsHeaders.
+function wrapCallbackWithErrorCorsHeaders(request, response, log, callback) {
+    return (err, ...rest) => {


If the handler computes corsHeaders and gets back {} (bucket has no CORS config), and then calls callback(err, null, {}), the wrapper will still do metadata.getBucket, right? (but it does not need to, I think).

Not sure if it's a good idea, but we could cache the bucket in request (something like request._loadedBucket) and first check there before metadata.getBucket

Was able to confirm this with a extra test, indeed there would be 2 metadata call in this case.

So yeah we could consider {} as there's no header, and skip the bucket call in this case, it seems to be implicitly true, or we cache the bucket as you stated.

I'm debating between both right now, I pushed a code with the bucket cache on request. seems like the safest option between the two. Let me know what you think.

Something I didn't consider when I suggested the cache approach: I think objectCopy and objectPutCopyPart call standardMetadataValidateBucketAndObj twice (once for the destination, once for the source), so the second call will overwrite the first, and we may not get the headers for the bucket we want.
You could confirm with a test.

yes confirmed with the tests, nice catch again. At the end I ended up droping that cache entirely and accepting up to 2 metadata.getBucket calls on the error path. I believe the trade-off is fine here because:

This only fires on failing requests with an Origin header where the handler returned without surfacing CORS headers (no rule match, no CORS config, or handler dropped the bucket between waterfall steps. Small slice of overall traffic.

Turns out going the other way and trusting {} as "no CORS to apply" would have regressed handlers that drop the bucket internally their collectCorsHeaders runs with bucket=undefined and returns {} even when a matching CORS rule exists. We'd silently lose CORS headers we currently apply.

A smarter cache (map keyed by bucketName so objectCopy doesn't overwrite the destination with the source) would have preserved the optimization without the leak you flagged. So that is an option we could arguably go this way, but I honestly felt like it was a over-optimization for an error-path issue, so I went with the simpler code.

To sum things up I removed the cache, documented the behavior in case we decide to optimize in the future and added/adapted the test cases (objectCopy and limiting number of calls to getBucket) so that if we do decide to mess with it, we ensure what we discussed is not lost and will fail if we handle it badly.

bucketGetLocation had the same AccessDenied arity mismatch as bucketGetCors and bucketGetWebsite: the error branch passed corsHeaders at callback position 1, but the GET route reads position 2. Align it with the standard three-argument error callback used elsewhere.

When a handler has already loaded the bucket, the CORS error wrapper no longer re-fetches it to compute headers.

claude · 2026-04-24T17:22:23Z

LGTM

The approach is sound: wrapping the callApiMethod callback to inject CORS headers on pre-handler failures (auth denials, header-size checks) fills the gap where the existing collectCorsHeaders call inside handlers never runs. The three-tier fallback (handler-provided headers → cached bucket → metadata lookup) avoids redundant work on the common path while still covering the edge cases.

The callback signature fix in bucketGetCors, bucketGetLocation, and bucketGetWebsite is correct — previously on error these passed corsHeaders as the second arg, but routeGET destructures as (err, xml, corsHeaders), so the headers were landing in the xml position.

Review by Claude Code

Drop the request-scoped bucket cache so CORS evaluation always uses the request's actual bucket. Pin the regression scenario with a guardrail test against objectCopy and document the 2-call ceiling on the wrapper.

claude · 2026-04-27T19:23:34Z

LGTM

The wrapper approach in wrapCallbackWithErrorCorsHeaders is clean: it only pays the extra metadata lookup on error paths with an Origin header, and the hasCorsHeaders fast path avoids redundant lookups when handlers already surface CORS headers. The callback signature normalization in bucketGetCors, bucketGetLocation, and bucketGetWebsite (callback(err, null, corsHeaders) instead of callback(err, corsHeaders)) also fixes a latent bug where corsHeaders was passed in the xml position on AccessDenied errors. Tests cover auth failures, the fast path, copy-operation bucket disambiguation, non-matching origins, and success regressions.

Review by Claude Code

tcarmet force-pushed the bugfix/CLDSRV-881-cors-headers-on-403-responses branch from d7eec24 to f073231 Compare April 13, 2026 22:53

tcarmet force-pushed the bugfix/CLDSRV-881-cors-headers-on-403-responses branch from f073231 to 66233f9 Compare April 13, 2026 23:00

tcarmet force-pushed the bugfix/CLDSRV-881-cors-headers-on-403-responses branch from 66233f9 to 196a998 Compare April 21, 2026 22:05

claude Bot reviewed Apr 21, 2026

View reviewed changes

Comment thread tests/unit/api/corsErrorHeaders.js

claude Bot reviewed Apr 21, 2026

View reviewed changes

Comment thread tests/unit/api/corsErrorHeaders.js

tcarmet force-pushed the bugfix/CLDSRV-881-cors-headers-on-403-responses branch 2 times, most recently from 44b8aa0 to 406c33e Compare April 21, 2026 22:43

tcarmet force-pushed the bugfix/CLDSRV-881-cors-headers-on-403-responses branch from 406c33e to bf9577a Compare April 21, 2026 22:58

tcarmet marked this pull request as ready for review April 21, 2026 23:16

tcarmet requested a review from a team April 21, 2026 23:16

dvasilas reviewed Apr 23, 2026

View reviewed changes

Comment thread lib/api/api.js

Comment thread lib/api/api.js Outdated

CLDSRV-881: add fast-path to cors header to avoid extra md call

b5a6a51

tcarmet requested a review from dvasilas April 23, 2026 18:19

claude Bot reviewed Apr 23, 2026

View reviewed changes

Comment thread lib/api/api.js

CLDSRV-881: refactor unit test file a bit

5ce3f67

tcarmet force-pushed the bugfix/CLDSRV-881-cors-headers-on-403-responses branch from 5d9b95f to 5ce3f67 Compare April 23, 2026 18:25

claude Bot reviewed Apr 23, 2026

View reviewed changes

Comment thread tests/unit/api/corsErrorHeaders.js

CLDSRV-881: extra review improvements

ba2362c

tcarmet requested a review from a team April 23, 2026 18:36

dvasilas reviewed Apr 24, 2026

View reviewed changes

tcarmet added 2 commits April 24, 2026 10:13

CLDSRV-881: avoid redundant metadata lookup on CORS error path

3b23679

When a handler has already loaded the bucket, the CORS error wrapper no longer re-fetches it to compute headers.

tcarmet requested a review from dvasilas April 24, 2026 18:07

CLDSRV-881: extra review improvements

7f11f3b

Drop the request-scoped bucket cache so CORS evaluation always uses the request's actual bucket. Pin the regression scenario with a guardrail test against objectCopy and document the 2-call ceiling on the wrapper.

Conversation

tcarmet commented Apr 1, 2026 • edited by atlassian Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bert-e commented Apr 1, 2026

Hello tcarmet,

Uh oh!

bert-e commented Apr 1, 2026

Incorrect fix version

Uh oh!

claude Bot commented Apr 1, 2026

Uh oh!

codecov Bot commented Apr 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

bert-e commented Apr 13, 2026

Incorrect fix version

Uh oh!

claude Bot commented Apr 13, 2026

Uh oh!

claude Bot commented Apr 13, 2026

Uh oh!

bert-e commented Apr 21, 2026

Incorrect fix version

Uh oh!

Uh oh!

Uh oh!

claude Bot commented Apr 21, 2026

Uh oh!

Uh oh!

Uh oh!

bert-e commented Apr 23, 2026

Incorrect fix version

Uh oh!

Uh oh!

claude Bot commented Apr 23, 2026

Uh oh!

Uh oh!

claude Bot commented Apr 23, 2026

Uh oh!

claude Bot commented Apr 23, 2026

Uh oh!

claude Bot commented Apr 23, 2026

Uh oh!

Uh oh!

dvasilas Apr 24, 2026

Choose a reason for hiding this comment

Uh oh!

tcarmet Apr 24, 2026

Choose a reason for hiding this comment

Uh oh!

dvasilas Apr 27, 2026

Choose a reason for hiding this comment

Uh oh!

tcarmet Apr 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

claude Bot commented Apr 24, 2026

Uh oh!

claude Bot commented Apr 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

tcarmet commented Apr 1, 2026 •

edited by atlassian Bot

Loading

codecov Bot commented Apr 1, 2026 •

edited

Loading

tcarmet Apr 27, 2026 •

edited

Loading