New commit detected on ManageIQ/manageiq-api/gaprindashvili:

https://github.com/ManageIQ/manageiq-api/commit/9cc1ee9d5a8e6ad34c6e8846228f78cdd181a57c

commit 9cc1ee9d5a8e6ad34c6e8846228f78cdd181a57c
Author:     Alberto Bellotti <abellotti.github.com>
AuthorDate: Thu Oct 18 16:14:04 2018 -0400
Commit:     Alberto Bellotti <abellotti.github.com>
CommitDate: Thu Oct 18 16:14:04 2018 -0400

    Merge pull request #495 from jvlcek/bz_1599259_CORS

    Add subcollection options support for CORS preflighted requests

    (cherry picked from commit 3502e51181ce92c28866a4626fdfadf0d31bd591)

    https://bugzilla.redhat.com/show_bug.cgi?id=1646606

 app/controllers/api/base_controller.rb | 6 +-
 config/routes.rb                       | 3 +
 spec/requests/tenant_quotas_spec.rb    | 6 +
 3 files changed, 14 insertions(+), 1 deletion(-)

FIXED. Verified on 5.9.6.2.20181119175512_3a18916.

Steps taken to verify the BZ:

1) Create `tenant` using API.

    Request: POST /api/tenants
    Query:
    {
      "name" : "Test Tenant",
      "description" : "Test Tenant Description",
      "parent" : { "href" : "http://<ip_address>/api/tenants/:id" }
    }

2) Create quota for the tenant.

    Request: POST /api/tenants/:id/quotas
    Query:
    {
      "name" : "cpu_allocated",
      "value" : 1
    }

3) Send `OPTIONS` to /api/tenants/:id/quotas and check HEADER.

    HEADERS:
    Date: Thu, 22 Nov 2018 06:20:06 GMT
    Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token
    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
    Content-Type: application/json; charset=utf-8
    Content-Security-Policy: default-src 'self'; connect-src 'self'; frame-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; report-uri /dashboard/csp_report
    Strict-Transport-Security: max-age=631152000
    X-Content-Type-Options: nosniff
    X-Download-Options: noopen
    X-Frame-Options: SAMEORIGIN
    X-Permitted-Cross-Domain-Policies: none
    X-XSS-Protection: 1; mode=block
    Cache-Control: no-cache
    X-Request-Id: dd4ff3b4-d2a4-4eae-978d-c8f598280192
    X-Runtime: 0.006549
    Content-Length: 0

These are headers from the request sent to a 5.9.2 appliance.

    HEADERS:
    Date: Thu, 22 Nov 2018 06:22:45 GMT
    Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
    Content-Type: text/html; charset=utf-8
    X-Request-Id: cde690b3-f0d4-4032-9a5d-534d8c698d18
    X-Runtime: 0.015369
    Content-Length: 728

I checked via CURL and verified that `Access-Control-Allow-Origin` is present in the HEADER; it was not verified via AJAX Request.

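The following is an added example, not part of the verification comment above or of the ManageIQ code base: it evaluates the two `OPTIONS` responses quoted above the way a browser evaluates a preflight, which is the check the curl test did not cover. The helper names and the origin `https://ui.example.test` are assumptions made for illustration, and only the CORS-relevant headers are copied from the comment.

```ruby
# CORS-safelisted methods never need to be listed in Access-Control-Allow-Methods.
SAFELISTED_METHODS = %w[GET HEAD POST].freeze

# Parse "Name: value" lines into a hash keyed by lowercased header name.
def parse_headers(raw)
  raw.each_line.with_object({}) do |line, headers|
    name, value = line.strip.split(/:\s*/, 2)
    headers[name.downcase] = value if name && value
  end
end

# Split a comma-separated header value into trimmed tokens.
def tokens(value)
  value.to_s.split(",").map(&:strip).reject(&:empty?)
end

# Reasons a browser would reject this preflight response (empty list = pass).
# Simplified: ignores the response status, assumes a non-credentialed request,
# and only honours an explicit Access-Control-Allow-Headers list.
def preflight_failures(headers, origin:, method:, request_headers: [])
  failures = []
  allow_origin = headers["access-control-allow-origin"]
  failures << "origin #{origin} not allowed" unless ["*", origin].include?(allow_origin)

  methods = tokens(headers["access-control-allow-methods"])
  unless SAFELISTED_METHODS.include?(method) || methods.include?(method) || methods.include?("*")
    failures << "method #{method} not allowed"
  end

  allowed = tokens(headers["access-control-allow-headers"]).map(&:downcase)
  request_headers.each do |name|
    failures << "header #{name} not allowed" unless allowed.include?(name.downcase)
  end
  failures
end

# CORS-relevant headers copied from the two responses in the comment above.
FIXED_5_9_6 = parse_headers(<<~HEADERS)
  Access-Control-Allow-Origin: *
  Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token
  Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
  Content-Type: application/json; charset=utf-8
HEADERS

UNFIXED_5_9_2 = parse_headers(<<~HEADERS)
  Content-Type: text/html; charset=utf-8
  Content-Length: 728
HEADERS
```

A cross-origin `DELETE` carrying `X-Auth-Token` passes against the 5.9.6 headers and fails on all three checks against the 5.9.2 headers.
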
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:3816