Bug 1646606 - Getting CORS error while creating quotas via javascript
Summary: Getting CORS error while creating quotas via javascript
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: API
Version: 5.9.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: GA
: 5.9.6
Assignee: Joe Vlcek
QA Contact: Parthvi Vala
Depends On: 1599259
Blocks: 1622587
TreeView+ depends on / blocked
Reported: 2018-11-05 18:35 UTC by Satoe Imaishi
Modified: 2018-12-13 15:15 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1599259
Last Closed: 2018-12-13 15:15:44 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3649141 None None None 2018-11-05 18:35:53 UTC
Red Hat Product Errata RHSA-2018:3816 None None None 2018-12-13 15:15:54 UTC

Comment 2 CFME Bot 2018-11-05 18:44:15 UTC
New commit detected on ManageIQ/manageiq-api/gaprindashvili:

commit 9cc1ee9d5a8e6ad34c6e8846228f78cdd181a57c
Author:     Alberto Bellotti <abellotti@users.noreply.github.com>
AuthorDate: Thu Oct 18 16:14:04 2018 -0400
Commit:     Alberto Bellotti <abellotti@users.noreply.github.com>
CommitDate: Thu Oct 18 16:14:04 2018 -0400

    Merge pull request #495 from jvlcek/bz_1599259_CORS

    Add subcollection options support for CORS prefilghted requests

    (cherry picked from commit 3502e51181ce92c28866a4626fdfadf0d31bd591)


 app/controllers/api/base_controller.rb | 6 +-
 config/routes.rb | 3 +
 spec/requests/tenant_quotas_spec.rb | 6 +
 3 files changed, 14 insertions(+), 1 deletion(-)

Comment 3 Parthvi Vala 2018-11-22 06:23:32 UTC
FIXED. Verified on

Steps taken to verify the BZ:
1) Create `tenant` using API.
Request: POST /api/tenants
Query: {
  "name" : "Test Tenant",
  "description" : "Test Tenant Description",
  "parent" : { "href" : "http://<ip_address>/api/tenants/:id" }

2) Create quota for the tenant.
Request: POST /api/tenants/:id/quotas
Query: {
  "name" : "cpu_allocated",
  "value" : 1

3) Send `OPTIONS` to /api/tenants/:id/quotas and check HEADER.
Date: Thu, 22 Nov 2018 06:20:06 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Content-Type: application/json; charset=utf-8
Content-Security-Policy: default-src 'self'; connect-src 'self'; frame-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; report-uri /dashboard/csp_report
Strict-Transport-Security: max-age=631152000
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
X-Request-Id: dd4ff3b4-d2a4-4eae-978d-c8f598280192
X-Runtime: 0.006549
Content-Length: 0

These are headers from the request sent to a 5.9.2 appliance.
Date: Thu, 22 Nov 2018 06:22:45 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
Content-Type: text/html; charset=utf-8
X-Request-Id: cde690b3-f0d4-4032-9a5d-534d8c698d18
X-Runtime: 0.015369
Content-Length: 728

I checked via CURL and verified that `Access-Control-Allow-Origin` is present in the HEADER, it was not verified via AJAX Request.

Comment 5 errata-xmlrpc 2018-12-13 15:15:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.