CORS config options

[davekaro]

I'm trying to use rclone serve s3 to replace minio. Working well so far but found a few issues around CORS preflight requests from the browser. For one, in my presign request I am passing the content-md5 header, but that is not listed in

gofakes3/cors.go

Line 9 in ef642ce

corsHeaders = []string{

. I see the forked repo recently added support for insecure CORS that would allow everything. That would work well for me in this case, or just adding the content-md5 to the list of allowed headers.

But, I have a second somewhat related problem, which is depending on how you start rclone serve s3, I get different CORS behavior. I'm guessing this is a better issue for the actual rclone repo, but it's hard for me to draw the lines of how these interact.

If I start like rclone serve s3 --allow-origin '*' s3, then run curl -v -X OPTIONS http://127.0.0.1:8080, I see this relevant output:

< Access-Control-Allow-Headers: Accept, Accept-Encoding, Authorization, Content-Disposition, Content-Length, Content-Type, X-Amz-Date, X-Amz-User-Agent, X-CSRF-Token, x-amz-acl, x-amz-content-sha256, x-amz-meta-filename, x-amz-meta-from, x-amz-meta-private, x-amz-meta-to, x-amz-security-token
< Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE, HEAD
< Access-Control-Allow-Origin: *
< Access-Control-Expose-Headers: ETag
< Access-Control-Max-Age: 86400

But, if I start like rclone serve s3 --auth-key access,secret --allow-origin "*" s3 and run curl -v -X OPTIONS http://127.0.0.1:8080, I see different output:

< Access-Control-Allow-Headers: authorization, Content-Type
< Access-Control-Allow-Methods: COPY, DELETE, GET, HEAD, LOCK, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, TRACE, UNLOCK
< Access-Control-Allow-Origin: *
< Access-Control-Max-Age: 86400