CORS issue when posting to URI produced by Google.Cloud.Storage.V1.StorageClient.CreateObjectUploader in browser #5715
Comments
shawnshaddock
changed the title
|
Here is relevant client and server code Angular client code const result = await this.storageObjectService.startUpload({
bucket: 'BUCKET-NAME',
name: file.name,
contentType: 'application/pdf'
});
this.httpClient.post(result.uploadUri, file).subscribe(() => {
console.log(`Uploaded ${file.name}`)
});ASP.NET Core in .NET 5 var upload = StorageClient.CreateObjectUploader("BUCKET-NAME", "FILE-NAME", "application/pdf", Stream.Null, new UploadObjectOptions
{
Origin = "*"
});
var uploadUri = await upload.InitiateSessionAsync(cancellationToken);
return uploadUri;This is a sample of the URI that is returned |
|
Thanks - will look at this when I get a chance. It's just possible it'll be before January, but probably not I'm afraid. |
jskeet
added
api: storage
|
@jskeet does Google.Cloud.Storage.V1.StorageClient use the Cloud Storage JSON API? |
|
Yes. |
|
I should point out that even though the browser is throwing a CORS error the files do get successfully uploaded into the bucket. This is still an issue though because it prevents me from getting the JSON response from the storage api and also prevents me from being able to handle actual upload errors. |
|
Just as an FYI, I'm now back to work, and trying to get my head round this. I've hardly done anything with CORS, so I don't yet understand all the details... I'll need to plod through it. Out of interest, are you able to share what the browser request and response look like in terms of headers etc? I don't know enough about what I'm looking at to say whether that's going to be relevant, but it may well be :) |
|
Okay, I've had a look now... and with In your application, are you able to specify a particular origin in the |
jskeet
added
the
needs more info
|
I can provide an actual origin, I was using * as a desperate attempt to fix the issue and also so that I didn't have to manage different origins in development/testing/production. But if that's how to solve it I can do it. |
|
Right - I don't know whether there is any other way of doing it, but I believe that approach will work, and hopefully isn't too hard. |
|
I will try it and report back my results. I'm busy with something else ATM so I don't think it will be today, but hopefully sometime this week. |
|
@shawnshaddock: Great, thanks. I'll leave the issue open for the moment, in the hope that we'll be able to close it when you've been able to try it. |
|
hi here, We have the same problem on our project :
Fyi CORS configuration on the bucket is ok and matches the origin header for our requests. Setting the origin header to something particular rather than I hope we can find a solution for this problem together |
|
@doubbz: I initially thought you were describing a somewhat different issue, but I'm now not sure. Could you give some more details of your situation and show the code you're using? |
|
@jskeet sure and thank you for your answer. I should maybe open a new issue because, here's the thing, we are working with a ReactJS frontend client and a PHP backend. IMO the problem might be the same because the scenario is identical as shawnshaddock's one. My js client needs an auth signature in order to perform the first POST request initiating the resumable upload session. Scenario:
$bucket->object($path)->signedUploadUrl(new \DateTimeImmutable('+100 minute'), ['Origin' => <host of my JS client>])2/ JS client performs the "initiating POST request" to the Google JSON API successfully
3/ JS performs a PUT request to the Google JSON API with the file to upload
I could open an issue on the google-cloud-php repo instead but people is already starting to be impatient around me 😅 asking me to bypass all this and PUT the files from the backend (Pod Kubernetes with low memory) instead :/ 🤷♂️ |
|
@doubbz: I don't believe the URL in the original question is a signed one. If it were, I'd expect it to use Given that .NET isn't involved at all in your scenario, I think it would be better to either ask in one of the language-neutral Storage support routes or the google-cloud-php repo... as I don't work in either Javascript or PHP, it's going to be hard for me to reproduce the issue (without basically translating that code to .NET, where the issue may not occur). If you were really doing the same requests as in the rest of this issue, it wouldn't be a problem - but the URL signing is a potentially-significant difference here. |
|
@jskeet I think you're right, it may not be the same use case because of this first step for the signature. Thank you anyway |
I tested setting a specific Origin in the UploadObjectOptions and it does indeed add the access-control-allow-origin header and works without error. |
|
Great - thanks for getting back to us. |
@shawnshaddock: Everyone on the team is now on vacation until January, but if you could provide all the parts for me to reproduce this when we're back at work, I'll definitely have a look. Please open a new issue for this rather than using this one, just to keep things clearer.
Originally posted by @jskeet in #2755 (comment)
My scenario is an Angular 10 client and .NET 5 (ASP .NET) API. The angular client calls the API to get a Cloud Storage resumable upload link. The API uses Google.Cloud.Storage.V1.StorageClient.CreateObjectUploader to initiate the upload. I also set UploadObjectOptions.Orgin to "*" in the request.
The API then returns the URI back to the angular client, where it attempts to use angulars HttpClient to do a POST to the URL with the file to upload. This is when I get the error:
Access to XMLHttpRequest at 'https://storage.googleapis.com/upload/storage/v1/b/BUCKET_NAME_REMOVED/o?uploadType=resumable&upload_id=UPLOAD_ID_REMOVED' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
The text was updated successfully, but these errors were encountered: