hi Radoslaw,

i am also curious about this because i had thought we had CORS issued solved for uWSGI in the past, i will need to look around to find the conversations i was having.

thanks for sharing your investigation, i think this is interesting.

peace o/

On Fri, Jan 17, 2020 at 1:45 PM Radosław Piliszek <radoslaw.piliszek@gmail.com> wrote:
Fellow Devs,

as you might have noticed I started taking care of openstack/js-openstack-lib,
now under the openstacksdk umbrella [1].
First goal is to modernize the CI to use Zuul v3, current devstack and
nodejs, still WIP [2].

As part of the original suite of tests, the unit and functional tests
are run from browsers as well as from node.
And, as you may know, browsers care about CORS [3].
js-openstack-lib is connecting to various OpenStack APIs (currently
limited to keystone, glance, neutron and nova) to act on behalf of the
user (just like openstacksdk/client does).
oslo.middleware, as used by those APIs, provides a way to configure
CORS by setting params in the [cors] group but uWSGI seemingly ignores
that completely [4].
I had to switch to mod_wsgi+apache instead of uwsgi+apache to get past
that issue.
I could not reproduce locally because kolla (thankfully) uses mostly
mod_wsgi atm.

The issue I see is that uWSGI is proposed as the future and mod_wsgi
is termed deprecated.
However, this means the future is broken w.r.t. CORS and so any modern
web interface with it if not sitting on the exact same host and port
(which is usually different between OpenStack APIs and any UI).

[1] https://review.opendev.org/701854
[2] https://review.opendev.org/702132
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
[4] https://github.com/unbit/uwsgi/issues/1550

-yoctozepto