Bug 1646606 - Getting CORS error while creating quotas via javascript
Summary: Getting CORS error while creating quotas via javascript
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: API
Version: 5.9.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: GA
: 5.9.6
Assignee: Joe Vlcek
QA Contact: Parthvi Vala
Depends On: 1599259
Blocks: 1622587
Reported: 2018-11-05 18:35 UTC by Satoe Imaishi
Modified: 2018-12-13 15:15 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1599259
Last Closed: 2018-12-13 15:15:44 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:

System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3649141 None None None 2018-11-05 18:35:53 UTC
Red Hat Product Errata RHSA-2018:3816 None None None 2018-12-13 15:15:54 UTC

Comment 2 CFME Bot 2018-11-05 18:44:15 UTC
New commit detected on ManageIQ/manageiq-api/gaprindashvili:
commit 9cc1ee9d5a8e6ad34c6e8846228f78cdd181a57c
Author:     Alberto Bellotti <>
AuthorDate: Thu Oct 18 16:14:04 2018 -0400
Commit:     Alberto Bellotti <>
CommitDate: Thu Oct 18 16:14:04 2018 -0400

    Merge pull request #495 from jvlcek/bz_1599259_CORS

    Add subcollection options support for CORS preflighted requests

    (cherry picked from commit 3502e51181ce92c28866a4626fdfadf0d31bd591)

 app/controllers/api/base_controller.rb | 6 +-
 config/routes.rb | 3 +
 spec/requests/tenant_quotas_spec.rb | 6 +
 3 files changed, 14 insertions(+), 1 deletion(-)

Comment 3 Parthvi Vala 2018-11-22 06:23:32 UTC
FIXED. Verified on

Steps taken to verify the BZ:
1) Create `tenant` using API.
Request: POST /api/tenants
Query: {
  "name" : "Test Tenant",
  "description" : "Test Tenant Description",
  "parent" : { "href" : "http://<ip_address>/api/tenants/:id" }
}

2) Create quota for the tenant.
Request: POST /api/tenants/:id/quotas
Query: {
  "name" : "cpu_allocated",
  "value" : 1
}

3) Send `OPTIONS` to /api/tenants/:id/quotas and check HEADER.
Date: Thu, 22 Nov 2018 06:20:06 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Content-Type: application/json; charset=utf-8
Content-Security-Policy: default-src 'self'; connect-src 'self'; frame-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; report-uri /dashboard/csp_report
Strict-Transport-Security: max-age=631152000
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
X-Request-Id: dd4ff3b4-d2a4-4eae-978d-c8f598280192
X-Runtime: 0.006549
Content-Length: 0

These are headers from the request sent to a 5.9.2 appliance.
Date: Thu, 22 Nov 2018 06:22:45 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
Content-Type: text/html; charset=utf-8
X-Request-Id: cde690b3-f0d4-4032-9a5d-534d8c698d18
X-Runtime: 0.015369
Content-Length: 728

I checked via CURL and verified that `Access-Control-Allow-Origin` is present in the HEADER; it was not verified via AJAX Request.
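
Comment 3 confirms the headers with curl but not from a browser. As an added example (not part of the bug report or of the ManageIQ code), this script applies the header checks a browser makes on a CORS preflight response to the two header sets captured in Comment 3. The origin `https://portal.example`, the request shape and the function names are assumptions, and the response status is not checked because the comment does not show it.

```javascript
// Added example: the header checks a browser applies to a CORS preflight response.
// Header text is copied from Comment 3; the origin and request shape are assumed.
const FIXED = `Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Content-Type: application/json; charset=utf-8`;
const OLD_592 = `Content-Type: text/html; charset=utf-8
Content-Length: 728`;

function parseHeaders(raw) {
  const map = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i > 0) map.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
  }
  return map;
}

const tokens = (v) => (v || "").split(",").map((t) => t.trim()).filter(Boolean);

// req.headers lists only the non-safelisted header names the script sets (hypothetical shape).
function preflightFailures(rawResponse, req) {
  const h = parseHeaders(rawResponse);
  const failures = [];
  const wildcardOk = (list) => !req.credentials && list.includes("*");
  const acao = h.get("access-control-allow-origin");
  // "*" is accepted only for requests sent without credentials (cookies, client certs).
  if (!acao) failures.push("missing Access-Control-Allow-Origin");
  else if (acao === "*" ? req.credentials : acao !== req.origin)
    failures.push("origin not allowed: " + acao);
  const methods = tokens(h.get("access-control-allow-methods"));
  const safeMethod = ["GET", "HEAD", "POST"].includes(req.method);
  if (!safeMethod && !methods.includes(req.method) && !wildcardOk(methods))
    failures.push("method not allowed: " + req.method);
  const allowed = tokens(h.get("access-control-allow-headers")).map((t) => t.toLowerCase());
  for (const name of req.headers.map((n) => n.toLowerCase())) {
    // "*" never covers Authorization; it must be listed by name.
    const viaWildcard = name !== "authorization" && wildcardOk(allowed);
    if (!allowed.includes(name) && !viaWildcard) failures.push("header not allowed: " + name);
  }
  return failures;
}

const quotaPost = { origin: "https://portal.example", method: "POST",
  headers: ["Content-Type", "Authorization"], credentials: false };
console.log("fixed build:", preflightFailures(FIXED, quotaPost));
console.log("5.9.2:", preflightFailures(OLD_592, quotaPost));
```

With `credentials: true` the fixed build's response also fails the origin check, because a wildcard `Access-Control-Allow-Origin` is not accepted for credentialed requests.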

Comment 5 errata-xmlrpc 2018-12-13 15:15:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
