s3proxy
OPTIONS requests on presigned URLs wrongly check signature, causing failure for client-side requests
When a browser-based application uses a pre-signed URL to s3proxy (typically generated by its API), it would issue a CORS preflight OPTIONS request first. This request wrongly causes the entire operation to fail, as the browser does not include the content-md5 and x-amz-acl headers that are required for successful signature validation. The OPTIONS request failure is a SignatureDoesNotMatch error. Amazon and Digital Ocean do not check the signature on a preflight OPTIONS request. I was able to see this by sending them a request with a bogus signature.
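
The behaviour requested above, as an added example that is not part of the original report and not s3proxy's code: a request handler that answers a CORS preflight from CORS policy alone and keeps signature validation on every other request, including a bare OPTIONS. The handler shape, `verifySignature`, and the allowed origin, method and header values are assumptions made for illustration.

```javascript
// Added example, not s3proxy code; all names and policy values are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = new Set(["GET", "PUT"]);
const ALLOWED_HEADERS = "content-md5, content-type, x-amz-acl";

// Lower-case header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// A CORS preflight is OPTIONS with both Origin and Access-Control-Request-Method.
// A bare OPTIONS request is not a preflight and gets no exemption.
function isCorsPreflight(method, h) {
  return method.toUpperCase() === "OPTIONS" &&
    typeof h["origin"] === "string" &&
    typeof h["access-control-request-method"] === "string";
}

// verifySignature stands in for the server's real presigned-URL check.
function handle(req, verifySignature) {
  const h = normalize(req.headers);
  if (isCorsPreflight(req.method, h)) {
    // Answer from CORS policy only; no object data is read or written here.
    const ok = ALLOWED_ORIGINS.has(h["origin"]) &&
      ALLOWED_METHODS.has(h["access-control-request-method"].toUpperCase());
    if (!ok) return { status: 403, headers: {} };
    return { status: 200, headers: {
      "Access-Control-Allow-Origin": h["origin"],
      "Access-Control-Allow-Methods": [...ALLOWED_METHODS].join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS,
      "Vary": "Origin",
    } };
  }
  // Every other request, including the PUT that follows, must pass the check.
  if (!verifySignature(req)) return { status: 403, code: "SignatureDoesNotMatch" };
  return { status: 200, headers: {} };
}

// Constructed sample requests: a browser preflight, then an unsigned PUT.
const preflight = { method: "OPTIONS", headers: {
  "Origin": "https://app.example.com",
  "Access-Control-Request-Method": "PUT",
  "Access-Control-Request-Headers": "content-md5,x-amz-acl" } };
const unsignedPut = { method: "PUT", headers: { "Origin": "https://app.example.com" } };
const reject = () => false; // signature check that always fails
console.log(handle(preflight, reject).status, handle(unsignedPut, reject).code);
```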