
Is it possible to have a wildcard sub-domain for the CORS headers in AWS Api Gateway?

E.g. (Mock Integration excerpt)

"ResponseParameters": {
    "method.response.header.Access-Control-Allow-Origin": "'http:\/\/*.example.com'",
    "method.response.header.Access-Control-Allow-Headers": "'Content-Type, X-Amz-Date, Authorization, X-Api-Key, X-Amz-Security-Token'",
    "method.response.header.Access-Control-Allow-Methods": "'GET', 'OPTIONS'"
}

Currently, I'm getting an error saying that the CORS header does not match what I have in Access-Control-Allow-Origin.

2 Answers


API Gateway will return the value in Access-Control-Allow-Origin to the browser, so it will return the wildcard as shown in your example; however, this will not do anything useful, since partial wildcards are not supported by the CORS specification and are thus not processed by the browser. The CORS specification does allow returning an asterisk ('*') to allow all origins.

Obviously, if you only need to allow one origin, you just specify it completely. Some customers that need to allow multiple origins return an asterisk and thus allow all origins. If you must only allow a subset of origins, then it can be done, but you won't be able to use static values for your headers (as the CORS wizard in the API Gateway console does). You would have to implement the HEAD method using either a Lambda or HTTP integration, pass the "Referer" header to your integration, have your integration compare the "Referer" header to the list of origins you wish to allow, and conditionally respond back with a value that you map to the "Access-Control-Allow-Origin" header. You would also have to include similar functionality on any of the other methods (GET, POST, etc.) that you call on the resource.

MikeD at AWS
  • Do you mean something like this? http://stackoverflow.com/questions/14003332/access-control-allow-origin-wildcard-subdomains-ports-and-protocols Do you have any examples of implementing a HEAD method? Also, thanks for your answer – Pavithra Weerasinghe Oct 26 '16 at 01:35
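An added example (not code from the question or from either answer) of the conditional approach described in the answer above, written as a Python Lambda proxy handler: it validates the browser's Origin request header (the header a browser sends on cross-origin requests, including the OPTIONS preflight) against an allowlist that covers every subdomain of example.com, and echoes only an allowed origin back. The allowlist values, the function names, and the assumption that only https origins should be accepted are this example's own.

```python
# Added example, not code from the question or either answer: a Lambda proxy
# handler that decides Access-Control-Allow-Origin per request, since a literal
# "http://*.example.com" is never honoured by a browser. ALLOWED_EXACT,
# ALLOWED_SUFFIX and the function names are this example's own choices.
from urllib.parse import urlsplit

ALLOWED_EXACT = {"https://example.com"}   # apex origin, allowed as-is
ALLOWED_SUFFIX = ".example.com"           # "*.example.com" as a label-boundary suffix
ALLOWED_HEADERS = "Content-Type, X-Amz-Date, Authorization, X-Api-Key, X-Amz-Security-Token"


def allowed_origin(origin):
    """Return the normalized origin if it is allowed, else None.

    Structural check, not a substring test: 'example.com' in origin would accept
    https://example.com.attacker.net, and a bare endswith accepts notexample.com.
    """
    if not origin or origin == "null":
        return None
    try:
        parts = urlsplit(origin)
        host, port = (parts.hostname or "").lower(), parts.port  # port may raise
    except ValueError:
        return None
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment or parts.username:
        return None  # assumption: only clean https origins (no path, no userinfo) are wanted
    normalized = f"https://{host}" + (f":{port}" if port else "")
    if normalized in ALLOWED_EXACT:
        return normalized
    if host.endswith(ALLOWED_SUFFIX) and len(host) > len(ALLOWED_SUFFIX):
        return normalized
    return None


def cors_headers(origin):
    """Response headers for one request; no ACAO header at all when the origin is not allowed."""
    allowed = allowed_origin(origin)
    if allowed is None:
        return {}
    return {
        "Access-Control-Allow-Origin": allowed,
        "Access-Control-Allow-Headers": ALLOWED_HEADERS,
        "Access-Control-Allow-Methods": "GET,OPTIONS",
        "Vary": "Origin",  # stops a shared cache serving one origin's ACAO to another
    }


def handler(event, context=None):
    """Lambda proxy integration entry point: the OPTIONS preflight and the GET itself."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    cors = cors_headers(headers.get("origin", ""))
    if event.get("httpMethod") == "OPTIONS":
        return {"statusCode": 204, "headers": cors, "body": ""}
    return {"statusCode": 200, "headers": cors, "body": '{"ok": true}'}
```

The same cors_headers call belongs in every other method on the resource, as the answer notes, so that the actual GET or POST response carries a matching header too.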

If it's specific to AWS, then the API Gateway service enables CORS only when the complete name of the origin is specified in Access-Control-Allow-Origin.

  • For example, if you have to allow requests coming from example.com, then specify the allow origin in the format 'https://example.com'.
  • It doesn't support other wildcards, except (*), but it supports more than one origin, comma delimited.
Kran