
My use case is simple, I have static files (JS, images) in S3 that I want to share to multiple origins via CloudFront CDN.

I only want to publicly allow GET from S3 and my actual configuration is the following:

<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <ID>BucketCORSRules</ID>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedMethod>GET</AllowedMethod>
    <!-- no AllowedHeader element: only simple GET/HEAD requests are expected -->
    <MaxAgeSeconds>3600</MaxAgeSeconds>
  </CORSRule>
</CORSConfiguration>

Everything works nicely except that sometimes I randomly get a "no 'Access-Control-Allow-Origin' header is present" error when I put new S3 objects.

My question is about AllowedHeader.

I've read everywhere (here on SO, again on SO and here on AWS) that AllowedHeader should be set to * or Authorization, but why?

Shouldn't this CORS configuration be working with CORS simple requests without any AllowedHeader? What could possibly lead to random "no 'Access-Control-Allow-Origin' header is present" errors?

The AllowedHeader element specifies which headers are allowed in a preflight request through the Access-Control-Request-Headers header. Each header name in the Access-Control-Request-Headers header must match a corresponding entry in the rule. Amazon S3 will send only the allowed headers in a response that were requested. For a sample list of headers that can be used in requests to Amazon S3, go to Common Request Headers in the Amazon Simple Storage Service API Reference guide.

Source: http://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html#cors-allowed-headers

Yves M.
    Can you capture the request and response of one of these failed requests? I wonder if you aren't encountering a [timing issue with CloudFront](http://stackoverflow.com/a/35541525/1695906) that can be resolved by setting the error caching minimum ttl for 403/404 errors to `0`. – Michael - sqlbot Apr 24 '17 at 23:39
  • @Michael-sqlbot `AllowedHeader` = request headers, and `ExposeHeader` = response headers – Yves M. May 14 '17 at 09:09
  • I am not sure what I was thinking. You are of course, correct. Removed the comment. – Michael - sqlbot May 14 '17 at 19:19
  • Did you clarify when and why `AllowedHeader` is needed? I've found the documentation about it very confusing. Another way to phrase the question would be: *which headers should be allowed in a preflight request? And when/why?* – Fabien Snauwaert Jan 04 '19 at 17:07
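Added illustration (not code from the question, from S3, or from a browser): a small model of when a browser turns a cross-origin request into a preflight, which names it puts into Access-Control-Request-Headers, and how an S3-style rule set like the one in the question answers that preflight with and without AllowedHeader. Rule matching follows the S3 documentation quoted above; the browser side follows the Fetch standard's CORS-safelisted method and header definitions, simplified (value-length limits and forbidden header names are ignored). The origin and header values are constructed placeholders, and the CloudFront error-caching behaviour mentioned in the comments is not modelled.

```javascript
// CORS-safelisted methods and request headers (Fetch standard, simplified).
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Header names (lower-cased, sorted) that would appear in
// Access-Control-Request-Headers; an empty list means no header forces a preflight.
function nonSafelistedHeaders(headers) {
  const out = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) {
      out.push(lower);
    } else if (lower === "content-type") {
      // Content-Type is safelisted only for three media types.
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) out.push(lower);
    }
  }
  return out.sort();
}

// A request is "simple" (sent with no preflight) only if the method is
// GET/HEAD/POST and every header is CORS-safelisted.
function needsPreflight(method, headers) {
  return !SAFELISTED_METHODS.has(method.toUpperCase()) ||
         nonSafelistedHeaders(headers).length > 0;
}

// S3 AllowedOrigin / AllowedHeader values may contain at most one "*" wildcard.
function matchesPattern(pattern, value) {
  const p = pattern.toLowerCase();
  const v = value.toLowerCase();
  const star = p.indexOf("*");
  if (star === -1) return p === v;
  const prefix = p.slice(0, star);
  const suffix = p.slice(star + 1);
  return v.length >= prefix.length + suffix.length &&
         v.startsWith(prefix) && v.endsWith(suffix);
}

// Evaluate one cross-origin request against rules shaped like the question's
// <CORSRule>. The first rule whose AllowedOrigin, AllowedMethod and (for a
// preflight) every AllowedHeader match wins; if none matches, no CORS headers
// are returned and the browser reports the missing Access-Control-Allow-Origin.
function evaluateCors(rules, { origin, method, headers = {} }) {
  const preflight = needsPreflight(method, headers);
  // Only a preflight carries Access-Control-Request-Headers, so AllowedHeader
  // is irrelevant for a plain GET/HEAD with no custom headers.
  const requested = preflight ? nonSafelistedHeaders(headers) : [];
  for (const rule of rules) {
    const originOk = rule.allowedOrigins.some((p) => matchesPattern(p, origin));
    const methodOk = rule.allowedMethods.includes(method.toUpperCase());
    const headersOk = requested.every((h) =>
      (rule.allowedHeaders || []).some((p) => matchesPattern(p, h)));
    if (originOk && methodOk && headersOk) {
      return {
        preflight,
        allowed: true,
        "Access-Control-Allow-Origin": rule.allowedOrigins.includes("*") ? "*" : origin,
        "Access-Control-Allow-Methods": rule.allowedMethods.join(", "),
        // Per the S3 docs, only the requested headers that are allowed are echoed.
        "Access-Control-Allow-Headers": requested.join(", "),
        "Access-Control-Max-Age": String(rule.maxAgeSeconds),
      };
    }
  }
  return { preflight, allowed: false };
}

// The question's rule as an object, plus a variant that adds AllowedHeader.
const PAGE_RULE = { allowedOrigins: ["*"], allowedMethods: ["HEAD", "GET"], maxAgeSeconds: 3600 };
const RULE_WITH_AUTH = { ...PAGE_RULE, allowedHeaders: ["Authorization"] };

// Constructed sample requests; the origin is a placeholder.
const ORIGIN = "https://app.example";
const simpleGet = { origin: ORIGIN, method: "GET" };
const authGet = { origin: ORIGIN, method: "GET", headers: { Authorization: "Bearer x" } };
const jsonPost = { origin: ORIGIN, method: "POST", headers: { "Content-Type": "application/json" } };

if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluateCors([PAGE_RULE], simpleGet));      // simple request, allowed
  console.log(evaluateCors([PAGE_RULE], authGet));        // preflight, rejected: no AllowedHeader
  console.log(evaluateCors([RULE_WITH_AUTH], authGet));   // preflight, allowed
  console.log(evaluateCors([RULE_WITH_AUTH], jsonPost));  // POST is not an AllowedMethod
}
```

The model shows why the question's intuition holds for the case it describes: a GET or HEAD with no custom headers is a simple request, never carries Access-Control-Request-Headers, and so matches the rule without any AllowedHeader. AllowedHeader only enters the decision once the page sends something non-safelisted (an Authorization header, an x-amz-* header, a JSON Content-Type), at which point the browser preflights and a rule without a matching AllowedHeader yields no Access-Control-Allow-Origin at all. Check which case you are in by capturing the failing request, as the first comment suggests, and looking for an OPTIONS preflight with Access-Control-Request-Headers.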

0 Answers