I have checked everywhere and cannot find a straightforward answer to this question - I have a Google Cloud Function that can be called by AllUsers (I do not want it authenticated, it's a function that triggers onload for pages on my site that do not require authentication).

How can I only allow it to be called from my domain? I have tried adding my domain as a principal with role Cloud Functions Invoker and this still returns [Error] Origin [myDomain] is not allowed by Access-Control-Allow-Origin. Status code: 403

John
  • What do you mean by "called from your domain"? By users having an email like xxxx@mydomain.com? By other website/API that have a dns name in "xxxx.mydomain.com"? – guillaume blaquiere Apr 19 '23 at 18:53
  • Yes, to clarify by other website/API that have a dns name in "xxxx.mydomain.com" – John Apr 19 '23 at 18:56
  • The short answer is, no, you can't entirely stop access to a function based on how it was invoked from your web site. The best you can do is allow all access, then in the code, check the headers of the request before going further, as the duplicate question explains. But that is not 100% reliable (the header can be faked), so ideally you should make the caller of the function provide some credentials that identify them and say that they are allowed to invoke your function code. It's not super straightforward, but it's a very common strategy. – Doug Stevenson Apr 19 '23 at 19:04
  • Question is not a duplicate - I specified that it's a function that triggers onload for pages on my site that do not require authentication. Providing authentication credentials isn't a valid solution. – John Apr 19 '23 at 20:26

0 Answers
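The header check described in the comments, as an added example that is not part of the original thread: a Node.js HTTP function handler that validates the `Origin` header against the site's domain and its subdomains, answers the CORS preflight, and returns 403 otherwise. `ALLOWED_APEX`, `isAllowedOrigin` and `onPageLoad` are hypothetical names; as the comment notes, this only constrains browsers, since a non-browser client can send any `Origin` it likes.

```javascript
// Added example. ALLOWED_APEX is a placeholder for the site's own domain.
const ALLOWED_APEX = "mydomain.com";

// True only for https origins whose host is the apex or a subdomain of it.
function isAllowedOrigin(origin) {
  if (typeof origin !== "string") return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // malformed Origin header, including the literal "null"
  }
  if (url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  // Match on a label boundary so "evilmydomain.com" is rejected.
  return host === ALLOWED_APEX || host.endsWith("." + ALLOWED_APEX);
}

// HTTP function handler (Express-style req/res); export it under the
// entry-point name configured for the deployed function.
function onPageLoad(req, res) {
  const origin = req.get("Origin");
  res.set("Vary", "Origin"); // caches must not reuse a response across origins
  if (!isAllowedOrigin(origin)) {
    res.status(403).send("Origin not allowed");
    return;
  }
  // Echo the validated origin rather than "*".
  res.set("Access-Control-Allow-Origin", origin);
  if (req.method === "OPTIONS") {
    // Preflight: answer with the CORS policy and no body.
    res.set("Access-Control-Allow-Methods", "GET, POST");
    res.set("Access-Control-Allow-Headers", "Content-Type");
    res.set("Access-Control-Max-Age", "3600");
    res.status(204).send("");
    return;
  }
  res.status(200).send("ok");
}
```

The 403 in the question comes from the browser not seeing an `Access-Control-Allow-Origin` header in the response; IAM principals do not set that header, the function code has to.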