0

We have a CloudFront distribution in front of an HTTP API Gateway.

CloudFront:

  • Caching disabled
  • AllViewerExceptHostHeader
  • Response Header policy, custom
  • Adds Access-Control-Allow-Origin: <list>, Access-Control-Allow-Headers: *, Access-Control-Expose-Headers: *

When a preflight request contains the `access-control-request-headers` header with `authorization` as a value, the response omits all CORS headers, but without `authorization`, it works. Any ideas?

I was expecting the CORS headers to be defined in the response, because our Response Header policy adds them.

2
  • authorization isn't listed as an allowed request-header name in your CORS configuration; be aware that this name is special insofar as it's not covered by the wildcard (*). The behaviour you observe isn't surprising to me: many CORS middleware (for better or worse) omit all CORS response headers when preflight fails.
    – jub0bs
    Commented Jul 5 at 16:29
  • 1
    Thank you @jub0bs - these are very valuable links to learn from! I wasn't aware of the non-wildcard headers.
    Commented Jul 8 at 9:06
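
Added example (not part of the original thread, and not CloudFront's or API Gateway's code): the header-name matching rule from the Fetch standard that the comment above refers to, followed by a hypothetical strict middleware that emits no CORS headers when the preflight fails. The function names, the policy objects and the origin `https://app.example` are constructed for illustration.

```javascript
// Per the Fetch standard, `authorization` is the only
// "CORS non-wildcard request-header name": "*" never covers it.
const NON_WILDCARD = new Set(["authorization"]);

// Split a comma-separated header value into lowercase names.
function parseList(value) {
  return (value || "")
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter((s) => s.length > 0);
}

// Returns the requested header names the allow-list does NOT cover.
//   requested: value of Access-Control-Request-Headers
//   allowed:   value of Access-Control-Allow-Headers
//   withCredentials: true for requests sent with credentials: "include"
function uncoveredHeaders(requested, allowed, withCredentials = false) {
  const allow = new Set(parseList(allowed));
  // "*" is a wildcard only for non-credentialed requests;
  // with credentials it is treated as a literal header name.
  const wildcard = allow.has("*") && !withCredentials;
  return parseList(requested).filter((name) => {
    if (allow.has(name)) return false; // listed explicitly
    if (NON_WILDCARD.has(name)) return true; // never matched by "*"
    return !wildcard;
  });
}

// Hypothetical strict middleware: on a failed preflight it returns
// no CORS headers at all, the behaviour described in the comment.
function preflightResponse(policy, req) {
  const originOk = policy.origins.includes(req.origin);
  const missing = uncoveredHeaders(req.requestHeaders, policy.allowHeaders);
  if (!originOk || missing.length > 0) return {};
  return {
    "access-control-allow-origin": req.origin,
    "access-control-allow-headers": policy.allowHeaders,
  };
}

// Constructed policies: the wildcard-only one from the question,
// and one that also names Authorization explicitly.
const WEAK = { origins: ["https://app.example"], allowHeaders: "*" };
const FIXED = { origins: ["https://app.example"], allowHeaders: "*, Authorization" };
const REQ = { origin: "https://app.example", requestHeaders: "authorization,content-type" };

console.log(preflightResponse(WEAK, REQ));  // no CORS headers
console.log(preflightResponse(FIXED, REQ)); // CORS headers present
```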
