We have a CloudFront distribution in front of an HTTP API Gateway.
CloudFront:
- Caching disabled
- AllViewerExceptHostHeader
- Response Header policy, custom
  - Adds `Access-Control-Allow-Origin: <list>`, `Access-Control-Allow-Headers: *`, `Access-Control-Expose-Headers: *`
When a preflight request contains the `access-control-request-headers` with `authorization` as a value, the response headers omit any CORS headers, but without `authorization`, it works. Any ideas?
I was expecting the CORS headers to be defined in the response, because our Response Header policy adds them.
`authorization` isn't listed as an allowed request-header name in your CORS configuration; be aware that this name is special insofar as it's not covered by the wildcard (`*`). The behaviour you observe isn't surprising to me: many CORS middleware (for better or worse) omit all CORS response headers when preflight fails.
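
The wildcard rule mentioned in the answer above, as an added example (not part of the original answer and not CloudFront's or any middleware's own code): a model of the check a browser applies to `Access-Control-Allow-Headers` in a preflight response, following the Fetch standard. The function names and sample values are constructed for illustration.

```javascript
// The only CORS non-wildcard request-header name in the Fetch standard.
const NON_WILDCARD = new Set(["authorization"]);

// Split a comma-separated header value into trimmed, lower-cased tokens.
function parseList(value) {
  return (value || "")
    .split(",")
    .map((t) => t.trim().toLowerCase())
    .filter((t) => t.length > 0);
}

// requestHeaders: value of Access-Control-Request-Headers (preflight request).
// allowHeaders:   value of Access-Control-Allow-Headers (preflight response).
// credentialed:   true when the actual request is sent with credentials mode "include".
// Returns { ok, rejected }; rejected lists the names the response does not authorise.
function checkPreflightHeaders(requestHeaders, allowHeaders, credentialed = false) {
  const requested = parseList(requestHeaders);
  const allowed = new Set(parseList(allowHeaders));
  // "*" acts as a wildcard only for requests made without credentials.
  const wildcard = allowed.has("*") && !credentialed;

  const rejected = requested.filter((name) => {
    if (allowed.has(name)) return false;     // listed explicitly: accepted
    if (NON_WILDCARD.has(name)) return true; // "*" never covers authorization
    return !wildcard;                        // any other name needs the wildcard
  });
  return { ok: rejected.length === 0, rejected };
}

// Constructed sample pairs: [Access-Control-Request-Headers, Access-Control-Allow-Headers]
const samples = [
  ["authorization", "*"],                              // the configuration in the question
  ["content-type", "*"],                               // wildcard covers ordinary names
  ["Authorization, Content-Type", "*, Authorization"], // explicit entry next to the wildcard
];
for (const [req, allow] of samples) {
  const { ok, rejected } = checkPreflightHeaders(req, allow);
  console.log(`${req} vs ${allow}: ${ok ? "pass" : "fail (" + rejected.join(", ") + ")"}`);
}
```

Listing `Authorization` by name alongside `*` in the allowed headers is what makes the third sample pass.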