AWS CloudFront Signed Cookies CORS Issue
I am getting the following error with a CloudFront signed cookies implementation:
Access to XMLHttpRequest at 'https://a.xyz.com/test.html' from origin
'https://b.xyz.com' has been blocked by CORS policy: No
'Access-Control-Allow-Origin' header is present on the requested
resource.
I am accessing a file at a.xyz.com (Domain 1) from b.xyz.com (Domain 2).
This was working fine before restricting viewer access (using signed cookies) for the CloudFront (Domain 1) distribution.
My S3 CORS configuration for the bucket having the Domain 1 assets is:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>
I have tried setting the following whitelist headers in the CloudFront behavior settings:
Access-Control-Request-Headers
Access-Control-Request-Method
Origin
But I am still getting the above error.
Note: If I open the file https://a.xyz.com/test.html in a new tab, it is working fine, i.e. signed cookies are created successfully.
How can I fix this?
javascript ajax amazon-web-services amazon-s3 cors
edited Nov 22 '18 at 8:22
Yamini Chhabra
asked Nov 22 '18 at 5:53


Yamini Chhabra
1 Answer
For CORS to be used with cookies, you need to use Access-Control-Allow-Credentials:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
Also, Access-Control-Allow-Origin must not be *, and the XHR needs to be fired with withCredentials:
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
answered Nov 22 '18 at 8:51


William Chong
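
The three conditions in the answer above, as an added example that is not part of the original post: `corsCheck` follows the CORS check from the Fetch standard for one response, and `getWithSignedCookies` is a hypothetical helper showing the `withCredentials` call on the b.xyz.com page. The header sets passed to `corsCheck` are constructed samples.

```javascript
// Added example. Header names are lower-cased; the header sets used with this
// function are constructed samples, not captured CloudFront/S3 responses.

// CORS check from the Fetch standard, applied by the browser to the response.
function corsCheck(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  // "*" is honoured only when the request was sent without credentials.
  if (allowOrigin === "*") {
    return withCredentials
      ? { allowed: false, reason: "wildcard origin with credentials" }
      : { allowed: true, reason: "wildcard origin, no credentials" };
  }
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: "origin mismatch" };
  }
  if (!withCredentials) {
    return { allowed: true, reason: "origin match" };
  }
  // With credentials the response must also opt in, with the exact value "true".
  return headers["access-control-allow-credentials"] === "true"
    ? { allowed: true, reason: "origin match, credentials allowed" }
    : { allowed: false, reason: "Access-Control-Allow-Credentials is not true" };
}

// Hypothetical browser-side helper for the page on b.xyz.com (not run in Node).
function getWithSignedCookies(url, onDone) {
  const xhr = new XMLHttpRequest();
  xhr.open("GET", url);
  xhr.withCredentials = true; // send cookies cross-origin
  xhr.onload = () => onDone(null, xhr.status, xhr.responseText);
  xhr.onerror = () => onDone(new Error("blocked by CORS or network failure"));
  xhr.send();
}
```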