I am fairly new to AWS and wanted to understand CORS behavior for various "AllowedOrigins" in the CORS policy.
- If AllowedOrigin has wildcard (*) as a part or has an explicit origin mentioned --
CORS Policy :
[
{
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"GET",
"PUT"
],
"AllowedOrigins": [
"http://local*" OR "http://localhost.com"
],
"ExposeHeaders": []
}
]
In the above CORS policy, API call : curl -i https://testawsbucket17.s3.ap-south-1.amazonaws.com/range.txt -H "Origin: http://localhost.com" returns headers as followed :
Access-Control-Allow-Origin : http://localhost.com
Access-Control-Allow-Method : GET, PUT
- If AllowedOrigin has ONLY wildcard present --
[
{
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"GET",
"PUT"
],
"AllowedOrigins": [
"*"
],
"ExposeHeaders": []
}
]
The same API call returns below CORS headers -
Access-Control-Allow-Origin : *
Access-Control-Allow-Method : GET, PUT
I wanted to understand why AWS has this discrepancy where in some scenario it sends CORS policy's origin as response header whereas in other scenarios it sends the response header as the origin which is sent in the request.
Also, as per the document linked below, returning wildcard character (*) as origin in response is not accepted in credentialed request. How is AWS handling it? https://fetch.spec.whatwg.org/#cors-protocol-and-credentials
AWS OFFICIALUpdated 2 years ago
