Wildcard in Cloudfront Access-Control-Allow-Origin response policy


Several months back we created a Cloudfront Response Policy with a CORS header setting that included an Access-Control-Allow-Origin of https://*-myorg.vercel.app. The docs state that "The wildcard character (*) is allowed as the leftmost part of the domain (*.example.org)." While it doesn't give an example of that wildcard being a part of a subdomain, it allowed me to create this policy.

Fast forward to today and the user interface and API will not allow me to edit this policy or create a new one with the wildcard in this position. It does allow it if it's the entire subdomain, such as *.example.org, but not *-test.example.org or *anything.example.org.

The error we receive is "The parameter Access-Control-Allow-Origin contains *a.example.org which is not a valid URL."

Is this a purposeful change in behavior? Is there a way to recreate this policy or edit the old one?

Note: The policy that is in place DOES work. When a request is made that matches that wildcard, the response contains the header with the full domain. This is how AWS has always handled wildcards. It wildcards on the server side, and returns the full domain.


asked a year ago
1 Answer

I have just tested this and I have the same result. However, I believe you can only use a wildcard to specify ALL and not part of a word. You can't use a wildcard as a catch-all, i.e. *-myhosts.example.com, but you can use *.example.com.

I even tried 4 subdomains deep with *.level3.level2.level1.example.com and it works fine.

I suggest you change the parameter to All Origins, then save, then update again with the correct values, sticking to the correct standard. I am not sure why AWS let you before; however, that is not supported, I believe, in CORS. Wildcards are *. not *something.

answered a year ago
  • It's not a CORS standard to wildcard anywhere (except the entire thing, a la "*"). Amazon matches the incoming request and, if it is a match, then it responds in the allow-origin with the full domain that was requested. That's part of the problem I have: it's working as desired right now. Updated question to include this, and provided a screenshot of headers.

    So the functionality works, but I can't enter it as a value (anymore!).
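The mechanism the question and the answer are describing, as an added example that is not part of the thread and not code from CloudFront or AWS: the server compares the request's Origin header against an allowlist and, on a match, echoes the full requested origin in Access-Control-Allow-Origin, since that header can only carry "*" or one exact origin, never a pattern. The validation function reproduces the rule the thread converges on (a wildcard is accepted only as the entire leftmost host label, so https://*.example.org passes and https://*-myorg.vercel.app does not). Two assumptions are built in and are not stated in the thread: "*" stands for exactly one host label (how CloudFront treats deeper subdomains is not discussed), and a missing port is compared as the scheme's default.

```python
"""Server-side CORS origin matching with a leftmost-label wildcard.

Added example, not code from the re:Post thread, from CloudFront or from AWS.
Assumptions (not from the thread): "*" matches exactly one host label, and an
absent port is compared as the scheme's default port.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_parts(origin: str) -> Optional[Tuple[str, str, int]]:
    """Split an origin into (scheme, host, port); None if it is not a bare origin."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname
    if parts.scheme not in _DEFAULT_PORTS or not host:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None  # an origin is scheme://host[:port] and nothing else
    if any(not label for label in host.split(".")):
        return None  # empty label, e.g. ".example.org" or "a..b"
    return parts.scheme, host, port or _DEFAULT_PORTS[parts.scheme]


def validate_allowed_origin(pattern: str) -> bool:
    """Accept "*", an exact origin, or scheme://*.rest-of-host[:port]."""
    if pattern == "*":
        return True
    parsed = _origin_parts(pattern)
    if parsed is None:
        return False
    labels = parsed[1].split(".")
    if "*" in parsed[1]:
        # The wildcard must be the whole first label and appear nowhere else;
        # this is what rejects "*-test.example.org" and "*a.example.org".
        return labels[0] == "*" and len(labels) >= 2 and not any("*" in l for l in labels[1:])
    return True


def match_origin(request_origin: str, allowed: List[str]) -> Optional[str]:
    """Return the Access-Control-Allow-Origin value for this request, or None."""
    req = _origin_parts(request_origin)
    if req is None or "*" in req[1]:
        return None  # a request Origin is never a pattern
    req_scheme, req_host, req_port = req
    req_labels = req_host.split(".")
    for pattern in allowed:
        if not validate_allowed_origin(pattern):
            continue  # really a config-time error; skipped here so a bad entry cannot widen access
        if pattern == "*":
            return "*"
        pat_scheme, pat_host, pat_port = _origin_parts(pattern)
        if (pat_scheme, pat_port) != (req_scheme, req_port):
            continue
        pat_labels = pat_host.split(".")
        if pat_labels[0] == "*":
            # "*" stands for exactly one label; compare the remaining labels as
            # whole labels so "evilexample.org" cannot match "*.example.org".
            if len(req_labels) == len(pat_labels) and req_labels[1:] == pat_labels[1:]:
                return request_origin  # echo the full origin, never the pattern
        elif pat_host == req_host:
            return request_origin
    return None


def cors_headers(request_origin: str, allowed: List[str]) -> Dict[str, str]:
    """Build the CORS response headers for a request ({} if the origin is not allowed)."""
    value = match_origin(request_origin, allowed)
    if value is None:
        return {}
    headers = {"Access-Control-Allow-Origin": value}
    if value != "*":
        # The response now depends on the Origin header; without Vary a shared
        # cache could hand one origin's Access-Control-Allow-Origin to another.
        headers["Vary"] = "Origin"
    return headers


if __name__ == "__main__":
    # Constructed sample allowlist and request origins, in the shape of the thread's examples.
    allowlist = ["https://*.example.org", "https://app.example.com"]
    for origin in ("https://pr-42.example.org", "https://a.b.example.org", "https://evilexample.org"):
        print(origin, "->", cors_headers(origin, allowlist))
    print("https://*-myorg.vercel.app valid?", validate_allowed_origin("https://*-myorg.vercel.app"))
```

The practical point is the one the asker makes: wildcard matching happens entirely on the server, and the header sent back is always one concrete origin, so a policy that matches https://*.example.org still answers a request from https://pr-42.example.org with exactly that origin and a Vary: Origin. Whether the allowlist accepts a wildcard inside a label is a validation rule of the tool storing the policy, not something the CORS header itself can express.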
