Lambda function URL not respecting CORS settings
I am experimenting with using Lambda function URLs instead of API gateway. They seem to be working fine for the most part, except my browser keeps complaining about CORS. I did some testing. With CORS enabled on API gateway, I get this (expected) result.
$ curl -v https://lo1mb5fn4f.execute-api.ap-southeast-2.amazonaws.com/prod/default -X OPTIONS
* Trying 22.214.171.124:443...
* Connected to lo1mb5fn4f.execute-api.ap-southeast-2.amazonaws.com (126.96.36.199) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: ALPN, offering http/1.1
* schannel: ALPN, server accepted to use http/1.1
> OPTIONS /prod/default HTTP/1.1
> Host: lo1mb5fn4f.execute-api.ap-southeast-2.amazonaws.com
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 27 Apr 2022 09:18:52 GMT
< Content-Type: application/json
< Content-Length: 0
< Connection: keep-alive
< x-amzn-RequestId: 2b81917b-42e6-47ac-88dd-4211fb0b93ad
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token
< x-amz-apigw-id: RO6ThFTYSwMFdqg=
< Access-Control-Allow-Methods: DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT
<
* Connection #0 to host lo1mb5fn4f.execute-api.ap-southeast-2.amazonaws.com left intact
I then do the same query against the Lambda function URL, also with CORS enabled in the console. However, I do not get the CORS headers returned.
$ curl -v https://b3cdmthu62o6bqzcrb7efnw7be0ktquf.lambda-url.ap-southeast-2.on.aws/ -X OPTIONS
* Trying 188.8.131.52:443...
* Connected to b3cdmthu62o6bqzcrb7efnw7be0ktquf.lambda-url.ap-southeast-2.on.aws (184.108.40.206) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: ALPN, offering http/1.1
* schannel: ALPN, server accepted to use http/1.1
> OPTIONS / HTTP/1.1
> Host: b3cdmthu62o6bqzcrb7efnw7be0ktquf.lambda-url.ap-southeast-2.on.aws
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 27 Apr 2022 09:20:18 GMT
< Content-Type: application/json
< Content-Length: 20
< Connection: keep-alive
< x-amzn-RequestId: 13433ad6-7504-4054-abf5-ca53f9b39b3f
< X-Amzn-Trace-Id: root=1-62690ad2-0796999b639d9a5507c42dfb;sampled=0
<
"Hello from Lambda!"* Connection #0 to host b3cdmthu62o6bqzcrb7efnw7be0ktquf.lambda-url.ap-southeast-2.on.aws left intact
This does appear to be a bug in the way Lambda reads the CORS data. I would appreciate any tips on what I might be doing wrong. If it is not me, is there a way to escalate this to AWS and report this as a bug?
When you send a preflight request using OPTIONS, you need to include the Origin that you're coming from, and which Request Method you're checking should be allowed. You can do this by including the
Try using the following curl command, which asks the Lambda Function URL whether it can make a cross origin request from http://example.com with an HTTP request method of
curl --location --request OPTIONS '<YOUR FURL HERE>' \
--header 'Origin: http://example.com' \
--header 'Access-Control-Request-Method: DELETE' -v
The response I get from my test Function URL with the same CORS config that you've specified is:
> OPTIONS / HTTP/1.1
> Host: <My FURL>
> User-Agent: curl/7.64.1
> Accept: */*
> Origin: http://example.com
> Access-Control-Request-Method: DELETE
>
< HTTP/1.1 200 OK
< Date: Wed, 27 Apr 2022 14:50:31 GMT
< Content-Type: application/json
< Content-Length: 0
< Connection: keep-alive
< x-amzn-RequestId: fd7d31ab-604a-4cd0-9bae-ad9d83a74450
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: content-type,authorization,x-amz-date,x-api-key,x-amz-security-token
< Access-Control-Allow-Methods: GET,HEAD,POST,PUT,DELETE,PATCH
Let me know if this helps!
By the way, if you're curious, Lambda implements the RFC according to the steps specified here: https://www.w3.org/TR/2020/SPSD-cors-20200602/#resource-preflight-requests
The reason Lambda does not return CORS headers in your example request is because the Origin header was missing. In step 1, the specification says:
If the Origin header is not present terminate this set of steps. The request is outside the scope of this specification.
Since the Origin header is not present, we don't proceed to the following steps and just return a response.
Thank you for your feedback. After some more testing, I can confirm that the lack of Origin field in my API query was the root cause.
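The preflight steps from the W3C specification linked in the answer above, written out as an added example (not code from the thread and not Lambda's implementation). The `preflight_headers` function, the `CONFIG` dictionary and its key names are hypothetical, and ignoring a wildcard origin when credentials are enabled is a choice made in this sketch.

```python
# Added illustration of the W3C CORS "preflight request" steps.
# Not Lambda's code; function name and config keys are hypothetical.

# Constructed config mirroring the headers shown in the answer's response.
CONFIG = {
    "allow_origins": ["*"],
    "allow_methods": ["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH"],
    "allow_headers": ["content-type", "authorization", "x-amz-date",
                      "x-api-key", "x-amz-security-token"],
    "allow_credentials": False,
}

def preflight_headers(request_headers, config):
    """Return the CORS headers a resource adds to an OPTIONS response."""
    req = {k.lower(): v for k, v in request_headers.items()}
    # Step 1: no Origin header means the request is outside CORS; add nothing.
    origin = req.get("origin")
    if origin is None:
        return {}
    # Step 2: Origin must match the allow list (case-sensitive).
    # Sketch choice: a "*" entry is ignored once credentials are enabled.
    origins = config["allow_origins"]
    creds = bool(config.get("allow_credentials"))
    wildcard = "*" in origins and not creds
    if not wildcard and origin not in origins:
        return {}
    # Step 3: Access-Control-Request-Method is required.
    method = req.get("access-control-request-method")
    if not method:
        return {}
    # Step 4: requested header names; an absent header means an empty list.
    raw = req.get("access-control-request-headers", "")
    wanted = [h.strip().lower() for h in raw.split(",") if h.strip()]
    # Steps 5-6: method (case-sensitive) and headers (case-insensitive).
    allowed = {h.lower() for h in config["allow_headers"]}
    if method not in config["allow_methods"] or any(h not in allowed for h in wanted):
        return {}
    # Step 7: with credentials, echo the Origin and never answer "*".
    out = {"Access-Control-Allow-Origin": "*" if wildcard else origin}
    if creds:
        out["Access-Control-Allow-Credentials"] = "true"
    # Steps 9-10: advertise the allowed methods and headers.
    out["Access-Control-Allow-Methods"] = ",".join(config["allow_methods"])
    out["Access-Control-Allow-Headers"] = ",".join(config["allow_headers"])
    return out
```

Called with the headers from the question's request (no Origin) it returns an empty dictionary, and with the answer's request (Origin plus Access-Control-Request-Method: DELETE) it returns the three Access-Control-Allow-* headers.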