I have set a Cloudfront origin request policy with no cookie.
But Cloudfront is sending the cookies to the origin anyways.
Here is the data obtained on Webpagetest for request (https://www.webpagetest.org/result/220816_BiDcWR_ACG/1/details/#waterfall_view_step1):
:authority: fisiculturismo.com.br
:method: GET
:path: /applications/core/interface/font/fontawesome-webfont.woff2?v=4.7.0
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: AWSALB=V+qLZCNbjEfbsPzZCvXjy8lR1d7lJw+6Qz1bNnwYg3ri9BdDQEtMndfBsf/Hz6jHSj9ffTMEA4MsyUU2es6+KXvX4j590g0Rnn2XevQuROzwR/vyxmaPt32qn142; AWSALBCORS=V+qLZCNbjEfbsPzZCvXjy8lR1d7lJw+6Qz1bNnwYg3ri9BdDQEtMndfBsf/Hz6jHSj9ffTMEA4MsyUU2es6+KXvX4j590g0Rnn2XevQuROzwR/vyxmaPt32qn142; ips4_IPSSessionFront=fi6hu5jv1pl00tp6jshi3uf2ka
origin: https://fisiculturismo.com.br
referer: https://fisiculturismo.com.br/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="104", "Google Chrome";v="104"
sec-ch-ua-mobile: ?1
sec-ch-ua-platform: "Android"
sec-fetch-dest: font
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Linux; Android 8.1.0; Moto G (4)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.79 Mobile Safari/537.36 PTST/220727.131331
customize waterfall • Vie
===
As long as there is a session cookie, the response miss the Cloudfront cache:
accept-ranges: bytes
cache-control: max-age=2592000, public
content-length: 77160
content-type: application/font-woff2
date: Tue, 16 Aug 2022 14:33:40 GMT
etag: "12d68-5e3c8209e1ce0"
expires: Thu, 15 Sep 2022 14:33:40 GMT
last-modified: Thu, 14 Jul 2022 18:32:43 GMT
server: Apache/2.4.54 (Ubuntu)
set-cookie: AWSALB=ldcCFgF+iJ0E/9dkC7wI4cjnuEVQbpZIdhNTudEvrd2RNGyXq1KOUVxtocvI6fgV6ZgUUbC34vikqmDhDGNxJuswDudtAo0P8RpZDyi/k2/Njzu5uQUSS0REf8QM; Expires=Tue, 23 Aug 2022 14:33:40 GMT; Path=/
set-cookie: AWSALBCORS=ldcCFgF+iJ0E/9dkC7wI4cjnuEVQbpZIdhNTudEvrd2RNGyXq1KOUVxtocvI6fgV6ZgUUbC34vikqmDhDGNxJuswDudtAo0P8RpZDyi/k2/Njzu5uQUSS0REf8QM; Expires=Tue, 23 Aug 2022 14:33:40 GMT; Path=/; SameSite=None; Secure
:status: 200
===
Why Cloudfront is forwarding the cookies to the origin (ELB cookies and APP cookie) if it was set not to?
Cache policy was also no cookie. To leave no doubt, I have tested again with Managed-CachingOptimized for caching and no policy for origin request and response headers. Same issue with cookies being fowarded.