Wildcard in Cloudfront Access-Control-Allow-Origin response policy

0

Several months back we created a Cloudfront Response Policy with a CORS header setting that included an Access-Control-Allow-Origin of https://*-myorg.vercel.app. The docs state that "The wildcard character (*) is allowed as the leftmost part of the domain (*.example.org)." While it doesn't give an example of that wildcard being a part of a subdomain, it allowed me to create this policy.

Fast forward to today and the user interface and API will not allow me to edit this policy or create a new one with the wildcard in this position. It does allow it if it's the entire subdomain such as *.example.org but not *-test.example.org or *anything.example.org.

The error we receive is "The parameter Access-Control-Allow-Origin contains *a.example.org which is not a valid URL."

Is this a purposeful change in behavior? Is there a way to recreate this policy or edit the old one?

Note: The policy that is in place DOES work. When a request is made that matches that wildcard, the response contains the header with the full domain. This is how AWS has always handled wildcards. It wildcards on the server side, and returns the full domain.

response headers

Asked 1 year ago, viewed 2009 times
1 answer
0

I have just tested this and I have the same result. However, I believe you can only use a wildcard to specify ALL and not part of a word. You can't use a wildcard as a catch-all i.e. *-myhosts.example.com but you can use *.example.com

I even tried 4 subdomains deep with *.level3.level2.level1.example.com and it works fine.

I suggest you change the Parameter to All Origins, then save, then update again with the correct values sticking to the correct standard. I am not sure why AWS let you before, however that is not supported I believe in CORS. Wildcards are *. not *something.

Expert
Answered 1 year ago
  • It's not a CORS standard to wildcard anywhere (except entire thing ala "*"). Amazon matches the incoming request and if it is a match then it responds in the allow-origin with the full domain that was requested. That's part of the problem I have - it's working as desired right now. Updated question to include this, and provided screenshot of headers.

    So the functionality works, but I can't enter it as a value (anymore!).
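Added example, not code from the question, the answer, or AWS: a small Python allowlist matcher that does what the thread describes on the server side. It matches the request's Origin against patterns in which only a whole leftmost label may be a wildcard (so https://*.example.org is accepted and https://*-myorg.vercel.app is rejected, as the console now enforces), and on a match it echoes the full request origin rather than "*" or the pattern, with Vary: Origin so caches keep the variants apart. The allowlist and origins are constructed samples, and treating * as exactly one DNS label is an assumption.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

def compile_origin_pattern(pattern: str) -> "re.Pattern[str]":
    """Turn an allowlist entry such as "https://*.example.org" into an anchored regex.
    A wildcard is only accepted as the entire leftmost host label; patterns like
    "https://*-myorg.vercel.app" or "https://*anything.example.org" raise ValueError."""
    parts = urlsplit(pattern)
    if (parts.scheme not in ("http", "https") or not parts.netloc
            or parts.path not in ("", "/") or parts.query or parts.fragment):
        raise ValueError(f"not a valid origin pattern: {pattern!r}")
    host = parts.netloc
    if "*" in host:
        if not host.startswith("*.") or "*" in host[2:]:
            raise ValueError(f"wildcard must be the whole leftmost label: {pattern!r}")
        # Assumption: "*" stands for exactly one label, so the apex itself does not match.
        host_re = r"[a-z0-9-]+\." + re.escape(host[2:])
    else:
        host_re = re.escape(host)
    # Anchored at both ends: "https://preview.example.org.attacker.test" must not match.
    return re.compile(rf"^{parts.scheme}://{host_re}$", re.IGNORECASE)

def is_valid_origin_pattern(pattern: str) -> bool:
    """True when the pattern would be accepted by compile_origin_pattern."""
    try:
        compile_origin_pattern(pattern)
        return True
    except ValueError:
        return False

def cors_headers(request_origin: Optional[str], allowlist: List[str]) -> Dict[str, str]:
    """Return the CORS response headers for one request, or {} when the origin is not allowed."""
    if not request_origin:
        return {}
    for pattern in allowlist:
        if compile_origin_pattern(pattern).match(request_origin):
            # Echo the exact origin that matched (never "*", never the pattern) and mark
            # the response as origin-dependent so shared caches do not cross-serve it.
            return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}

# Constructed sample allowlist.
ALLOWLIST = ["https://*.example.org", "https://app.example.com"]

if __name__ == "__main__":
    for origin in ("https://preview.example.org", "https://evil-example.org", "https://example.org"):
        print(origin, "->", cors_headers(origin, ALLOWLIST))
```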
