I have a CloudFront distribution with a default behavior that is configured to allow any CORS request including preflight requests. However, the OPTIONS request will fail with an HTTP 403 error (details below) which is not what I expect.

I am using the AWS-managed CORS-With-Preflight policy that should allow all CORS requests, including the preflight (OPTIONS) request:

(I am not sure why the “Origin request policy” area is highlighted in yellow.)

Policy details:

I have allowed OPTIONS requests in the Behavior:

However, when I send an OPTIONS request, CloudFront will return this error:

```
$ curl --request OPTIONS --url https://d3qj3h7hjzomrd.cloudfront.net/ --header 'Origin: https://www.example.com'

<?xml version="1.0" encoding="UTF-8"?>
<Error>
    <Code>AccessForbidden</Code>
    <Message>CORSResponse: This CORS request is not allowed. This is usually because the evalution of Origin, request method / Access-Control-Request-Method or Access-Control-Request-Headers are not whitelisted by the resource's CORS spec.</Message>
    <Method>OPTIONS</Method>
    <ResourceType>OBJECT</ResourceType>
    <RequestId>WH3SHHNDMJR03FWJ</RequestId>
    <HostId>4mr77QbpdUeaN/GZvaFiwX5urzZbo7VoW2IiG3Ziq1HikqcPoTZKZZRmibuNf4590YlCf46Wu6s=</HostId>
</Error>
```

(I’ve formatted the XML for better readability.)

What do I need to change to allow OPTIONS requests?

aaronk6
  • Does [this](https://serverfault.com/questions/619699/setting-access-control-allow-origin-on-cloudfront) help? Do you need to allow some headers to be passed back and forth? – shearn89 Mar 14 '22 at 10:14
  • My understanding is that now that [CORS is configurable in CloudFront](https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-cloudfront-supports-cors-security-custom-http-response-headers/), it should work out of the box. What would be the purpose of the managed `CORS-With-Preflight` policy if you would still have to create your policy to get the most basic request working? – aaronk6 Mar 14 '22 at 10:27

0 Answers