-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
CorsPreflightOptions: allow_origins does not work with more than 1 value #25923
Comments
Would be a bug with the service API and CloudFormation as well, the header certainly can't contain multiple values. In the expected behavior section of your report, why would you pass in multiple values to this parameter and expect only one to show up in the header? |
@peterwoodworth Well, it's a clear need in many projects to allow multiple origins. (worth mentioning the parameter is called I would say that even CloudFormation is just fine, because this has to be evaluated by the API Gateway itself. Any Ideas? |
Works correctly for me. TypeScript const api = new apigatewayv2.HttpApi(this, 'HttpApi', {
corsPreflight: {
allowMethods: [
apigatewayv2.CorsHttpMethod.GET,
apigatewayv2.CorsHttpMethod.PUT,
apigatewayv2.CorsHttpMethod.OPTIONS,
],
allowOrigins: ['https://app.example.com', 'http://localhost:3000'],
allowHeaders: ['content-type', 'authorization'],
allowCredentials: true,
},
}); Template "HttpApiXXXXXXXX": {
"Type": "AWS::ApiGatewayV2::Api",
"Properties": {
"CorsConfiguration": {
"AllowCredentials": true,
"AllowHeaders": [
"content-type",
"authorization"
],
"AllowMethods": [
"GET",
"PUT",
"OPTIONS"
],
"AllowOrigins": [
"https://app.example.com",
"http://localhost:3000"
]
},
"Name": "HttpApi",
"ProtocolType": "HTTP"
}
}, Actual response of OPTIONS $ curl -v https://xxxxxxxxx.execute-api.ap-northeast-1.amazonaws.com/ -X OPTIONS ...
OPTIONS / HTTP/2
access-control-request-method: PUT
origin: http://localhost:3000
...
HTTP/2 204
access-control-allow-origin: http://localhost:3000
access-control-allow-methods: GET,OPTIONS,PUT
access-control-allow-headers: authorization,content-type
access-control-allow-credentials: true
... |
@Tietew Well, that's actually great news! |
Sorry, I'm not super familiar with API Gateway as a service, I don't see a key difference between the snippet posted that works and the one that doesn't. I don't see how these two use @gabriels1234 if your template appears to look good and you're still running into the error, please let me know. |
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled. |
Describe the bug
The Setup I have to use requires CORS, and allow_credentials:true. That means that allow_origins cannot be ["*"].
The problem is, given that we want to allow originS (more than one), the HttpApi returns both origins as allowed.
BUT, the browsers' specification requires only one value.
Every Backend framework knows that the accepted value for
Access-Control-Allow-Origin
is only one.example: cors js library:
example: starlette library (used by fastApi):
Expected Behavior
when setting
allow_origins = ["https://sitea.com", "https://siteb.com"]
the response headers when calling from sitea should be:
Access-Control-Allow-Origin:https://sitea.com
Current Behavior
when setting
allow_origins = ["https://sitea.com", "https://siteb.com"]
the response headers when calling from sitea is actually:
Access-Control-Allow-Origin:https://sitea.com,https://siteb.com
Reproduction Steps
requirements.txt:
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.83.0 (build 0fd7f2b)
Framework Version
No response
Node.js Version
v16.17.0
OS
Mac OS 13.4
Language
Python
Language Version
Python 3.10
Other information
No response
The text was updated successfully, but these errors were encountered: