amazon s3 - Getting S3 CORS Access-Control-Allow-Origin to dynamically echo requesting domain -
how can set s3 cors allowedorigin
configuration such dynamically echos requesting domain in access-control-allow-origin
header?
in post, "cors cloudfront, s3, , multiple domains", suggested setting allowedorigin
<allowedorigin>*</allowedorigin>
this. however, s3 returns access-control-allow-origin: *
instead.
access-control-allow-origin: *
not work in case using image.crossorigin = "use-credentials"
in javascript app. option, s3 returns access-control-allow-credentials: true
. cross origin access image fails because using wildcard allowed origin in conjunction credentials not permitted.
background why needed:
in setup, access images on s3 has go through our domain, authentication required restrict access , check if account authorized access images. if is, server returns 302 redirect s3 url.
for authentication work, image.crossorigin = "use-credentials"
has set request hits server required credentials. (incidentally, when tested on firefox 30.0 , chrome 35.0.1916.153, if crossorigin
set anonymous
, credentials still sent. not on safari 7.0.4. consistent cross-browser behavior obtained using use-credentials
.).
because browsers transparently redirects s3 url, credentials sent.
aws's cors documentation not document this, managed answer in thread on aws developer forums, found aws changed original behavior of echoing requesting domain if *
being used allowedorigin
.
to s3 dynamically echo requesting domain, allowedorigin
has set such:
<allowedorigin>http://*</allowedorigin> <allowedorigin>https://*</allowedorigin>
Comments
Post a Comment