使用AJAX从CloudFront加载文件会导致403（禁止）错误

Question

I have an SVG file sitting in Amazon S3 and a Cloud Front distribution which points to my bucket as the origin. 我有一个坐在Amazon S3中的SVG文件和一个Cloud Front发行版，它指向我的存储桶作为原点。

I have enabled CORS on the bucket like below : 我已经在下面启用了CORS：

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
</CORSRule>
</CORSConfiguration>

I also white listed below headers in the options of the behaviors of my cloud front distribution. 我还在我的云端分发行为的选项中列出了以下标题。

Access-Control-Request-Headers
Access-Control-Request-Method
Origin

In a single standalone HTML file, I can easily load the SVG like: 在一个独立的HTML文件中，我可以轻松加载SVG，如：

$(document).ready(function () {
            var settings = {
                "crossDomain": true,
                "url": "https://mycloudfront.cloudfront.net/images/one-TEST_1140924280.svg",
                "method": "GET"
            };

            $.ajax(settings).done(function (response) {
                var svg = document.importNode(response.documentElement,true);
                $("#svg").append(svg);
            });
        });

When I do this in standalone HTML, the origin of the request header is null . 当我在独立HTML中执行此操作时，请求标头的原点为空。 But when I try to do this in my project (Spring Boot 1.5.3) The origin of the request header is http://localhost:8080 and I get 403 response as a result : 但是当我尝试在我的项目中执行此操作时（Spring Boot 1.5.3）请求标头的来源是http：// localhost：8080 ，结果我得到403响应：

XMLHttpRequest cannot load https://mycloudfront.cloudfront.net/images/one-TEST_1140924280.svg . XMLHttpRequest无法加载https://mycloudfront.cloudfront.net/images/one-TEST_1140924280.svg 。 Response to the preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. 对预检请求的响应未通过访问控制检查：请求的资源上不存在“Access-Control-Allow-Origin”标头。 Origin ' http://localhost:8080 ' is therefore not allowed access. 因此，不允许来源“ http：// localhost：8080 ”访问。 The response had HTTP status code 403. 响应具有HTTP状态代码403。

Also, there is a header being added to the AJAX request access-control-request-headers:x-csrf-token 此外，还有一个标头被添加到AJAX请求access-control-request-headers：x-csrf-token

The exact same thing happens in my test environment on EC2. 完全相同的事情发生在EC2的测试环境中。 I thought localhost:8080 in origin is somehow the problem. 我认为localhost：8080的起源是某种程度上的问题。

Am I missing a configuration somewhere in CloudFront or S3? 我在CloudFront或S3的某个地方错过了配置吗？

Answer 1

According to this : 根据这个：

For a preflight request, if the request includes an Access-Control-Request-Headers header, verify that the CORSRule includes the AllowedHeader entries for each value in the Access-Control-Request-Headers header. 对于预检请求，如果请求包含Access-Control-Request-Headers标头，请验证CORSRule是否包含Access-Control-Request-Headers标头中每个值的AllowedHeader条目。

I chose GET, HEAD, OPTIONS of Allowed HTTP Methods of the Cloud Front behavior and added below configuration to my S3 CORS configuration and it worked fine. 我选择了GET，HEAD， Cloud Front行为的允许HTTP方法的选项，并将下面的配置添加到我的S3 CORS配置中，它运行正常。

<AllowedHeader>x-csrf-token</AllowedHeader>

In my situation that x-csrf-token was being added to the headers cause the page in my project was in a protected area by spring security, It worked but just be aware that any other custom headers being added to the request, Cloud Front will return 403. So easier option would be allowing all headers in your CORS configuration. 在我的情况下， x-csrf-token被添加到标题中导致我的项目中的页面被Spring安全保护在一个受保护的区域，它工作但只是要知道任何其他自定义标头被添加到请求，Cloud Front将返回403.如此简单的选项将允许您的CORS配置中的所有标头。

<AllowedHeader>*</AllowedHeader>

使用AJAX从CloudFront加载文件会导致403（禁止）错误

问题描述

1 个解决方案

解决方案1
3 已采纳 2017-08-02 00:05:37

使用AJAX从CloudFront加载文件会导致403（禁止）错误

问题描述

1 个解决方案

解决方案1 3 已采纳 2017-08-02 00:05:37

解决方案1
3 已采纳 2017-08-02 00:05:37