使用Lambda,API Gateway和Cloudfront时,尽管在Lambda响应中指定了“ Access-Control-Allow-Origin”,但CORS错误
[英]CORS error despite 'Access-Control-Allow-Origin' specified in Lambda response when using Lambda, API Gateway and Cloudfront
问题描述
I have a deployed web app, it's built with a React & Redux frontend hosted on S3, and a several backend micro-services hosted on AWS Lambda and exposed over API Gateway that were deployed with Serverless. 
我有一个已部署的Web应用程序,它由在S3上托管的React&Redux前端以及在AWS Lambda上托管并通过API网关公开的几个后端微服务构建而成,这些微服务已与Serverless一起部署。 The site is also distributed via a CloudFront CDN. 该站点还通过CloudFront CDN分发。
The micro-services interact with several external services but the primary one I am concerned with is the get-products service which queries the Stripe product database and returns the products to my React app from there. 微服务与多个外部服务交互,但是我关心的主要服务是get-products服务,该服务查询Stripe产品数据库并将产品从那里返回到我的React应用程序。
The site has been working fine until yesterday when I deployed some new (basically cosmetic) changes to front end, and added some more SKUs to the Stripe database. 直到昨天,当我在前端部署了一些新的(基本上是修饰性的)更改,并向Stripe数据库添加了更多SKU时,该站点一直运行良好。 Since adding these changes I have started to experience CORS errors where previously there were none. 自添加这些更改以来,我开始遇到以前没有的CORS错误。
Initially I got the following error: 最初我遇到以下错误:
Access to XMLHttpRequest at 'https://XXXXXXXXXX.execute-api.eu-west-1.amazonaws.com/dev/products' from origin 'https://www.superfunwebsite.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
This was despite my Lambda response including the following headers: 尽管我的Lambda响应包括以下标头,但这仍然是:
'Access-Control-Allow-Origin': '*',
At this point I updated my Lambdas response headers to the following: 此时,我将Lambdas响应标头更新为以下内容:
'Access-Control-Allow-Origin': 'https://www.superfunwebsite.com/',
'Access-Control-Allow-Credentials': true
The error has largely persisted, except for on one random page load where instead I got an error stating that the Origin https://www.superfunwebsite.com and 'Access-Control-Allow-Origin' https://www.superfunwebsite.com/ didn't match. 该错误在很大程度上一直存在,除了在一个随机页面加载中,相反,我收到一条错误消息,指出起源https://www.superfunwebsite.com和“ Access-Control-Allow-Origin” https://www.superfunwebsite.com/不匹配。
I've since changed the Lambda response headers to this: 此后,我将Lambda响应标头更改为此:
'Access-Control-Allow-Origin': 'https://www.superfunwebsite.com',
'Access-Control-Allow-Credentials': true
Which seems as though it may have solved that anomalous second error. 似乎好像已经解决了异常的第二个错误。
However, error one persists even when I am testing using a HTTP client like Insomnia. 但是,即使我正在使用HTTP客户端(例如Insomnia)进行测试,错误仍然存在。 I get the following in the response. 我得到以下回应。
// status code
403
// response
{
"message": "Forbidden"
}
// headers
Content-Type: application/json
Content-Length: 23
Connection: keep-alive
Date: Tue, 18 Sep 2018 13:22:41 GMT
x-amzn-RequestId: eb691541-bb45-11e8-82ff-6d1b542dffb9
x-amzn-ErrorType: ForbiddenException
x-amz-apigw-id: NaxVLGJgjoEF5Fg=
X-Cache: Error from cloudfront
Via: 1.1 08037e15a3c6f503f39825efeb7f0210.cloudfront.net (CloudFront)
X-Amz-Cf-Id: cbNtb4xKWc48VPFon-Cl9y27KmXRVLIN5SWuYwNWlWsTXeaAXx3z-Q==
Based on the above Insomnia output it seems that my issue is somehow related to CloudFront although I don't understand exactly how. 根据上述失眠的输出,尽管我不知道具体如何,但我的问题似乎与CloudFront有关。 This other S/O post seems to indicate that there should be options for me in the CloudFront behaviours section that would allow me to whitelist headers for the response, however these options are not visible to me in the console, I've seen suggestions this is because the origin is on S3. 另一篇S / O帖子似乎表明,CloudFront行为部分中应该为我提供一些选项,使我可以将响应的标头列入白名单,但是这些选项在控制台中对我不可见,我已经看到了一些建议是因为原点在S3上。
My question is simply if anyone knows how I can fix this issue or if there is something else I've not considered that I should be looking at? 我的问题是,是否有人知道如何解决此问题,或者是否还有其他我不认为应该考虑的问题?
2 个解决方案
解决方案1
2 2018-09-18 14:23:49
Here you have to Whitelist the respective CORS headers in the behaviour section of the cloudfront distribution. 在这里,您必须在cloudfront发行版的行为部分中将相应的CORS标头列入白名单。
- Open your distribution from the Amazon CloudFront console 从Amazon CloudFront控制台打开您的分配
- Choose the Behaviors view. 选择“行为”视图。
- Choose Create Behavior, or choose an existing behavior and then choose Edit. 选择创建行为,或选择一个现有的行为,然后选择编辑。
- For option
Cache Based on Selected Request Headers, choose Whitelist.对于选项“ Cache Based on Selected Request Headers,选择“白名单”。 - Under Whitelist Headers, choose headers (
Access-Control-Request-HeadersandAccess-Control-request-methods,Origin) from the menu on the left, and then choose Add.在“白名单标题”下,从左侧菜单中选择标题( Access-Control-Request-Headers和Access-Control-request-methods,Origin),然后选择“添加”。 - Choose Yes, Edit. 选择是,编辑。
The above settings should work for you (as its mainly for GET and HEAD ) but if it doesn't, enable OPTIONS method as well using below article. 上面的设置应该对您有效(因为它主要用于GET和HEAD ),但是如果不起作用,请使用下面的文章启用OPTIONS方法。 Please check the below article from aws: 请检查以下来自aws的文章:
no-access-control-allow-origin-error 没有访问控制允许来源错误
解决方案2
0 已采纳 2018-09-19 11:50:25
This issue has now been solved. 该问题现已解决。 In the end it was not in fact a CORS issue but a staging one. 最后,这实际上不是CORS问题,而是分期问题。 My query was failing because I was querying an endpoint stage that did not exist. 我的查询失败,因为我正在查询不存在的终结点阶段。
It appears that in the set up I had using CloudFront and API Gateway, when querying an endpoint that didn't exist I was returned a 403 response without CORS headers. 看来,在我使用CloudFront和API Gateway的设置中,当查询不存在的端点时,我返回了一个没有CORS标头的403响应。
The browser/CloudFront (not sure which) then identified the absence of CORS headers and threw an error in response to that. 然后,浏览器/ CloudFront(不确定是哪个)识别出缺少CORS标头,并对此做出了响应。
In my case simply changing my endpoint from the dev stage (which did not exist on the associated AWS account associated with the live stage): 在我的情况下,只需从开发阶段更改我的终端节点(与实时阶段关联的关联AWS账户中不存在):
https://XXXXXXXXXX.execute-api.eu-west-1.amazonaws.com/dev/products
To the live stage: 进入现场阶段:
https://XXXXXXXXXX.execute-api.eu-west-1.amazonaws.com/live/products
Resolved the issue immediately. 立即解决了该问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.