AWS S3 not returning Origin as Access-Control-Allow-Origin value

Question

I am trying to get an object from AWS S3 via Cloudfront but I'm running into CORS problems.

As far as I understand it, my request to Cloudfront includes a header entitled Origin which tells the server where the request is coming from. When Cloudfront requests the object, S3 returns the object along with headers based upon S3's CORS configuration. Among these headers is Access-Control-Allow-Origin , which specifies to the browser which origins are allowed to access the object.

My problem is that I need to support dynamic subdomains in my CORS configuration, so I've configured CORS in S3 like so:

<AllowedOrigin>*</AllowedOrigin>

But since I'm using the Access-Control-Allow-Credentials: true header, wildcards are not permitted.

Now, according to this article , which states:

In other words, there are 2 ways for resources to be shared with multiple Origins:

1. Server returns Access-Control-Allow-Origin: * in HTTP response header
2. Server dynamically generates Access-Control-Allow-Origin based on the Origin specified in the HTTP request header (this is what S3 does)

S3 should be able to look at my Origin header and return it's value as Access-Control-Allow-Origin , thus preventing any errors regarding the wildcard character. But all I get back from S3 is Access-Control-Allow-Origin: * .

What Can I do to get S3 to mirror my Origin as the value of Access-Control-Allow-Origin ?

The article is a little old so I imagine S3 has updated how they handle these headers since 2013, but is there still a way to do this?

NOTE: This is a rails application using aws-sdk-ruby V2

Answer 1

I found the answer in another question here . S3 has updated how this works and you must now use the following configuration to have S3 mirror your Origin .

<AllowedOrigin>http://*</AllowedOrigin>
<AllowedOrigin>https://*</AllowedOrigin>