
Why is CloudFront varying CORS headers response based on Accept-Encoding?

I'm trying to get CORS to work properly with Amazon S3 + CloudFront.

After setting my CORS Configuration, it seems to work properly:

$ curl -H "Origin: https://app.close.io" -I "https://d4389n07pf8cq.cloudfront.net/built/app.9e1f9ee9.js" -s | grep Access  
Access-Control-Allow-Origin: https://app.close.io
Access-Control-Allow-Methods: GET, HEAD
Access-Control-Max-Age: 3000
Access-Control-Allow-Credentials: true

But when the resource is requested with Accept-Encoding: gzip then the CORS headers aren't returned properly.

$ curl -H "Origin: https://app.close.io" -H "Accept-Encoding: gzip" -I "https://d4389n07pf8cq.cloudfront.net/built/app.9e1f9ee9.js" -s | grep Access 
(nothing)

Why is that?

My CORS configuration looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>https://app.close.io</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>HEAD</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>Authorization</AllowedHeader>
        <AllowedHeader>Content-*</AllowedHeader>
        <AllowedHeader>Host</AllowedHeader>
        <AllowedHeader>Accept-Encoding</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

(I've also tried a CORS configuration with the Accept-Encoding header removed.)

The S3 object itself is gzipped, and has "Metadata" of Content-Encoding: gzip, Cache-Control: public, max-age=31536000, and Content-Type: application/javascript.

I don't understand why CloudFront+S3 CORS isn't working properly when requesting gzip.

I think that the problem you are having is caused by CloudFront's lack of native support for CORS. At this time they do not support Vary on the Origin header, so it's possible that CloudFront delivered an old cached response that did not have the correct CORS headers for your second request (with Accept-Encoding: gzip).

Have a look at this thread on the AWS forum for a workaround to this missing CORS support:

https://forums.aws.amazon.com/message.jspa?messageID=422504#422532

On June 26, 2014, AWS released proper Vary: Origin behavior on CloudFront, so I have added some notes to this question reflecting how we set it up correctly.

This might help you, as I've successfully gotten CORS to work on S3 and CloudFront. I noticed the first time S3 and CloudFront pull files they pretty much cache the headers, even after you've changed them. Be sure "query param" versioning is enabled and you can add ?v=1 to the end of your file. This "updated" the headers for us and CORS was all good.
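
The cache behaviour the first answer describes, and the cache-key effect of the ?v=1 workaround in the last one, as a simplified Python model (an added example, not code from the original posts or from AWS). It assumes the cache passes Origin through to the origin on a miss but keys only on the listed headers; the path, class and function names are hypothetical.

```python
# Simplified model of a CDN cache in front of an S3-style origin.
# Constructed for illustration; not CloudFront's actual implementation.
ALLOWED_ORIGIN = "https://app.close.io"
PATH = "/built/app.js"  # constructed sample path


def origin_response(headers):
    """S3-style origin: CORS headers are emitted only if Origin matches."""
    resp = {"Content-Encoding": "gzip"}
    if headers.get("Origin") == ALLOWED_ORIGIN:
        resp["Access-Control-Allow-Origin"] = ALLOWED_ORIGIN
    return resp


class Cache:
    def __init__(self, key_headers, key_on_query=False):
        self.key_headers = key_headers    # request headers in the cache key
        self.key_on_query = key_on_query  # is "?v=1" part of the cache key?
        self.store = {}

    def get(self, url, headers):
        path, _, query = url.partition("?")
        key = (path, query if self.key_on_query else "",
               tuple(headers.get(h) for h in self.key_headers))
        if key not in self.store:
            # Miss: whoever asks first decides which headers get cached.
            self.store[key] = origin_response(headers)
        return self.store[key]


def scenario(key_headers, key_on_query=False, final_url=PATH):
    """Return (identity variant has CORS, gzip variant has CORS)."""
    cache = Cache(key_headers, key_on_query)
    # 1. gzip variant is first fetched without an Origin header.
    cache.get(PATH, {"Accept-Encoding": "gzip"})
    # 2. Identity variant is first fetched with Origin (the first curl).
    plain = cache.get(PATH, {"Origin": ALLOWED_ORIGIN})
    # 3. gzip variant is requested with Origin (the second curl).
    gz = cache.get(final_url, {"Origin": ALLOWED_ORIGIN,
                               "Accept-Encoding": "gzip"})
    cors = "Access-Control-Allow-Origin"
    return cors in plain, cors in gz


if __name__ == "__main__":
    print(scenario(("Accept-Encoding",)))            # key ignores Origin
    print(scenario(("Accept-Encoding", "Origin")))   # Origin in the key
    print(scenario(("Accept-Encoding",), True, PATH + "?v=1"))  # new key
```

In this model the ?v=1 request gets CORS headers only because it is the first request for that new key and happens to carry Origin. Putting Origin in the cache key is what makes the result independent of request order.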
