I have a CloudFront distribution with a default behavior that is configured to allow any CORS request including preflight requests. However, the OPTIONS request will fail with an HTTP 403 error (details below) which is not what I expect.
I am using the AWS-managed CORS-With-Preflight policy that should allow all CORS requests, including the preflight (OPTIONS) request:
(I am not sure why the “Origin request policy” area is highlighted in yellow.)
Policy details:
I have allowed OPTIONS requests in the Behavior:
However, when I send an options request, CloudFront will return this error:
$ curl --request OPTIONS --url https://d3qj3h7hjzomrd.cloudfront.net/ --header 'Origin: https://www.example.com'
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>AccessForbidden</Code>
<Message>CORSResponse: This CORS request is not allowed. This is usually because the evalution of Origin, request method / Access-Control-Request-Method or Access-Control-Request-Headers are not whitelisted by the resource's CORS spec.</Message>
<Method>OPTIONS</Method>
<ResourceType>OBJECT</ResourceType>
<RequestId>WH3SHHNDMJR03FWJ</RequestId>
<HostId>4mr77QbpdUeaN/GZvaFiwX5urzZbo7VoW2IiG3Ziq1HikqcPoTZKZZRmibuNf4590YlCf46Wu6s=</HostId>
</Error>
(I’ve formatted the XML for better readability.)
What do I need to change to allow OPTIONS requests?
0 Answers