![]() Hope this helps! Hit me up on Twitter: if you have any issues/questions. In the end, I formatted my script tag like and Chrome's CORS issue when serving from cache went away. Overview Overview Easily add (Access-Control-Allow-Origin: ) rule to the response header. Adding a response header to CloudFront is a bit tedious as you need to use which to me felt like overkill. If you're using something like Nginx, this is pretty simple as you can add a response header. There are loads of unit tests in Chrome that perform cross-origin requests from/to localhost, all of them. The Solutionīy far, the quickest way is adding the attribute crossorigin="anonymous" to the script tag-the crossorigin attribute, among other things, hints to the browser that it shouldn't cache the CORS headers.Ī possibly more involved approach, depending on your setup, is to have the server respond with a Vary: Origin header. It drops the request as Access-Control-Allow-Origin violation since the location is from the (disk cache) instead of. However, in Chrome, when the browser served the script file from its cache, I was getting the classic CORS error: "No `access-control-allow-origin` header is present on the requested resource."Īs it turns out, the cached version does not contain the CORS headers in Chrome. It appeared that everything was working fine in FireFox, Safari, and Chrome. CORS, or Cross Origin Resource Sharing, is a mechanism for browsers to let a site running at origin A to request resources from origin B. You need to configure cors at your server side. The CloudFront distribution also had the correct headers whitelisted: Access-Control-Allow-Origin is a CORS header. If Access-Control-Allow-Origin not available in response header, browser will disallow to use response in your JavaScript code and throw exception at network level. We're just allowing the GET and HEAD methods, letting any origin access it, and setting a max-age. ![]() The S3 Bucket permissions had CORS configured like this: So the call stack looked something like this: That script also dynamically loaded another script. However to secure against attacks, the server can maintain a list of allowed origins and whenever server gets a cross origin request, it can validate the ORIGIN. ![]() I wrote a static script file hosted in an S3 bucket and then served via CloudFront on a different subdomain. 'Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘’' So in most scenarios setting ‘Access-Control-Allow-Origin’ to will not be a problem. CORS issues are always a treat! Especially when the issue appeared to be random and only affects Chromium-based browsers.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |