Add Access-Control-Request-Method to the list of forwarded headers - CORS problem
I (with help from @t-richard) found this small thing that could be a massive improvement.
I am running an API and want to allow requests from my React app. I obviously get issues with CORS, but no matter how much I tried, I failed to solve it...
It turned out to be that Chrome is doing a "preflight" to check CORS headers with an OPTIONS request. The NelmioCorsBundle is checking for the Access-Control-Request-Method. If that header does not exist, the preflight will fail.
I am not sure if this is needed for CORS or if it is needed for CORS with NelmioCorsBundle. I thought I would share it here and hopefully it will help other developers in the same situation.
The workaround would be to configure forward headers yourself like:
```yaml
constructs:
    website:
        type: server-side-website
        # ...
        forwardedHeaders:
            - Accept
            - Accept-Language
            - Authorization
            - Content-Type
            - Origin
            - Referer
            - User-Agent
            - X-Forwarded-Host
            - X-Requested-With
            - Access-Control-Request-Method
```
Thanks for opening this PR.
This is a pain and there is no correct way to handle this. For correct CORS handling, we would probably need to also add `access-control-request-headers` to the list but we would go above the 10 headers limit.
There has been a discussion about possibly increasing the limit via the AWS support but it never worked on my side :frowning_face: https://github.com/getlift/lift/issues/136
I really wish AWS Cloudfront would be more flexible here...
In the current situation, I'm not sure if this PR helps because we can't add `access-control-request-headers`.
It did help me. I also managed to squeeze in an extra header that I didn’t show in my workaround example.
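The trade-off discussed in this thread, as an added illustration that is not code from the PR, Lift, CloudFront or NelmioCorsBundle: it filters a preflight request through a forwarded-headers allowlist and reports what the backend still sees. The sample request, the function names and the simplified preflight rule (OPTIONS plus `Origin` plus `Access-Control-Request-Method`) are assumptions made for the example; the header list and the limit of 10 come from the comments above.

```python
# Added illustration: models allowlist-based header forwarding and a
# simplified backend preflight check. All function names are hypothetical.

MAX_FORWARDED_HEADERS = 10  # limit mentioned in the thread

# The workaround list from the PR description.
WORKAROUND = [
    "Accept", "Accept-Language", "Authorization", "Content-Type", "Origin",
    "Referer", "User-Agent", "X-Forwarded-Host", "X-Requested-With",
    "Access-Control-Request-Method",
]

# Constructed sample: headers a browser might send on a preflight request.
PREFLIGHT = {
    "Origin": "https://app.example.com",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "authorization,content-type",
    "User-Agent": "ExampleBrowser/1.0",
}


def forward(headers, allowlist):
    """Keep only the headers named in the allowlist (case-insensitive)."""
    allowed = {name.lower() for name in allowlist}
    return {k: v for k, v in headers.items() if k.lower() in allowed}


def is_preflight(method, headers):
    """Assumed backend rule: OPTIONS + Origin + Access-Control-Request-Method."""
    names = {k.lower() for k in headers}
    return (method.upper() == "OPTIONS"
            and "origin" in names
            and "access-control-request-method" in names)


def audit(allowlist, request_headers=PREFLIGHT):
    """Report the limit status and what survives forwarding to the backend."""
    seen = forward(request_headers, allowlist)
    return {
        "count": len(allowlist),
        "over_limit": len(allowlist) > MAX_FORWARDED_HEADERS,
        "dropped": sorted(set(request_headers) - set(seen)),
        "backend_sees_preflight": is_preflight("OPTIONS", seen),
    }


if __name__ == "__main__":
    print("without ACRM:", audit(WORKAROUND[:-1]))
    print("workaround:  ", audit(WORKAROUND))
    print("plus ACRH:   ", audit(WORKAROUND + ["Access-Control-Request-Headers"]))
```

With the workaround list the preflight is recognised, but `Access-Control-Request-Headers` is still dropped; adding it brings the list to 11 entries, over the limit.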