AWS API Gateway - CORS "access-control-allow-origin" - multiple entries

Problem description

I have an AWS Lambda instance that connects to a defined AWS API Gateway. If I enable CORS and give the access-control-allow-origin a definition of http://example.com, then I am able to access the Lambda instance from http://example.com. However, if I use https://example.com, it doesn't work.

So in AWS, how can I define using multiple access-control-allow-origin values without using a wildcard? I tried using something like *.example.com, but that doesn't work.

If I use '*' as my value on the API gateway, but set up CORS rules on my S3 bucket, would that be secure? Example for bucket rules:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>http://example.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>https://example.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>https://www.example.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

Recommended answer

Unfortunately this is not possible today. The CORS spec does not allow for partial wildcards and currently API Gateway only allows a single static value for the header.

You may be able to overload your OPTIONS method to return this value dynamically based on the incoming host header.
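
One way to implement the dynamic approach the answer suggests, as an added example that is not code from the original post: a Lambda handler that echoes the browser's Origin request header back in Access-Control-Allow-Origin only on an exact allowlist match. It assumes a Lambda proxy integration (so the function sets its own response headers); the function names, the allowlist taken from the question's bucket rules, and the Allow-Headers value are assumptions.

```python
import json

# Assumed allowlist: the exact origins from the question's S3 bucket rules.
ALLOWED_ORIGINS = frozenset({
    "http://example.com",
    "https://example.com",
    "https://www.example.com",
})
ALLOWED_METHODS = "GET,POST,PUT,OPTIONS"


def cors_headers(request_headers):
    """Build CORS response headers for one request.

    Echoes the Origin only on an exact, case-sensitive allowlist match.
    No substring, suffix or regex matching is used, so look-alike values
    such as "https://example.com.attacker.test" and "null" are refused.
    """
    # REST API proxy events keep the client's header casing; normalise names.
    headers = {k.lower(): v for k, v in (request_headers or {}).items()}
    origin = headers.get("origin")
    # Vary: Origin stops a shared cache from serving a response built for
    # one origin (with its Allow-Origin value) to a different origin.
    out = {"Vary": "Origin"}
    if origin in ALLOWED_ORIGINS:
        out["Access-Control-Allow-Origin"] = origin
        out["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        out["Access-Control-Allow-Headers"] = "Content-Type"  # assumed value
        out["Access-Control-Max-Age"] = "3000"  # mirrors MaxAgeSeconds above
    return out


def handler(event, context):
    """Hypothetical Lambda entry point for a proxy integration."""
    headers = cors_headers(event.get("headers"))
    if event.get("httpMethod") == "OPTIONS":
        # Preflight: no body; a disallowed origin simply gets no CORS headers.
        return {"statusCode": 204, "headers": headers, "body": ""}
    return {
        "statusCode": 200,
        "headers": headers,
        "body": json.dumps({"ok": True}),
    }
```

CORS headers only tell browsers which pages may read the response; they do not authenticate callers, so the API still needs its own authorization.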
