AWS API Gateway - CORS "access-control-allow-origin" - multiple entries
Problem description
I have an AWS Lambda instance that connects to a defined AWS API Gateway. If I enable CORS and give the access-control-allow-origin a definition of http://example.com, then I am able to access the Lambda instance from http://example.com. However, if I use https://example.com, it doesn't work.
So in AWS, how can I define using multiple access-control-allow-origin values without using a wildcard? I tried using something like *.example.com, but that doesn't work.
If I use '*' as my value on the API gateway, but set up CORS rules on my S3 bucket, would that be secure? Example for bucket rules:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>http://example.com</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<AllowedMethod>PUT</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
<CORSRule>
<AllowedOrigin>https://example.com</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<AllowedMethod>PUT</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
<CORSRule>
<AllowedOrigin>https://www.example.com</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<AllowedMethod>PUT</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
Recommended answer
Unfortunately this is not possible today. The CORS spec does not allow for partial wildcards and currently API Gateway only allows a single static value for the header.
You may be able to overload your OPTIONS method to return this value dynamically based on the incoming host header.
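One way to return the header dynamically, as an added example that is not part of the original answer or any AWS code: it keys on the request's Origin header and an exact-match allowlist built from the three origins in the question. It assumes a Lambda proxy integration event (fields httpMethod and headers); the names handler and cors_headers and the allowed-header value are hypothetical.

```python
import json

# Exact origins from the question's bucket rules; comparison is whole-string,
# so look-alikes such as "https://example.com.evil.test" never match.
ALLOWED_ORIGINS = frozenset({
    "http://example.com",
    "https://example.com",
    "https://www.example.com",
})
ALLOWED_METHODS = "GET,POST,PUT,OPTIONS"
ALLOWED_HEADERS = "Content-Type"  # constructed value; list what the API really needs


def cors_headers(request_headers):
    """Build CORS response headers for one request.

    Returns only "Vary: Origin" when the origin is missing or not allowlisted,
    so the browser blocks the cross-origin read.
    """
    # Header names arrive with client-chosen casing; normalise before lookup.
    lowered = {k.lower(): v for k, v in (request_headers or {}).items()}
    origin = lowered.get("origin")
    # Vary stops a shared cache from replaying one origin's response to another.
    headers = {"Vary": "Origin"}
    if origin in ALLOWED_ORIGINS:
        # Echo the single matching origin; the header cannot carry a list.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
        headers["Access-Control-Max-Age"] = "3000"
    return headers


def handler(event, context):
    """Hypothetical Lambda entry point for a proxy-integration event."""
    headers = cors_headers(event.get("headers"))
    if event.get("httpMethod") == "OPTIONS":
        # Preflight: empty body, only the headers computed above.
        return {"statusCode": 204, "headers": headers, "body": ""}
    headers["Content-Type"] = "application/json"
    return {"statusCode": 200, "headers": headers, "body": json.dumps({"ok": True})}
```

The same cors_headers result has to be attached to the actual GET/POST/PUT responses as well as the preflight, otherwise the browser accepts the OPTIONS call and then rejects the real response.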