CORS AWS S3 and cloudfront


Problem description

I see different headers returned from the server using curl and browsers (FF and Chrome).

Curl returns CORS headers

curl -X GET -I -H "Origin: https://qa.gameofshred.com"  https://s3-ap-southeast-1.amazonaws.com/gameofshred-qa/site/fontawesome-webfont.912ec66d7572ff821749.svg --verbose

> GET /gameofshred-qa/site/fontawesome-webfont.912ec66d7572ff821749.svg HTTP/1.1
> User-Agent: curl/7.29.0
> Host: s3-ap-southeast-1.amazonaws.com
> Accept: */*
> Origin: https://qa.gameofshred.com
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< x-amz-id-2: m9oDqyGs0K+0IBnygQlGE9IEeVZQcpIf1nYSWYYu5NU5Hu3gNEUy8SfWnO/mFiK8nPIBPlDhWec=
x-amz-id-2: m9oDqyGs0K+0IBnygQlGE9IEeVZQcpIf1nYSWYYu5NU5Hu3gNEUy8SfWnO/mFiK8nPIBPlDhWec=
< x-amz-request-id: 135C9D56C2C0D604
x-amz-request-id: 135C9D56C2C0D604
< Date: Wed, 19 Apr 2017 02:37:34 GMT
Date: Wed, 19 Apr 2017 02:37:34 GMT
< Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET
Access-Control-Allow-Methods: GET
< Access-Control-Max-Age: 3000
Access-Control-Max-Age: 3000
< Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
< Last-Modified: Tue, 18 Apr 2017 23:02:06 GMT
Last-Modified: Tue, 18 Apr 2017 23:02:06 GMT
< ETag: "912ec66d7572ff821749319396470bde"
ETag: "912ec66d7572ff821749319396470bde"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Type: image/svg+xml
Content-Type: image/svg+xml
< Content-Length: 444379
Content-Length: 444379
< Server: AmazonS3
Server: AmazonS3

Browsers on the other hand don't contain any CORS headers.

Request:

GET /gameofshred-qa/site/fontawesome-webfont.912ec66d7572ff821749.svg HTTP/1.1
Host: s3-ap-southeast-1.amazonaws.com
Origin: https://qa.gameofshred.com
Accept: */*
User-Agent: curl/7.29.0
Cache-Control: no-cache

Response:

Accept-Ranges → bytes
Content-Length → 444379
Content-Type → image/svg+xml
Date → Wed, 19 Apr 2017 02:32:37 GMT
ETag → "912ec66d7572ff821749319396470bde"
Last-Modified → Tue, 18 Apr 2017 23:02:06 GMT
Server → AmazonS3
x-amz-id-2 → O0V/q2q9vSKQgJWKUL8LfsQghKlyBS90fTYDt9TLcgJimjeCUKg57+UwgAnWym8tJRPpGsRutG0=
x-amz-request-id → 5EA7299EC61D0E86

Is there any explanation? Thanks.

UPD: As was suggested, I updated the CORS configuration. It didn't help.

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <MaxAgeSeconds>55</MaxAgeSeconds>
    <AllowedHeader>Authorization</AllowedHeader>
</CORSRule>
</CORSConfiguration>

UPD 2: The problem apparently was caused by two reasons: 1) CDN caching 2) Using Postman for checking CORS. Postman (browser version) always substitutes ORIGIN with something like "chrome://extensions....", so we cannot use it for testing.

Recommended answer

Try adding: <AllowedMethod>HEAD</AllowedMethod> to CORS configuration in AWS S3:

Bucket > Permissions > CORS configuration

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>Authorization</AllowedHeader>
</CORSRule>
</CORSConfiguration>

Then you should see in browsers & curl:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, HEAD
Access-Control-Max-Age: 3000
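
The "CDN caching" cause named in UPD 2 can be reproduced offline with a simplified model, added here as an example that is not part of the original question or answer and is not AWS code: an S3-like origin that returns CORS headers only when it receives an allowed Origin, behind an edge cache that either ignores or forwards Origin. The class and function names and the object path are hypothetical; the rule values mirror the configuration above.

```python
# Simplified model, constructed for illustration (not AWS code): an S3-like
# origin emits CORS headers only for requests carrying an allowed Origin;
# the edge cache in front of it may or may not forward/key on Origin.

RULE = {"origins": ["*"], "methods": ["GET", "HEAD"], "max_age": 3000}

def origin_server(method, headers):
    """Evaluate the CORS rule the way the bucket would (simplified)."""
    resp = {"Content-Type": "image/svg+xml", "Server": "AmazonS3"}
    origin = headers.get("Origin")
    allowed = origin and method in RULE["methods"] and (
        "*" in RULE["origins"] or origin in RULE["origins"])
    if allowed:
        resp["Access-Control-Allow-Origin"] = "*" if "*" in RULE["origins"] else origin
        resp["Access-Control-Allow-Methods"] = ", ".join(RULE["methods"])
        resp["Access-Control-Max-Age"] = str(RULE["max_age"])
        resp["Vary"] = "Origin, Access-Control-Request-Headers, Access-Control-Request-Method"
    return resp

class EdgeCache:
    """CDN edge; forward_origin=True forwards Origin and adds it to the cache key."""
    def __init__(self, forward_origin):
        self.forward_origin = forward_origin
        self.store = {}

    def get(self, method, path, headers):
        origin = headers.get("Origin") if self.forward_origin else None
        key = (method, path, origin)
        if key not in self.store:
            # Cache miss: only forwarded headers reach the origin server.
            upstream = {"Origin": origin} if origin else {}
            self.store[key] = origin_server(method, upstream)
        return self.store[key]

def has_cors(resp):
    return "Access-Control-Allow-Origin" in resp

def replay(forward_origin):
    """A plain request (no Origin) followed by a cross-origin request."""
    cdn = EdgeCache(forward_origin)
    path = "/site/fontawesome-webfont.svg"  # hypothetical object path
    first = cdn.get("GET", path, {})
    second = cdn.get("GET", path, {"Origin": "https://qa.gameofshred.com"})
    return has_cors(first), has_cors(second)

if __name__ == "__main__":
    print("Origin dropped at the edge:  ", replay(False))  # (False, False)
    print("Origin forwarded and keyed:  ", replay(True))   # (False, True)
```

In the first run the cross-origin request is served the variant cached without CORS headers, which matches the browser response shown in the question; forwarding Origin to the bucket and keying the cache on it restores the headers.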
