带有选项请求的 AWS S3 CORS 403 错误 [英] AWS S3 CORS 403 Error with OPTIONS request

问题描述

我试图通过 ajax 请求访问驻留在 S3 中的 html 文件，但出现 403 错误.

I am trying to access a html file which reside in the S3 from an ajax request and I got 403 error.

我在网上阅读了 AWS，如果我这样做，我需要设置 AWS CORS 规则来修复 403 错误.

I read the AWS online that if I do such thing, I need to setup AWS CORS rules to fix the 403 error.

然而，我已经尝试了两天，我没有任何运气.这是我的 CORS 配置:

However, I have been trying two days and I don't have any luck. Here is my CORS configuration:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <ExposeHeader>XMLHttpRequest</ExposeHeader>
    <AllowedHeader>x-csrftoken</AllowedHeader>
 </CORSRule>
 </CORSConfiguration>

我的 HTTP 请求如下所示:

And my HTTP request looks like:

Accept  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language en-US,en;q=0.5
Access-Control-Request-He...    x-csrftoken
Access-Control-Request-Me...    GET
Connection  keep-alive
Host    xxxxxxxxx.cloudfront.net
Origin  http://localhost:8000
User-Agent  Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0

谁能帮我看看我错过了什么?

Can anyone help me to see what I have missed?

谢谢！

推荐答案

对于那些因 403 on OPTIONS request of cross origin s3 access 而没有找到他们想要的东西的人，也许我在这方面的经验会有所帮助.

For those who came here for 403 on OPTIONS request of cross origin s3 access and didn't find what they were looking for, perhaps my experience with this can help.

tldr;浏览器旨在将 origin 设置为 null 来自不同来源的 302 重定向

tldr; browsers are designed to set the origin to null on 302 redirects from a different origin

我还遇到了对存储桶上资源的预检请求的 CORS 问题，如果直接浏览该资源，则该资源可用.

I also experienced a CORS issue on the preflight request to a resource on a bucket, a resource which was otherwise available if browsed to directly.

我在存储桶上配置了 CORS，并带有正确的接受标头和来源.类似于以下内容.

I had CORS configured on the bucket with the proper accepted headers and origin. Something like the following.

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>http://localhost:8080</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>authorization</AllowedHeader>
</CORSRule>
</CORSConfiguration>

然后我收到了一个错误

Access to XMLHttpRequest at 'https://[REDACTED].s3.amazonaws.com/[REDACTED]?AWSAccessKeyId=[REDACTED]' (redirected from '[REDACTED]') from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

在检查请求标头后，很明显，一个可疑的事情是 Origin 的值为null".

After inspecting the request headers, it was clear that the one suspect thing was the Origin having a value of "null".

Access-Control-Request-Headers: authorization
Access-Control-Request-Method: GET
Origin: null
Referer: [REDACTED]
User-Agent: [REDACTED]

事实证明，由于安全问题，浏览器旨在将 origin 设置为 null 来自不同来源的 302 重定向.更多信息这里.

As it turns out, browsers are designed to set the origin to null on 302 redirects from a different origin due to security issues. More info here.

除了不进行重定向之外，没有解决此问题的方法.我不得不重新设计进行重定向的后端资源，以提供直接访问 s3 对象的链接.

There is no fix to this issue other than to not do a redirect. I had to redesign the backend resource that was doing a redirect to instead provide a link for direct access to the s3 bbject.

这篇关于带有选项请求的 AWS S3 CORS 403 错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！