Getting S3 CORS Access-Control-Allow-Origin to dynamically echo requesting domain


Question

How can I set the S3 CORS AllowedOrigin configuration such that it dynamically echos the requesting domain in the Access-Control-Allow-Origin header?

In the post, "CORS with CloudFront, S3, and Multiple Domains", it is suggested that setting AllowedOrigin to <AllowedOrigin>*</AllowedOrigin> does this. However, S3 returns Access-Control-Allow-Origin: * instead.

Access-Control-Allow-Origin: * does not work in my case as I am using image.crossOrigin = "use-credentials" in a JavaScript app. With this option, S3 returns Access-Control-Allow-Credentials: true. Cross origin access to the image then fails because using wildcard as the allowed origin in conjunction with credentials is not permitted.

Background for why this is needed:

In my setup, access to images on S3 has to go through our domain, where authentication is required to restrict access and check if an account is authorized to access the images. If it is, the server returns a 302 redirect to an S3 URL.

For the authentication to work, image.crossOrigin = "use-credentials" has to be set so that the request hits my server with the required credentials. (Incidentally, when I tested on Firefox 30.0 and Chrome 35.0.1916.153, if crossOrigin is set to anonymous, credentials are still sent. But not on Safari 7.0.4. Consistent cross-browser behavior could only be obtained using use-credentials.)

Because browsers transparently redirect to the S3 URL, credentials are also sent.

Recommended answer

AWS's CORS documentation does not document this, but I managed to get the answer in a thread on AWS Developer Forums, where I found that AWS changed the original behavior of echoing the requesting domain if * is being used for AllowedOrigin.

To get S3 to dynamically echo the requesting domain, AllowedOrigin has to be set as such:

<AllowedOrigin>http://*</AllowedOrigin>
<AllowedOrigin>https://*</AllowedOrigin>
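An added Python model (not code from the post or from AWS) of the behaviour the question and answer describe: it contrasts the bare `*` rule, the echoing `http://*`/`https://*` rule and a rule pinned to one domain, and shows why a credentialed image load fails with `*`. The single-wildcard matching semantics, the `CORS_*` rules and the sample origins are assumptions, not taken from the page.

```python
"""Model of the S3 CORS origin matching the answer describes and of the browser
check that rejects a wildcard origin on a credentialed request.
Assumptions (not from the page): AllowedOrigin holds at most one '*', which
matches any substring of the request Origin; a bare '*' rule is sent back as
a literal '*' while any other matching rule echoes the Origin."""

# Constructed rules: the one the question tried, the one from the answer, and a
# rule pinned to a single domain for comparison.
CORS_WEAK = {"AllowedOrigin": ["*"], "AllowedMethod": ["GET"]}
CORS_FIXED = {"AllowedOrigin": ["http://*", "https://*"], "AllowedMethod": ["GET"]}
CORS_STRICT = {"AllowedOrigin": ["https://app.example.com"], "AllowedMethod": ["GET"]}


def origin_matches(pattern, origin):
    """Match a request Origin against one AllowedOrigin value."""
    if pattern.count("*") > 1:
        raise ValueError("S3 permits only one * per AllowedOrigin")
    if "*" not in pattern:
        return pattern == origin
    prefix, suffix = pattern.split("*")
    return (len(origin) >= len(prefix) + len(suffix)
            and origin.startswith(prefix) and origin.endswith(suffix))


def s3_cors_headers(rule, origin, method="GET"):
    """Return the CORS headers S3 adds for this Origin, or {} when no rule matches."""
    if method not in rule["AllowedMethod"]:
        return {}
    for pattern in rule["AllowedOrigin"]:
        if pattern == "*":
            # A bare wildcard is returned literally, not echoed.
            return {"Access-Control-Allow-Origin": "*",
                    "Access-Control-Allow-Credentials": "true"}
        if origin_matches(pattern, origin):
            return {"Access-Control-Allow-Origin": origin,
                    "Access-Control-Allow-Credentials": "true"}
    return {}


def browser_accepts(headers, origin, credentials):
    """The check a browser applies to the response before exposing the image."""
    acao = headers.get("Access-Control-Allow-Origin")
    if credentials:
        # With credentials the Origin must be echoed exactly; '*' is rejected.
        return acao == origin and headers.get("Access-Control-Allow-Credentials") == "true"
    return acao in ("*", origin)


def image_loads(rule, origin, credentials=True):
    """True when an <img crossOrigin=...> from `origin` would load under `rule`."""
    return browser_accepts(s3_cors_headers(rule, origin), origin, credentials)
```

Note that the echoing rule matches every origin, so the bucket itself no longer restricts which sites get a credentialed response; pin the domain, as in `CORS_STRICT`, wherever the set of calling origins is known.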
