Amazon S3 CORS works with HTTP but not HTTPS
I can get Amazon S3 to pass CORS headers over HTTP, but not over HTTPS. How do I get this to work with both? What if we're using Akamai as a CDN?
Here's my bucket configuration:

<?xml version="1.0" encoding="utf-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>https://*</AllowedOrigin>
        <AllowedOrigin>http://*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

Here's my test. The only difference between these is that one uses HTTP and the other uses HTTPS. Both resources load fine in the browser, but I want to use them in a CORS setting over HTTPS.

pnore@mbp> curl -i -H "Origin: http://example.com" -H "Access-Control-Request-Method: GET" -H 'Pragma: no-cache' --verbose http://my.custom.domain/path/to/file/in/bucket | head -n 15
* adding handle: conn: 0x7fee83803a00
* adding handle: send: 0
* adding handle: recv: 0
* curl_addhandletopipeline: length: 1
* - conn 0 (0x7fee83803a00) send_pipe: 1, recv_pipe: 0
  % total % received % xferd average speed time time time current
  dload upload total spent left speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* connect() my.custom.domain port 80 (#0)
* trying 23.23.23.23...
* connected my.custom.domain (23.23.23.23) port 80 (#0)
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
> /path/to/file/in/bucket http/1.1
> user-agent: curl/7.30.0
> host: my.custom.domain
> accept: */*
> origin: http://example.com
> access-control-request-method:
> pragma: no-cache
>
< http/1.1 200 ok
< x-amz-id-2: random
< x-amz-request-id: random
< access-control-allow-origin: http://example.com
< access-control-allow-methods:
< access-control-max-age: 3000
< access-control-allow-credentials: true
< vary: origin, access-control-request-headers, access-control-request-method
< last-modified: tue, 10 jun 2014 15:34:38 gmt
< etag: "random"
< accept-ranges: bytes
< content-type: video/webm
< content-length: 8981905
* server amazons3 not blacklisted
< server: amazons3
< date: fri, 19 jun 2015 21:31:22 gmt
< connection: keep-alive
<
{ [data not shown]
http/1.1 200 ok
x-amz-id-2: random
x-amz-request-id: random
access-control-allow-origin: http://example.com
access-control-allow-methods:
access-control-max-age: 3000
access-control-allow-credentials: true
vary: origin, access-control-request-headers, access-control-request-method
last-modified: tue, 10 jun 2014 15:34:38 gmt
etag: "random"
accept-ranges: bytes
content-type: video/webm
content-length: 8981905
server: amazons3
date: fri, 19 jun 2015 21:31:22 gmt
...

pnore@mbp> curl -i -H "Origin: http://example.com" -H "Access-Control-Request-Method: GET" -H 'Pragma: no-cache' --verbose https://my.custom.domain/path/to/file/in/bucket | head -n 15
* adding handle: conn: 0x7fd24380c000
* adding handle: send: 0
* adding handle: recv: 0
* curl_addhandletopipeline: length: 1
* - conn 0 (0x7fd24380c000) send_pipe: 1, recv_pipe: 0
  % total % received % xferd average speed time time time current
  dload upload total spent left speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* connect() my.custom.domain port 443 (#0)
* trying 23.23.23.23...
* connected my.custom.domain (23.23.23.23) port 443 (#0)
* tls 1.2 connection using tls_rsa_with_aes_256_cbc_sha
* server certificate: my.custom.domain
* server certificate: geotrust ssl ca - g4
* server certificate: geotrust global ca
> /path/to/file/in/bucket http/1.1
> user-agent: curl/7.30.0
> host: my.custom.domain
> accept: */*
> origin: http://example.com
> access-control-request-method:
> pragma: no-cache
>
< http/1.1 200 ok
< x-amz-id-2:
< x-amz-request-id:
< last-modified: tue, 10 jun 2014 15:34:38 gmt
< etag: "random"
< accept-ranges: bytes
< content-type: video/webm
< content-length: 8981905
* server amazons3 not blacklisted
< server: amazons3
< date: fri, 19 jun 2015 21:31:29 gmt
< connection: keep-alive
<
{ [data not shown]
http/1.1 200 ok
x-amz-id-2:
x-amz-request-id:
last-modified: tue, 10 jun 2014 15:34:38 gmt
etag: "random"
accept-ranges: bytes
content-type: video/webm
content-length: 8981905
server: amazons3
date: fri, 19 jun 2015 21:31:29 gmt
connection: keep-alive
...

Note that the first request contains the desired Access-Control-Allow-Origin header, and the second does not.
I've tried <AllowedOrigin>*</AllowedOrigin>, and using different <CORSRule> blocks for each <AllowedOrigin>.
References I've checked:
- Getting S3 CORS Access-Control-Allow-Origin to dynamically echo requesting domain
- Amazon S3 CORS (Cross-Origin Resource Sharing) and Firefox cross-domain font loading
- AWS S3 bucket CORS configuration not saving properly
- http://blog.errorception.com/2014/11/enabling-cors-on-amazon-cloudfront-with.html
- Correct S3 + CloudFront CORS configuration?
- https://forums.aws.amazon.com/thread.jspa?messageid=377513
- How to configure SSL for Amazon S3 bucket
- HTTPS for Amazon S3 static website
- SSL on Amazon S3 as "static website"

I couldn't find documentation that explicitly mentioned it, but it appears that the CORS configuration for the bucket allows one <AllowedOrigin> per <CORSRule> element entry. You are allowed 100 <CORSRule> entries in your configuration. Therefore, in order for your configuration to support both HTTP and HTTPS, you should create two <CORSRule> entries, like so:

<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>https://*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>http://*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

FWIW, I have not tried it, but the configuration may also support a protocol-agnostic format, e.g. <AllowedOrigin>//*</AllowedOrigin>.
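
An added example, not part of the original question or answer and not AWS code: a simplified local evaluator for a CORSConfiguration, useful for checking which rule a given Origin header and method would select. It compares AllowedOrigin with the Origin header value rather than the scheme of the URL being fetched, so the two curl tests above, which both send Origin: http://example.com, select the same rule. The names `wildcard_match` and `matching_rule` are hypothetical, and AllowedHeader matching is left out.

```python
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Constructed sample: the two-rule configuration proposed in the answer.
CONFIG = """\
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>https://*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
  <CORSRule>
    <AllowedOrigin>http://*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>
"""

def wildcard_match(pattern, value):
    """Literal match, or prefix/suffix match around a single '*' wildcard."""
    if "*" not in pattern:
        return pattern == value
    prefix, suffix = pattern.split("*", 1)
    return (len(value) >= len(prefix) + len(suffix)
            and value.startswith(prefix) and value.endswith(suffix))

def matching_rule(config_xml, origin, method):
    """Return the 1-based index of the first CORSRule that matches, else None."""
    root = ET.fromstring(config_xml)
    for index, rule in enumerate(root.findall("s3:CORSRule", NS), start=1):
        origins = [e.text.strip() for e in rule.findall("s3:AllowedOrigin", NS)]
        methods = [e.text.strip() for e in rule.findall("s3:AllowedMethod", NS)]
        if method in methods and any(wildcard_match(p, origin) for p in origins):
            return index
    return None

if __name__ == "__main__":
    # The Origin value from the curl tests, plus its HTTPS counterpart.
    for origin in ("http://example.com", "https://example.com"):
        print(origin, "-> rule", matching_rule(CONFIG, origin, "GET"))
```

Patterns such as `http://*` and `https://*` match every web origin, so together they are as permissive as a bare `*`.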