Allow all origins for presigned URL

[duynguyen]

One of the biggest advantages of presigned URL for files is to allow uploading files directly from the client / browser. The client could be the Firefly SPA (React spectrum) or a 3rd party site. However, it is currently not possible to make fetch requests from client-side javascript to the presigned URL (on storage CDN: https://firefly.azureedge.net/) due to CORS blocking.

const response = await fetch(
  url,
  {
    method: 'PUT',
    body: file,
    headers: {
      'Content-Type': 'image/png'
    }
  }
)

Expected Behaviour

The file should be uploaded to the presigned URL.

Actual Behaviour

Access to fetch at 'https://firefly.azureedge.net/...' from origin 'https://my-namespace.adobeio-static.net' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

[aiojbot]

JIRA issue created: https://jira.corp.adobe.com/browse/ACNA-1159

[shelly-goel]

Is there any update on this issue? Can this be expedited please? We need it on priority.

[meryllblanchet]

Hi @shellygoelisobar , we are still evaluating the request and will not expedite anything until that.
Behind this ask there are underlying implications that we want and need to assess first.

What is the concrete use-case behind the request, and have you evaluated any possible workaround meanwhile?

cc @sarahxxu

[shelly-goel]

@meryllblanchet
The use case is we need to do a file upload to an external api from firefly app and if we use presigned URL to initially upload the file to it , we're getting CORS and completely blocked. There's no other alternative for file upload functionality and so we would like to expedite this.

[meryllblanchet]

@shellygoelisobar this is already part of the technical solution to me.
What about uploading the images via an I/O Runtime action directly? This shouldn't be any issue if the files are compatible with Runtime's payload limitations of 1 MB.

If we speak about larger files, I am afraid that you might consider aio-lib-files as a content storage or repository, which is not what we have designed it for - rather for files computation needs, e.g. Asset Compute Microservices.

[shelly-goel]

@meryllblanchet We get a server error on uploading directly through the runtime action and seems like the file is lost even though smaller than 1MB size. Let me give it a try again and come back to you.

[meryllblanchet]

@shellygoelisobar, let's also ping @duynguyen in case you need some more feedback related to the issue you're facing.

[honstar]

@meryllblanchet : we have a different use-case where we want previously uploaded files via aio-lib-files to be retrievable client-side using corresponding presigned URLs. We're running into the same CORS error as mentioned in the original comment.

[amol-anand]

Same issue as other posters.. What's the latest on this?

Response size of 1 MB is not enough - so we can use presigned urls instead. But CORS prevents us from using presigned urls. So how do I get access to the contenst of my file (if >1MB)? At that point, what is the purpose of presigned urls anyways if you cannot access it outside the app builder ecosystem like within another action?

[arjuncooliitr]

Hi @amol-anand,
We recently allowed a few domains for CORS to support multiple use cases. Can you share the domains that you want to access pre-signed URLs from?
cc: @pru55e11