-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(aws-apigateway): CORS list always picks first element #30453
Comments
Hi @pviolette3 , thanks for reporting this and sharing the detailed steps for Repro. I can confirm that it always picks the first element as I tested with these parameters and it was dafaulted to localhost
in Typescript language- |
Seems to be related to #25923 |
@khushail / @pviolette3
NOTE:Both the testing was done from Console, In Console, Testing is case sensitive. For the same URL, When tested with CURL, Giving spaces doesn't make any issue. But in Console-UI, on Integration Response Tab, providing headers with space affects this Expected output. (Look for spaces below). In CURL, it working as expected without any issue.
But when same is tested in UI, it shows different response.
In Short, I feel, this particular functionality is working as it intended (and needs to be). Please correct me / give me exact details to reproduce.When I tried by myself, I can see, When When Present
When Not present
TS Code
|
Thanks for the research @stm29! You figured it out exactly. It's not entirely clear from the UI, but the API Gateway console expects no space between header name and header value: This means that if you do include a space:
That the value of the This is not the behavior of the HTTP protocol, where the spaces are stripped, so it will work properly there. That the console doesn't behave the way HTTP behaves can be considered surprising. I recommend you report this as a bug to the API Gateway team (for example by using the Feedback button at the bottom of the screen). Closing this issue as a non-issue. |
Comments on closed issues and PRs are hard for our team to see. |
Describe the bug
When specifying a list of
allowed_origins
to the RestApi;sdefault_cors_preflight_options
then we always get back the first element of the list when the API runs the preflight OPTIONS method. Even though the mapping template looks like it would correctly allow the specified list of origins, the header seems to override the mapping template so the mapping template is not used.Expected Behavior
CORS preflight should return the origin from the request, not the hard-coded header, when the header matches the mapping template.
Current Behavior
The Access-Control-Allow-Origin is hard-coded to the first element of the list, and doesn't seem to run the mapping template.
Example from the console
with the response
Possibly buggy code:
https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-apigateway/lib/resource.ts#L214-L217
Reproduction Steps
Deploy this API. Then use the OPTIONS request tester with the following headers.
You will get back
Access-Control-Allow-Origin: http://locahost:8080
and not the origin from the request (https://google.com)Possible Solution
Remove this code to set the header if the user has passed in a list of origins.
This code will work by accident if the user passes
["*"]
because that will set theAccess-Control-Allow-Origin
header to*
but it will not work for a hard-coded list where the first element islocalhost:8080
https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-apigateway/lib/resource.ts#L214-L217
Additional Information/Context
No response
CDK CLI Version
2.144.0 (build 5fb15bc)
Framework Version
No response
Node.js Version
v20.12.0
OS
WSL ( 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux)
Language
Python
Language Version
aws-cdk-lib==2.138.0
Other information
No response
The text was updated successfully, but these errors were encountered: