[Hidden-tech] Problems with AWS API and CORS

David Marshall marshall62 at gmail.com
Mon Jun 8 17:54:01 UTC 2020


Typically you need to alter your server API so that it handles CORS
requests correctly.
For example with a Python/Flask REST API I defined:

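from flask_cors import CORS  # Flask-CORS extension

# app is the existing Flask application; CORS_WHITELIST lists the allowed origins
CORS(app, resources={
    r"/rest/*": {"origins": app.config['CORS_WHITELIST'],
                 "supports_credentials": True},
    r"/api/*": {"origins": app.config['CORS_WHITELIST'],
                "supports_credentials": True},
})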


This allows requests with URIs of /rest or /api to be accepted from a
different origin than the server.

I do remember reading that some of the Javascript functions have
various levels of CORS support. There's a full discussion of how to do
it with XMLHttpRequest here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

I've done it with the Fetch API like:

// url is the cross-origin API endpoint
fetch(url, {
    method: 'get',
    mode: 'cors',
    credentials: 'include'  // send cookies with the cross-origin request
  }).then(x => x.json())
  .then(json => console.log("JSON in response to GET is ", json));


I struggled for a while with this on Heroku.  It is important that you
verify that your server side API is going to allow your requests
coming from your Javascript origin.




On Mon, Jun 8, 2020 at 11:58 AM Rich at tnr via Hidden-discuss <
hidden-discuss at lists.hidden-tech.net> wrote:

> I've seen this problem when trying to get images using javascript, the
> answer tends to be add the option no-cors.
> I've done it using fetch - don't see that xhttp has the option, like this:
>
> options = {
>     method: 'GET', mode: 'no-cors' };
>
> fetch(url, options).then(response => response.blob())
>
>                ......
>
> However since you are saying it's a server you control at AWS then more
> specific detail is needed to be more help.
> Esp since there are many AWS services, which one is important.
>
> Here is a more detailed explanation of cors itself, which I'll guess
> you've already seen:
> https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
>
> Rich
> On 6/8/2020 10:34 AM, Alan Frank via Hidden-discuss wrote:
>
> Hi,
>
> I am a newbie with AWS (learning it via acloudguru.com, where I posted my
> question a few days ago and have gotten no responses) and am running into
> problems with CORS; specifically, I am getting an error when my JS code
> attempts to call my API: "Access to XMLHttpRequest at 'https://<redacted>.
> execute-api.us-east-1.amazonaws.com/default' from origin '
> https://s3.amazonaws.com' has been blocked by CORS policy: No
> 'Access-Control-Allow-Origin' header is present on the requested resource."
>
> There is a huge amount of information out there, but most of it appears to
> be either irrelevant or over my head.  I did figure out that I might be
> able to look at an access log to see what is going on.  I found the
> instructions on setting this up (
> https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html#set-up-access-logging-using-console),
> but they tell me to "Sign in to the API Gateway console, select an API,
> choose Settings from the primary navigation panel, and enter an ARN in
> CloudWatch log role ARN."  However, this field does not seem to exist.  I
> have provided this feedback to AWS, but am not expecting a timely response.
>
> I'd be grateful for any help.
>
> --Alan
> _______________________________________________
> Hidden-discuss mailing list - home page: http://www.hidden-tech.net
> Hidden-discuss at lists.hidden-tech.net
>
> You are receiving this because you are on the Hidden-Tech Discussion list.
> If you would like to change your list preferences, Go to the Members
> page on the Hidden Tech Web site.
> http://www.hidden-tech.net/members
>
> --
> Rich Roth
> CEO TnR Global
>
> Bio and personal blog: http://rizbang.com
> Building the really big sites:      http://www.tnrglobal.com
> Small/Soho business in the PV:        http://www.hidden-tech.net
> Places to meet for business:        http://www.meetmewhere.com
> And for relaxation:        http://www.welovemuseums.com
>      http://www.artonmytv.com/
> Helping move the world:             http://www.earththrives.com
>


-- 
David Marshall
http://davidmarshall.us
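
Added example (not part of the original message, and not the Flask-CORS implementation): a framework-neutral sketch of the two checks discussed in this thread, the server choosing CORS headers from an origin whitelist with credentials enabled, and the browser deciding whether script may read the response. The origins, ALLOWED_ORIGINS and both function names are constructed for illustration.

```python
# Constructed allowlist; plays the role of app.config['CORS_WHITELIST'] above.
ALLOWED_ORIGINS = {"https://app.example.com"}


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Server side: CORS response headers for a credentialed request."""
    if origin not in allowed:
        return {}  # no CORS headers, so the browser refuses the read
    return {
        # Echo the exact origin; "*" is rejected when credentials are sent.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Stop shared caches from reusing one origin's headers for another.
        "Vary": "Origin",
    }


def browser_allows(origin, headers, credentials):
    """Browser side: does the response pass the CORS check for this origin?"""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    acao = h.get("access-control-allow-origin")
    if acao is None:
        # The case reported in the thread: "No 'Access-Control-Allow-Origin'
        # header is present on the requested resource."
        return False
    if credentials:  # fetch(url, {mode: 'cors', credentials: 'include'})
        return acao == origin and h.get("access-control-allow-credentials") == "true"
    return acao in ("*", origin)


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://other.example.net"):
        hdrs = cors_headers(origin)
        print(origin, "->", browser_allows(origin, hdrs, credentials=True), hdrs)
    wildcard = {"Access-Control-Allow-Origin": "*"}
    print("wildcard + credentials ->",
          browser_allows("https://app.example.com", wildcard, credentials=True))
```

The wildcard case is the one that most often surprises: a response with `Access-Control-Allow-Origin: *` is readable for an anonymous request but is rejected as soon as the client sets `credentials: 'include'`.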