[Hidden-tech] Problems with AWS API and CORS

Jeff Brand jeff at deltafactory.com
Mon Jun 8 18:00:58 UTC 2020


The documentation around CORS is wildly complex. The short version:

Certain types of page elements require "permission" from the third party resource (the XHR target) in order to use their data. The page on which the script is called/referenced is the Origin. The fix is to add the header to the API response, either within the code or within the API endpoint handler (if that's an option - I don't recall.)

Access-Control-Allow-Origin: *

The browser sees the header when making the XHR request and knows that the answer is * = Anybody. This is all that's needed for the remote resource (your API) to "grant" access to the origin (the page being rendered by your browser, hosted at the S3 domain.)

If you would like to whitelist a specific domain, then you could respond with that domain instead of *. Allowing a limited set of multiple domains would require a little more dev.
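The "a little more dev" case, as an added example that is not code from the original post: a Node.js Lambda-proxy style handler that echoes the request's Origin only when it is on a fixed allow-list, instead of answering with *. The origin values and the event shape are assumptions made for illustration.

```javascript
// Added example (not from the original post): scoped CORS for an API that
// allows a limited set of origins rather than the wildcard "*".
// The allow-list entries below are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://static-site.s3-website-us-east-1.amazonaws.com",
]);

// Compare the Origin header exactly (scheme, host and port). Substring or
// regex matching is a frequent weakness: "https://app.example.com.evil.test"
// contains "app.example.com" but is a different origin.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) {
    // Not allowed: send no Access-Control-Allow-Origin header at all, so the
    // browser refuses to hand the response to the calling page's script.
    return {};
  }
  return {
    // Echo the specific origin instead of "*" so the grant is scoped to it.
    // (A "*" is also rejected by browsers when credentials are allowed.)
    "Access-Control-Allow-Origin": requestOrigin,
    // The response now depends on the Origin header; without Vary a shared
    // cache could replay one origin's grant to a different origin.
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
  };
}

// Lambda-proxy style handler (assumed event shape): the OPTIONS preflight
// gets the CORS headers with an empty body, real requests get them merged
// onto the normal JSON response.
function handler(event) {
  const hdrs = event.headers || {};
  const origin = hdrs.origin || hdrs.Origin || "";
  const headers = corsHeaders(origin);
  if (event.httpMethod === "OPTIONS") {
    return { statusCode: 204, headers, body: "" };
  }
  return {
    statusCode: 200,
    headers: { "Content-Type": "application/json", ...headers },
    body: JSON.stringify({ ok: true }),
  };
}
```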
