ampproject / wg-amp4email

Responsible for the AMP4Email project. Facilitator: @nainar
Creative Commons Attribution 4.0 International

Null origin header during amp-list and amp-form requests from Yahoo Mail #24

Closed stephenmorrell closed 3 years ago

stephenmorrell commented 3 years ago

My amp-list and amp-form requests from Yahoo Mail are failing and I believe the issue is related to the Origin HTTP header on the request being null. The status of the calls in my browser's network tab read "Cross-Origin Resource Sharing error: InvalidAllowCredentials".

According to AMP's documentation on CORS, the value of the Origin header must be included in the Access-Control-Allow-Origin HTTP response header. I'm assuming the call is designed to fail when that response header's value is null. Both versions of the mechanism are being supported server-side per the documentation. I believe Yahoo Mail is using version 1 because they are not setting an AMP-Email-Sender header during the request. Additionally, they are setting an Origin header and a __amp_source_origin query string on the URL. The Origin header is null but the __amp_source_origin query string value is https%3A%2F%2Fmail.yahoo.com.

It's worth noting this same AMP email works without issue in Gmail, including the amp-list and amp-form calls.

Any advice on this topic would be greatly appreciated.

stephenmorrell commented 3 years ago

Adding Access-Control-Allow-Credentials to true in the response fixed this issue for both Yahoo and Aol Mail. I don't see this mentioned in the documentation so it might be worth adding to save someone else the trouble.
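
The request shape described in this thread (Origin: null with __amp_source_origin in the query string, or an AMP-Email-Sender header) can be handled by one server-side check, sketched here as an added example that is not code from the issue author or the AMP project. AMP-Access-Control-Allow-Source-Origin and AMP-Email-Allow-Sender are the response headers named in AMP's CORS documentation; the function name, the allowlist contents and the sender address are assumptions.

```javascript
// Added example. Allowlist values are constructed; only https://mail.yahoo.com
// appears in the issue above.
const POLICY = {
  origins: new Set(['https://mail.yahoo.com']),        // accepted Origin values
  sourceOrigins: new Set(['https://mail.yahoo.com']),  // accepted __amp_source_origin
  senders: new Set(['news@sender.example']),           // accepted AMP-Email-Sender
};

// Returns the response headers to set, or null when the request must be
// refused (respond 403 and set no CORS headers).
function ampEmailCorsHeaders(req, policy = POLICY) {
  const h = {};
  for (const [k, v] of Object.entries(req.headers)) h[k.toLowerCase()] = v;

  // Version 2: the client identifies the message by sender address.
  if (h['amp-email-sender'] !== undefined) {
    const sender = h['amp-email-sender'];
    return policy.senders.has(sender) ? { 'AMP-Email-Allow-Sender': sender } : null;
  }

  // Version 1: Origin header plus __amp_source_origin query parameter.
  const origin = h['origin'];
  const source = new URL(req.url, 'https://endpoint.invalid')
    .searchParams.get('__amp_source_origin'); // already percent-decoded
  if (origin === undefined || source === null) return null;
  if (!policy.sourceOrigins.has(source)) return null;

  // "null" is what every opaque origin (for example a sandboxed frame) sends,
  // so it is echoed only alongside an allowlisted source origin and is never
  // treated as proof of who is calling.
  if (origin !== 'null' && !policy.origins.has(origin)) return null;

  return {
    'Access-Control-Allow-Origin': origin,        // "null" is echoed literally
    'Access-Control-Allow-Credentials': 'true',   // the header the fix added
    'Access-Control-Expose-Headers': 'AMP-Access-Control-Allow-Source-Origin',
    'AMP-Access-Control-Allow-Source-Origin': source,
    'Vary': 'Origin',
  };
}
```

Neither Origin: null nor the __amp_source_origin query parameter authenticates the caller, so an endpoint that answers such requests with Access-Control-Allow-Credentials: true should base authorization on something other than ambient cookies.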