aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0
11.68k stars 3.93k forks

(aws-cloudfront): Cannot set header which includes 'authorization' in origin request policy #15286

Closed 5t111111 closed 3 years ago

5t111111 commented 3 years ago

CloudFront origin request policies prevent the Authorization header, but CDK prevents you from setting headers which include authorization in their values as well.

That means that in some situations you are not able to set required headers, for example the x-wp-access-authorization header required on a WordPress site. This should be an unexpected CDK issue because you can set them on the management console.

Reproduction Steps

  1. Create a new cloudfront.OriginRequestPolicy with *-authorization-* in its headerBehavior's allowList
  2. Deploy it and you see the error "you cannot pass Authorization or Accept-Encoding as header values; use a CachePolicy to forward these headers instead"

What did you expect to happen?

What actually happened?

Environment

Other

This problem occurs because of this regexp matching:

https://github.com/aws/aws-cdk/blob/4330fe82f6200499dae8fd614679eeac0db67f0b/packages/%40aws-cdk/aws-cloudfront/lib/origin-request-policy.ts#L187-L189


This is :bug: Bug Report
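The over-matching described in this report, as an added example that is not part of the original issue and is not the aws-cdk source: an unanchored, case-insensitive pattern rejects any header whose name merely contains a reserved name, while a whole-name comparison keeps the guard on Authorization and Accept-Encoding without blocking custom headers. The function names and the sample allow list are hypothetical and constructed for illustration; only the error text is taken from the report.

```typescript
// Added illustration; function names and sample data are hypothetical.
const RESERVED_HEADERS: string[] = ['authorization', 'accept-encoding'];

// Substring check: flags every header whose name contains a reserved name
// anywhere, which is the behaviour the report describes.
function rejectedBySubstringMatch(headers: string[]): string[] {
  return headers.filter(
    (h) => /authorization/i.test(h) || /accept-encoding/i.test(h),
  );
}

// Whole-name check: HTTP header names are case-insensitive, so normalise
// the name and compare it in full against the reserved list.
function rejectedByExactMatch(headers: string[]): string[] {
  return headers.filter(
    (h) => RESERVED_HEADERS.indexOf(h.trim().toLowerCase()) !== -1,
  );
}

// Validator built on the whole-name check. The message is the error text
// quoted in the reproduction steps.
function validateAllowList(headers: string[]): void {
  const rejected = rejectedByExactMatch(headers);
  if (rejected.length > 0) {
    throw new Error(
      'you cannot pass Authorization or Accept-Encoding as header values; ' +
        'use a CachePolicy to forward these headers instead ' +
        `(rejected: ${rejected.join(', ')})`,
    );
  }
}

// Constructed sample allow list: two custom headers that only contain the
// word, two reserved headers in mixed case, and one unrelated header.
const sampleAllowList: string[] = [
  'x-wp-access-authorization',
  'x-authorization-token',
  'Authorization',
  'ACCEPT-ENCODING',
  'X-Custom-Header',
];

// Headers the substring check blocks that the whole-name check would allow.
function falsePositives(headers: string[]): string[] {
  const exact = rejectedByExactMatch(headers);
  return rejectedBySubstringMatch(headers).filter(
    (h) => exact.indexOf(h) === -1,
  );
}
```
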

njlynch commented 3 years ago

Thanks for the bug report!

I've created a quick fix for this here: https://github.com/aws/aws-cdk/pull/15327
