Closed strogonoff closed 4 years ago
If it’s deployed does it go away?
I believe this will be the case even if site is deployed to a proper domain and API is deployed on a subdomain within that domain, and a header probably has to be returned anyway.
This can probably be done either on Lambda@Edge level or on Ruby level
No, it is not deployed to sub domain for now, I am working on it It can be done on API Gateway level @ronaldtse
@phuonghuynh can you help deploy it to subdomain? We need this done ASAP..
Just to clarify, deployment to a subdomain will not help with the CORS error. If CORS headers are returned, though, it doesn’t matter where it is deployed. Sorry if my previous comment was vaguely phrased
The quickest fix to address it right now should be to just return Access-Control-Allow-Origin: * with all API responses
(And possibly Access-Control-Allow-Methods: POST, GET, OPTIONS)
We still need to deploy to a subdomain because www.interscript.com points to the s3 bucket. In any case, CORS header needs to be supplied.
Sure. It doesn’t matter where it points though, from user perspective it should work
@phuonghuynh, ping—let’s return CORS headers with API response (this is an issue that prevents this API from being called from client-side browser JS)
@strogonoff fixed now, bellow is testing cURL cmd return 200.
API_URL="https://api.interscript.com"
curl -XPOST ${API_URL} \
-H 'Origin: http://sample.com' \
-H "Access-Control-Request-Method: POST" \
--verbose \
--data-raw '{transliterate(systemCode: "bgnpcgn-arm-Armn-Latn-1981", input: "Հայերէն")}'
@phuonghuynh can you limit CORS to only allow www.interscript.com
? Thanks.
@ronaldtse done, rite now, it is hard-code in lambda ruby api
curl -i -X OPTIONS https://api.interscript.com \
-H 'Access-Control-Request-Method: POST' \
-H 'Access-Control-Request-Headers: Content-Type, Accept' \
-H 'Origin: https://www.interscript.com'
@phuonghuynh are we using API Gateway with Lambda? https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-lambda.html
CORS is definitely an infrastructure configuration thing, not a code thing.
We should use terraform to set the CORS headers using API Gateway: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-cors.html
Yes, but proxy to lambda requires lambda functions also response cors header.
But API gateway allows setting CORS headers? https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-cors.html
Thanks, works. It restricts origin to interscript.com so I can’t test it from localhost easily (dev environment requires Host to be “localhost” so I can’t just set an entry in /etc/hosts) but that’s fine for now
@ronaldtse yes, our gateway implemented a mock to response to OPTIONS request (preflight) ; due to AWS document, lambda proxy is required to return CORS also
https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-cors.html
Enabling CORS support for Lambda or HTTP proxy integrations For a Lambda proxy integration or HTTP proxy integration, you can still set up the required OPTIONS response headers in API Gateway. However, your backend is responsible for returning the Access-Control-Allow-Origin and Access-Control-Allow-Headers headers, because a proxy integration doesn't return an integration response.
@strogonoff could we use proxy config in webpack? https://webpack.js.org/configuration/dev-server/#devserverproxy ,
I did not use it but there is a proxy feature in Angular could solve this issue, https://angular.io/guide/build#proxying-to-a-backend-server
It’d be definitely possible to work around dev server limitation, webpack or not.
(CORS could whitelist localhost as well, but not strictly necessary)
On 13 Aug 2020, at 3:50 AM, phuong notifications@github.com wrote:
@strogonoff could we use proxy config in webpack? https://webpack.js.org/configuration/dev-server/#devserverproxy ,
I did not use it but there is a proxy feature in Angular could solve this issue, https://angular.io/guide/build#proxying-to-a-backend-server
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.
Here is an error I get when accessing the “list codes” endpoint from browser:
The server probably just needs to pass “Access-Control-Allow-Origin” in response. For now it’d be nice if it was a wildcard (in future it could be limited to “interscript.com”).
cURL equivalent of browser request (this works from Terminal, which does not do CORS checks):