When using the `REFLECT_ORIGIN` CORS setting, the `Origin` request header needs to be part of CloudFront's cache key to prevent different origins getting each other's CORS responses.
The better way to handle this would be with a `viewer-response` function, but since we currently allow those to be configurable at deploy time, overriding that would be a breaking change. We can consider that for a future major release.
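The failure described above, modelled as an added example that is not part of this change or the project's code: an in-memory edge cache in front of a backend that reflects `Origin`, run once with a path-only cache key and once with `Origin` in the key. The function names and the `a.example` / `b.example` sites are constructed for illustration.

```javascript
// Added example: a minimal in-memory model of an edge cache, not CloudFront itself.
// originServer, makeEdgeCache, corsAllowed and run are hypothetical names.

// Backend with a reflect-origin CORS policy: echoes the request's Origin header.
function originServer(request) {
  const origin = request.headers.origin;
  const headers = origin ? { "access-control-allow-origin": origin } : {};
  return { status: 200, headers, body: `content of ${request.path}` };
}

// Edge cache whose key is the path plus the listed request headers.
function makeEdgeCache(keyHeaders) {
  const store = new Map();
  let originFetches = 0;
  return {
    fetch(request) {
      const key = JSON.stringify([
        request.path,
        ...keyHeaders.map((h) => request.headers[h] ?? null),
      ]);
      if (!store.has(key)) {
        originFetches += 1; // cache miss: ask the backend and store its answer
        store.set(key, originServer(request));
      }
      return store.get(key);
    },
    get originFetches() { return originFetches; },
  };
}

// Browser-side check: a response is readable only if the allowed origin matches the page's.
function corsAllowed(request, response) {
  return response.headers["access-control-allow-origin"] === request.headers.origin;
}

function run(keyHeaders) {
  // Constructed sample requests: two sites fetching the same path.
  const siteA = { path: "/api/items", headers: { origin: "https://a.example" } };
  const siteB = { path: "/api/items", headers: { origin: "https://b.example" } };
  const cache = makeEdgeCache(keyHeaders);
  const first = cache.fetch(siteA);
  const second = cache.fetch(siteB);
  return {
    siteA: corsAllowed(siteA, first),
    siteB: corsAllowed(siteB, second),
    siteBAllowOrigin: second.headers["access-control-allow-origin"],
    originFetches: cache.originFetches,
  };
}
console.log({ pathOnly: run([]), pathAndOrigin: run(["origin"]) });
```

With the path-only key the second site is served the first site's cached `Access-Control-Allow-Origin` and its browser rejects the response; adding `Origin` to the key fixes that at the cost of one cached copy per requesting origin.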