samvera / serverless-iiif

IIIF Image API 2.1 & 3.0 server in an AWS Serverless Application
https://samvera.github.io/serverless-iiif/
Apache License 2.0

CloudFront caching interfering with CORS responses #111

Closed mbklein closed 11 months ago

mbklein commented 1 year ago

When the CorsAllowOrigin setting is set to REFLECT_ORIGIN and CloudFront caching is enabled, the first Origin to request a particular resource causes the Access-Control-Allow-Origin response header to be cached, causing CORS errors for any other origin that tries to request the same resource.

Two possible solutions come to mind, but both introduce breaking changes:

In the end, the best compromise solution might be (pseudocode):

if CorsAllowOrigin == "REFLECT_ORIGIN" && CachePolicyID == DEFAULT
  create CorsCachePolicy that includes the Origin in the cache key
  use CorsCachePolicy ID as the default behavior's cache policy
else
  use CachePolicyID  as the default behavior's cache policy
end

Then we just need to update the documentation to stress that, if using a non-default cache policy and REFLECT_ORIGIN, the cache policy must include the Origin request header as part of the key.
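To make the failure mode concrete, here is an added Python simulation (not code from the serverless-iiif project): a tiny edge cache stands in for CloudFront, a handler that reflects the Origin request header stands in for the Lambda under CorsAllowOrigin=REFLECT_ORIGIN, and the cache key function stands in for the cache policy. All names, the request/response types and the sample origins are constructed for the example. It also includes a small check that mirrors the documentation rule above: given a policy config in the shape of CloudFront's ParametersInCacheKeyAndForwardedToOrigin.HeadersConfig, REFLECT_ORIGIN is only safe when Origin is whitelisted into the key.

```python
"""Constructed simulation of CloudFront caching a reflected CORS header.

Not serverless-iiif code. The cache key function plays the role of a
CloudFront cache policy; the handler plays the role of the image Lambda
running with CorsAllowOrigin=REFLECT_ORIGIN.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

REFLECT_ORIGIN = "REFLECT_ORIGIN"


@dataclass
class Request:
    path: str
    origin: Optional[str]  # value of the Origin request header, None if absent


@dataclass
class Response:
    status: int
    headers: Dict[str, str]


def origin_handler(req: Request, cors_allow_origin: str) -> Response:
    """Origin side: build the image response and its CORS header."""
    headers = {"Content-Type": "image/jpeg"}
    if cors_allow_origin == REFLECT_ORIGIN:
        if req.origin:  # a same-origin request carries no Origin header
            headers["Access-Control-Allow-Origin"] = req.origin
    else:
        headers["Access-Control-Allow-Origin"] = cors_allow_origin
    return Response(200, headers)


CacheKey = Tuple[str, ...]


def key_path_only(req: Request) -> CacheKey:
    """Default-style policy: Origin is NOT part of the cache key."""
    return (req.path,)


def key_path_and_origin(req: Request) -> CacheKey:
    """The CorsCachePolicy idea from the issue: Origin IS part of the key."""
    return (req.path, req.origin or "")


@dataclass
class EdgeCache:
    """Minimal edge cache: one stored response per cache key."""
    key_fn: Callable[[Request], CacheKey]
    cors_allow_origin: str = REFLECT_ORIGIN
    store: Dict[CacheKey, Response] = field(default_factory=dict)
    origin_fetches: int = 0

    def fetch(self, req: Request) -> Response:
        key = self.key_fn(req)
        if key not in self.store:
            self.origin_fetches += 1
            self.store[key] = origin_handler(req, self.cors_allow_origin)
        return self.store[key]


def allowed_origin_seen_by(edge: EdgeCache, path: str,
                           origins: List[Optional[str]]) -> List[Optional[str]]:
    """Serve one path to several callers in order and report the
    Access-Control-Allow-Origin value each of them receives."""
    return [edge.fetch(Request(path, o)).headers.get("Access-Control-Allow-Origin")
            for o in origins]


def cache_policy_includes_origin(policy: dict) -> bool:
    """Does a CloudFront-style cache policy config whitelist the Origin
    request header into the cache key? (shape follows CachePolicyConfig's
    ParametersInCacheKeyAndForwardedToOrigin.HeadersConfig; the check itself
    is constructed for this example)"""
    hdrs = (policy.get("ParametersInCacheKeyAndForwardedToOrigin", {})
                  .get("HeadersConfig", {}))
    if hdrs.get("HeaderBehavior") != "whitelist":
        return False
    return "Origin" in hdrs.get("Headers", [])


def policy_is_safe_for(cors_allow_origin: str, policy: dict) -> bool:
    """The documentation rule from the issue: with REFLECT_ORIGIN the cache
    policy must include the Origin request header in the key; a fixed
    allow-origin value is safe with any policy."""
    if cors_allow_origin != REFLECT_ORIGIN:
        return True
    return cache_policy_includes_origin(policy)


if __name__ == "__main__":
    path = "/iiif/2/sample/full/max/0/default.jpg"  # constructed path
    callers = ["https://a.example", "https://b.example"]
    print("path-only key:   ", allowed_origin_seen_by(EdgeCache(key_path_only), path, callers))
    print("path+Origin key: ", allowed_origin_seen_by(EdgeCache(key_path_and_origin), path, callers))
```

With the path-only key the second caller receives the first caller's origin in Access-Control-Allow-Origin and the browser rejects the response; the worst variant is a same-origin request (no Origin header) being cached first, after which every cross-origin caller gets no CORS header at all. Keying on path and Origin costs one origin fetch per distinct Origin, which is the trade the issue accepts.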

mbklein commented 11 months ago

With the CloudFront enabled version being deprecated, this is now an issue for implementers. It might be something to document, but not something we can address directly.