I have tried using CORS with allowCredentials=true. The problem is that if I use the credentials=include option on the client side, I get an error message: “Failed to load https://service.domain.com/url/url2: Response to preflight request doesn’t pass access control check: The value of the ‘Access-Control-Allow-Origin’ header in the response must not be the wildcard ‘*’ when the request’s credentials mode is ‘include’. Origin ‘https://domain.com’ is therefore not allowed access.”
It seems like serverless hard-codes the wildcard ‘*’ for the preflight requests in the AWS Gateway Method. But for secure cross-origin requests, the header cannot be a wildcard. My config for the function:
Not really. I decided not to use cookies for my use case. I think you may work around it by specifying origin to be your domain if you have a single domain (instead of origin: '*'). In general, I’d suggest not using serverless’ API Gateway integration if you need fine-grained control over CORS. It’s better to use a Lambda to respond to the OPTIONS request and respond with dynamic origins.
But if you’d need to allow credentials for any origin, serverless cannot do that for you (AFAIK). In that case you need to handle the OPTIONS request yourself and set the Access-Control-Allow-Origin to the same value as the request’s Origin header. Remember to set all other CORS headers as well.
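As an added example (not code from the thread or from the Serverless project), here is a Node.js Lambda proxy handler for the OPTIONS route that sets the CORS headers itself. It assumes the origins `https://domain.com` and `https://app.domain.com` as a constructed allow-list; unlike echoing whatever Origin arrives, it only reflects origins on that list, because `Access-Control-Allow-Credentials: true` combined with a reflected arbitrary origin would let any site send the user's cookies to the API.

```javascript
// Constructed allow-list: only these origins may make credentialed requests.
const ALLOWED_ORIGINS = new Set([
  "https://domain.com",
  "https://app.domain.com",
]);

// CORS headers for one request. Returns null when the Origin is not allowed,
// so the caller can answer without any Access-Control-* headers at all.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin, // exact origin, never '*'
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET,OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type,Authorization",
    "Access-Control-Max-Age": "600",
    "Vary": "Origin", // keep shared caches from serving one origin's reply to another
  };
}

// Case-insensitive header lookup; API Gateway forwards header names as the client sent them.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === wanted);
  return key ? headers[key] : undefined;
}

// Build the preflight response for an API Gateway proxy event (synchronous, testable).
function preflightResponse(event) {
  const origin = getHeader(event.headers, "origin");
  const headers = corsHeaders(origin);
  if (!headers) {
    // Unknown origin: no Access-Control-Allow-Origin is returned, so the
    // browser blocks the cross-origin request.
    return { statusCode: 403, headers: {}, body: "" };
  }
  return { statusCode: 204, headers, body: "" };
}

// Lambda entry point wired to the `options` http event in serverless.yml (assumed name).
const handler = async (event) => preflightResponse(event);

module.exports = { handler, preflightResponse, corsHeaders, getHeader, ALLOWED_ORIGINS };
```

The real GET handler must return the same `corsHeaders(origin)` on its own responses, since the preflight only authorizes the browser to send the actual request.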
authEcho:
  handler: src/users/me.handler
  events:
    - http:
        path: me
        method: get
        cors:
          origin: https://my.domain.es
          allowCredentials: true
The neat thing is that you don’t need to add all the extra headers or other complex stuff. The problem is that, as others have stated, you cannot specify dynamic origins, and you cannot use * if allowCredentials is set to true.