CORS with included credentials

OrKoN · January 28, 2018, 12:10pm

Hey,

I have tried using CORS with allowCredentials=true. The problem is that if I use the credentials=include option on the client side, I get an error message: “Failed to load https://service.domain.com/url/url2: Response to preflight request doesn’t pass access control check: The value of the ‘Access-Control-Allow-Origin’ header in the response must not be the wildcard ‘*’ when the request’s credentials mode is ‘include’. Origin ‘https://domain.com’ is therefore not allowed access.”

It seems like serverless hard-codes the wildcard ‘*’ for the preflight requests in the AWS Gateway Method. But for secure cross-origin requests, the header cannot be a wildcard. My config for the function:

 cors:
        origin: '*'
        headers:
          - Content-Type
          - X-Amz-Date
          - Authorization
          - X-Api-Key
          - X-Amz-Security-Token
          - X-Amz-User-Agent
        allowCredentials: true

Is it bug or can I configure the desired behavior somehow?

Borduhh · February 22, 2019, 7:55pm

Any luck with this? I am running into the same exact problem trying to save a JWT in a HTTPOnly Cookie.

OrKoN · February 22, 2019, 8:15pm

Not really. I decided not to use cookies for my use case. I think you may work around it by specifying origin to be your domain if you have a single domain (instead of origin: '*'). In general, I’d suggest not to use serverless’ api gateway integration if you need fine-grained control over CORS. It’s better to use a lambda to respond to the options request and respond with dynamic origins.

stephencrowe · March 14, 2019, 5:15pm

I have this same problem and have not found a solution yet either.

ronkot · February 3, 2020, 6:06am

I also encountered the same problem. If you know exactly the origins that can access your api, then you can configure the allowed origins using serverless’ cors feature: https://serverless.com/framework/docs/providers/aws/events/apigateway#enabling-cors

But if you’d need to allow credentials for any origin, serverless cannot do that for you (AFAIK). In that case you need to handle the OPTIONS request by yourself and set the Access-Control-Allow-Origin to same value as request Origin header. Remember to set all other cors headers as well.

danielo515 · June 1, 2020, 10:28am

So sad this is not properly supported.

This is what I’m doing:

  authEcho:
    handler: src/users/me.handler
    events:
      - http:
          path: me
          method: get
          cors:
            origin: https://my.domain.es
            allowCredentials: true

The neat thing is that you don’t need to add all the extra headers or other complex stuff. The problem is that, as other has stated, you can not specify dynamic origins, and you can not use * if the allowCredentials is set to true.

Topic		Replies	Views
No 'Access-Control-Allow-Origin' header is present on the requested resource Serverless Framework aws	5	6158	November 15, 2017
CORS setting has no effect - not necessary when using lambda proxy default? Serverless Framework	3	795	March 10, 2019
Api gateway cors - Headers not set Serverless Framework	0	554	October 5, 2020
API Gateway and Lambda Integration CORS issue Serverless Framework aws	1	3496	September 16, 2017
Cors problem when using custom authorizer Serverless Framework lambda , api-gateway	1	3063	April 26, 2020

CORS with included credentials

Related Topics