I have tried using CORS with allowCredentials=true. The problem is that if I use the credentials=include option on the client side, I get an error message: “Failed to load https://service.domain.com/url/url2: Response to preflight request doesn’t pass access control check: The value of the ‘Access-Control-Allow-Origin’ header in the response must not be the wildcard ‘*’ when the request’s credentials mode is ‘include’. Origin ‘https://domain.com’ is therefore not allowed access.”
It seems like serverless hard-codes the wildcard ‘*’ for the preflight requests in the AWS Gateway Method. But for secure cross-origin requests, the header cannot be a wildcard. My config for the function:
cors:
  origin: '*'
  headers:
    - Content-Type
    - X-Amz-Date
    - Authorization
    - X-Api-Key
    - X-Amz-Security-Token
    - X-Amz-User-Agent
  allowCredentials: true
Is it a bug or can I configure the desired behavior somehow?
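
Added example, not part of the original post and not Serverless Framework code: one way to satisfy the browser rule quoted in the error message is to echo the request's exact origin from an allowlist instead of `*`. It assumes the OPTIONS preflight is routed to your own Lambda proxy handler; the `corsHeaders` helper, the allowlist contents and the method list are hypothetical.

```javascript
// Hypothetical allowlist (constructed); replace with the origins you trust.
const ALLOWED_ORIGINS = new Set(['https://domain.com']);
// Same request headers as the cors config in the post.
const ALLOWED_HEADERS = [
  'Content-Type', 'X-Amz-Date', 'Authorization',
  'X-Api-Key', 'X-Amz-Security-Token', 'X-Amz-User-Agent',
];

// Build CORS response headers for a credentialed request.
// An unknown or missing origin gets no Access-Control-* headers at all,
// so the browser refuses to expose the response to that page.
function corsHeaders(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return { Vary: 'Origin' };
  }
  return {
    // Exact origin, never '*', because credentials mode is 'include'.
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(','),
    'Access-Control-Allow-Methods': 'GET,POST,OPTIONS', // assumed method list
    // Response differs per origin, so shared caches must key on it.
    Vary: 'Origin',
  };
}

// Lambda proxy-style handler (assumed API Gateway REST event shape).
// It answers the preflight itself and attaches the same headers to the
// actual response, which the browser also checks.
async function handler(event) {
  const reqHeaders = event.headers || {};
  const origin = reqHeaders.origin || reqHeaders.Origin;
  const headers = corsHeaders(origin);
  if (event.httpMethod === 'OPTIONS') {
    return { statusCode: 204, headers, body: '' };
  }
  return { statusCode: 200, headers, body: JSON.stringify({ ok: true }) };
}
```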