Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change the default CORS to allow http://*.amazonaws.com instead of HTTPS #105

Open
1 task done
shinglyu opened this issue Aug 1, 2020 · 2 comments
Open
1 task done

Change the default CORS to allow http://*.amazonaws.com instead of HTTPS #105

shinglyu opened this issue Aug 1, 2020 · 2 comments
Labels
enhancement help wanted

Comments

@shinglyu
Copy link

shinglyu commented Aug 1, 2020

This is a:

  • Feature request or change

For feature requests or changes:

Current behavior (if any)

The default CORS setting is allowing PUT, POST and DELETE from https://*amazonaws.com

Proposed behavior

Change it from https://*amazonaws.com to http://*.amazonaws.com (no SSL)

Proposed implementation deatils (optional)

Justification

As far as I know, only EC2 exposes https://*.amazonaws.com URLs. But since we are using serverless, it's quite weird to host part of the website on EC2 and let it make CORS call to the S3 bucket, which hosts the other part of the static website.
I do have a valid use case that needs HTTP, and I believe it's more common than the EC2 case:
I have a static website hosted on S3. Then I want to upload files to the same S3 using a pre-signed PUT URL. So I build an API Gateway => Lambda REST endpoint that generates the pre-signed URL, then my frontend can use that URL to directly upload to S3. But since S3 only supports HTTP (no S) for static web hosting, the frontend page that makes the PUT request is most likely served under the URL http://mybucket.s3-website.eu-central-1.amazonaws.com/. So using HTTP make the whole flow complete.
@fernando-mc
Copy link
Owner

Sorry for the delay and thank you for the suggestion @shinglyu!

This use case makes sense to me simplifies the workflow for a lot of folks currently manually adding CORS config to a custom bucket that they're POSTing/PUTing files into with presigned URLs. Appreciate you brining this up.

As we would be changing the old default CORS policy I'd be open to this as part of a new breaking change version. If we do want to make an update to this I'd like to ask @linusmarco or some others folks to evaluate the default CORS policy to something more respectable. (If we're going to be making a breaking change here I'd rather do it once)

@shinglyu would you be open to taking this on as a PR?

@fernando-mc
Copy link
Owner

I think there's actually a related PR that I'd want to merge at the same time that could help address this too:

https://github.com/fernando-mc/serverless-finch/pull/103/files

@mikejpeters mikejpeters mentioned this issue Mar 2, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@shinglyu @fernando-mc