how do you guys have CORS configured to only allow...
# helpa
Adrian Schweizer
04/01/2022, 2:32 PMhow do you guys have CORS configured to only allow your prod URL and local dev environment? Adding "localhost" to the config doesn't seem to work.
Adrian Schweizer
04/01/2022, 2:33 PMOr do you just allow origin "*" for non-prod stage somehow? If so, how?
k
Kristian Lake
04/01/2022, 4:07 PMimport * as apig from "@aws-cdk/aws-apigatewayv2-alpha"
...
this.api = new sst.Api(this, "Api", {
...
cors: {
allowOrigins: [process.env.ORIGINS],
allowHeaders: ["*"],
allowMethods: [apig.CorsHttpMethod.POST, apig.CorsHttpMethod.GET, apig.CorsHttpMethod.PUT, apig.CorsHttpMethod.DELETE],
},
you can set proces.env.ORIGINS to a secret or however your pulling secrets.
a
Adrian Schweizer
04/01/2022, 5:27 PM@Kristian Lake so for local dev environment you have
ORIGINS="*"ORIGINS="<http://myapp.com|myapp.com>"k
Kristian Lake
04/01/2022, 5:28 PMORIGINS=http://localhost:3000
a
Adrian Schweizer
04/01/2022, 5:29 PMah, I see...but why not just put both into allowOrigins array and remove the env var?
k
Kristian Lake
04/01/2022, 5:29 PMyou can do that. I have to refactor my origins soon 🙂
a
Adrian Schweizer
04/01/2022, 7:47 PMbut does that localhost config really work? I tried just "localhost" yesterday, and it didn't work. Not sure why yours should work and mine shouldn't. Either both should, or none, imo. "localhost" is a valid host name.
Adrian Schweizer
04/01/2022, 7:52 PMah, I think I see the problem
Adrian Schweizer
04/01/2022, 7:52 PMI didn't have "OPTIONS" method in allowedMethods array, and S3 is doing an OPTIONS request first
Adrian Schweizer
04/01/2022, 7:53 PMweird that setting the hosts to * solved that problem, though
Adrian Schweizer
04/01/2022, 7:53 PMactually, no, scratch that, you can't put OPTIONS in that array, it's not allowed
Adrian Schweizer
04/01/2022, 8:02 PMwhat the heck, it seems to work now by just having localhost there in the array. I must have messed up something else yesterday. Or maybe there was a cache issue somehow. But it works now
Adrian Schweizer
04/01/2022, 8:10 PMaaah, how frustrating. I cleared the cache and it stopped working. So it actually was a cache issue, but an inverse one, so that it doesn't work until the browser has the response already cached
Adrian Schweizer
04/01/2022, 8:10 PMwhich obviously only happened now because I added * yesterday as a text, which then made it work and the browser cached it
Adrian Schweizer
04/01/2022, 8:11 PMso it now also worked with localhost, but only because it was still cached from yesterday
Adrian Schweizer
04/01/2022, 8:24 PM@Kristian Lake
<http://localhost:3000>Adrian Schweizer
04/01/2022, 8:24 PMI don't understand why localhost alone or even localhost:3000 doesn't work, but whatever
Adrian Schweizer
04/01/2022, 8:31 PMok it seems the protocol is always needed in allowedOrigins
Adrian Schweizer
04/01/2022, 8:31 PMnot just for localhost, but also other domains
f
Frank
04/03/2022, 3:15 AM
@Adrian Schweizer just confirming on this, according to their doc,
ORIGIN