# general
s
anyone here have a good grasp on CORS? because I don’t. 😅
```
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at <https://xxx.execute-api.us-east-1.amazonaws.com/signed-cookie>. (Reason: header 'authorization' is not allowed according to header 'Access-Control-Allow-Headers' from CORS preflight response).
```
the preflight request is sending back the header `access-control-allow-headers: *`, so I don’t understand why it says the ‘authorization’ header is not allowed
o
The value “`*`” only counts as a special wildcard value for requests without credentials (requests without HTTP cookies or HTTP authentication information). In requests with credentials, it is treated as the literal header name “`*`” without special semantics. Note that the `Authorization` header can’t be wildcarded and always needs to be listed explicitly.
s
ahh ok! got it
a
Don’t you also need to provide `Access-Control-Allow-Credentials` in the server CORS policy to allow reading responses with credentials? If the above suggestion from @Omi Chowdhury alone doesn’t work, you might look at that.
o
Y’know it’s weird, everything I read suggests `Access-Control-Allow-Credentials` is required… but I don’t see it coming back on my own API, and it all works … 🤔