CORS defeats AWS LAMBDA :(

4
votes

I've been reading a lot on CORS/Lambda/AWS API Gateway configuration, including AWS's setup help: http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-cors.html And this great article: https://serverless.com/framework/docs/providers/aws/events/apigateway/

However, CORS is still defeating my API Gateway / Lambda function and I can't figure it out. Would love some help.

The meat of it seems to be that API Gateway proxies the request onto Lambda and you need to set "Access-Control-Allow-Origin": "*" headers in your Lambda function in addition to enabling CORS in the API Gateway, which I've done. I am getting a 200 response and can see the header being sent back correctly from my Lambda function. However, Chrome/FF still give me a CORS error. Any idea why?

Here are my request headers:

Host: myawshost.execute-api.us-west-2.amazonaws.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:50.0) Gecko/20100101 Firefox/50.0 Accept: application/json, text/javascript Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Origin: null DNT: 1 Connection: keep-alive

And the 200 response headers:

Access-Control-Allow-Origin: * Connection: keep-alive Content-Length: 74 Content-Type: application/json Date: Fri, 23 Dec 2016 08:35:02 GMT ...

That all looks nice and successful right? But yet, I get no JSON back from Lambda and this error message in console:

"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://myawshost.execute-api.us-west-2.amazonaws.com/prod/view?id=272. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). (unknown)"

But Access-Control-Allow-Origin is not missing! I can see it there in the response.

Any thoughts?

2
amazon-web-servicesaws-lambdaaws-api-gateway
Chrome is talking to API Gateway and not directly to Lambda. So setting CORS in API Gateway is necessary, which probably you haven't done yet. - Nirmal
Yes, have done that - followed instructions here: docs.aws.amazon.com/apigateway/latest/developerguide/…, to add CORS to API. Tried adding it on ANY and also then creating a separate GET and adding CORS to just the GET. I think that that part is working correctly, since it's returning a 200. - Brig
Edited original post to reflect the CORS on API Gateway work done. - Brig
Have you setup CORS on the OPTIONS method? The browser could be making a preflight request (for OPTIONS) which doesn't return the Access-Control-Allow-Origin: * - Abhigna Nagaraja
Clarification: was the 200 OK with CORS the response to the exact same request that threw the error, or was it a response to a previous test you made? Also, are you testing your site on localhost or on a real domain? Origin: null in the request seems unexpected if you are testing against a real domain name. - Michael - sqlbot

2 Answers

2
votes

I've also spent quite some time researching this, and what made it work for me was returning the following in the lambda handler (Python):

return {
        'statusCode': status_code,
        'headers': {
            'Content-Type': 'application/json',
            'Access-Control-Allow-Origin': '*'
        },
        'body': status_message if status_code == 200 else 'Failure'
    }
0
votes

Hello, i fixed that problem by setting cors and requested headers in Api Gateway

On the resources menu, in my method

first i set the headers i will want in my Method Request after that i want to include them in the enable CORS menu

i added Authorization as u can see

after that dont forget to deploy the api to public the new changes in the api

enable CORS

I hope it will fix it Regards