0

I have a static S3 website hosted through CloudFront. In it, I make a request that will result in a redirect if the user is not logged in. Preflight then fails because of a 302:

Access to fetch at 'https://saml-provided.not.real' (redirected from 'https://my-site.not.real') from origin 'https://my-cloudfront.not.real' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

I set up my CORS in S3 to allow all origins: cors s3 setup

And, following some other threads, set up my CloudFront like so: cloudfront cache policy

I have run invalidations to no end, yet I cannot seem to get the headers to allow all hosts; they only allow my CloudFront origin: response headers

2
  • It isn't clear why you appear to believe that this is related to the Access-Control-Allow-Origin response header, when the problem appears to be that you shouldn't expect CORS to work when the target site is redirecting you elsewhere: "Redirect is not allowed for a preflight request." Redirects are never allowed in response to a preflight request, and there is not anything you can change to allow them. Nov 14 at 2:30
  • @Michael-sqlbot if I proxy the request through a local ngrok instance with `const corsOptions = { origin: process.env.CORS_ALLOW_ORIGIN || '*', methods: ['GET', 'PUT', 'POST', 'DELETE', 'OPTIONS'], allowedHeaders: ['Content-Type', 'Authorization'] };` then it works, leading me to believe it's the s3/cloudfront conf not taking the configuration properly Nov 14 at 9:15

1 Answer

0

There is a similar question here which would likely help you answer your question: https://stackoverflow.com/questions/42168773/how-to-resolve-preflight-is-invalid-redirect-or-redirect-is-not-allowed-for

You want to ensure that when your browser is making a CORS preflight request, the response comes back with a 200. If the server tries to redirect for any reason when the preflight request is sent, then you will get an error, which is enforced by your browser.

Your error message says: 'https://saml-provided.not.real' (redirected from 'https://my-site.not.real')

I would recommend using curl to construct a preflight request to see how the server responds when you make the request. If you get back a 3xx status code, follow that thread.

However, this is typically only an issue when attempting to use the Fetch API, or the older XMLHttpRequest API, from within a web app. Since your error message says that SAML is somehow involved, I would also look into why you are trying to do a SAML authentication using something other than plain old HTTP POSTs from <form> elements, which do not do preflight requests.
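The curl check recommended in the answer above, as an added example that is not part of the original answer: it sends the OPTIONS request a browser would send and classifies the reply. The function names `send_preflight` and `classify_preflight` are hypothetical, and the sample response at the end is constructed from the hostnames in the question.

```shell
# Send the OPTIONS request a browser issues before a cross-origin fetch.
# -i prints the response headers; without -L curl does not follow redirects,
# so a 3xx answer from the server stays visible.
send_preflight() {
  local url="$1" origin="$2" method="${3:-GET}" headers="${4:-authorization}"
  curl -s -i -X OPTIONS "$url" \
    -H "Origin: $origin" \
    -H "Access-Control-Request-Method: $method" \
    -H "Access-Control-Request-Headers: $headers"
}

# Read a raw HTTP response (status line + headers) on stdin and report whether
# its status and Access-Control-Allow-Origin would pass a preflight for $1.
# Only these two things are checked; Allow-Methods/Allow-Headers are not.
classify_preflight() {
  local origin="$1" line lower status="" location="" acao=""
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')
    [ -z "$line" ] && break            # blank line ends the header block
    lower=$(printf '%s' "$line" | tr '[:upper:]' '[:lower:]')
    case "$lower" in
      http/*) status=$(printf '%s' "$line" | awk '{print $2}') ;;
      location:*) location=${line#*:}; location=${location# } ;;
      access-control-allow-origin:*) acao=${line#*:}; acao=${acao# } ;;
    esac
  done
  case "$status" in
    3??) echo "FAIL redirect $status -> $location" ;;
    2??) if [ "$acao" = "*" ] || [ "$acao" = "$origin" ]; then
           echo "OK $status allow-origin=$acao"
         else
           echo "FAIL $status missing-or-mismatched-allow-origin"
         fi ;;
    *)   echo "FAIL status=${status:-none}" ;;
  esac
}

# Live use (needs network):
#   send_preflight https://my-site.not.real https://my-cloudfront.not.real \
#     | classify_preflight https://my-cloudfront.not.real
# Constructed sample response, matching the redirect in the error message:
printf 'HTTP/1.1 302 Found\r\nLocation: https://saml-provided.not.real\r\n\r\n' \
  | classify_preflight 'https://my-cloudfront.not.real'
```

A `FAIL redirect` line means the server answered the OPTIONS request itself with a 3xx, which no Access-Control-Allow-Origin setting can make acceptable to the browser.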
