I have a static s3 website hosted through CloudFront. In it, I make a request that will result in a redirect if the user is not logged in. Preflight then fails because of a 302:
Access to fetch at 'https://saml-provided.not.real' (redirected from 'https://my-site.not.real') from origin 'https://my-cloudfront.not.real' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
I setup my CORS in s3 to allow all origins:
And following some other threads setup my CloudFront like so:
I have ran invalidations to no end, yet I cannot seem to get the headers to allow all hosts, they only allow my CloudFront origin:
Access-Control-Allow-Origin
response header, when the problem appears to be that you shouldn't expect CORS to work when the target site is redirecting you elsewhere: "Redirect is not allowed for a preflight request." Redirects are never allowed in response to a preflight request, and there is not anything you can change to allow them.