Cloudfront security headers causes CORS issues

Carel

7/8/23, 9:14 PM

I have two different Vue.JS apps deployed to AWS S3 + Cloudfront. The first has the domain set up in Route53, while the second has the domain set up in Google's domain service.

Both of the apps works completely fine. Recently I tried using the cloudfront predefined security headers under the "behavior" settings:

The header policy has all of the following:

The first app (with the domain configured in Route53) continues to work perfectly fine, but for the second app I started getting CORS issues.

This boggles the mind a little bit, because I'm getting CORS errors from within the same domain.

0 + 0

amazon-cloudfront

Louis Waweru

7/8/23, 9:20 PM

I think it's complaining about your scripts not having the right MIME type (expects `application/javascript`). Does this help? https://stackoverflow.com/a/67928269

Carel

7/8/23, 9:41 PM

@LouisWaweru - This is a Vue.JS single page application with no manually linked js files - the whole thing compiles into an `index.html` file and a bunch of js and css files when it's built, all handled by the vue CLI. Inspecting the `index.html` file shows that the generated script files are added with: `<script src="/js/app.ecba88eb.js"></script>`. Just to be sure, I manually added `type="application/javascript"` and updated S3 and invalidated the cloudfront cache, but I'm still getting the same result.

Carel

7/8/23, 9:45 PM

@LouisWaweru - wait, I only read your message before and somehow missed the link you provided. There is hope, I am attempting this now.

Carel

7/8/23, 9:50 PM

@LouisWaweru yes that's it, it works, unbelievable

Score:2

Server

Louis Waweru

7/8/23, 9:53 PM

I think it's complaining about your scripts not having the right MIME type (expects application/javascript). Does this help?

manually change the system-defined content-type in the S3 console for the individual js objects from text/plain to application/javascript, then make sure the cache was invalidated and refreshed

source: schquestionasker

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Cloudfront security headers causes CORS issues

TH: ส่วนหัวการรักษาความปลอดภัย Cloudfront ทำให้เกิดปัญหา CORS

RO: Antetele de securitate Cloudfront cauzează probleme CORS

RU: Заголовки безопасности Cloudfront вызывают проблемы CORS

VI: Tiêu đề bảo mật trên nền tảng đám mây gây ra sự cố CORS

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.