Correct S3 + Cloudfront CORS Configuration?

My application stores images on S3 and then proxies them through Cloudfront. I'm excited to use the new S3 CORS support so that I can use HTML5 canvas methods (which have a cross-origin policy) but can't seem to configure my S3 and Cloudfront correctly. Still running into "Uncaught Error: SECURITY_ERR: DOM Exception 18" when I try to convert an image to a canvas element.

Here's what I have so far:

S3

<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>MY_WEBSITE_URL</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
  <CORSRule>
    <AllowedOrigin>MY_CLOUDFRONT_URL</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
    </CORSRule>
  </CORSConfiguration>

Cloudfront

Origins

Origin Protocol Policy: Match Viewer

HTTP Port: 80

HTTPS Port: 443

Behaviors

Origin: MY_WEBSITE_URL

Object Caching: Use Origin Cache Headers

Forward Cookies: None

Forward Query Strings: Yes

Is there something I'm missing here?

UPDATE : Just tried changing the headers to

<AllowedHeader>Content-*</AllowedHeader>
<AllowedHeader>Host</AllowedHeader>

based on this question Amazon S3 CORS (Cross-Origin Resource Sharing) and Firefox cross-domain font loading

Still no go.

UPDATE: MORE INFO ON REQUEST

Request
URL:https://d1r5nr1emc2xy5.cloudfront.net/uploaded/BAhbBlsHOgZmSSImMjAxMi8wOS8xMC8xOC81NC80Mi85NC9ncmFzczMuanBnBjoGRVQ/32c0cee8
Request Method:GET
Status Code:200 OK (from cache)

UPDATE

I think maybe my request wasn't correct, so I tried enabling CORS with

img.crossOrigin = '';

but then the image doesn't load and I get the error: Cross-origin image load denied by Cross-Origin Resource Sharing policy.


Solution 1:

On June 26, 2014 AWS released proper Vary: Origin behavior on CloudFront so now you just

  1. Set a CORS Configuration for your S3 bucket including

    <AllowedOrigin>*</AllowedOrigin>

  2. In CloudFront -> Distribution -> Behaviors for this origin

    • Allowed HTTP Methods: +OPTIONS
    • Cached HTTP Methods +OPTIONS
    • Cache Based on Selected Request Headers: Whitelist the Origin header.
  3. Wait for ~20 minutes while CloudFront propagates the new rule

Now your CloudFront distribution should cache different responses (with proper CORS headers) for different client Origin headers.

Solution 2:

To complement @Brett's answer. There are AWS documentation pages detailing CORS on CloudFront and CORS on S3.

The steps detailed there are as follows:

  1. In your S3 bucket go to Permissions -> CORS configuration
  2. Add rules for CORS in the editor, the <AllowedOrigin> rule is the important one. Save the configuration. enter image description here
  3. In your CloudFront distribution go to Behavior -> choose a behavior -> Edit
  4. Depending on whether you want OPTIONS responses cached or not, there are two ways according to AWS:
  • If you want OPTIONS responses to be cached, do the following:
    • Choose the options for default cache behavior settings that enable caching for OPTIONS responses.
    • Configure CloudFront to forward the following headers: Origin, Access-Control-Request-Headers, and Access-Control-Request-Method.
  • If you don't want OPTIONS responses to be cached, configure CloudFront to forward the Origin header, together with any other headers required by your origin

enter image description here

And with that CORS from CloudFront with S3 should work.

Solution 3:

UPDATE: this is no longer true with recent changes on CloudFront. Yippee! See the other responses for the details. I'm leaving this here for context/history.

Problem

CloudFront does not support CORS 100%. The problem is how CloudFront caches the response to the request. Any other request for the same URL after that will result in the cached request no matter the origin. The key part about that is that it includes the response headers from the origin.

First request before CloudFront has anything cached from Origin: http://example.com has a response header of:

Access-Control-Allow-Origin: http://example.com

Second request from Origin: https://example.com (note that it is HTTPS not HTTP) also has the response header of:

Access-Control-Allow-Origin: http://example.com

Because that is what CloudFront cached for the URL. This is invalid -- the browser console (in Chrome at least) will show a CORS violation message and things will break.

Workaround

The suggested work around is to use different URLs for different origins. The trick is to append a unique query string that is different so that there is one cached record per origin.

So our URLs would be something like:

http://.../some.png?http_mysite.com
https://.../some.png?https_mysite.com

This kind of works but anyone can make your site work poorly by swapping the querystrings. Is that likely? Probably not but debugging this issue is a huge hassle.

The right workaround is to not use CloudFront with CORS until they fully support CORS.

In Practice

If you use CloudFront for CORS, have a fallback to another method that will work when CORS does not. This isn't always an option but right now I'm dynamically loading fonts with JavaScript. If the CORS-based request to CloudFront fails, I fall back to a server-side proxy to the fonts (not cross origin). This way, things keep working even though CloudFront somehow got a bad cached record for the font.