Question

CORS headers are not the same if using CDN or direct access

Posted January 21, 2021 275 views
CDNDigitalOcean Spaces

Hi I’m getting strange errors from my websites when I try to make HEAD request using fetch() API.

My CORS configuration should be fine:

# Output from AWS CLI
{
    "CORSRules": [
        {
            "AllowedHeaders": [
                "*"
            ],
            "AllowedMethods": [
                "GET",
                "HEAD"
            ],
            "AllowedOrigins": [
                "https://*.gvs-staging.dev"
            ],
            "MaxAgeSeconds": 0
        }
    ]
}

When I run curl I get a different response using the CDN url and direct access URL:

# Direct access
curl -I https://gvs-dev-storage.fra1.digitaloceanspaces.com/page-images/seo-general-settings/seo-image/seo-images/202012171140-5904fe1b45774336/og_image_fallback.png -H "Origin:https://www.gvs-staging.dev" -X HEAD

HTTP/1.1 200 OK
Content-Length: 3173
Accept-Ranges: bytes
Last-Modified: Tue, 19 Jan 2021 00:43:11 GMT
x-rgw-object-type: Normal
ETag: "9597b3630f58987f424f9bfa895bd585"
Cache-Control: max-age=604800
x-amz-request-id: tx00000000000001fb5aa19-0060097637-2e1cef0-fra1b
Access-Control-Allow-Origin: https://www.gvs-staging.dev
Vary: Origin
Access-Control-Allow-Methods: HEAD
Access-Control-Max-Age: 0
Content-Type: image/png
Date: Thu, 21 Jan 2021 12:40:23 GMT
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
# CDN
curl -I https://gvs-dev-storage.fra1.cdn.digitaloceanspaces.com/page-images/seo-general-settings/seo-image/seo-images/202012171140-5904fe1b45774336/og_image_fallback.png -H "Origin:https://www.gvs-staging.dev" -X HEAD

HTTP/1.1 200 OK
Date: Thu, 21 Jan 2021 12:40:05 GMT
Connection: Keep-Alive
Accept-Ranges: bytes
Content-Length: 3173
Content-Type: image/png
X-HW: 1611232805.dop021.ml1.t,1611232805.cds207.ml1.shn,1611232805.dop021.ml1.t,1611232805.cds007.ml1.p
x-rgw-object-type: Normal
ETag: "9597b3630f58987f424f9bfa895bd585"
Cache-Control: max-age=604800
x-amz-request-id: tx00000000000001fbf2889-0060097625-2e63dbc-fra1b
Access-Control-Allow-Origin: https://www.gvs-staging.dev
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 0
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
Last-Modified: Tue, 19 Jan 2021 00:43:11 GMT

Shouldn’t Access-Control-Allow-Methods always be HEAD?

Thank you for your time.

Submit an answer

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!