I have a static S3 website hosted through CloudFront. In it, I make a request that will result in a redirect if the user is not logged in. Preflight then fails because of a 302:

Access to fetch at 'https://saml-provided.not.real' (redirected from 'https://my-site.not.real') from origin 'https://my-cloudfront.not.real' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

I set up my CORS in S3 to allow all origins: cors s3 setup

And, following some other threads, set up my CloudFront like so: cloudfront cache policy

I have run invalidations to no end, yet I cannot seem to get the headers to allow all hosts; they only allow my CloudFront origin: response headers

1 Answer

There is a similar question here which would likely help you answer your question: https://stackoverflow.com/questions/42168773/how-to-resolve-preflight-is-invalid-redirect-or-redirect-is-not-allowed-for

You want to ensure that when your browser is making a CORS preflight request, the response comes back with a 200. If the server tries to redirect for any reason when the preflight request is sent, then you will get an error, which is enforced by your browser.

Your error message says: 'https://saml-provided.not.real' (redirected from 'https://my-site.not.real')

I would recommend using curl to construct a preflight request to see how the server responds when you make the request. If you get back a 3xx status code, follow that thread.

However, this is typically only an issue when attempting to use the Fetch API, or the older XMLHttpRequest API, from within a web app. Since your error message says that SAML is somehow involved, I would also look into why you are trying to do a SAML authentication using something other than plain old HTTP posts from <form> elements, which do not do preflight requests.
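
The curl check suggested in the answer above, written out as an added example (not part of the original answer): it sends the OPTIONS preflight a browser would send and reports whether the response is a redirect, a non-2xx status, or a 2xx with a matching `Access-Control-Allow-Origin`. The function names and the sample responses are constructed for illustration, and treating any 2xx as a passing status is an assumption of this sketch.

```shell
#!/bin/sh
# Added example (not from the answer): hand-built CORS preflight plus a verdict.

# Send the preflight a browser would send. $1 = target URL, $2 = page origin,
# $3 = method of the real request (default GET). Prints response headers only.
send_preflight() {
  curl -sS -o /dev/null -D - -X OPTIONS "$1" \
    -H "Origin: $2" \
    -H "Access-Control-Request-Method: ${3:-GET}"
}

# Read response headers on stdin and print a verdict for origin $1.
classify_preflight() {
  tr -d '\r' | awk -v origin="$1" '
    NR == 1 { status = $2; next }          # "HTTP/1.1 302 Found" or "HTTP/2 302"
    { key = tolower($0); val = $0; sub(/^[^:]*:[ \t]*/, "", val) }
    key ~ /^location:/ { loc = val }
    key ~ /^access-control-allow-origin:/ { acao = val }
    END {
      if (status ~ /^3/)                       print "redirect -> " loc
      else if (status !~ /^2/)                 print "non-2xx " status
      else if (acao == "*" || acao == origin)  print "ok"
      else                                     print "no-matching-acao"
    }'
}

# Constructed sample responses so the script runs offline.
sample_redirect() {
  printf 'HTTP/1.1 302 Found\r\nLocation: https://saml-provided.not.real\r\n\r\n'
}
sample_ok() {
  printf 'HTTP/2 200\r\nAccess-Control-Allow-Origin: *\r\n\r\n'
}

if [ "$#" -ge 2 ]; then
  # Live check: script.sh <url> <origin> [method]
  send_preflight "$@" | classify_preflight "$2"
else
  # No arguments: demonstrate on the constructed samples.
  sample_redirect | classify_preflight 'https://my-cloudfront.not.real'
  sample_ok       | classify_preflight 'https://my-cloudfront.not.real'
fi
```

Run with the URL and origin from the error message, for example `sh preflight.sh https://my-site.not.real https://my-cloudfront.not.real`, to see which hop answers the OPTIONS request with the 302.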