I have a SPA (fronted by CloundFront) which calls a GET endpoint which I have set up on APIGateway. Domain of the spa is different than the domain of API Gateway. Am getting Same Origin policy exceptions like below when I my SPA tries to do a GET on a resource
"No Access-Control-Allow-Origin header is present on requested resource"
Here is my setup on API Gateway. I have an Options resource which returns the following
Access-Control-Allow-Methods: 'GET, OPTIONS'
Access-Control-Allow-Headers: 'Content-Type,X-Api-Key,X-Requested-With'
Access-Control-Origin: '*'
I have a Get Resource, which in turn calls my backend service (proxies to my service). I have setup the resource to return these headers as part of the response
Access-Control-Allow-Headers
Access-Control-Allow-Methods
Access-Control-Allow-Origin
Browser's Options call returns in a 200, with all the necessary Access Control Stuff. But when the browser makes the GET call, I get the same origin policy exception. Any ideas whats happening here? Is it because my GET response does not explicitly set a value for Access-Control-Origin?
Thanks Kay
I have an Options resource which returns the following
The header you need is Access-Control-Allow-Origin: '*'.
But, yes, you do need to return it, because a simple GET doesn't do a pre-flight OPTIONS *.