How to Fix CORS Issues with Access-Control-Allow-Origin Headers in AWS CloudFront for Firefox


1 views

When serving static assets through AWS CloudFront, you might notice that Chrome handles requests perfectly while Firefox throws CORS errors. This happens because Firefox enforces CORS (Cross-Origin Resource Sharing) policies more strictly for certain file types like fonts.

// Example of CORS error in Firefox console:
Access to font at 'https://yourcloudfront.net/font.woff' from origin 'https://yourdomain.com' 
has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present 
on the requested resource.

Here's how to properly set up CORS headers in your CloudFront distribution:

1. Go to AWS CloudFront Console
2. Select your distribution
3. Open the "Behaviors" tab
4. Create or edit a behavior pattern
5. Set the following values:
   - Allowed HTTP Methods: GET, HEAD, OPTIONS
   - Cache Based on Selected Request Headers: Whitelist
   - Whitelist Headers: Add 'Origin'
6. Save changes

Your origin S3 bucket needs proper CORS configuration. Create or modify the CORS policy:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

For more granular control over CORS headers, you can use Lambda@Edge:

exports.handler = (event, context, callback) => {
    const response = event.Records[0].cf.response;
    const headers = response.headers;
    
    headers['access-control-allow-origin'] = [
        { key: 'Access-Control-Allow-Origin', value: '*' }
    ];
    
    headers['access-control-allow-methods'] = [
        { key: 'Access-Control-Allow-Methods', value: 'GET, HEAD, OPTIONS' }
    ];
    
    callback(null, response);
};

After implementing these changes, verify your headers with curl:

curl -I -H "Origin: http://example.com" https://yourcloudfront.net/asset.ext

HTTP/1.1 200 OK
Content-Type: application/x-font-opentype
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, HEAD, OPTIONS
X-Cache: Hit from cloudfront

Remember to invalidate your CloudFront cache after making changes to ensure the new headers are served:

aws cloudfront create-invalidation --distribution-id YOUR_DISTRIBUTION_ID --paths "/*"




Recently while serving static assets (particularly font files) through AWS CloudFront, I noticed Firefox was throwing CORS errors while Chrome worked perfectly. The curl response showed missing Access-Control-Allow-Origin headers:



HTTP/1.1 200 OK
Content-Type: application/x-font-opentype
...
X-Cache: Hit from cloudfront



Modern browsers implement CORS differently. Chrome may cache CORS headers more aggressively or apply different security policies for font loading. Firefox strictly enforces CORS for cross-origin font requests.


Here's the complete fix using AWS resources:


# S3 CORS Configuration (JSON)
[
    {
        "AllowedHeaders": ["*"],
        "AllowedMethods": ["GET"],
        "AllowedOrigins": ["*"],
        "ExposeHeaders": []
    }
]



Then configure CloudFront:


# CloudFront Behavior Settings
1. Create new Behavior for font extensions (*.woff, *.ttf, etc.)
2. Set "Cache Based on Selected Request Headers" to "Whitelist"
3. Add "Origin" to whitelisted headers
4. Set "Object Caching" to "Use Origin Cache Headers"



For more control, use Lambda@Edge to inject headers:


exports.handler = (event, context, callback) => {
    const response = event.Records[0].cf.response;
    response.headers['access-control-allow-origin'] = [{
        key: 'Access-Control-Allow-Origin',
        value: '*'
    }];
    callback(null, response);
};



Verify with curl:


curl -I https://your-distribution.cloudfront.net/font.ttf \
-H "Origin: https://yourdomain.com"



Should now include:


Access-Control-Allow-Origin: *