254 comments

[ 3.3 ms ] story [ 264 ms ] thread
What is the author trying to say, it is very hard to recognize the answer of the article.

Is it to point requests to sub path of the main domain to reduce OPTIONS requests? eg: api.example.com ---> example.com/api

In that case why not use proper "Access-Control-Max-Age" headers?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Ac...

Yes I believe the article is suggesting exactly that.

Even with that header users will still hit that latency on the first request. If the goal is to lower latency on first page load then that won’t help. Although it should definitely help after that.

Is it still that much important with http2 for most webapps?

You can answer the options request at the webserver level or even Varnish which should be quick enough and the http connection reused.

> Is it still that much important with http2 for most webapps?

Yes? The overhead of a full request/response cycle is still overhead, even if it's lowered by not having to duplicate establishing the connection itself.

Sometimes it's very difficult to use same domain if e.g. API is on different tech stack. IIRC you could then do something like

<link rel=preconnect crossorigin=anonymous href="https://api.example.com">

or

<link rel=preload crossorigin=anonymous href="https://api.example.com/emptyendpoint">

just to initiate the connection/CORS dance early one before your JS kicks in. In my prev job we'd do a request to empty endpoint from inlined JS. Poor hack but it worked.

Note that if you send any non standard request headers, for the CORS response to be cached and reused, you need to make an initial request with exactly same set of headers, which means it is only possible via JS (preload request can't have extra headers). Hence inlined JS to send the "warmup" request. You can wrap it in a promise which resolves on response, and only then do the actual app request.
Just because they are on different tech stacks doesn't mean you can't do this.
I'm having trouble thinking of a web stack where you can't set up a reverse proxy either via Nginx colocated with the frontend web server, through any of the usual suspects for termination (e.g. CDNs or load balancers), or worst case scenario, through the frontend web server itself.

Can you share any examples?

I'm not an expert because I only work on front-end but scale ops folks in my prev job had their reasons.

We had legacy www http/1 monolith and api http/2 geodistributed in the cloud. Making the two go through the common proxy wouldn't probably make sense and/or would be quite expensive.

Chrome imposes a limit of 2h on Access-Control-Max-Age (other browsers may differ).

Anyway, today we have the tools to expose different backends through the same domain. Reverse proxies, k8s ingress, … a separate domain may not add much value in most situations.

Even then, most often your backend API service runs off one domain, so it needs only one OPTION request ever two hours for the user session.

If your users make only one request per two hours, that still doubles the requests, so in that case caching'll hardly help. But in more typical cases, where one session does 20+ requests, it's a meagre 5% of the requests. In which case 'resolving that n+1 request' or 'speeding up that 1200ms response' is far better low hanging fruit than removing the single OPTIONS request.

It depends on your case, though.

Subdomains absolutely have value! It doesn't matter that we have those tools "today" (it's not like we didn't have reverse proxies many years ago), different domains are still the only way to truly split up traffic. A reverse proxy by definition doubles your total bandwidth requirement, which is expensive and inefficient if you aren't running everything in one datacenter. You'd need to not only get servers with enough bandwidth to cover their traffic, but another server with the sum of all individual server bandwidths to handle proxying. And if you want to do geographic sharing, you either need to shard all services, or be fine with an increase in latency for non-sharded services.
Caching is one solution and it work fine, not perfect.

Another thing to consider is avoid hitting your api application with those requests.

You quite probably don't need authorization or any other business logic in that preflight. You can just catch any OPTION or OPTION+preflight headers in your proxy, webserver or balancer and handle it there.

You certainly don't want to handle them in Rails/Rack, nodejs, lambda, django, spring or such.

This makes them so much faster for users, and so much lighter for servers that the once per 2 hours cached request hardly is measurable, even.

(comment deleted)
Try doing this with Heroku and you’ll decide that you want CORS after a few hours.
Why?
If you don't have an edge proxy (additional compute) you then accept all requests, or accept that a simple header is telling the truth.
You can have 2 Heroku apps, one for frontend with little resources since it's all static and one for API with more resources. Then create a custom Nginx config on the static app to redirect API requests and it should work fine.
Doesn’t that create a single point of failure for both the services?
For most services, if the static server is down, the service is down as far as the user is concerned.

Therefore the added dependency may not reduce end-user-percieved reliability.

I reckon that most software services in the world are B2B rather than B2C (guessing from the fact that most users spend most of their time on a handful of services).
CORS is such an ugly web standard. It's not only a pain in you butt, but it also makes your requests slow through these extra pre-flight round-trips.

I have hope that we can remove it, though, in new versions of HTTP.

CORS only exists because XMLHTTPRequest broke the assumptions of web 1.0 servers. Suddenly any web browser loading any page anywhere could make a request to your server without the user's explicit permission, and a ton of web servers had already been built and were running under the assumption that users would only hit their endpoints by explicitly typing in a URL or clicking on a link.

But each time we design a new version of HTTP, we get an opportunity to remove CORS restrictions for it, because there aren't any servers running the new version yet.

And with Braid (https://braid.org), we're making changes that are big enough that I think it really warrants taking a fresh look at all of this stuff. So I have hope that we can eliminate CORS and all this ugliness.

Cross-Origin Resource Sharing (CORS)
> CORS only exists because XMLHTTPRequest broke the assumptions of web 1.0 servers. Suddenly any web browser loading any page anywhere could make a request to your server without the user's explicit permission

This had always been true; making cross-origin requests with e.g. <img> tags is still very much a thing.

This is why we can make GET and POST requests without an OPTIONS preflight...

Apparently, since developers should already have been protecting against cross-origin requests on GET and POST via other means (CSRF tokens), there was no need for the additional preflight protection.

They only added preflights to requests that browsers couldn't make previously.

Source: https://stackoverflow.com/a/39736697/114855

I'd rather deal with stateless CORS than having to muck around with CSRF again, though.
True. CORS exists because the web browser would send the user's cookies (ie auth) for your site to you, when the user doesn't think they are on your site, but it's really malicious code from another site the user was visiting, acting as the user on your site without the user's knowledge.

Thats the threat model CORS is meant to address. Not just in general that a web host might not want a request from "anywhere" happening, but that site B might not want an authenticated request on behalf of User X to site B being made by code from site A.

That still doesn't distinguish the XmlHttpRequest from the <img> tag. They both send cookies.

You're right that sending cookies is the problem CORS addresses, but XmlHttpRequest didn't break any assumptions that were valid before.

It is much more difficult (perhaps impossible on a properly-implemented site?) to interact with a site on behalf of a user in harmful ways through an img tag -- Like, say, getting their checking account number, or transfering money from their checking account to yours, or resetting their password or email address. It's difficult/impossible to do that kind of attack only through an <img> tag, because Javascript can't see the body response of the URL in an <img> tag even if you point it at a non-image, and additionally an img tag can only be used for GET requests.

I didn't say that XmlHttpRequests "broke any assumptions that were valid before", I don't know exactly what that means.

If an XmlHttpRequest were allowed to do arbitrary cross-site requests, Javascrpt could use them do some of the kind of attacks mentioned above. Which is why XmlHttpRequests can't do cross-site requests. CORS exists to let XmlHttpRequests do cross-site requests only in an opt-in way, so a site can opt-in to it in ways that it knows/believes are secure from attacks like above.

I'm not saying the overall web security story is perfect (nobody would ever say that!), but that's where CORS comes from, and why it's different than img tag.

The common misconception is that CORS exists as some kind of general access control to your website. It only exists to keep the user of a well-behaved browser safe (in certain ways) from malicious Javascript on a site they are visiting. CORS has nothing at all to do with any scenarios involving malicious browsers, which are of course free to ignore CORS.

> (perhaps impossible on a properly-implemented site?)

Well, "proper implementation" would prevent a lot of attacks. But there's nothing stopping you, as a web server, from making state changes in response to GET requests, and it's far from unheard of.

I don't understand what you're trying to argue about.
The thing XHR added was:

1) POST.

2) Of arbitrary content.

3) With an arbitrary Content-Type header.

You don't get an OPTIONS for the sort of XHR request that you could do with an <img> tag (always GET). You don't get an OPTIONS for the sort of XHR request that you could do with a <form> tag (GET or POST). You only get OPTIONS if one of the following is true:

* Your request method is not GET/HEAD/POST

* You set a header value for a header other than Accept, Accept-Language, Content-Language, or Content-Type.

* You set Content-Type to a value other than "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain".

* You have upload listeners on the XHR upload.

* You use ReadableStream in the request.

True, though POST requests claiming to send form data are among the most threatening requests (and still would be if they weren't immune to CORS). It's a weird hole from a security perspective, though as you note it makes perfect sense from a historical-development perspective.
Also 4) ability to see the text results of your request.

No way for JS to do that with an IMG tag, I don't think.

If the XHR is same-origin then you control that text anyway, so know what it is (and there is no OPTIONS anything going on), and if it's cross-origin then the text results are not exposed by default (unless the server jumps through the other CORS hoops to expose them). The OPTIONS bits are not relevant to this part.
Besides loading resources which was mentioned by sibling comment, some websites still rely on submiting forms cross origin, even with cookies! XMLHTTPRequest is not required. iframes exist, so the user doesn't even have to see their browser make those requests.
No, it's not ugly. It's necessary. And we don't need any additional tooling around it or yet another thing that "fixes" what doesn't need to be fixed.

If you control domain.com and api.domain.com, then you can create a proxy that glues the two to the same domain, getting rid of any CORS annoyances forever. And you use the tech that exists. The whole problem takes less than 1 minute to type, test, deploy and there's no need for yet another big thing invented to solve a small problem that occurs due to ignorance of self-proclaimed "developers".

I think it has some ugliness to it, but the idea behind it is necessary. The restrictions it places on front-end scripts are currently very challenging to work around, particularly if you're trying to implement a strict CORS policy on an existing website.

It's difficult enough to implement that it probably won't be implemented on the majority of the web - and maybe that's okay.

Yes it is ugly. How many learners have been stumpped by CORS errors over the years?

But it's also necessary.

> And we don't need any additional tooling around it or yet another thing that "fixes" what doesn't need to be fixed

This is what CORS is though.

Instead of sending a request before every defined case in the CORS policy, it could be implemented requesting only one GET to a plain file (fully cacheable) with the domain policy definition.

Like robots.txt for the search engines.

This is how Macromedia Flash handled it a lifetime ago
Flash was 20 years ahead of its time (even though it already had its share of fame).

Apple killed it to pave way for the App Store. It was a shame because around that time Flash was at its peak of innovation, with stuff like Alchemy (whose modern day equivalent could be WebAssembly) and Flex (no-code thingy that was TRULY catching up, only 10 years ago). It was also starting to implement features like atomics, shared data buffers, app bundles, hardware-accelerated 3D, etc... They also went to great lenghts to open their VM, and the ecosystem that was being generated around that was awesome (anyone here used haXe back then?). It was also present on like 99% of devices already and it was the only thing at the time that truly felt like "write once, run anywhere" (HTML wasn't as feature-rich and still quite fragmented between browsers).

Flash was the single biggest threat to Apple's planned business model, and with it gone, Apple's road to becoming a trillion-dollar company has been a walk in the park.

(comment deleted)
Except CORS policies can be dynamic, depending on the request context.
It doesn't seem impossible that the static file could have an indicator for "send an OPTIONS in this case". 95% of CORS setups don't need to look at the request beyond the origin requesting it (and I'd wager that almost all CORS-enabled APIs just blindly allow everything).
What is braid? I just get a blank page.
Try loading again, seems to be working now. Braid is an IETF draft proposal (and larger ecosystem) around bringing state synchronization to HTTP.
The author mentions Cloudflare as having the ability to rewrite requests from `api.website.com/*` to `website.com/api/*`. Is that functionality available as a page rule or would we have to use workers and pay for every request rewritten?

I remember taking a look at this a while ago and only found ways to do this through workers, so was turned off by the potential cost scaling. Ended up just setting a high `Access-Control-Max-Age` and calling it a day. But maybe I've missed a more cost effective way to accomplish this?

(comment deleted)
(comment deleted)
I also can't find a way to do this with page or transform rules. Trying to create a rule which modifies the Host header is met with an error message. Apparently only Enterprise customers can do this [1] [2].

[1] https://support.cloudflare.com/hc/en-us/articles/206652947-U...

[2] https://community.cloudflare.com/t/rewrite-host-header-in-pa...

Ah yes that has been the story of my life on Cloudflare. Anything remotely interesting is gated behind what I can only assume is a thousands of dollars per month Enterprise plan.
Before you start rearchitecting your app, be sure to check if the only reason you're seeing preflights on GET is that someone added a dumb X-Requested-By header.

(You can even do POSTs without preflight if you use a whitelisted content-type.)

> You don’t need that CORS request

…if you’re using a proxy like Cloudflare.

The short version of this post is that if your api is hidden behind Cloudflare, you can have it proxy requests to you api that lives on a subdomain.

A reverse proxy using Nginx would work just as well.
My favorite way to avoid preflights is to have Next.js handle the reverse proxy. It fits my mental model better to have it code-side instead of putting Cloudflare/Fastly in front.
(comment deleted)
That does avoid preflight, but it just adds additional requests for all static assets. It seems like it's just trading one type of overhead for another.
Aren’t `OPTION` requests useful when you want to build an actual REST API and not what most devs call everything having an HTTP interface? The clients can use the requests to understand which actions they can apply to the resources.
Or just declare JSON as text, simple cors supports authentication, no need to mess with routes.
The irony in this is that with CloudFront at least, it can't strip the "/api" prefix before sending it to your backend, so you have to have your backend server understand /api/xyz rather than just /xyz calls like when it was on a dedicated api subdomain.

But don't worry! AWS thought of this! They invented Another Cloud Thing, namely Lambda@Edge, to solve this. Now you can run a JS function for every single request that hits your CloudFront Distribution so that you can run logic in there to strip the prefix before it gets passed to your origin. You read that right! Execute code every time a request hits your proxy! But wait, doesn't executing code for every single request sound insane AND doesn't it also add latency which this was trying to remove? Yes! Isn't cloud just lovely?

Similar to Lambda@Edge, Cloudflare also offers Workers (https://workers.cloudflare.com/) which is the same thing, but only with a JavaScript runtime (no nodejs, they use V8), so I believe that it's significantly faster.
CloudFront has CloudFront Functions now which is similar; a very stripped-down JS environment that runs at the edge locations.
CloudFront Distributions cannot pass the request to CloudFront Functions before sending to the origin. In other words, they cannot be used to modify origin request/responses. They can only modify the viewer request/responses. [0]

Only Lambda@Edge can help the scenario which I provided, which is also AWS's recommended solution. [1]

[0] https://docs.aws.amazon.com/AmazonCloudFront/latest/Develope...

[1] https://aws.amazon.com/blogs/architecture/serving-content-us...

A viewer request function can, of course, be used to modify the request before it is sent to the origin. The difference is only related to caching — viewer request happens before the cache lookup, origin request happens after the cache lookup when CF has decided to make an origin request.

For the stated purpose, either function is fine:

With Lambda@Edge you'd use origin request if you were caching these paths, because your function would be called less often so your costs would be lower.

With CF Functions you can only do the pre-cache-lookup modification, so it will be called for every request, but the cost is much lower than Lambda@Edge so it may not matter, and maybe you were not caching these paths anyway in which case it's virtually identical.

Modifying the URL in a viewer request results in the viewer request changing accordingly. If you look at my other responses to other comments, I explained that in detail.

Basically, using the Viewer Request trigger and modifying the URI there causes CloudFront to force a 301 to the user to the new URI, because it's for the viewer. Therefore, in the example of /api/users, if you modify the viewer to remove /api, CloudFront literally removes /api from your request URI, meaning the client accesses /api/users but the server instead sends you to /users (read: server returns 301 location: /users when you hit /api/users) because of your viewer rewrite. You end up hitting your frontend instead of your backend because in order for it to hit your backend, the viewer request has to have /api in it. Therefore you cannot strip it in the viewer request. You must do it in the origin request, which is not supported by CloudFront functions.

I don't want to argue that the feature should be built in (and most importantly free, because that's something you forgot to mention, those lamdba functions are paid for each run) but

> doesn't executing code for every single request sound insane

How would you strip some url path without executing code for every single request? It could be code you did not write, but some code is always needed to do something. If latency of lamdba@edge is an issue, you can try CloudFront functions, which should be better for small tasks like this (though I don't have any experience with them as we switched to a similar competitor)

I don't know. This doesn't feel like something that should require edge logic. nginx handles this with a single rewrite directive, so I'd expect some part of the AWS routing layer to have a setting to rewrite the URL accordingly. OTOH, AWS can't and shouldn't account for every edge case, probably.
A rewrite directive is just writing code.
Rewrite directives handled by low-level routing logic of the web server are definitely different to a container image that gets spun up in a distributed network and queried for each request, don't you think?
Not really, no. In fact the only significant difference (that the Lambda@Edge function is run at the closest geolocation to the client, rather than on the origin server) is an advantage to Lambda@Edge.

What difference are you alluding to?

A HTTP URI path prefix mapping is done in nginx, in the same process, no context switching, no buffering, I think it is even done without any allocation.

Of course it doesn't matter, basically logging takes more resources than whatever routing is needed. (Especially because even if it requires running a Cloudflare worker it's just a NodeJS V8 isolate, very lightweight. As far as I know. But I have no idea of its costs.)

But AWS Lambdas are pretty pricey compared to a free nginx rewrite.

> But AWS Lambdas are pretty pricey

Kind of why CloudFront Functions we're invented for this use case, AWS Lambda@Edge is the more general purpose edge computing facility.

> Rewrite directives handled by low-level routing logic of the web server are definitely different to a container image that gets spun up in a distributed network and queried for each request, don't you think?

I’m pretty sure Lambda@Edge is not a container image like regular Lambda (why it only supports JS and not the broader set of Lambda runtimes) and is relatively local to the edge environments serving CloudFront anyway (why it is support in CloudFront the way regular Lambda isn't, and what the @Edge part refers to.)

> (...) are definitely different to a container image that gets spun up (...)

I'm not sure you're making a informed observation. "Spinning up a container image" is just fancy jargon/handwaving to refer to launching a process, which is something nginx already does under the hood in a myriad usecases without warranting complains from users.

> and queried for each request, don't you think?

I'm not sure if either you framed your sentence poorly or you don't have a clear idea about what you're talking about. In AWS lambda, you don't "spin up containers" at each request. You launch your lambda once it's deployed or when it scales up, and it stays up as long as you see traffic.

Poor phrasing, then. Meant to say a container is started once, then queried on every subsequent request. And what I’m talking about is not the user-facing lambda, but what AWS does on the infrastructure layer below, which involves running a containerised process on firecracker VMs, communicating via HTTP. There was a great summary of how AWS works a while ago, going into way more detail, that I sadly can’t find anymore. But there’s definitely more work involved in calling a lambda function than forking a process in nginx.
CloudFront Distributions cannot pass the request to CloudFront Functions before sending to the origin. In other words, they cannot be used to modify origin request/responses. They can only modify the viewer request/responses. [0]

Only Lambda@Edge can help the scenario which I provided, which is also AWS's recommended solution. [1]

[0] https://docs.aws.amazon.com/AmazonCloudFront/latest/Develope...

[1] https://aws.amazon.com/blogs/architecture/serving-content-us...

Personally, I did it with templates in api gateway, as at least then I'm not paying for the cpu time to do these sorts of manipulation. But yes, stuff like this made me really shake my head at 'the cloud'
From your link [0] "URL redirects or rewrites" is a supported use case.

For stripping /api/ from the path, I don't know what would be the benefit of doing it at the origin request, rather than at the viewer request?

Cloudfront functions are pretty new, so some older docs might still reference lamdba@edge only.

The origin request is your backend. The viewer request is the one you're requesting from the client. You want the viewer to have /api. You want the origin to not have /api.

Therefore stripping must be performed on the origin request, which is not supported by CloudFront Functions.

Both the viewer request and origin request hook both happen early enough that you can update the path

See https://docs.aws.amazon.com/AmazonCloudFront/latest/Develope...

I have used lamdba@edge and our primary use case was to rewrite url (to add languages information for example) so I'm sure it works in viewer request events.

No. Please see the many other responses I gave to other comments. It does not work because the viewer request is the request the viewer views. If you change the URL of the viewer request, CloudFront sends a 301 accordingly. In other words, changing /api/blah to /blah in the "Viewer Request" part results in CloudFront injecting a `301 location: /blah` and the client doesn't hit your backend because they got redirected. The client instead hits your frontend as a result of your URL rewrite. There is a very clear difference between viewer and origin. If you could rewrite origin requests at the viewer level there would not be any difference between the two. This is the difference. Viewer is what the client sees. Origin is what the backend sees.
My understanding is that you would need to rewrite the url and update the origin.

I could be wrong as I did this lambda@edge a while ago, but the main difference between the two request event is that viewer request is done in all cases, while origin request is done only in case of cache miss.

[EDIT] you are right, updating the origin is indeed something that cannot be done on the viewer side. My bad, I should have checked earlier.

CloudFront is a CDN, it should cache static resources, not so much manipulate incoming requests - that's more a job for a load balancer / proxy like Elastic Load Balancer.
CloudFront is CDN with limited features, other CDNs (Akamai, Fastly etc) are more than capable of manipulating incoming requests
Fully agree here: I don’t expect anything else but reliable and performant HTTP caching from a CDN like CloudFront.

Request manipulation is not the duty of a cache - even though other CDN providers mix request manipulation functionality with caching. In my opinion, they don’t need to be in the same product.

If you still need request manipulation, because you don’t control the origin or you don’t want to introduce another service between CloudFront and the origin, you would use CloudFront Functions, which is cheaper than Lambda@Edge and easy to set up.

Which is why CloudFront and Lambda are separate products. Lambda@Edge simply combines them.
Not sure why you cannot strip in your backend, and it's a huge deal. Code needs to be run somewhere though. While Lambda@Edge sucks, Cloudfront runs functions now which is not Lambda@Edge, and faster because it executes on the PoP location. https://aws.amazon.com/blogs/aws/introducing-cloudfront-func...
CloudFront Distributions cannot pass the request to CloudFront Functions before sending to the origin. In other words, they cannot be used to modify origin request/responses. They can only modify the viewer request/responses. [0]

Only Lambda@Edge can help the scenario which I provided, which is also AWS's recommended solution. [1]

[0] https://docs.aws.amazon.com/AmazonCloudFront/latest/Develope...

[1] https://aws.amazon.com/blogs/architecture/serving-content-us...

I've just tried it. The following function works exactly as-is when the function is configured as Viewer request. I changed it to append some text to URL.

See: https://github.com/aws-samples/amazon-cloudfront-functions/b...

That MODIFIES a viewer request, resulting in a viewer redirect. We want to keep the viewer request the same, i.e. with /api, and strip it only from the backend origin request.

The viewer request is the one you make from the client, with /api. The origin request is the one CloudFront sends to your backend, which, without using Lambda@Edge via the origin request, will get sent as-is with the /api prefix. You have to strip it from the origin request.

If you strip /api from the viewer request, your `domain.com/api/users` request becomes a redirect to `domain.com/users` which results in a call to your frontend instead of your backend.

The example you referenced solves a completely different issue, not the one we are talking about.

Crafty alternative: just.. don't strip it? It seems like a perfectly reasonable and simple route that avoids complexity and cost to just keep /api.
It's just one of the many things unexpectedly out of your control when using a cloud provider.
Well, we've all read this thread so it's not unexpected anymore.
We ran into the same issue and we had to use API gateway to rewrite urls. but it had the added benefit of handling CORS there and the preflight requests never hits the application servers. Additionally preflight requests are cached at cloudfront and at browser with "Access-Control-Max-Age" and for the first request we do pre connect during the main domain load so the users never notice the small latency it may have.

I agree that AWS products are all over the place.

"AWS products are all over the place."

It's the customers. They run into issues using something against all advice in the docs and then request features and services or AWS sees all the clamor around a perceived issue and they create a "solution."

Developers are really averse to reading and understanding documentation. It's why they all jumped on the cloud. But it turns out it isn't all just magical infinite performance.

Is your lambda awake?

>But don't worry!

I don't, I can just teach my backend to process /api. The backend is running code under my control anyway. This seems like one of the least difficult "problems" to solve in any non-trivial codebase.

>doesn't executing code for every single request sound insane AND doesn't it also add latency which this was trying to remove? Yes!

but surely executing code at the source of your web app is more efficient than having the client and server attempt to perform it? faster than 40-90ms per request at least

In asp.net we just use:

app.UsePathBase("/api");

And we have 0 issues.

> They invented Another Cloud Thing, namely Lambda@Edge, to solve this.

Yes, designed for usecases like those handled by Cloudflare Workers, which boil down to updating data cached in edge servers without requiring global redeployments or pinging a central server. We're talking about stuff like adding timestamps to images or adding headers to HTTP responses or pre-rendering some HTML or emit CDN-aware metrics.

> Now you can run a JS function for every single request that hits your CloudFront Distribution

Not exactly. Lambda@Edge are event handlers from CDN events. You use them when they suit your needs.

> so that you can run logic in there to strip the prefix before it gets passed to your origin.

Your strawman example doesn't even feature among the dozen examples provided by AWS regarding how to use Lambda@Edge.

Everyone is free to come up with silly ideas and absurd examples, but if you design systems around braindead ideas then that says a lot about you and nothing about the tools you chose to abuse

> You read that right! Execute code every time a request hits your proxy!

Yes, that's what web servers do. What exactly is your point?

> But wait, doesn't executing code for every single request sound insane

It doesn't. That's what a web server does. Moreso, Lambda@Edge (and Cloudflare Workers too) only do it if you explicitly decide to make them do it, to match precisely what you tell them to do.

What point are you trying to make, exactly?

> AND doesn't it also add latency which this was trying to remove?

It does. It adds tens of milliseconds when the alternatives can add hundreds of milliseconds. You're also expected to do basic engineering work and do basic performance work when seeking performance improvements, such as measuring things instead of mindlessly jumping on bandwagons without caring for the outcome.

> Isn't cloud just lovely?

I feel your comment manifests too much cinicism to cover too much ignorance on a topic you are not familiar nor understand the basic premise.

You shouldn't be so stern. The use case I provided is AWS's recommended way to solve this problem[0]. :)

> Yes, designed for usecases like those handled by Cloudflare Workers, which boil down to updating data cached in edge servers without requiring global redeployments or pinging a central server. We're talking about stuff like adding timestamps to images or adding headers to HTTP responses or pre-rendering some HTML or emit CDN-aware metrics.

> Not exactly. Lambda@Edge are event handlers from CDN events. You use them when they suit your needs

> Your strawman example doesn't even feature among the dozen examples provided by AWS regarding how to use Lambda@Edge.

For all of these counterpoints, see [0].

> Everyone is free to come up with silly ideas and absurd examples, but if you design systems around braindead ideas then that says a lot about you and nothing about the tools you chose to abuse

I take it you are directing this particular comment at AWS considering they are recommending this solution? [0]

> Yes, that's what web servers do. What exactly is your point?

Don't be daft. You know what I mean. Obviously web servers execute code. In this case the web server (CloudFront Distribution) is passing the request to yet another "thing" which happens to be a JS function that is invoked specifically to handle something web servers like nginx were built to do extremely efficiently on their own. CloudFront could easily support this without additional dependencies that add complexity to your system design and introduce additional failure modes. In this case, I am making your point for you: using Lambda@Edge for this IS ridiculous, but that's the AWS way.

> It doesn't. That's what a web server does. Moreso, Lambda@Edge (and Cloudflare Workers too) only do it if you explicitly decide to make them do it, to match precisely what you tell them to do.

> It does. It adds tens of milliseconds when the alternatives can add hundreds of milliseconds. You're also expected to do basic engineering work and do basic performance work when seeking performance improvements, such as measuring things instead of mindlessly jumping on bandwagons without caring for the outcome.

Sorry for not writing a detailed blog post to describe all of my findings. FYI, the latency added with Lambda@Edge caused my request time to double and added much more variance.

I'm surprised a lot of your counterpoints are just blaming me for doing the wrong thing, when this is actually what is recommended by AWS. Invoking a custom function to process the request. See [0]. Of course the right solution is to use nginx (but then you lose out on AWS scaling) or completely redesign your system to fit another solution like API Gateway.

From AWS's blog:

> In this scenario we can use Lambda@Edge to change the path pattern before forwarding a request to the origin and thus removing the context. For details on see this detailed re:Invent session. [0]

[0] https://aws.amazon.com/blogs/architecture/serving-content-us...

> But don't worry! AWS thought of this! They invented Another Cloud Thing, namely Lambda@Edge, to solve this.

No, CloudFront Functions is the Another Cloud Thing AWS invented more specifically for this use case. Lambda@Edge is the older and more general purpose edge computing facility.

> You read that right! Execute code every time a request hits your proxy!

Any rewrite rule in any platform, and heck, any other functionality provided by the distribution, is executing code every time it gets a request (whether or not you are writing code for the purpose.)

Is there any way to read the OPTIONS response from JavaScript?

I'm guessing not, but if there was, theoretically could you just include your API response in the CORS rejection response?

CORS exists to protect the backed from developers that ask these types of questions.
Let's not be mean to someone asking a question. It is always good to ask, even stupid ones.
I'm not mean to anyone with less karma than me.
From my experience, when you want to have 12 factor apps and just build your Frontend/backend once, and don’t want to leak absolute urls in the Frontend code, you are better of with relative URL’s anyways, i.e. /api for your api, and let a reverse proxy do the proper mapping to your services.

Then of course you don’t need CORS

That's what I tend to stick to, CORS is a headache and very easy to do wrong and you shouldn't do it unless you make an open API that can be directly integrated into other websites - which is probably a bad idea.

For most if not all use cases, you can set up a proxy in your front-end's web server so that it doesn't need CORS.

That's one strategy. Having something like `API_URL=https://api.foo.bar/v1` works equally well for 12 factor apps, and gives you the added benefit of transparently pointing to test hosts or staging versions running elsewhere.
Yeah. I would have this env var inside my reverse proxy to have it 12-factor app compatible. And I guess your solution as well? And you have some templating mechanism to replace the absolute variable on the fly?

I would use a mix of your solution, i.e. allow the Java script client to be configured with either absolute or relative urls in case one needs to point the client elsewhere + reverse proxy

Didn't we do this back in the day for IE?
Here is an extensive step-by-step tutorial which describes in detail how to create and deploy a React-based web app frontend using TypeScript and Redux Toolkit on top of a Node.js based AWS Lambda backend with a DynamoDB database, connect and integrate them through API Gateway and CloudFront, and explains how to codify and automate the required cloud infrastructure and deployment process using Terraform.

The resulting architecture does not require any CORS requests, too:

https://manuel.kiessling.net/2021/05/02/tutorial-react-singl...

That's a mouthful.
I've read that sentence three times and still were not sure if it's meant as a joke or not.
It’s not – I like to summarize my tutorials comprehensively. I am not a native speaker though; I apologize if the sentence isn’t structured correctly or sounds inelegant. Corrections welcome.
I guess it's just the mind-bogglingly huge number of components involved to display HTML to someone :)
That is absolutely true in some sense - then again, it is one solution where you start with a decent architecture that can grow and is scalable at linear, and very low, costs.

If you were to really only deliver some HTML, it's overkill. For this reason, my blog is hosted with an old-school 90s-style FTP-backed "webspace" provider.

But the architecture described is used to develop-build-deploy a full-flegded web-based application, with a persistence layer for user data and a potentially complex user-interface.

And for this, having a sound architecture and tech-stack where you do not need to care about low-level server issues is, while certainly not a silver bullet, quite a productive experience.

Oh, your language is perfectly fine. It's just that your article description reveals a sad truth about modern web technologies: it's a tangled mess.
Highly complicated jacked up messes that you can't explain to your customers...and they don't care.
That’s frontend for you.
Im not sure if its to deploy a blog or a satellite.
> Here is an extensive step-by-step tutorial which describes in detail how to create and deploy a React-based web app frontend using TypeScript and Redux Toolkit on top of a Node.js based AWS Lambda backend with a DynamoDB database, connect and integrate them through API Gateway and CloudFront, and explains how to codify and automate the required cloud infrastructure and deployment process using Terraform.

I think it's time we take a step back and address this insane complexity required to send HTML documents to users...

I don't think I'm a fan of CV development...
I hope it's clear that the reference to CVDD is tongue-in-cheek.
Looking at some of my HTTP requests, I noticed that

* `Sec-Fetch-Site: cross-site` can be `Sec-Fetch-Mode: no-cors`

* `Sec-Fetch-Site: same-origin` can be `Sec-Fetch-Mode: cors`

It looks like all four combinations of these two headers are possible.

Recently chrome required COOP and COEP for shared memory access, which essentially restricts any access to anything besides the same origin. This basically killed my project/motivation of 2~ years.

Using Emscripten and threads, you require COOP & COEP headers to be sent via the main document. This is not common practice for static html hosting sites, thus requiring that you have access to a config file or .htaccess, and requires ALL assets to be hosted exclusively on that same server.

Killing my project is a bit extreme, but killed my motivation.

It's a web-based game with multiplayer that I was hoping people would modify and expand on, hosting themselves, uploading to places like Github.

I've recently started modifying Emscripten's runtime library to try and treat each webworker as a separate instance that just communicates between each other. This has major overhead as each thread is a new memory instance. I've tried getting it to extract each function into it's own module for a webworker to load but that's a major task.

Web apps want to act as desktop applications but they're so held back by security it's nearly impossible. We don't even have a proper local storage system.

To quote Dilbert, "Security is more important than usability. In a perfect world, no one would be able to use anything."

I may have misunderstood your requirements, but why do you say that most static hosts don't allow custom headers to be set?

I know that Netlify does[0], and use it myself, so I would expect the other big names to support something as well.

0: https://docs.netlify.com/routing/headers/

I really wanted to give developers more control over their asset hosting. If they wanted to host their assets on a remote server for better performance, that's an option I'd want them to have. Relying on only X Y Z service will certainly work, but certainly not optimal.

It didn't out right kill the project, It'll work under these specific conditions but reducing usability is not helpful.

I’m sorry your project was stalled by this.

What static file hosting were you using? If it doesn’t support COOP/COEP headers yet, you can force it by using a service worker with this neat hack: https://stefnotch.github.io/web/COOP%20and%20COEP%20Service%...

Firebase hosting would allow you to set headers with a .htaccess file. Cloudflare Workers can also set the headers.

If your project was going to entail loading resources from other origins not under your control, well, that’s exactly the code injection scenario these headers are designed to prevent.

Sorry late reply, ended up going to bed. This article is actually very interesting, I'll have to dig deeper into this. Thanks.
I'm quite saddened the web has had to rescind so many features (high-res timers, shared memory, memory profiling). It's worth noting that most of these high-end capabilities had just gotten outright disabled for a time, when Spectre/Meltdown hit. That they got turned on at all is a notable improvement. https://web.dev/why-coop-coep/

I don't like some of the candor of the article. Treating cross-origin activity as a mis-feature is a great mis-service to the web: it's not really much of a web, imo, if sites are restricted to talking to themselves. That the web standards crew is happy to shit on this range of capabilities, to write new standards that walk the web back: it's a harsh regression, by afraid leaders. There is a lot a lot a lot of trouble here, in these domains, but this desire to just cancel the feature & walk away, to make the web one where sites have to work & play only with themselves: it's a death knell, against the spirit of the thing, deeply. That it's so inconvenient & troublesome to standards authors, so difficult for browser engineers, that it (used to be) a hazard for sitemasters: I'm sorry for your suffering but good things & great powers have a price. You're wrong to want to shut this possibility out. Easier path that it may be.

Have you looked at Electron? It brings a learning curve and other problems but you have a node.js backend that you can pass messages to and would have full access to the machine.
Or you can have the browser cache the CORS header for up to 2 hours (cross-browser), for the same performance effect - but it will also work for third party website consumers of your API that you can't just put on your domain.
The author did not actually solve the problem at hand.

Try the API playground[1] on the authors site. Its takes more than 1 secs for me to get a preflight response back.

The preflight request hits fastly and aws apigateway and maybe the application well. There are lot of options to solve the problem at fastly and apigateway as I mention in another comment[2].

I really hope author reads the comments here.

[1] https://www.meetup.com/api/playground/

[2] https://news.ycombinator.com/item?id=29778973

(comment deleted)
I'm not 100% on this, but doesn't disabling CORS essentially re-introduce CSRF?
Theory is that an attacker can bypass CSRF protections when CORS is disabled by making an extra GET request to parse the CSRF token which is then provided in the next request.
Then again, I suppose a dedicated attacker can just bypass CORS.
They are bot disabling CORS, they are just proxying the request throigh the same origin so that for their web app they won't have CORS requests.
I think you misunderstand what CORS is. Are you under the impression CORS is a way of blocking requests? It’s the other way around.

Browsers prevent most types of requests that go from one hostname/port/protocol to another by default. CORS is a way for a server to tell browsers to relax these restrictions in some way.

If you disable CORS, all that means is that the default browser behaviour applies, which means that more types of requests are prevented.

Thanks for helping to clarify!
Please use Access-Control-Max-Age instead. CORS has some nice security properties.
What is the security risk of moving from an API subdomain to a single host?
nothing

CORS is just a verification that the cross domain request is to a trusted domain. Your own domain is assumed to be trusted, by default

That is also my understanding, but I'm trying to find out what my parent thinks the security advantage is
CORS tries to prevent CSRF issues by preventing cross-origin cookie authentication.
Sure, but moving your whole app under a single origin to avoid dealing with CORS doesn't weaken any protection here.
if handled correctly, sure. but it also means that implicit cookie authentication ('ambient authority') is possible and can easily happen by accident
Is avoiding the OPTIONS request as simple as keeping a fetch to the same origin? I thought there were all kinds of rules for something to be considered a "simple request", like it can't be JSON, can't be PUT or DELETE, etc. I haven't looked much into this but does someone have a clear answer?
Hint for those who didn't fall for cloud behemoths vendor lock. Deploying your app to plain VPS you still need a reverse proxy like nginx to handle raw requests and terminate TLS. So it is natural to let it do the routing part too.
Going to implement this to improve Denigma.app load time!
I've struggled with this exact problem. A client developed a SPA and an API to go with it. Because "reasons" they wanted the API to live on api.customersite.com. Fair enough, that's their problem. Except it's not, because the developers have no idea how CORS work, only that it's a thing. So their API can't send CORS headers back, they never implemented that and apparently can't figure out how to make it work.

Instead, we now have a reverse proxy (haproxy) that "fixes" the missing CORS headers, by intercepting the OPTIONS call and return a dummy response with the correct headers included. The developer basically understand NOTHING in regards to CORS, so whenever the silly SPA breaks, the logic is always the same: "CORS is broken, fix it". At not point has it been an option to fix the API service to include the correct headers.

We could just have moved the API to /api and saved days of debugging and writing work-arounds, but no, api.customersite.com looks more professional.

How you can be a web developer today and not knowing how to add two headers to all responses a API does, boggles my mind. Literally took me about 30 minutes to understand how CORS works when it first started being shipped with browsers.
You probably understand the rest of what you need to understand CORS. I've noticed that web developers today don't even understand things like HTTP in general particularly well. They're not trying to understand, they're trying to ship the next feature, and CORS is "blocking them".
Sadly true, I love to ask webdevs in intervews if they can give definitions of http, or idk, user agent, and it's impressive how much ignorance there is out there.
In my experience with CORS, my problem is it takes 30 minutes nearly every time you need to bugfix it.

It’s not that complicated but when something breaks CORS adjacent, you’re stuck reviewing the gotchas.

I've had similar experience.

I inherited both front and back-end. Their solution was "allow: *" (which is like saying, "I don't like carrying my house keys, so I removed the lock")

The system did require a "api.*" for other things, so my quick solution was a proxy_pass for /api.

I'm pretty sure this is the most upvoted answer on SO

...tap ...tap ...tap

No. Second top answer. https://stackoverflow.com/a/27280939/1507124

With the obvious WTF top comment and the natural follow-up. It solved my problem, therefore it's great.

Interestingly, your hacky workaround to client non-cooperation sounds very much like what others are suggesting as their first-choice solution anyway!

See for instance this comment: https://news.ycombinator.com/item?id=29778528 Which suggests implementing the CORS response in a reverse proxy or some other covering layer.

And of course the OP also involves a reverse-proxy, although one mapping to avoid the need for CORS headers.