AWS S3 - No 'Access-Control-Allow-Origin' header is present on the requested resource

Question

I have a client static website on S3 (app.foo.org) sending http requests to a web application running on Elastic Beanstalk (www.foo.org).

The S3 web application configuration is:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

On the S3 application I set the http headers for CORS. On the server I set the response headers as following:

httpResponse.setHeader("Access-Control-Allow-Origin", "*"); 
httpResponse.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT");
httpResponse.setHeader("Access-Control-Allow-Headers", "X-Requested-With, Content-Type");

Everything was working fine, but when upload a new version of the static website on S3 via "aws async" command, it stopped working! and I get the following error:

XMLHttpRequest cannot load http://www.foo.org/rest/... 

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://app.foo.org' is therefore not allowed access. The response had HTTP status code 500.

I tried changing the CORSRules: for instance to replace:

    <AllowedOrigin>*</AllowedOrigin>
with:
    <AllowedOrigin>http://*</AllowedOrigin>
    <AllowedOrigin>https://*</AllowedOrigin>

I tried many other suggestions I could find... nothing works.. any Idea what can be wrong?

Answer 1

I found the bug!

The client was sending http requests, while on the server side, I converted all the coming http://www.foo.org requests to https://www.foo.org and send it back, and expected the client to send me the https request.

So simply I set the client to send https requests and now everything works fine!