Damn Cloudfront origin cookies whitelist

This article is published under the CC-BY-4.0 license; please follow that license when republishing.
Article URL: https://fenying.net/en/post/2024/07/09/damn-cloudfront-origin-cookies-whitelist/

In the AWS CloudFront origin request policy, there is a cookies whitelist.

In the document, AWS says:

The origin request settings allow you to receive some information from the viewer request, such as URL query strings, HTTP headers, and cookies, at the origin. For example, you might do this to collect data for analytics or telemetry.

And, look at this screenshot:

[Screenshot: cookies whitelist in the AWS CloudFront origin policy]

As it says, you can control what cookies will be forwarded to the origin.

You could trust it, truly. However, if you look at it carefully, you will notice that there are no controls for which cookies are sent from the origin to the client.

Well, that’s what sucks.

The whitelist actually controls both the cookies forwarded to the origin and the cookies sent from the origin.

That’s what shitted me for 2 hours, trying to find out where my Set-Cookie header was going??? Damn it.
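A diagnostic for the symptom described above, as an added example that is not from the original post: it compares the Set-Cookie names in a response captured directly from the origin with the same response captured through CloudFront, and separates the missing ones by whether they are in the whitelist. The header dumps, cookie names and function names are constructed for illustration, and whitelist entries are assumed to be exact cookie names.

```python
# Added example: the header dumps below are constructed, not captured output.
ORIGIN_RAW = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure
Set-Cookie: csrf_token=xyz789; Path=/
Set-Cookie: theme=dark; Max-Age=31536000
"""

EDGE_RAW = """HTTP/2 200
content-type: text/html
set-cookie: session=abc123; Path=/; HttpOnly; Secure
x-cache: Miss from cloudfront
"""


def set_cookie_names(raw_headers):
    """Return the cookie names found in Set-Cookie lines of a raw header dump."""
    names = set()
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        # Status lines have no colon; header names are case-insensitive.
        if sep and field.strip().lower() == "set-cookie":
            # The cookie name is the part before "=" in the first pair.
            name = value.split(";", 1)[0].split("=", 1)[0].strip()
            if name:
                names.add(name)
    return names


def explain_missing(origin_raw, edge_raw, whitelist):
    """Classify cookies the origin set by what happened to them at the edge."""
    origin = set_cookie_names(origin_raw)
    edge = set_cookie_names(edge_raw)
    allowed = set(whitelist)  # assumption: exact names, no wildcards
    missing = origin - edge
    return {
        # Set by the origin, absent at the edge, not in the whitelist.
        "not_whitelisted": sorted(missing - allowed),
        # Whitelisted yet still absent: the policy is not the cause.
        "whitelisted_but_missing": sorted(missing & allowed),
        "delivered": sorted(origin & edge),
    }


if __name__ == "__main__":
    for key, names in explain_missing(ORIGIN_RAW, EDGE_RAW, ["session"]).items():
        print(f"{key}: {names}")
```

Cookies reported under `not_whitelisted` are the ones to add to the policy if the client needs them; anything under `whitelisted_but_missing` points to a different cause.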
