Add a cross-origin resource sharing (CORS) header to the response

The following example function adds an Access-Control-Allow-Origin HTTP header to the response if the response doesn’t already contain this header. This header is part of cross-origin resource sharing (CORS). The header’s value (*) tells web browsers to allow code from any origin to access this resource. For more information, see Access-Control-Allow-Origin on the MDN Web Docs website.

This is a viewer response function.

See this example on GitHub.


function handler(event)  {
    var response  = event.response;
    var headers  = response.headers;

    // If Access-Control-Allow-Origin CORS header is missing, add it.
    // Since JavaScript doesn't allow for hyphens in variable names, we use the dict["key"] notation.
    if (!headers['access-control-allow-origin']) {
        headers['access-control-allow-origin'] = {value: "*"};
        console.log("Access-Control-Allow-Origin was missing, adding it now.");
    }

    return response;
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Add a Cache-Control header to the response

Add cross-origin resource sharing (CORS) header to the request