CORS enables micro services on AWS

AWS User Group Singapore (Mar 2016)

Kai Hendry

HTTP_ORIGIN

CORS

Headers & OPTIONS

curl \
    --verbose \
    --request OPTIONS \
    http://s.natalian.org/2016-03-20/rtest2.json \
    --header 'Origin: http://bad.example.com' \
    --header 'Access-Control-Request-Headers: Origin, Accept, Content-Type' \
    --header 'Access-Control-Request-Method: GET'

Fixing S3

diff --git a/nay.txt b/yay.txt
index 3bbcd43..76aba5d 100644
--- a/nay.txt
+++ b/yay.txt
@@ -3,7 +3,7 @@
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>Authorization</AllowedHeader><AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>
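Review bot: on the AllowedHeader line, a `*` value now sits in the same rule as `<AllowedOrigin>*</AllowedOrigin>`, so every origin may request every header in preflight. The line also shows `Authorization` and `*` side by side with no `+`/`-` markers, so the old and new values cannot be told apart from the hunk. If `*` is the new value, consider listing only the headers clients actually send; the preflight earlier on this page asks for Origin, Accept and Content-Type. Also state in the change description whether `Authorization` is still meant to be allowed.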

Access-Control-Allow-Origin: *

For APIs, maybe we want to control access a little?

Use case

We need to listen to our customers! From our statically generated site!

AJAX with CORS enables us to communicate with:

AWS EC2 / SES / Route 53 live demo!

aws ec2 run-instances --image-id ami-94aa68f7 --count 1 --instance-type t1.micro --key-name hendry --security-groups default

Takeaways

CORS is like an IP whitelist that enables the INTERNET OF THINGS

It's not really a security feature. It allows browsers to relax the same-origin policy, and
it allows Web services to bless certain domains so they can use their services FROM THE BROWSER.
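The origin "blessing" described above, sketched for a WSGI/CGI-style service where the browser's Origin header arrives as HTTP_ORIGIN. This is an added example, not code from the talk: the allowlist, the permitted methods and headers, and the name `cors_response` are assumptions, and the sample preflight is constructed from the curl command earlier on this page.

```python
ALLOWED_ORIGINS = {"https://www.example.com"}           # assumed allowlist
ALLOWED_METHODS = {"GET", "POST"}                        # assumed
ALLOWED_HEADERS = {"origin", "accept", "content-type"}   # assumed, lowercase
MAX_AGE = "3000"  # same value as MaxAgeSeconds in the S3 rule


def cors_response(environ):
    """Return (status, headers) for a WSGI/CGI environ dict.
    status is None for a non-preflight request: serve it, then add headers."""
    origin = environ.get("HTTP_ORIGIN")
    headers = {"Vary": "Origin"}  # response depends on Origin, so caches must too
    preflight = (environ.get("REQUEST_METHOD") == "OPTIONS"
                 and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ)

    if origin not in ALLOWED_ORIGINS:
        # No Access-Control-Allow-Origin: the browser withholds the response
        # from the calling page. Clients such as curl are not bound by this,
        # so the check does not replace authentication.
        return ("403 Forbidden" if preflight else None), headers

    headers["Access-Control-Allow-Origin"] = origin  # echo the exact origin, not "*"
    if not preflight:
        return None, headers

    method = environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"]
    requested = environ.get("HTTP_ACCESS_CONTROL_REQUEST_HEADERS", "")
    wanted = {h.strip().lower() for h in requested.split(",") if h.strip()}
    if method not in ALLOWED_METHODS or not wanted <= ALLOWED_HEADERS:
        return "403 Forbidden", {"Vary": "Origin"}

    headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
    headers["Access-Control-Allow-Headers"] = ", ".join(sorted(wanted))
    headers["Access-Control-Max-Age"] = MAX_AGE
    return "204 No Content", headers


# Constructed sample: the preflight sent by the curl command on this page.
SAMPLE_PREFLIGHT = {
    "REQUEST_METHOD": "OPTIONS",
    "HTTP_ORIGIN": "http://bad.example.com",
    "HTTP_ACCESS_CONTROL_REQUEST_METHOD": "GET",
    "HTTP_ACCESS_CONTROL_REQUEST_HEADERS": "Origin, Accept, Content-Type",
}

if __name__ == "__main__":
    for o in ("http://bad.example.com", "https://www.example.com"):
        print(o, cors_response({**SAMPLE_PREFLIGHT, "HTTP_ORIGIN": o}))
```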

Thank you