
AJAX GET from S3 CORS fails on preflight OPTIONS with 403

I saw several issues and talk on this, but still couldn't find any answer. I'm trying to do a simple GET for a file from S3 with AJAX GET. My bucket is configured for CORS:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

Here is a curl snippet for my call (omitted the file..):

curl 'https://s3.amazonaws.com/mybucket/myfile.tar.gz' \
  -X OPTIONS \
  -H 'Access-Control-Request-Method: GET' \
  -H 'Origin: http://0.0.0.0:9000' \
  -H 'Referer: http://0.0.0.0:9000/' \
  -H 'Access-Control-Request-Headers: accept, x-longtostring' \
  -H 'Pragma: no-cache' \
  -H 'Accept-Encoding: gzip, deflate, sdch' \
  -H 'Accept-Language: en-US,en;q=0.8,he;q=0.6,mg;q=0.4' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36' \
  -H 'Accept: */*' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  --compressed \
  --verbose

I get a 403 result:

 HTTP/1.1 403 Forbidden
 x-amz-request-id: 1F545B4ED302B3AD
 x-amz-id-2: AiQwUgOeVhfxRjYL/13MLBsUQdx8n4bYLhV3TwftDfnMZ+7FhvnxfVAGLCo3WCiT
 Content-Type: application/xml
 Transfer-Encoding: chunked
 Date: Sun, 30 Aug 2015 21:25:17 GMT
 Server AmazonS3 is not blacklisted
 Server: AmazonS3

<?xml version="1.0" encoding="UTF-8"?>
 Connection #0 to host s3.amazonaws.com left intact
<Error><Code>AccessForbidden</Code><Message>CORSResponse: This CORS request is not allowed. This is usually because the evalution of Origin, request method / Access-Control-Request-Method or Access-Control-Requet-Headers are not whitelisted by the resource's CORS spec.</Message><Method>GET</Method></Error>

Removing the -X OPTIONS solves this. But this is added automatically by the browser (I'm using Angular $http.get), I have no control over this (or have I?).

Thanks

Ben Bracha asked Feb 09 '23 04:02


1 Answer

It seems that S3 won't accept an OPTIONS call, in any configuration I could think of. But for a GET request, if you don't add any custom header, the browser won't trigger OPTIONS.

So I removed any custom header from the specific $http.get(s3FilePath) request.

The reason I got 403 was because the file wasn't ready. After the file is ready, you get it right.

Ben Bracha answered Feb 13 '23 12:02
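
The answer's point, that only author-set headers outside the CORS safelist make the browser send OPTIONS, shown as an added example (not part of the original post): a simplified model of the Fetch standard's preflight decision, applied to a GET with and without the `x-longtostring` header from the curl capture. The function names and header values are constructed for illustration; Range handling and the standard's 1024-byte total limit are left out.

```javascript
// Added example: simplified model of the Fetch standard's preflight decision.
// Only headers set by page script count; Origin, Referer, User-Agent etc. are
// added by the browser and never trigger a preflight on their own.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
// Bytes the Fetch standard calls "CORS-unsafe request-header bytes".
const UNSAFE_BYTE = /[\x00-\x08\x0a-\x1f"():<>?@[\\\]{}\x7f]/;
const LANG_VALUE = /^[0-9A-Za-z *,\-.;=]*$/;

function isSafelistedHeader(name, value) {
  if (value.length > 128) return false;
  switch (name.toLowerCase()) {
    case "accept":
      return !UNSAFE_BYTE.test(value);
    case "accept-language":
    case "content-language":
      return LANG_VALUE.test(value);
    case "content-type": {
      if (UNSAFE_BYTE.test(value)) return false;
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFE_CONTENT_TYPES.has(essence);
    }
    default:
      // Any other author-set header forces a preflight
      // (Range is treated conservatively as unsafe in this sketch).
      return false;
  }
}

// Returns whether a preflight is needed and which header names the browser
// would list in Access-Control-Request-Headers (lowercased, sorted).
function preflightPlan(method, headers) {
  const unsafe = Object.entries(headers)
    .filter(([name, value]) => !isSafelistedHeader(name, value))
    .map(([name]) => name.toLowerCase())
    .sort();
  return {
    needsPreflight: !SAFE_METHODS.has(method.toUpperCase()) || unsafe.length > 0,
    requestHeaders: unsafe.join(","),
  };
}

// Constructed inputs: an Accept value plus the custom header from the capture.
const SAMPLE_ACCEPT = "application/json, text/plain, */*";
const withCustom = preflightPlan("GET", { Accept: SAMPLE_ACCEPT, "X-LongToString": "1" });
const withoutCustom = preflightPlan("GET", { Accept: SAMPLE_ACCEPT });
console.log(withCustom, withoutCustom);
```

The 2015 Chrome capture in the question also lists `accept` in `Access-Control-Request-Headers`; under the current standard a safelisted `Accept` value is not listed.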