Builder Editor - Iframe view blocked by Cloudfront due to invalid character in query Parameter

I have already mentioned this on a Bug posted on May 4th but I have had no response to it so I am posting on a fresh feed.

Builder content link

N/A - Applies to any Builder Editor View

Builder public api key

Detailed steps to reproduce the bug

  1. Create a Next.js application for Builder
  2. Deploy it with SST (which deploys it to AWS)
  3. Try to create a page and preview it via Builder

Notice that on step 3, you’ll get the following error:

This is the query that CloudFront is blocking, “:” characters are not allowed in query parameters.


I have been unable to find a way to configure AWS to ignore this problem. The only workaround I have found is to edit the query in the iframe of the visual builder, allowing me to live edit and publish changes. However, this is not optimal as I have to do this every time I load the page.

Code stack you are integrating Builder with
Next.js, SST, & AWS.

Hi @samcoleman,
Sorry about the delay, wanted to check issue still persists for you?

Hi @OmPrakash, I have just checked and yes this problem still persists.

I can still workaround the issue for now by changing the Iframe src as before

Thank you for your response, @samcoleman . We are investigating the matter and will reach out if we require additional information or have updates to share.

@samcoleman can you please include a content URL or the URL that is getting blocked?

Could you please compare the URL that is getting blocked to a working URL for a different page to see if both of them have the encoded “:” in the URL. If the working URL has the “:” encoded, then it’s a problem with the integration.

@samcoleman We were able to track it down. SST adds a cloudfront function which seems to be doing the blocking.

You can change the SST code to change these query strings to be able to proceed.

For example, in the cloudfront function SST generated, change

function handler(event) {
  var request = event.request;
  request.headers["x-forwarded-host"] =;
  return request;


function handler(event) {
  var request = event.request;
  console.log('REQUEST----', event.request.querystring);
  if (event.request.querystring['']) {
      event.request.querystring[''] = event.request.querystring[''];
      delete event.request.querystring[''];
  request.headers["x-forwarded-host"] =;
  return request;

The above is just a hack, but it gets the request serving again