The CORS standard describes new HTTP headers which provide browsers a way to request remote URLs only when they have permission. Although some validation and authorization can be performed by the server, it is generally the browser’s responsibility to support these headers and honor the restrictions they impose.
Before CORS was standardized, it was not possible to call an API endpoint or load other content from a different domain, for security reasons. This was (and to some degree still is) blocked by the Same-Origin Policy introduced with Netscape Navigator 2.0 in 1995.
An example of a cross-origin request: the frontend JavaScript code for a web application served from http://webapplication.com uses XMLHttpRequest to make a request for http://customerapi.io/data.json. Another example might be JavaScript that calls files in an Object Storage bucket, like web fonts, downloads etc. It is possible to configure CORS for each bucket with aws-cli.
Requirements
- You have an account and are logged into console.scaleway.com
- You have generated an API key
- You have installed aws-cli on your local computer
- You have an Object Storage bucket
1. Connect to the management console and enter the Object Storage section from the menu on the left.
2. Create a new bucket or choose one of your existing buckets.
3. The CORS configuration should be provided in a JSON file. Create a new file called cors.json locally, open it in a text editor and copy the following content into the file before saving it:
{
  "CORSRules": [
    {
      "AllowedOrigins": ["http://MY_DOMAIN_NAME", "http://www.MY_DOMAIN_NAME"],
      "AllowedHeaders": ["*"],
      "AllowedMethods": ["GET", "HEAD", "POST", "PUT", "DELETE"],
      "MaxAgeSeconds": 3000,
      "ExposeHeaders": ["Etag"]
    }
  ]
}
Important: Replace http://MY_DOMAIN_NAME with the domain name to authorize for CORS. You can specify multiple domain names, or put an asterisk (*) to allow all domains.
4. Set the CORS configuration of the bucket with AWS CLI:
aws s3api put-bucket-cors --bucket BUCKETNAME --cors-configuration file://cors.json
Important: Replace BUCKETNAME with the name of the bucket.
1. To retrieve the CORS rules of a bucket, use aws-cli:
aws s3api get-bucket-cors --bucket BUCKETNAME
If CORS rules are set for the bucket, the API returns a JSON list like this example:
{
  "CORSRules": [
    {
      "AllowedHeaders": [
        "*"
      ],
      "AllowedMethods": [
        "GET",
        "HEAD",
        "POST",
        "PUT",
        "DELETE"
      ],
      "AllowedOrigins": [
        "http://MY_DOMAIN_NAME",
        "http://www.MY_DOMAIN_NAME"
      ],
      "ExposeHeaders": [
        "Etag"
      ],
      "MaxAgeSeconds": 3000
    }
  ]
}
If there are no CORS rules set for the bucket, an error message appears:
An error occurred (NoSuchCORSConfiguration) when calling the GetBucketCors operation: The CORS configuration does not exist
To verify the CORS rules of a bucket, curl can be used with the different methods (GET, POST, …).
For example:
curl -X OPTIONS -H 'Origin: http://MY_DOMAIN_NAME' http://BUCKETNAME.s3.nl-ams.scw.cloud/index.html -H "Access-Control-Request-Method: GET"
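An offline counterpart to the curl check, added here as an example and not part of the original documentation or of any Scaleway tooling: it evaluates a preflight against cors.json the way an S3-compatible store is assumed to (first rule whose origin, method and requested headers all match) and lists settings to review before running put-bucket-cors. The names match_rule, lint and wildcard_match and the example.com origins are hypothetical, chosen for this example.

```python
import json
import re

# Constructed sample: the tutorial's cors.json with example.com as the domain.
CORS_JSON = """{"CORSRules": [{
  "AllowedOrigins": ["http://example.com", "http://www.example.com"],
  "AllowedHeaders": ["*"],
  "AllowedMethods": ["GET", "HEAD", "POST", "PUT", "DELETE"],
  "MaxAgeSeconds": 3000,
  "ExposeHeaders": ["Etag"]
}]}"""

WRITE_METHODS = {"POST", "PUT", "DELETE"}


def wildcard_match(pattern, value):
    """Match value against pattern, where '*' stands for any run of characters."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value) is not None


def match_rule(config, origin, method, request_headers=()):
    """Return the first rule that allows this preflight, or None (assumed S3-style matching)."""
    for rule in config["CORSRules"]:
        origin_ok = any(wildcard_match(p, origin) for p in rule["AllowedOrigins"])
        method_ok = method in rule["AllowedMethods"]
        # Header names are case-insensitive; every requested header must be allowed.
        headers_ok = all(
            any(wildcard_match(p.lower(), h.lower()) for p in rule.get("AllowedHeaders", []))
            for h in request_headers
        )
        if origin_ok and method_ok and headers_ok:
            return rule
    return None


def lint(config):
    """List settings worth reviewing before running put-bucket-cors."""
    findings = []
    for i, rule in enumerate(config["CORSRules"]):
        writes = sorted(WRITE_METHODS & set(rule["AllowedMethods"]))
        for origin in rule["AllowedOrigins"]:
            if "*" in origin and writes:
                findings.append(f"rule {i}: wildcard origin {origin!r} may use {writes}")
            if origin.startswith("http://"):
                findings.append(f"rule {i}: origin {origin!r} is plain HTTP")
    return findings


if __name__ == "__main__":
    cfg = json.loads(CORS_JSON)
    print(match_rule(cfg, "http://example.com", "GET") is not None)
    print(lint(cfg))
```

When match_rule returns None for an origin and method, the corresponding curl preflight should come back without CORS response headers.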
To delete the CORS rules of a bucket, use aws-cli:
aws s3api delete-bucket-cors --bucket BUCKETNAME
Important: No output is returned if the operation succeeded.
For more information on CORS and the Object Storage features, refer to the documentation.