Help Center/ Object Storage Service/ API Reference/ Bucket APIs/ Cross-Origin Resource Sharing (CORS)/ Configuring Bucket CORS
Updated on 2026-04-16 GMT+08:00
View PDF
Share

Configuring Bucket CORS

Functions

Cross-origin resource sharing (CORS) is a standard mechanism proposed by World Wide Web Consortium (W3C) and allows cross-origin requests from clients. You can call this API to configure CORS for a bucket so that websites hosted on OBS can respond to cross-origin requests from other websites. For more information about CORS, see Configuring CORS to Allow Cross-Origin Access to OBS.

Authorization Information

To call this API, you must be the bucket owner or have the permission to configure bucket CORS. You are advised to use IAM or bucket policies for authorization. For details about OBS authorization methods, see Differences Between OBS Permissions Control Methods.

  • If you use IAM for authorization, you need to use either role/policy-based authorization or identity policy-based authorization and configure the required permissions:
    • If you use role/policy-based authorization (IAM v3 APIs in the old IAM version), you need to grant the obs:bucket:PutBucketCORS permission. For details, see Creating a Custom IAM Policy.
    • If you use identity policy-based authorization (IAM v5 APIs in the new IAM version), you need to grant the obs:bucket:putBucketCORS permission, as shown in the following table. For details, see Creating a Custom IAM Identity Policy.

      Action

      Access Level

      Resource Type (*: Required)

      Condition Key

      Alias

      Dependencies

      obs:bucket:putBucketCORS

      Write

      bucket *

      -

      -

      -
      • obs:EpochTime
      • obs:SourceIp
      • obs:TlsVersion
      • obs:CustomDomain
  • If you use bucket policies for authorization, you need to grant the obs:bucket:PutBucketCORS permission. For details, see Creating a Custom Bucket Policy.

Request Syntax

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
 
PUT /?cors HTTP/1.1 
Host: bucketname.obs.region.myhuaweicloud.com 
Content-Length: length
Date: date
Authorization: authorization
Content-SHA256: SHA256
Content-MD5: MD5
<?xml version="1.0" encoding="UTF-8"?> 
<CORSConfiguration> 
    <CORSRule> 
        <ID>id</ID> 
        <AllowedMethod>method</AllowedMethod> 
        <AllowedOrigin>origin</AllowedOrigin> 
        <AllowedHeader>header</AllowedHeader> 
        <MaxAgeSeconds>seconds</MaxAgeSeconds> 
        <ExposeHeader>header</ExposeHeader> 
    </CORSRule> 
</CORSConfiguration>

URI Parameters

This request contains no parameters.

Request Headers

This request uses common headers and CORS request headers. For details, see Table 3 and Table 1.

Table 1 CORS request headers

Header

Type

Mandatory (Yes/No)

Description

Content-SHA256

String

Yes

Definition

SHA-256 digest string of the message body, that is, the string obtained after the 256-bit SHA-256 value of the message body is encoded using Base64

Example: ogX9qClMrVJUBiUSIKDFM0qO41jJM0I5SCN55/OtMyI=

Default Value

None

Content-MD5

String

Yes

Definition

Base64-encoded 128-bit MD5 digest of the message according to RFC 1864 You can also configure the Content-SHA256 header whose value is the Base64-encoded SHA-256 digest of the message. Configure either Content-MD5 or Content-SHA256.

Example: n58IG6hfM7vqI4K0vnWpog==

Constraints

None

Range

None

Default Value

None

Request Body

In this request body, you must configure the CORS rules for a bucket in XML format. Table 2 describes the specific configuration elements.

Table 2 CORS configuration elements

Element

Type

Mandatory (Yes/No)

Description

CORSConfiguration

Container

Yes

Definition

Root node of CORSRules.

Parent: none

Constraints

The maximum size is 64 KB.

Range

None

Default Value

None

CORSRule

Container

Yes

Definition

CORS rules

Parent: CORSConfiguration

Constraints

CORSConfiguration can contain a maximum of 100 rules.

Range

None

Default Value

None

ID

String

No

Definition

The ID of a CORS rule.

Parent: CORSRule

Constraints

The ID cannot be longer than 255 characters.

Range

A string of 1 to 255 characters.

Default Value

None

AllowedMethod

String

Yes

Definition

The allowed HTTP methods (types of operations on buckets and objects) for a cross-origin request.

Parent: CORSRule

Constraints

None

Range

The following HTTP methods are supported:

  • GET
  • PUT
  • HEAD
  • POST
  • DELETE

Default Value

None

AllowedOrigin

String

Yes

Definition

The origin that is allowed to access the bucket.

Parent: CORSRule

Constraints

Only English domain names are supported. Regular expressions are used to match. Each rule allows at most one asterisk (*). For example, https://*.vbs.example.com.

Range

The value must comply with the CORS protocol and contain 0 to 20480 characters.

Default Value

None

AllowedHeader

String

No

Definition

What headers are allowed in a CORS request. If a CORS request contains the Access-Control-Request-Headers header, the headers listed in this header must match the headers in the AllowedHeader element so that the request can be considered valid. The matching is based on regular expressions.

Parent: CORSRule

Constraints

At most one asterisk (*) is allowed. Spaces, ampersands (&), colons (:), less-than signs (<), and full-width characters are not allowed.

Range

The value must comply with the CORS protocol and contain 0 to 20480 characters.

Default Value

None

MaxAgeSeconds

Integer

No

Definition

How long the response can be cached on a client

Parent: CORSRule

Constraints

Each CORS rule can contain at most one MaxAgeSeconds.

Range

An integer greater than or equal to 0, in seconds

Default Value

3000

ExposeHeader

String

No

Definition

Specifies additional headers allowed in the response by a CORS rule, which are used to provide extra information to clients. By default, a browser can access only headers Content-Length and Content-Type. If the browser needs to access other headers, you need to configure them in this parameter.

Parent: CORSRule

Constraints

Spaces, asterisks (*), ampersands (&), colons (:), less-than signs (<), and full-width characters are not allowed.

Range

The value that complies with the CORS

Default Value

None

Response Syntax

1
2
3
4
 
HTTP/1.1 status_code

Date: date
Content-Length: length

Response Headers

This response uses common headers. For details, see Table 1.

Response Body

The response of this API does not contain a response body.

Error Responses

No special error responses are returned. For details about error responses, see Table 2.

Sample Request

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
 
PUT /?cors HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: WED, 01 Jul 2015 03:51:52 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:lq7BGoqE9yyhdEwE6KojJ7ysVxU=
Content-SHA256: ogX9qClMrVJUBiUSIKDFM0qO41jJM0I5SCN55/OtMyI=
Content-MD5: NGLzvw81f/A2C9PiGO0aZQ==
Content-Length: 617

<?xml version="1.0" encoding="utf-8"?>
<CORSConfiguration> 
  <CORSRule> 
    <AllowedMethod>POST</AllowedMethod>  
    <AllowedMethod>GET</AllowedMethod>  
    <AllowedMethod>HEAD</AllowedMethod>  
    <AllowedMethod>PUT</AllowedMethod>  
    <AllowedMethod>DELETE</AllowedMethod>  
    <AllowedOrigin>www.example.com</AllowedOrigin>  
    <AllowedHeader>AllowedHeader_1</AllowedHeader>  
    <AllowedHeader>AllowedHeader_2</AllowedHeader>  
    <MaxAgeSeconds>100</MaxAgeSeconds>  
    <ExposeHeader>ExposeHeader_1</ExposeHeader>  
    <ExposeHeader>ExposeHeader_2</ExposeHeader> 
  </CORSRule>
</CORSConfiguration>

Sample Response

1
2
3
4
5
6
7
 
HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF26000001643627112BD03512FC94A4
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSYi6wLC4bkrvuS9sqnlRjxK2a5Fe3ry
Date: WED, 01 Jul 2015 03:51:52 GMT
Content-Length: 0

Sample Request: Configuring Two CORS Rules for a Bucket

PUT /?cors HTTP/1.1
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:iqSPeUBl66PwXDApxjRKk6hlcN4=
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Date: WED, 01 Jul 2015 02:37:22 GMT
Content-Type: application/xml
Content-MD5: HwVUAzslyD0rroMp/eIdwQ==
 
<CORSConfiguration>
    <CORSRule>
        <AllowedOrigin>http://www.example.com</AllowedOrigin>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
    </CORSRule>
</CORSConfiguration>

Sample Response: Configuring Two CORS Rules for a Bucket

x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCTPXg+yj9IXC9r6mgmWgfSfqQGvHM3rS
x-obs-request-id: 0000018A3A14051AD2886D166EE13D98
Server: OBS
Content-Length: 0
Date: WED, 01 Jul 2015 02:37:22 GMT

Using SDKs to Call APIs

You are advised to use OBS SDKs to call APIs. SDKs encapsulate APIs to simplify development. You can call SDK API functions to access OBS without manually calculating signatures.

Java

Python

C

Go

BrowserJS: not supported

.NET

Android

iOS

PHP

Node.js
Parent Topic: Cross-Origin Resource Sharing (CORS)