Updated on 2023-07-07 GMT+08:00


Cross-origin resource sharing (CORS) is a browser-standard mechanism provided by the World Wide Web Consortium (W3C). It defines the interaction methods between client-side web applications in one origin and resources in another. For general web page requests, website scripts and contents in one origin cannot interact with those in another because of Same Origin Policies (SOPs).

OBS supports CORS rules and allows resources in OBS to be accessed across origins. The configuration of CORS takes effect within two minutes.

OBS supports Static Website Hosting. Static websites stored in OBS can respond to website requests from another origin only when CORS is configured for the bucket.

By default, the OBS system is configured to support cross-domain access using the root domain name. This allows access from all domains, and clients are likely to be attacked.

To address this issue, you can create a crossdomain.xml file with specific rules in the bucket for each client, and add Security.loadPolicyFile("https://bucket.obs.ap-southeast-1.myhuaweicloud.com/crossdomain.xml") in the flash code of the file to prevent attacks. bucket.obs.ap-southeast-1.myhuaweicloud.com needs to be replaced with the actual access domain name of your bucket.

Background Information

Cross-domain refers to access between different domains.

Restricting cross-domain access is a browser policy for security purposes, that is, the same-origin policy. Due to this JavaScript same-origin policy, JavaScript under domain A cannot operate objects under domain B or C.

The same protocol, domain name (or IP address), and port are considered as the same domain. If the protocols, domain names, and ports (if specified) of the two web pages are the same, the two web pages have the same origin. To better understand the same-origin policy, you can see the analysis on accessing the example address https://support.huaweicloud.com/dir/test.html in Table 1.

Table 1 Example analysis


Access Result




Same protocol, domain name, and port



Same protocol, domain name, and port



Same domain name and port, but different protocols



Same protocol and domain name, but different ports



Same protocol and port, but different domain names


Typical application scenarios of CORS are as follows:
  • Enables JavaScript and HTML5 to be used for establishing web applications that can directly access resources in OBS. No proxy servers are required for transfer.
  • Enables the dragging function of HTML5 to be used to upload files to OBS (with the upload progress displayed) or update OBS contents using web applications.
  • External web pages, style sheets, and HTML5 applications hosted in different origins can access web fonts or pictures stored in OBS, implementing resource sharing.

How to Use

You can configure CORS using OBS Console, APIs, or SDKs.



OBS Console

Configuring CORS


OBS supports software development kits (SDKs) in multiple languages. For details, see the corresponding developer guide on the SDK Overview page.


Configuring Bucket CORS