Updated on 2024-09-29 GMT+08:00

Configuring Bucket CORS

Functions

Cross-origin resource sharing (CORS) is a standard mechanism proposed by World Wide Web Consortium (W3C) and allows cross-origin requests from clients. For standard web page requests, the scripts and contents at one website cannot interact with those at another website due to the existence of the Same Origin Policy (SOP).

OBS allows buckets to store static web resources. The buckets of OBS can serve as website resources if the buckets are properly used (for details, see Configuring Static Website Hosting for a Bucket). A website in OBS can respond to requests of another websites only after CORS is properly configured.

Typical application scenarios are as follows:

  • With the support of CORS, you can use JavaScript and HTML5 to construct web applications and directly access the resources in OBS without the need to use proxy servers for transfer.
  • You can enable the dragging function of HTML 5 to directly upload files to the OBS (with the upload progress displayed) or update the OBS contents using web applications.
  • Hosts external web pages, style sheets, and HTML 5 applications in different origins. Web fonts or pictures on OBS can be shared by multiple websites.

To perform this operation, you must have the PutBucketCORS permission. By default, only the bucket owner can perform this operation. The bucket owner can grant the permission to other users by configuring the bucket policy or user policy.

Request Syntax

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
PUT /?cors HTTP/1.1 
Host: bucketname.obs.region.myhuaweicloud.com 
Content-Length: length
Date: date
Authorization: authorization
Content-SHA256: SHA256
<?xml version="1.0" encoding="UTF-8"?> 
<CORSConfiguration> 
    <CORSRule> 
        <ID>id</ID> 
        <AllowedMethod>method</AllowedMethod> 
        <AllowedOrigin>origin</AllowedOrigin> 
        <AllowedHeader>header</AllowedHeader> 
        <MaxAgeSeconds>seconds</MaxAgeSeconds> 
        <ExposeHeader>header</ExposeHeader> 
    </CORSRule> 
</CORSConfiguration>

Request Parameters

This request contains no parameters.

Request Headers

This request uses common headers and CORS request headers. For details, see Table 3 and Table 1.

Table 1 CORS request headers

Header

Type

Mandatory (Yes/No)

Description

Content-SHA256

String

Yes

Explanation:

Base64-encoded 256-bit SHA256 digest of the message according to SHA.

Example: ogX9qClMrVJUBiUSIKDFM0qO41jJM0I5SCN55/OtMyI=

Default value:

None

Request Elements

In this request body, you must configure the CORS rules for a bucket in XML format. Table 2 describes the specific configuration elements.

Table 2 CORS configuration elements

Element

Type

Mandatory (Yes/No)

Description

CORSConfiguration

Container

Yes

Explanation:

Root node of CORSRules.

Parent: none

Restrictions:

The maximum size is 64 KB.

Value range:

None

Default value:

None

CORSRule

Container

Yes

Explanation:

CORS rules

Parent: CORSConfiguration

Restrictions:

CORSConfiguration can contain a maximum of 100 rules.

Value range:

None

Default value:

None

ID

String

No

Explanation:

The ID of a CORS rule.

Parent: CORSRule

Restrictions:

The ID cannot be longer than 255 characters.

Value range:

A string of 1 to 255 characters.

Default value:

None

AllowedMethod

String

Yes

Explanation:

The allowed HTTP methods (types of operations on buckets and objects) for a cross-origin request.

Parent: CORSRule

Restrictions:

None

Value range:

The following HTTP methods are supported:

  • GET
  • PUT
  • HEAD
  • POST
  • DELETE

Default value:

None

AllowedOrigin

String

Yes

Explanation:

The origin that is allowed to access the bucket.

Restrictions:

Only English domain names are supported. Regular expressions are used to match. Each rule allows at most one asterisk (*). For example, https://*.vbs.example.com.

Value range:

The value must comply with the CORS protocol and contain 0 to 20480 characters.

Default value:

None

AllowedHeader

String

No

Explanation:

What headers are allowed in a CORS request. If a CORS request contains the Access-Control-Request-Headers header, the headers listed in this header must match the headers in the AllowedHeader element so that the request can be considered valid. The matching is based on regular expressions.

Parent: CORSRule

Restrictions:

At most one asterisk (*) is allowed. Spaces, ampersands (&), colons (:), less-than signs (<), and full-width characters are not allowed.

Value range:

The value must comply with the CORS protocol and contain 0 to 20480 characters.

Default value:

None

MaxAgeSeconds

Integer

No

Explanation:

How long the response can be cached on a client

Parent: CORSRule

Restrictions:

Each CORSRule can contain only one MaxAgeSeconds. It can be set to a negative value.

Value range:

An integer greater than or equal to 0, in seconds

Default value:

3000

ExposeHeader

String

No

Explanation:

Specifies additional headers allowed in the response by a CORS rule, which are used to provide extra information to clients. By default, a browser can access only headers Content-Length and Content-Type. If the browser needs to access other headers, you need to configure them in this parameter.

Parent: CORSRule

Restrictions:

Spaces, asterisks (*), ampersands (&), colons (:), less-than signs (<), and full-width characters are not allowed.

Value range:

The value that complies with the CORS

Default value:

None

Response Syntax

1
2
3
4
HTTP/1.1 status_code

Date: date
Content-Length: length

Response Headers

The response to the request uses common headers. For details, see Table 1.

Response Elements

This response contains no elements.

Error Responses

No special error responses are returned. For details about error responses, see Table 2.

Sample Request

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
PUT /?cors HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: WED, 01 Jul 2015 03:51:52 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:lq7BGoqE9yyhdEwE6KojJ7ysVxU=
Content-SHA256: ogX9qClMrVJUBiUSIKDFM0qO41jJM0I5SCN55/OtMyI=
Content-Length: 617

<?xml version="1.0" encoding="utf-8"?>
<CORSConfiguration> 
  <CORSRule> 
    <AllowedMethod>POST</AllowedMethod>  
    <AllowedMethod>GET</AllowedMethod>  
    <AllowedMethod>HEAD</AllowedMethod>  
    <AllowedMethod>PUT</AllowedMethod>  
    <AllowedMethod>DELETE</AllowedMethod>  
    <AllowedOrigin>www.example.com</AllowedOrigin>  
    <AllowedHeader>AllowedHeader_1</AllowedHeader>  
    <AllowedHeader>AllowedHeader_2</AllowedHeader>  
    <MaxAgeSeconds>100</MaxAgeSeconds>  
    <ExposeHeader>ExposeHeader_1</ExposeHeader>  
    <ExposeHeader>ExposeHeader_2</ExposeHeader> 
  </CORSRule>
</CORSConfiguration>

Sample Response

1
2
3
4
5
6
7
HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF26000001643627112BD03512FC94A4
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSYi6wLC4bkrvuS9sqnlRjxK2a5Fe3ry
Date: WED, 01 Jul 2015 03:51:52 GMT
Content-Length: 0

Sample Request: Configuring Two CORS Rules for a Bucket

PUT /?cors HTTP/1.1
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:iqSPeUBl66PwXDApxjRKk6hlcN4=
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Date: WED, 01 Jul 2015 02:37:22 GMT
Content-Type: application/xml
Content-MD5: HwVUAzslyD0rroMp/eIdwQ==
 
<CORSConfiguration>
    <CORSRule>
        <AllowedOrigin>http://www.example.com</AllowedOrigin>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
    </CORSRule>
</CORSConfiguration>

Sample Response: Configuring Two CORS Rules for a Bucket

x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCTPXg+yj9IXC9r6mgmWgfSfqQGvHM3rS
x-obs-request-id: 0000018A3A14051AD2886D166EE13D98
Server: OBS
Content-Length: 0
Date: WED, 01 Jul 2015 02:37:22 GMT