Updated on 2023-07-07 GMT+08:00

CORS

Cross-origin resource sharing (CORS) is a browser standard defined by the World Wide Web Consortium (W3C). It specifies how a client-side web application in one origin may interact with resources in another. For ordinary web page requests, scripts and content in one origin cannot interact with those in another because of the same-origin policy (SOP).

OBS supports CORS rules, which allow resources in OBS to be accessed across origins. A CORS configuration takes effect within two minutes.

OBS supports Static Website Hosting. A static website stored in OBS can respond to requests from another origin only when CORS is configured for the bucket.
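The following is an added example, not code from the OBS documentation or from the OBS service, that models how a set of bucket CORS rules decides a cross-origin request. The rule keys (AllowedOrigin, AllowedMethod, AllowedHeader, ExposeHeader, MaxAgeSeconds) follow the names used by the OBS bucket CORS API, but the rule values, the first-matching-rule semantics and the response-header mapping are assumptions made for this illustration, not a description of OBS internals.

```python
from typing import Optional

# Constructed CORS rules, shaped like OBS bucket CORS rules. The values are
# made-up examples and do not describe any real bucket.
CORS_RULES = [
    {
        "AllowedOrigin": ["https://www.example.com"],
        "AllowedMethod": ["GET", "HEAD"],
        "AllowedHeader": ["Authorization", "Range"],
        "ExposeHeader": ["ETag"],
        "MaxAgeSeconds": 3600,
    },
    {
        "AllowedOrigin": ["https://*.example.org"],
        "AllowedMethod": ["GET", "PUT"],
        "AllowedHeader": ["*"],
        "ExposeHeader": [],
        "MaxAgeSeconds": 600,
    },
]


def origin_matches(pattern: str, origin: str) -> bool:
    """Match a request Origin against an AllowedOrigin pattern.

    The pattern may contain at most one '*' wildcard, which stands for any
    run of characters (typically a subdomain). Without a wildcard the
    comparison is exact, so a lookalike such as www.example.com.evil.net
    never matches www.example.com.
    """
    if pattern.count("*") > 1:
        raise ValueError("AllowedOrigin may contain at most one '*'")
    if "*" not in pattern:
        return pattern == origin
    head, tail = pattern.split("*")
    return (origin.startswith(head) and origin.endswith(tail)
            and len(origin) >= len(head) + len(tail))


def header_allowed(allowed: list, header: str) -> bool:
    """An AllowedHeader entry of '*' admits any header; otherwise match case-insensitively."""
    return any(a == "*" or a.lower() == header.lower() for a in allowed)


def evaluate_cors(rules, origin, method, request_headers=()) -> Optional[dict]:
    """Return the CORS response headers for a request, or None if no rule permits it.

    The first rule whose origin, method and requested headers all match is
    applied (assumed semantics for this example).
    """
    for rule in rules:
        if not any(origin_matches(p, origin) for p in rule["AllowedOrigin"]):
            continue
        if method not in rule["AllowedMethod"]:
            continue
        if not all(header_allowed(rule["AllowedHeader"], h) for h in request_headers):
            continue
        headers = {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethod"]),
            "Access-Control-Max-Age": str(rule["MaxAgeSeconds"]),
        }
        if request_headers:
            headers["Access-Control-Allow-Headers"] = ", ".join(request_headers)
        if rule["ExposeHeader"]:
            headers["Access-Control-Expose-Headers"] = ", ".join(rule["ExposeHeader"])
        return headers
    return None


if __name__ == "__main__":
    print(evaluate_cors(CORS_RULES, "https://www.example.com", "GET", ("Authorization",)))
    print(evaluate_cors(CORS_RULES, "https://app.example.org.attacker.net", "GET"))
```

The point to take from the model is that a rule only grants what it names: an Origin that merely contains an allowed domain as a prefix, a method outside AllowedMethod, or an http scheme against an https AllowedOrigin all fall through to "no CORS headers", which the browser then treats as a denied cross-origin read.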

By default, OBS is configured to permit cross-domain access through the root domain name. This allows access from all domains and exposes clients to attack.

To address this issue, create a crossdomain.xml file with specific rules in the bucket for each client, and add Security.loadPolicyFile("https://bucket.obs.ap-southeast-1.myhuaweicloud.com/crossdomain.xml") to the client's Flash code so that only this policy file is used. Replace bucket.obs.ap-southeast-1.myhuaweicloud.com with the actual access domain name of your bucket.
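As an added example, not part of the OBS documentation, the following places the permissive crossdomain.xml form the text warns about beside a restricted one and runs a small audit over both. The two policies are constructed for this illustration (example.com domains, no real bucket); the element and attribute names (cross-domain-policy, allow-access-from, domain, secure, site-control) are the standard Flash cross-domain policy vocabulary, and the audit rules are this example's own choices.

```python
import xml.etree.ElementTree as ET

# Constructed policy 1: the permissive form. A wildcard domain admits every
# origin, which is the exposure described in the text.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""

# Constructed policy 2: the restricted form for a specific client. Only the
# named client domains are admitted, only over https (secure="true"), and
# site-control prevents other policy files in the bucket from being honoured.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="*.app.example.com" secure="true"/>
</cross-domain-policy>
"""


def audit_crossdomain(policy_xml: str) -> dict:
    """Summarise which domains a crossdomain.xml admits and flag weak settings.

    Returns the admitted domains, a list of findings, and a 'permissive'
    flag that is True when any entry uses the bare wildcard.
    """
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    domains, findings = [], []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        domains.append(domain)
        if domain == "*":
            findings.append("wildcard domain admits every origin")
        # 'secure' defaults to true for a policy served over https; an
        # explicit false lets plain-http callers use the https policy.
        if el.get("secure", "true").lower() == "false":
            findings.append(f"{domain}: secure=false weakens the https policy")
    if root.find("site-control") is None:
        findings.append("no site-control element: other policy files may be honoured")
    return {"domains": domains, "findings": findings, "permissive": "*" in domains}


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain(policy))
```

Running the audit over a bucket's crossdomain.xml before publishing it is a cheap check that the per-client rules actually replaced the wildcard rather than being added alongside it.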

Background Information

Cross-domain refers to access between different domains.

Restricting cross-domain access is a browser security policy known as the same-origin policy. Under the JavaScript same-origin policy, JavaScript running under domain A cannot operate on objects under domain B or C.

Two web pages have the same origin when their protocol, domain name (or IP address), and port (if specified) are all the same. To better understand the same-origin policy, see the analysis of accessing the example address https://support.huaweicloud.com/dir/test.html in Table 1.

Table 1 Example analysis

| URL | Access Result | Cause |
| --- | --- | --- |
| https://support.huaweicloud.com/dir/other.html | Successful | Same protocol, domain name, and port |
| https://support.huaweicloud.com/dir/inner/other.html | Successful | Same protocol, domain name, and port |
| http://support.huaweicloud.com/dir/test.html | Failed | Same domain name and port, but different protocols |
| https://support.huaweicloud.com:81/dir/test.html | Failed | Same protocol and domain name, but different ports |
| https://help.huaweicloud.com/dir/test.html | Failed | Same protocol and port, but different domain names |
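The same-origin comparison in Table 1, worked through in code as an added example that is not part of the OBS documentation. It extracts the (protocol, domain name, port) triple from each URL and reports which components differ, reproducing the table's verdicts. It also goes one step beyond the table: when a URL names no port, the browser uses the protocol's default (80 for http, 443 for https), so an explicit :443 on an https URL is still the same origin. The helper names (origin_of, same_origin, explain) are this example's own.

```python
from urllib.parse import urlsplit

# Default ports a browser substitutes when the URL does not name one.
DEFAULT_PORTS = {"http": 80, "https": 443}

# The example address analysed in Table 1.
BASE_URL = "https://support.huaweicloud.com/dir/test.html"


def origin_of(url: str) -> tuple:
    """Return the (protocol, domain name, effective port) triple that defines a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a: str, url_b: str) -> bool:
    """Same-origin policy check: every component of the origin triple must match."""
    return origin_of(url_a) == origin_of(url_b)


def _join(items: list) -> str:
    return items[0] if len(items) == 1 else ", ".join(items[:-1]) + " and " + items[-1]


def explain(base: str, other: str) -> str:
    """Describe the access result in the wording of Table 1."""
    labels = ("protocol", "domain name", "port")
    a, b = origin_of(base), origin_of(other)
    diff = [label for label, x, y in zip(labels, a, b) if x != y]
    # When neither URL names a port, the ports are the protocol defaults, so
    # a port mismatch is only a consequence of the protocol mismatch and the
    # table attributes the failure to the protocol alone.
    if ("protocol" in diff and "port" in diff
            and urlsplit(base).port is None and urlsplit(other).port is None):
        diff.remove("port")
    if not diff:
        return "Successful: same protocol, domain name, and port"
    same = [label for label in labels if label not in diff]
    return f"Failed: same {_join(same)}, but different {_join(diff)}"


if __name__ == "__main__":
    for url in (
        "https://support.huaweicloud.com/dir/other.html",
        "https://support.huaweicloud.com/dir/inner/other.html",
        "http://support.huaweicloud.com/dir/test.html",
        "https://support.huaweicloud.com:81/dir/test.html",
        "https://help.huaweicloud.com/dir/test.html",
        "https://support.huaweicloud.com:443/dir/test.html",  # explicit default port
    ):
        print(f"{url}\n  {explain(BASE_URL, url)}")
```

Note that the path (/dir/other.html versus /dir/inner/other.html) plays no part in the decision: the origin is only protocol, host and port, which is why CORS rules are written in terms of origins rather than URLs.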

Scenarios

Typical application scenarios of CORS are as follows:
  • Enables JavaScript and HTML5 web applications to access resources in OBS directly, with no proxy server required for the transfer.
  • Enables the HTML5 drag-and-drop function to upload files to OBS (with upload progress displayed) or to update OBS content from web applications.
  • Enables external web pages, style sheets, and HTML5 applications hosted in other origins to access web fonts or pictures stored in OBS, implementing resource sharing.

How to Use

You can configure CORS using OBS Console, APIs, or SDKs.

| Tool | Reference |
| --- | --- |
| OBS Console | Configuring CORS |
| SDKs | OBS supports software development kits (SDKs) in multiple languages. For details, see the corresponding developer guide on the SDK Overview page. |
| API | Configuring Bucket CORS |