
Cross Origin Resource Sharing (CORS)

You can configure Cross-Origin Resource Sharing (CORS) for a bucket if you want to make objects within this bucket accessible to a web application which is hosted on a different domain. Browsers enforce the same-origin policy, which stops a script on one origin from reading responses fetched from another origin; CORS is the mechanism by which the bucket tells the browser which foreign origins, methods and headers it accepts. CORS only relaxes this browser-side restriction: it is not an access-control mechanism, and the bucket's own permissions (ACLs or policies) still decide who may read or write the objects.

E.g. you have some pictures in your bucket named “my-example-bucket” and want those pictures to be displayed on your website hosted at the URL https://example.com

In order to make this work, you need to place a CORS rule on your bucket “my-example-bucket” that allows access to the pictures from the origin https://example.com

All examples shown below were done with S3cmd.

A CORS rule can be defined either as XML or as JSON. Our examples show a configuration done in XML with S3cmd as the client.

The CORS rule usually consists of these elements:

  • ID → An identifier for the rule (more than one CORS rule can be specified on a bucket).
  • AllowedOrigin → The origin (scheme plus host, e.g. https://example.com) you want to allow access from. A wildcard ”*” allows all origins; use it only for objects that are meant to be public, because any website can then read them from a visitor's browser.
  • AllowedMethod → The HTTP methods the origin may use on the objects (GET / PUT / DELETE / HEAD). Grant write methods only to the origins that really need them.
  • AllowedHeader → The request headers the origin may send. A wildcard ”*” allows all headers.
  • ExposeHeader → Response headers that the browser will make readable to your application's JavaScript (by default only a handful of simple response headers are readable cross-origin).
  • MaxAgeSeconds → How long, in seconds, the browser may cache the result of a preflight request.

To set Cross-Origin Resource Sharing (CORS) rules for a bucket you first have to create a CORS configuration file. Our example uses the XML format and could look like this:

<CORSConfiguration>
<CORSRule>
<ID>Allow Bucket for my-app.com</ID>
<AllowedOrigin>https://www.my-app.com</AllowedOrigin>
<AllowedOrigin>http://www.my-app.com</AllowedOrigin>
<AllowedOrigin>https://my-app.com</AllowedOrigin>
<AllowedOrigin>http://my-app.com</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>HEAD</AllowedMethod>
<AllowedHeader>Content-*</AllowedHeader>
<AllowedHeader>Host</AllowedHeader>
<ExposeHeader>ETag</ExposeHeader>
<MaxAgeSeconds>86400</MaxAgeSeconds>
</CORSRule>
</CORSConfiguration>
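The following is an added example, not code from this page or from S3cmd. It parses a CORSConfiguration like the one above and applies the matching rules S3-compatible services document for a preflight (the request's Origin must match an AllowedOrigin, the requested method must be an AllowedMethod, every header named in Access-Control-Request-Headers must match an AllowedHeader, one “*” wildcard per entry, first matching rule wins), so you can see which browser requests a rule will admit before applying it. It also flags the settings that widen exposure: a wildcard origin, write methods from any origin, and plaintext http:// origins. The sample configuration and the origins used in the checks are constructed for the example; the exact set of response headers a real service returns may differ.

```python
"""Offline evaluator and lint for an S3-style CORSConfiguration (added example)."""
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed sample: the rule this page applies with `s3cmd setcors`.
SAMPLE_CONFIG = """<CORSConfiguration>
<CORSRule>
<ID>Allow Bucket for my-app.com</ID>
<AllowedOrigin>https://www.my-app.com</AllowedOrigin>
<AllowedOrigin>http://www.my-app.com</AllowedOrigin>
<AllowedOrigin>https://my-app.com</AllowedOrigin>
<AllowedOrigin>http://my-app.com</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>HEAD</AllowedMethod>
<AllowedHeader>Content-*</AllowedHeader>
<AllowedHeader>Host</AllowedHeader>
<ExposeHeader>ETag</ExposeHeader>
<MaxAgeSeconds>86400</MaxAgeSeconds>
</CORSRule>
</CORSConfiguration>"""


@dataclass
class CorsRule:
    rule_id: str
    origins: list
    methods: list
    headers: list            # stored lower-case: header names are case-insensitive
    expose: list
    max_age: Optional[int]


def parse_cors(xml_text):
    """Parse <CORSConfiguration> into CorsRule objects, in document order."""
    rules = []
    for r in ET.fromstring(xml_text).findall("CORSRule"):
        max_age = r.findtext("MaxAgeSeconds")
        rules.append(CorsRule(
            rule_id=r.findtext("ID") or "",
            origins=[e.text.strip() for e in r.findall("AllowedOrigin")],
            methods=[e.text.strip().upper() for e in r.findall("AllowedMethod")],
            headers=[e.text.strip().lower() for e in r.findall("AllowedHeader")],
            expose=[e.text.strip() for e in r.findall("ExposeHeader")],
            max_age=int(max_age) if max_age else None,
        ))
    return rules


def _match(pattern, value):
    """Exact match, or prefix/suffix match around a single '*' wildcard."""
    if "*" not in pattern:
        return pattern == value
    prefix, _, suffix = pattern.partition("*")
    return (len(value) >= len(prefix) + len(suffix)
            and value.startswith(prefix) and value.endswith(suffix))


def preflight(rules, origin, method, request_headers=()):
    """Return the CORS response headers for an OPTIONS preflight, or None when
    no rule matches (the service then answers without Access-Control-* headers
    and the browser refuses to send the real request)."""
    wanted = [h.strip().lower() for h in request_headers if h.strip()]
    for rule in rules:
        if not any(_match(o, origin) for o in rule.origins):
            continue
        if method.upper() not in rule.methods:
            continue
        if not all(any(_match(p, h) for p in rule.headers) for h in wanted):
            continue
        resp = {
            "Access-Control-Allow-Origin": "*" if "*" in rule.origins else origin,
            "Access-Control-Allow-Methods": ", ".join(rule.methods),
        }
        if wanted:
            resp["Access-Control-Allow-Headers"] = ", ".join(request_headers)
        if rule.expose:
            resp["Access-Control-Expose-Headers"] = ", ".join(rule.expose)
        if rule.max_age is not None:
            resp["Access-Control-Max-Age"] = str(rule.max_age)
        return resp
    return None


def lint(rules):
    """Flag settings that widen exposure beyond what most buckets need."""
    findings = []
    for rule in rules:
        tag = rule.rule_id or "(rule without ID)"
        if "*" in rule.origins:
            findings.append(f"{tag}: AllowedOrigin '*' lets any website read "
                            "responses from a visitor's browser")
            if any(m in rule.methods for m in ("PUT", "POST", "DELETE")):
                findings.append(f"{tag}: write methods allowed from any origin")
        for o in rule.origins:
            if o.startswith("http://"):
                findings.append(f"{tag}: plaintext origin {o} can be spoofed by "
                                "anyone on the network path")
        if "*" in rule.headers:
            findings.append(f"{tag}: AllowedHeader '*' accepts any request header")
    return findings


if __name__ == "__main__":
    rules = parse_cors(SAMPLE_CONFIG)
    print(preflight(rules, "https://my-app.com", "GET", ["Content-Type"]))
    print(preflight(rules, "https://attacker.example", "GET"))   # no rule matches
    for finding in lint(rules):
        print("warning:", finding)
```

Run it against your own configuration file by replacing SAMPLE_CONFIG with the file's contents. For the rule above it admits a GET with a Content-Type header from https://my-app.com, rejects any origin not listed and any PUT, and warns twice because the rule also trusts the two http:// origins.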

Then apply the configuration file using the setcors command. For the s3://my-example-bucket bucket, the command looks like this:

$ s3cmd setcors cors-rules.xml s3://my-example-bucket/

As the command does not provide any output, you can verify that your rules were applied correctly by using the info command:

$ s3cmd info s3://my-example-bucket/
s3://my-example-bucket/ (bucket):
[...]
CORS: <CORSConfiguration>
<CORSRule>
<ID>Allow Bucket for my-app.com</ID>
<AllowedOrigin>https://www.my-app.com</AllowedOrigin>
<AllowedOrigin>http://www.my-app.com</AllowedOrigin>
<AllowedOrigin>https://my-app.com</AllowedOrigin>
<AllowedOrigin>http://my-app.com</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>HEAD</AllowedMethod>
<AllowedHeader>Content-*</AllowedHeader>
<AllowedHeader>Host</AllowedHeader>
<ExposeHeader>ETag</ExposeHeader>
<MaxAgeSeconds>86400</MaxAgeSeconds>
</CORSRule>
</CORSConfiguration>
[...]
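s3cmd info only prints the configuration stored on the bucket; it does not tell you what a browser will actually get back. The probe below is an added example, not part of this page or of S3cmd: it sends the same OPTIONS preflight a browser sends and checks the response for the Access-Control-* headers a browser requires. The object URL and the origins in the main block are assumptions; replace them with your bucket endpoint and your web application's origin.

```python
"""Live preflight probe for a bucket's CORS configuration (added example)."""
import http.client
from urllib.parse import urlsplit


def preflight_request_headers(origin, method, request_headers=()):
    """The headers a browser sends on a CORS preflight request."""
    h = {"Origin": origin, "Access-Control-Request-Method": method.upper()}
    if request_headers:
        h["Access-Control-Request-Headers"] = ", ".join(request_headers)
    return h


def check_preflight_response(status, headers, origin, method):
    """Return a list of problems; an empty list means a browser would let the
    page at `origin` perform `method` on the object."""
    hdr = {k.lower(): v for k, v in headers.items()}
    problems = []
    if status not in (200, 204):
        problems.append(f"status {status}: no CORS rule matched this origin "
                        "and method (S3-style services answer 403)")
    allow_origin = hdr.get("access-control-allow-origin")
    if allow_origin not in (origin, "*"):
        problems.append(f"Access-Control-Allow-Origin is {allow_origin!r}, "
                        f"expected {origin!r} or '*'")
    allowed = [m.strip().upper()
               for m in hdr.get("access-control-allow-methods", "").split(",")]
    if method.upper() not in allowed:
        problems.append(f"{method.upper()} not in Access-Control-Allow-Methods {allowed}")
    if "access-control-max-age" not in hdr:
        problems.append("no Access-Control-Max-Age: the browser will preflight every request")
    return problems


def probe(object_url, origin, method="GET", request_headers=(), timeout=10):
    """Send the preflight and return (status, response headers)."""
    u = urlsplit(object_url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        conn.request("OPTIONS", u.path or "/",
                     headers=preflight_request_headers(origin, method, request_headers))
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed endpoint and origins; adjust to your bucket and web application.
    url = "https://my-example-bucket.s3.example.net/picture.jpg"
    for origin in ("https://my-app.com", "https://attacker.example"):
        status, headers = probe(url, origin, "GET")
        problems = check_preflight_response(status, headers, origin, "GET")
        print(origin, "allowed" if not problems else "blocked: " + "; ".join(problems))
```

Probe from a listed origin and from one you did not list: the first should come back allowed, the second blocked. If the unlisted origin is allowed as well, the rule is wider than intended (typically a wildcard AllowedOrigin) and every website can read the objects from your visitors' browsers.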

To delete the CORS configuration (all of its rules) from a bucket, use the delcors command. For the s3://my-example-bucket bucket, the command looks like this:

$ s3cmd delcors s3://my-example-bucket
s3://my-example-bucket/: CORS deleted