Cross-origin resource sharing (CORS) is a standard cross-origin solution provided by HTML5 to allow web application servers to control cross-origin access. This way, the security of data transmission across origins is ensured. You can run the cors-options command to send HTTP OPTIONS requests to Object Storage Service (OSS) and check whether specific cross-origin requests are allowed.

Note
  • In this topic, the sample command lines are based on the 64-bit Linux system. For other systems, replace ./ossutil64 in the commands with the corresponding binary name. For more information, see ossutil.
  • For more information about how to configure CORS, see cors.

Command syntax

./ossutil64 cors-options oss://bucketname/[objectname]
[--acr-method <value>]
[--origin <value>]
[--acr-headers <value>] 

The following table describes the parameters that you can configure when you run the cors-options command.

Parameter Description
bucketname The name of the bucket to access.
objectname The name of the object to access.
--acr-method The method that is allowed to use in the request. This parameter specifies the value of the Access-Control-Request-Method request header. Valid values: GET, PUT, POST, DELETE, and HEAD.
--origin The origins from which you want to allow cross-origin requests. Example: http://www.aliyun.com.
--acr-headers Specifies the value of the Access-Control-Request-Headers request header. This parameter specifies actual headers except for commonly used headers. You can specify multiple headers in a request. Separate multiple headers with commas (,). Example: --acr-headers "header1,header2,header3".

Examples

You can run the following command to detect whether the examplebucket bucket allows a cross-origin request whose origin is http://www.aliyun.com and request method is PUT:

./ossutil64 cors-options --acr-method  put --origin "http://www.aliyun.com" oss://examplebucket

A similar output is displayed if examplebucket allows the cross-origin request.

Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 0

0.079520(s) elapsed

A similar output is displayed if examplebucket denies the cross-origin request.

Error: oss: service returned error: StatusCode=403, ErrorCode=AccessForbidden, ErrorMessage="CORSResponse: This CORS request is not allowed. This is usually
 because the evalution of Origin, request method / Access-Control-Request-Method or Access-Control-Requet-Headers are not whitelisted by the resource's CORS
 spec.", RequestId=60F7F55F553DA2363138****

Common options

To use ossutil to manage buckets that are located in different regions, you can use the -e option to use the endpoint of the specified bucket. To use ossutil to manage buckets that are owned by different Alibaba Cloud accounts, you can use the -i option to use the AccessKey ID of the specified account, and use the -k option to use the AccessKey secret of the specified account.

To detect whether a bucket named testbucket allows a cross-origin request whose origin is http://www.alibabacloud.com and request method is PUT, run the following command:

./ossutil64 cors-options --acr-method  put --origin "http://www.alibabacloud.com" oss:/testbucket -e oss-cn-hangzhou.aliyuncs.com -i LTAI4Fw2NbDUCV8zYUzA****  -k 67DLVBkH7EamOjy2W5RVAHUY9H****

For more information about other common options that you can use for the cors-options command, see Common options.