You can add custom HTTP response headers to enable cross-origin resource sharing (CORS). This topic describes what CORS is, how to configure CORS, and some use scenarios.

What is CORS

CORS is a standard cross-origin mechanism provided by HTML5 that lets web application servers control which origins can access their resources. This helps secure cross-origin data transmission.

Enable CORS

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
  4. In the management pane of the domain name, click Cache.
  5. Click the Custom HTTP Response Header tab.
  6. Click Customize and set the parameters.
  7. When you select Add and set Response Header to Access-Control-Allow-Origin, you can enable CORS.
    Note: By default, CORS is disabled. You can configure CORS only when Operation is set to Add and Response Header is set to Access-Control-Allow-Origin.
    • Enable: After CORS is enabled, CDN edge nodes check the Origin header of user requests based on the following rules and return results that correspond to the Access-Control-Allow-Origin value.
    • Disable: After CORS is disabled, CDN edge nodes do not check the Origin header of user requests. In this case, CDN edge nodes only return results that correspond to the Access-Control-Allow-Origin value.

Example

Example 1: The response header of CORS is set to one or more values that are separated by commas (,):
  • If the Origin value of a request header exactly matches a specified value, the corresponding response header is returned.
  • If the Origin value does not have an exact match, no response header is returned.

The response header is set to Access-Control-Allow-Origin:http://a.com,https://c.com in the CDN console.

  • If the Origin value of a request header is http://a.com, CDN edge nodes return Access-Control-Allow-Origin:http://a.com.
  • If the Origin value of a request header is https://c.com, CDN edge nodes return Access-Control-Allow-Origin:https://c.com.
  • If the Origin value of a request header is http://x.com, CDN edge nodes do not return Access-Control-Allow-Origin.

Example 2: If the response header of CORS is set to a wildcard domain name, CDN edge nodes check whether the Origin value of a request header matches the wildcard domain name in Access-Control-Allow-Origin.

The response header is set to Access-Control-Allow-Origin:http://*.test.com in the CDN console.
  • If the Origin value of a request header is http://a.test.com, CDN returns Access-Control-Allow-Origin:http://a.test.com.
  • If the Origin value of a request header is http://b.test.com, CDN returns Access-Control-Allow-Origin:http://b.test.com.
  • If the Origin value of a request header is http://c.com, CDN does not return Access-Control-Allow-Origin.
  • If the Origin value of a request header is http://a.123.test.com, CDN returns Access-Control-Allow-Origin:http://a.123.test.com.
  • If the Origin value of a request header is https://a.test.com, CDN does not return Access-Control-Allow-Origin because the request origin uses HTTPS while the configured value covers only HTTP origins.
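
The matching rules from Example 1 and Example 2, modelled in Python as an added example (this is not Alibaba Cloud's code). The function names are hypothetical, and the handling of the bare domain and of look-alike suffixes is an assumption of this model, not documented CDN behavior.

```python
from urllib.parse import urlsplit

def split_origin(value):
    """Return (scheme, host[:port]) for an origin string, or None if malformed."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return None
    if not parts.scheme or not parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    return parts.scheme, parts.netloc

def allow_origin(configured, origin):
    """Model of the edge-node check with CORS enabled (hypothetical helper).

    Returns the Access-Control-Allow-Origin value to send, or None when the
    header is omitted.
    """
    req = split_origin(origin)
    if req is None:
        return None
    for entry in configured.split(","):
        rule = split_origin(entry)
        if rule is None or rule[0] != req[0]:
            continue  # scheme is part of the match: http rules never cover https
        rule_host, req_host = rule[1], req[1]
        if rule_host.startswith("*."):
            suffix = rule_host[1:]  # "*.test.com" -> ".test.com"
            # Assumption: the leading dot is kept, so test.com itself and
            # look-alikes such as mytest.com do not match.
            if req_host.endswith(suffix) and len(req_host) > len(suffix):
                return origin.strip()
        elif rule_host == req_host:
            return origin.strip()
    return None

# Constructed sample requests, based on the two examples on this page.
SAMPLES = [
    ("http://a.com,https://c.com", "http://a.com"),
    ("http://a.com,https://c.com", "http://x.com"),
    ("http://*.test.com", "http://a.123.test.com"),
    ("http://*.test.com", "https://a.test.com"),
    ("http://*.test.com", "http://mytest.com"),
]

if __name__ == "__main__":
    for configured, origin in SAMPLES:
        print(f"{configured!r:32} Origin={origin!r:26} -> {allow_origin(configured, origin)}")
```

Because the wildcard also covers nested names such as a.123.test.com, every host under test.com is allowed to read the responses, so review the wildcard against the full set of subdomains you operate.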