Cross-origin resource sharing (CORS) is a standard cross-origin solution provided by HTML5 to allow web application servers to control cross-origin access. This way, the security of data transmission across origins is ensured.
|http://www.aliyun.com/org/other.html||Successful||Same protocol, domain name, and port number|
|http://www.aliyun.com/org/internal/page.html||Successful||Same protocol, domain name, and port|
|https://www.aliyun.com/page.html||Failed||Different protocols (HTTP and HTTPS)|
|http://www.aliyun.com:22/dir/page.html||Failed||Different port numbers (22 and 80)|
|http://www.alibabacloud.com/help/other.html||Failed||Different domain names|
The preceding table shows that the browser denies requests whose protocols, domain names, or port numbers are different from those of the accessed origin. If you want to allow access from the origins, you must configure CORS rules.
OSS allows you to configure CORS rules to allow or deny cross-origin requests based on your requirements. CORS rules are configured only to decide whether to add CORS-related headers to requests. The browser decides whether to reject cross-origin requests. For more information, see PutBucketCORS.
Vary: Originheader to true in the following scenarios to avoid the issue that resources cannot be accessed due to different values of the Origin headers in the request and the local cache.
Vary: Originheader to true, access by using the browser or Content Delivery Network (CDN) back-to-origin requests may increase.
- CORS and non-CORS requests are sent at the same time
For example, in the following code, a non-CORS request is created in the <img> field and a CORS request is created by using the fetch method:
<!doctype html> <html> <head> <meta charset="UTF-8"> <title>CORS Test</title> </head> <body> // Create a non-CORS request. <img class="img-responsive"src="https://examplebucket.oss-cn-beijing.aliyuncs.com/exampleobject.txt" alt=""> <script> // Create a CORS request. fetch("https://examplebucket.oss-cn-beijing.aliyuncs.com/exampleobject.txt").then(console.log) </script> </body> </html>
- The Origin header has multiple possible values
For example, you can set the Origin header to
https://www.example.orgto allow CORS requests from these origins.
|Console||A user-friendly and intuitive web application|
|Java SDK||SDK demos for various programming languages|
- What do I do if CORS errors occur when I use an accelerated domain name to access
If a CORS error occurs when you use an accelerated domain name to access OSS, you must configure CORS rules in the CDN console. For more information, visit Configure CORS for Alibaba Cloud CDN.
- What do I do if the
Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.error occurs when I send a cross-origin request?
We recommend that you set
xhr.withCredentialsto false to resolve this error.