This topic describes how to configure cross-origin resource sharing (CORS) rules in the OSS console.

Background information

OSS provides CORS over HTML5 to enable cross-origin access. When OSS receives a cross-origin request (or an OPTIONS request) for a bucket, OSS reads the CORS rules of the bucket and checks the relevant permissions. OSS checks the request against each rule. When OSS finds the first match, it returns a corresponding header. If no match is found, OSS does not include any CORS header in the response.

Notice
  • You can configure up to 10 rules for each bucket.
  • If Alibaba Cloud CDN is enabled, you must configure the CORS rules in the CDN console to implement cross-origin access. For more information, see Configure CORS for Alibaba Cloud CDN.

For more information, see Set CORS rules.

Procedure

  1. Log on to the OSS console.
  2. Click Buckets, and then click the name of the target bucket.
  3. Choose Access Control > Cross-Origin Resource Sharing (CORS). In the Cross-Origin Resource Sharing (CORS) section, click Configure.
  4. Click Create Rule. In the Create Rule dialog box that appears, configure the following parameters.

    • Sources (required): Specifies the sources from which you want to allow cross-origin requests.
        • You can configure multiple matching rules for the sources. Separate multiple rules with new lines.
        • Each matching rule can contain up to one asterisk (*) wildcard. If Sources is set to asterisk (*), all cross-origin requests are allowed.
    • Allowed Methods (required): Specifies the cross-origin request methods that are allowed.
    • Allowed Headers (optional): Specifies the response headers for the allowed cross-origin requests.
        • This parameter is in key:value format and case-insensitive. Example: content-type:text/plain.
        • You can configure multiple matching rules for the allowed headers. Separate multiple rules with new lines.
        • Each matching rule can contain up to one asterisk (*) as the wildcard. Set this parameter to asterisk (*) if there are no special requirements.
    • Exposed Headers (optional): Specifies the response headers for allowed access requests from applications, such as a JavaScript XMLHttpRequest object. Exposed headers cannot contain asterisks (*).
    • Cache Timeout (Seconds) (optional): Specifies how long the browser can cache the response to a preflight (OPTIONS) request to a specific resource.
    • Vary: Origin (optional): Specifies whether to return the Vary: Origin header.

      If both CORS and non-CORS requests exist, or if the Origin header has multiple possible values, we recommend that you select Vary: Origin to avoid errors in the local cache.

      Notice: If Vary: Origin is selected, browser access or CDN back-to-origin requests may increase.
  5. Click OK.
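
The first-match evaluation described under Background information, combined with the one-asterisk rule for Sources, can be modelled as follows. This is an added example, not OSS code: it covers only Sources and Allowed Methods, the rule dictionaries and function names are hypothetical, and echoing the request origin in Access-Control-Allow-Origin is a modelling assumption.

```python
def source_matches(pattern, origin):
    """Match an Origin value against one Sources entry (at most one '*')."""
    if pattern.count("*") > 1:
        raise ValueError("a matching rule can contain at most one asterisk")
    if "*" not in pattern:
        return pattern == origin
    prefix, _, suffix = pattern.partition("*")
    return (len(origin) >= len(prefix) + len(suffix)
            and origin.startswith(prefix) and origin.endswith(suffix))


def cors_headers(rules, origin, method, vary_origin=False):
    """Return the CORS headers from the first matching rule, or {} if none match."""
    for rule in rules:  # rules are checked in order; the first match wins
        if method in rule["methods"] and any(
                source_matches(p, origin) for p in rule["sources"]):
            headers = {
                # Modelling assumption: echo the request Origin back.
                "Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Methods": ", ".join(rule["methods"]),
            }
            if rule.get("expose"):
                headers["Access-Control-Expose-Headers"] = ", ".join(rule["expose"])
            if rule.get("max_age") is not None:
                headers["Access-Control-Max-Age"] = str(rule["max_age"])
            if vary_origin:
                headers["Vary"] = "Origin"
            return headers
    return {}  # no match: the response carries no CORS header


# Constructed sample rules (not from the page): a scoped rule, then a catch-all.
RULES = [
    {"sources": ["https://*.example.com"], "methods": ["GET", "PUT"],
     "expose": ["ETag"], "max_age": 600},
    {"sources": ["*"], "methods": ["GET"]},
]

if __name__ == "__main__":
    for origin, method in [("https://app.example.com", "PUT"),
                           ("https://other.test", "GET"),
                           ("https://other.test", "PUT")]:
        print(origin, method, cors_headers(RULES, origin, method, vary_origin=True))
```

In the sample rules, the catch-all second rule still answers GET requests from any origin even though the first rule is scoped, so review every rule in the list, not only the first, when restricting Sources.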