All Products
Search

This Product

    Object Storage Service:PutBucketCors

    Document Center

    Object Storage Service:PutBucketCors

    Last Updated:Aug 01, 2025

    You can call the PutBucketCors operation to set cross-origin resource sharing (CORS) rules for a specified bucket.

    Usage notes

    • CORS is disabled by default.

      By default, CORS is disabled for a bucket. All cross-origin requests are not allowed.

    • Overwriting semantics

      The PutBucketCors operation has overwriting semantics. The new CORS rules that you configure overwrite the existing CORS rules.

    • Use of CORS in applications

      To use the CORS feature in an application, you must call the PutBucketCors operation to upload CORS rules and enable the CORS feature.

      For example, if you want to access OSS from example.com using the XMLHttpRequest feature of your browser, you must call this operation to upload CORS rules that are described in an XML document.

    • CORS rule matching

      When OSS receives a cross-origin request or an OPTIONS request, it reads the CORS rules configured for the bucket and performs a permission check. OSS checks each rule in sequence and uses the first matched rule to allow the request and return the corresponding header. If no rule is matched, no CORS-related header is added.

      A CORS rule is matched only if the following three conditions are met:

      • The origin of the request must match an AllowedOrigin item.

      • The request method, such as GET or PUT, or the method that corresponds to the Access-Control-Request-Method header of the OPTIONS request must match an AllowedMethod item.

      • Each header included in the Access-Control-Request-Headers header of the OPTIONS request must match an AllowedHeader item.

    Permissions

    By default, an Alibaba Cloud account has full permissions. RAM users or RAM roles under an Alibaba Cloud account do not have any permissions by default. The Alibaba Cloud account or account administrator must grant operation permissions through RAM Policy or Bucket Policy.

    API

    Action

    Definition

    PutBucketCors

    oss:PutBucketCors

    Configures cross-origin resource sharing (CORS) rules for a bucket.

    Request syntax

    PUT /?cors HTTP/1.1
Date: GMT Date
Content-Length: ContentLength
Content-Type: application/xml
Host: BucketName.oss-cn-hangzhou.aliyuncs.com
Authorization: SignatureValue
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration>
    <CORSRule>
      <AllowedOrigin>The origin that you want to allow to send cross-origin requests</AllowedOrigin>
      <AllowedOrigin>…</AllowedOrigin>
      <AllowedMethod>The HTTP method that you want to allow</AllowedMethod>
      <AllowedMethod>…</AllowedMethod>
        <AllowedHeader>The request headers that are allowed in cross-origin requests</AllowedHeader>
          <AllowedHeader>…</AllowedHeader>
          <ExposeHeader>The response headers that can be accessed by clients</ExposeHeader>
          <ExposeHeader>…</ExposeHeader>
          <MaxAgeSeconds>The maximum time in seconds that the preflight response can be cached</MaxAgeSeconds>
    </CORSRule>
    <CORSRule>
      …
    </CORSRule>
…
</CORSConfiguration >

    Request elements

    Name

    Type

    Required

    Example

    Description

    CORSRule

    Container

    Yes

    N/A

    The container that stores CORS rules.

    You can configure up to 20 CORS rules for each bucket. The maximum size of the uploaded XML document is 16 KB.

    Parent node: CORSConfiguration

    AllowedOrigin

    String

    Yes

    *

    The origins from which cross-origin requests are allowed. You can use multiple elements to specify multiple allowed origins.

    You can use only one asterisk (*) wildcard character in AllowedOrigin. If you set AllowedOrigin to an asterisk (*), all cross-origin requests are allowed.

    Parent node: CORSRule

    AllowedMethod

    Enumeration

    Yes

    GET

    The allowed cross-origin request methods. Valid values: GET, PUT, DELETE, POST, and HEAD.

    Parent node: CORSRule

    AllowedHeader

    String

    No

    Authorization

    Specifies whether the headers specified by Access-Control-Request-Headers in the OPTIONS preflight request are allowed.

    Each header specified in Access-Control-Request-Headers must have a corresponding entry in AllowedHeader.

    Important

    You can use only one asterisk (*) wildcard character in AllowedHeader. The following characters are not supported:

    • <

    • >

    • &

    • '

    • "

    Parent node: CORSRule

    ExposeHeader

    String

    No

    x-oss-test

    The response headers that users are allowed to access from applications, such as a JavaScript XMLHttpRequest object.

    Important

    The following characters are not supported in ExposeHeader:

    • *

    • <

    • >

    • &

    • '

    • "

    Parent node: CORSRule

    MaxAgeSeconds

    Integer

    No

    100

    The amount of time that the browser can cache the response to an OPTIONS preflight request for the specified resource. Unit: seconds.

    Only one MaxAgeSeconds is allowed in each CORS rule.

    Parent node: CORSRule

    CORSConfiguration

    Container

    Yes

    N/A

    The container that stores CORS rules for the bucket.

    Parent node: None

    ResponseVary

    Boolean

    No

    false

    Specifies whether to return the Vary: Origin header. The valid values are as follows:

    • true: The Vary: Origin header is returned regardless of whether the request is a cross-origin request or whether the cross-origin request is successful.

    • false (default): The Vary: Origin header is not returned in any case.

    Important

    This field cannot be configured independently. It takes effect only when at least one cross-origin rule is configured.

    For more information about other common request headers, such as Host and Authorization, see Common request headers.

    Response headers

    This operation returns only common response headers. For more information, see Common response headers.

    Examples

    • Sample request

      PUT /?cors HTTP/1.1
Host: oss-example.oss-cn-hangzhou.aliyuncs.com
Content-Length: 186
Date: Fri, 04 May 2012 03:21:12 GMT
Authorization: OSS4-HMAC-SHA256 Credential=LTAI********************/20250417/cn-hangzhou/oss/aliyun_v4_request,AdditionalHeaders=content-length,Signature=a7c3554c729d71929e0b84489addee6b2e8d5cb48595adfc51868c299c0c218e
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration>
    <CORSRule>
      <AllowedOrigin>*</AllowedOrigin>
      <AllowedMethod>PUT</AllowedMethod>
      <AllowedMethod>GET</AllowedMethod>
      <AllowedHeader>Authorization</AllowedHeader>
    </CORSRule>
    <CORSRule>
      <AllowedOrigin>http://example.com</AllowedOrigin>
      <AllowedOrigin>http://example.net</AllowedOrigin>
      <AllowedMethod>GET</AllowedMethod>
      <AllowedHeader> Authorization</AllowedHeader>
      <ExposeHeader>x-oss-test</ExposeHeader>
      <ExposeHeader>x-oss-test1</ExposeHeader>
      <MaxAgeSeconds>100</MaxAgeSeconds>
    </CORSRule>
    <ResponseVary>false</ResponseVary>
</CORSConfiguration >

    • Sample response

      HTTP/1.1 200 OK
x-oss-request-id: 50519080C4689A033D0*****
Date: Fri, 04 May 2012 03:21:12 GMT
Content-Length: 0
Connection: keep-alive
Server: AliyunOSS
x-oss-server-time: 94

    SDK

    This operation is supported by SDKs for the following major programming languages:

    ossutil command-line interface

    For more information about the ossutil command for the PutBucketCors operation, see put-bucket-cors.

    Error codes

    Error code

    HTTP status code

    Description

    InvalidDigest

    400

    If you upload the Content-MD5 request header, OSS calculates the Content-MD5 value of the message body and checks the consistency. If the values are inconsistent, this error code is returned.