Document Center

Put Bucket cors

Last Updated: Mar 21, 2017

With the Put Bucket cors operation, you can set a CORS rule for a specified bucket. If an original rule exists, it will be overwritten.

Request syntax

  1. PUT /?cors HTTP/1.1
  2. Date: GMT Date
  3. Content-LengthContentLength
  4. Content-Type: application/xml
  5. Host: BucketName.oss-cn-hangzhou.aliyuncs.com
  6. Authorization: SignatureValue
  8. <?xml version="1.0" encoding="UTF-8"?>
  9. <CORSConfiguration>
  10.     <CORSRule>
  11.       <AllowedOrigin>the origin you want allow CORS request from</AllowedOrigin>
  12.       <AllowedOrigin>…</AllowedOrigin>
  13.       <AllowedMethod>HTTP method</AllowedMethod>
  14.       <AllowedMethod>…</AllowedMethod>
  15.         <AllowedHeader> headers that allowed browser to send</AllowedHeader>
  16.           <AllowedHeader>…</AllowedHeader>
  17.           <ExposeHeader> headers in response that can access from client app</ExposeHeader>
  18.           <ExposeHeader>…</ExposeHeader>
  19.           <MaxAgeSeconds>time to cache pre-fight response</MaxAgeSeconds>
  20.     </CORSRule>
  21.     <CORSRule>
  22.       
  23.     </CORSRule>
  25. </CORSConfiguration >

Request elements

Name Description Required?
CORSRule CORS rule container. Each bucket allows up to 10 rules
Type: container
Parent node: CORSConfiguration		 Yes
AllowedOrigin The origins allowed for cross-domain requests. Multiple elements can be used to specify multiple allowed origins. Each rule allows up to one wildcard “*“. If “*“ is specified, cross-domain requests of all origins are allowed.
Type: string
Parent node: CORSRule		 Yes
AllowedMethod Specify the allowed methods for cross-domain requests.
Type: enumeration (GET, PUT, DELETE, POST, HEAD)
Parent node: CORSRule		 Yes
AllowedHeader Control whether the headers specified by Access-Control-Request-Headers in the OPTIONS prefetch command are allowed. Each header specified by Access-Control-Request-Headers must match a value in AllowedHeader. Each rule allows up to one wildcard “”
Type: string
Parent node: CORSRule		 No
ExposeHeader Specify the response headers allowing users to access from an application (for example, a Javascript XMLHttpRequest object). The wildcard “*“ is not allowed.
Type: string
Parent node: CORSRule		 No
MaxAgeSeconds Specify the cache time for the returned result of a browser prefetch (OPTIONS) request to a specific resource. The unit is seconds. One CORSRule allows not more than one such parameter.
Type: integer
Parent node: CORSRule		 No
CORSConfiguration CORS rule container of a bucket
Type: container
Parent node: none		 Yes

Detail analysis

  • CORS is disabled for buckets by default. The origins of all cross-domain requests are forbidden.
  • To use CORS in applications, for example, accessing the OSS from www.a.com through the XMLHttpRequest function of the browser, you need to manually upload a CORS rule through this interface to enable CORS. This rule is described in an XML document.
  • The CORS setting for each bucket is specified by multiple CORS rules. Each bucket allows a maximum of 10 rules. The uploaded XML document cannot be larger than 16 KB.
  • When the OSS receives a cross-domain request (or an OPTIONS request), it reads the bucket’s CORS rules and then checks the relevant permissions. The OSS will check each rule sequentially and uses the first rule that matches to approve the request and return the corresponding header. If none of the rules match, the OSS will not attach any CORS header.
  • Successful CORS rule matching must satisfy three conditions. First, the request Origin must match the AllowedOrigin. Second, the request method (for example, GET, PUT) or the method corresponding to the Access-Control-Request-Method header in an OPTIONS request must match the AllowedMethod. Third, each header contained in the Access-Control-Request-Headers in an OPTIONS request must match the AllowedHeader.
  • If you have uploaded the Content-MD5 request header, the OSS will calculate the body’s Content-MD5 and check if the two are the same. If the two are different, the error code: InvalidDigest will be returned.

Example

Example of adding a bucket CORS rule:

  1. PUT /?cors HTTP/1.1
  2. Host: oss-example.oss-cn-hangzhou.aliyuncs.com
  3. Content-Length: 186
  4. Date: Fri, 04 May 2012 03:21:12 GMT
  5. Authorization: OSS qn6qrrqxo2oawuk53otfjbyc:KU5h8YMUC78M30dXqf3JxrTZHiA=
  7. <?xml version="1.0" encoding="UTF-8"?>
  8. <CORSConfiguration>
  9.     <CORSRule>
  10.       <AllowedOrigin>*</AllowedOrigin>
  11.       <AllowedMethod>PUT</AllowedMethod>
  12.       <AllowedMethod>GET</AllowedMethod>
  13.       <AllowedHeader>Authorization</AllowedHeader>
  14.     </CORSRule>
  15.     <CORSRule>
  16.       <AllowedOrigin>http://www.a.com</AllowedOrigin>
  17.       <AllowedOrigin>http://www.b.com</AllowedOrigin>
  18.       <AllowedMethod>GET</AllowedMethod>
  19.       <AllowedHeader> Authorization</AllowedHeader>
  20.       <ExposeHeader>x-oss-test</ExposeHeader>
  21.       <ExposeHeader>x-oss-test1</ExposeHeader>
  22.       <MaxAgeSeconds>100</MaxAgeSeconds>
  23.     </CORSRule>
  24. </CORSConfiguration >

Response example:

  1. HTTP/1.1 200 OK
  2. x-oss-request-id: 50519080C4689A033D00235F
  3. Date: Fri, 04 May 2012 03:21:12 GMT
  4. Content-Length: 0
  5. Connection: keep-alive
  6. Server: AliyunOSS
Thank you! We've received your feedback.
Free Trial Free Trial