Before sending a cross-origin request, the browser sends a preflight (OPTIONS) request to OSS that carries the origin, HTTP method, and header information of the intended request. The response determines whether the browser sends the cross-origin request.
Request syntax
```
OPTIONS /ObjectName HTTP/1.1
Host: BucketName.oss-cn-hangzhou.aliyuncs.com
Origin:Origin
Access-Control-Request-Method:HTTP method
Access-Control-Request-Headers:Request Headers
```
Request headers
Header | Type | Description |
---|---|---|
Origin | String | The origin of the request, used to identify a cross-origin request. Default value: null. |
Access-Control-Request-Method | String | The method to use in the cross-origin request. Default value: null. |
Access-Control-Request-Headers | String | The request headers, except for standard headers, to use in the cross-origin request. Default value: null. |
Response headers
Header | Type | Description |
---|---|---|
Access-Control-Allow-Origin | String | The origin that is included in the request. If the request is denied, the response does not contain the header. |
Access-Control-Allow-Methods | String | The HTTP method of the request. If the request is denied, the response does not contain the header. |
Access-Control-Allow-Headers | String | The list of headers included in the request. If the request includes headers that are not allowed, the response does not contain the header and the request is denied. |
Access-Control-Expose-Headers | String | The list of header fields that are accessible to JavaScript applications on the client. |
Access-Control-Max-Age | Integer | The maximum duration for the browser to cache preflight results. Unit: seconds. |
Examples
Sample requests
```
OPTIONS /testobject HTTP/1.1
Host: oss-example.oss-cn-hangzhou.aliyuncs.com
Date: Fri, 24 Feb 2012 05:45:34 GMT
Origin:http://www.example.com
Access-Control-Request-Method:PUT
Access-Control-Request-Headers:x-oss-test
```
Sample success responses
```
HTTP/1.1 200 OK
x-oss-request-id: 5051845BC4689A033D00****
Date: Fri, 24 Feb 2012 05:45:34 GMT
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: PUT
Access-Control-Expose-Headers: x-oss-test
Connection: keep-alive
Content-Length: 0
Server: AliyunOSS
```
Error codes
Error code | HTTP status code | Description |
---|---|---|
Forbidden | 403 | The error message returned because the access is forbidden. OSS allows you to enable CORS for a bucket by using PutBucketCORS. After CORS is enabled for a bucket, OSS determines whether to allow the preflight request sent from the browser based on the specified CORS rules. If OSS does not allow the request or CORS is disabled for the bucket, 403 Forbidden is returned. |