Before sending a cross-origin request, the browser sends a preflight (OPTIONS) request to OSS. The preflight request carries the origin, HTTP method, and header information of the intended request, and the response from OSS determines whether the browser sends the actual cross-origin request.

Request syntax

OPTIONS /ObjectName HTTP/1.1
Host: BucketName.oss-cn-hangzhou.aliyuncs.com
Origin:Origin
Access-Control-Request-Method:HTTP method
Access-Control-Request-Headers:Request Headers

Request headers

| Header | Type | Description |
| --- | --- | --- |
| Origin | String | The origin of the request, used to identify a cross-origin request. Default value: null. |
| Access-Control-Request-Method | String | The method to use in the cross-origin request. Default value: null. |
| Access-Control-Request-Headers | String | The request headers, except for standard headers, to use in the cross-origin request. Default value: null. |

Response headers

| Header | Type | Description |
| --- | --- | --- |
| Access-Control-Allow-Origin | String | The origin that is included in the request. If the request is denied, the response does not contain the header. |
| Access-Control-Allow-Methods | String | The HTTP method of the request. If the request is denied, the response does not contain the header. |
| Access-Control-Allow-Headers | String | The list of headers included in the request. If the request includes headers that are not allowed, the response does not contain the header and the request is denied. |
| Access-Control-Expose-Headers | String | The list of header fields that are accessible to JavaScript applications on the client. |
| Access-Control-Max-Age | Integer | The maximum duration for the browser to cache preflight results. Unit: seconds. |

Examples

Sample requests

OPTIONS /testobject HTTP/1.1
Host: oss-example.oss-cn-hangzhou.aliyuncs.com
Date: Fri, 24 Feb 2012 05:45:34 GMT
Origin:http://www.example.com
Access-Control-Request-Method:PUT
Access-Control-Request-Headers:x-oss-test

Sample success responses

HTTP/1.1 200 OK
x-oss-request-id: 5051845BC4689A033D00****
Date: Fri, 24 Feb 2012 05:45:34 GMT
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: PUT
Access-Control-Expose-Headers: x-oss-test
Connection: keep-alive
Content-Length: 0
Server: AliyunOSS

Error codes

| Error code | HTTP status code | Description |
| --- | --- | --- |
| Forbidden | 403 | The error message returned because the access is forbidden. OSS allows you to enable CORS for a bucket by using PutBucketCORS. After CORS is enabled for a bucket, OSS determines whether to allow the preflight request sent from the browser based on the specified CORS rules. If OSS does not allow the request or CORS is disabled for the bucket, 403 Forbidden is returned. |
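The following is an added example, not part of the OSS documentation. It is a simplified version of the check a client applies to a preflight response: it reads the response headers described above and reports whether the intended origin, method, and headers were granted, which is useful when auditing what a bucket's CORS rules actually allow. The function names and both sample responses are constructed for illustration, and the `*` wildcard handling follows general CORS behavior rather than anything stated on this page.

```javascript
// Constructed sample responses (not captured from a real bucket).
const GRANTED = [
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Origin: http://www.example.com',
  'Access-Control-Allow-Methods: PUT',
  'Access-Control-Allow-Headers: x-oss-test',
  'Access-Control-Max-Age: 100',
  'Content-Length: 0',
].join('\r\n') + '\r\n\r\n';
const DENIED = 'HTTP/1.1 403 Forbidden\r\nServer: AliyunOSS\r\n\r\n';

// Parse a raw HTTP response head into { status, headers } (header names lowercased).
function parseResponseHead(raw) {
  const [statusLine, ...lines] = raw.split(/\r?\n\r?\n/)[0].split(/\r?\n/);
  const m = /^HTTP\/\d(?:\.\d)?\s+(\d{3})/.exec(statusLine);
  if (!m) throw new Error('not an HTTP response');
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(m[1]), headers };
}

// Split a comma-separated header value into lowercased tokens.
const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// req = { origin, method, headers: [] } describes the intended cross-origin request.
function checkPreflight(req, raw) {
  const { status, headers } = parseResponseHead(raw);
  const problems = [];
  if (status < 200 || status > 299) problems.push(`status ${status}`);
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin !== req.origin && allowOrigin !== '*') problems.push('origin not allowed');
  const methods = list(headers['access-control-allow-methods']);
  if (!methods.includes(req.method.toLowerCase()) && !methods.includes('*')) {
    problems.push('method not allowed');
  }
  const allowed = list(headers['access-control-allow-headers']);
  for (const h of req.headers.map((x) => x.toLowerCase())) {
    if (!allowed.includes(h) && !allowed.includes('*')) problems.push(`header ${h} not allowed`);
  }
  // A missing or unparsable Access-Control-Max-Age is reported as 0 seconds.
  const maxAge = Number.parseInt(headers['access-control-max-age'] ?? '0', 10) || 0;
  // wildcardOrigin flags a response that grants access to every origin.
  return { allowed: problems.length === 0, problems, maxAge, wildcardOrigin: allowOrigin === '*' };
}
```

When auditing, a result with `wildcardOrigin: true` or a very large `maxAge` is worth reviewing against the bucket's CORS rules, since cached preflight results keep applying in the browser for that duration.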