Object Storage Service: OSS CORS errors and troubleshooting

Last Updated: Oct 26, 2023

Symptoms

  • The browser reports a 403 error:

    OPTIONS http://bucket.oss-cn-beijing.aliyuncs.com/
    XMLHttpRequest cannot load http://bucket.oss-cn-beijing.aliyuncs.com/. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '{yourwebsite}' is therefore not allowed access. The response had HTTP status code 403.
  • Object Storage Service (OSS) reports an error that cross-origin resource sharing (CORS) requests are not allowed:

    <Code>AccessForbidden</Code>
    <Message>CORSResponse: This CORS request is not allowed. This is usually because the evaluation of Origin, request method / Access-Control-Request-Method or Access-Control-Request-Headers are not whitelisted by the resource's CORS spec.</Message>

Causes

These error messages are returned because the CORS rule of the bucket is incorrectly configured.

Note
  • CORS errors occur when a website accesses OSS and the CORS configuration of the bucket is incorrect. You can view the request details in the browser. If you are using Google Chrome, press F12 to open Chrome DevTools. On the Network tab, you can view the details of the corresponding requests and responses.

  • Errors returned from OSS can be obtained by capturing packets. For example, you can use Wireshark and specify host bucket-name.oss-cn-beijing.aliyuncs.com as the filter to capture packets.

Solutions

Perform the following steps to correctly configure CORS rules.

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Buckets. On the Buckets page, find and click the desired bucket.

  3. In the left-side navigation tree, choose Content Security > CORS (Cross-Origin Resource Sharing).

  4. On the CORS page, click Create Rule.

  5. In the Create Rule panel, configure the parameters. The following table describes the parameters. Retain the default configurations for other parameters that are not described in the table.

    • Sources: Set Sources to an asterisk (*).

    • Allowed Methods: Select GET, POST, PUT, DELETE, and HEAD.

    • Allowed Headers: Set Allowed Headers to an asterisk (*).

    • Exposed Headers: Set Exposed Headers to specified values or leave this parameter unspecified.

  6. Click OK.
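
The OSS error message names three checks: Origin, Access-Control-Request-Method, and Access-Control-Request-Headers. The following added example (not Alibaba Cloud code) is a simplified local model of those checks that reports which part of a preflight request a rule rejects. It compares the rule from the steps above, whose asterisk matches every origin and header, with a rule scoped to one site. It assumes at most one `*` wildcard per Sources or Allowed Headers entry and exact method matching; `SCOPED_RULE`, the example.com origins, and the function names are constructed for illustration.

```python
def wildcard_match(pattern, value):
    """Match value against a pattern holding at most one '*' wildcard."""
    if "*" not in pattern:
        return pattern == value
    prefix, suffix = pattern.split("*", 1)
    return (len(value) >= len(prefix) + len(suffix)
            and value.startswith(prefix) and value.endswith(suffix))


def evaluate_preflight(rule, origin, method, request_headers=""):
    """Return the preflight parts the rule does not allow (empty list = allowed)."""
    failures = []
    if not any(wildcard_match(p, origin) for p in rule["sources"]):
        failures.append("Origin")
    if method.upper() not in rule["allowed_methods"]:
        failures.append("Access-Control-Request-Method")
    # Access-Control-Request-Headers is a comma-separated, case-insensitive list.
    for header in (h.strip().lower() for h in request_headers.split(",")):
        if header and not any(wildcard_match(p.lower(), header)
                              for p in rule["allowed_headers"]):
            failures.append("Access-Control-Request-Headers: " + header)
    return failures


# The rule created in the steps above.
PAGE_RULE = {
    "sources": ["*"],
    "allowed_methods": {"GET", "POST", "PUT", "DELETE", "HEAD"},
    "allowed_headers": ["*"],
}
# Constructed narrower rule (assumption): one site origin, upload headers only.
SCOPED_RULE = {
    "sources": ["https://www.example.com"],
    "allowed_methods": {"GET", "PUT"},
    "allowed_headers": ["content-type", "x-oss-*"],
}

if __name__ == "__main__":
    # Constructed preflight requests: (Origin, requested method, requested headers).
    samples = [
        ("https://www.example.com", "PUT", "Content-Type, x-oss-meta-author"),
        ("https://other.example.net", "DELETE", "authorization"),
        ("https://www.example.com", "PATCH", ""),
    ]
    for name, rule in (("PAGE_RULE", PAGE_RULE), ("SCOPED_RULE", SCOPED_RULE)):
        for origin, method, headers in samples:
            failed = evaluate_preflight(rule, origin, method, headers)
            print(name, origin, method, "->", failed or "allowed")
```

A PATCH preflight is rejected by both rules because PATCH is not among the Allowed Methods selected in step 5.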