Overview
If you need to share or access resources across origins after your service is connected to Alibaba Cloud CDN, you can customize HTTP response headers. This topic describes how to use HTTP headers to configure cross-origin resource sharing (CORS) in Alibaba Cloud Content Delivery Network.
Details
To configure cross-origin resource sharing with custom HTTP response headers, perform the following steps:
- Log on to the Alibaba Cloud Content Delivery Network console.
- On the Domain Names page, click Manage next to the domain name for which you want to configure CORS.
- Click Cache Configuration, select Custom HTTP Response Header, and then click Add.
- On the Custom HTTP Response Headers page, set the parameters as follows, specify the allowed origins of cross-origin requests, and then click OK to save the configuration.
| Parameter | Example |
| --- | --- |
| Response header operation | Increase |
| Custom response header parameters | Access-Control-Allow-Origin |
| Response header value | * |
Description:
- The response header value can be configured as "*" to indicate any source.
- If the response header value is not "*", you can configure one or more IP addresses, domain names, or a mixture of IP addresses and domain names. Separate multiple values with commas (,).
- If the response header value is not "*", each value must include the protocol prefix "http://" or "https://".
- The response header value can include a port.
- The response header value supports wildcard domain names.
- See Configuration cross-origin resource sharing for configuration examples.
| Parameter | Example |
| --- | --- |
| Whether duplication is allowed | Not allowed |
Description:
- Allowed: the header returned by the origin is retained and a header with the same name is added.
- Not allowed: the header returned by the origin is overwritten by the newly configured header with the same name.
- This topic uses Not allowed as the example. Choose the setting that fits your environment.
- Click Add to go to the Custom HTTP Response Header page, set the parameters as follows, specify the allowed cross-origin request methods, and then click OK to save the configuration.
| Parameter | Example |
| --- | --- |
| Response header operation | Increase |
| Custom response header parameters | Access-Control-Allow-Methods |
| Response header value | GET,POST,PUT |
Note: Separate POST, GET, and PUT with commas (,).
| Parameter | Example |
| --- | --- |
| Whether duplication is allowed | Not allowed |
Description:
- Allowed: the header returned by the origin is retained and a header with the same name is added.
- Not allowed: the header returned by the origin is overwritten by the newly configured header with the same name.
- This topic uses Not allowed as the example. Choose the setting that fits your environment.
More information
Additional notes on configuring cross-origin resource sharing (CORS):
- If OSS is used as the origin and CORS is configured in both the OSS console and the Alibaba Cloud Content Delivery Network console, the Alibaba Cloud Content Delivery Network configuration overwrites the OSS configuration.
- If the origin server is a local server or an ECS instance, we recommend that you separate dynamic and static content first and use Alibaba Cloud Content Delivery Network acceleration for the static files. The CORS feature configured in the Alibaba Cloud Content Delivery Network console takes effect only for static files.
- If the custom response header "Access-Control-Allow-Origin" is set to "*", the response carries "Access-Control-Allow-Origin:*" whether or not the user request includes the "Origin" header, and whatever value that header has.
- If the cross-origin resource sharing response header value is set to one or more values (multiple values are separated by ","):
  - If the "Origin" value in the user request header exactly matches one of the configured values, the corresponding cross-origin header is returned.
  - If there is no exact match, no cross-origin header is returned.
- If the cross-origin resource sharing response header value is set to a wildcard domain name, the CDN checks whether the "Origin" value in the request header matches the wildcard domain name configured for "Access-Control-Allow-Origin".
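The matching rules listed above, modelled as an added Python example (not Alibaba Cloud's code) that you can use to predict which origins a given header value will admit before saving it. The function names, the sample origins, and the wildcard semantics (same scheme and port, one or more subdomain labels, matched Origin echoed back) are assumptions for illustration.

```python
def parse_allow_list(value):
    """Split the configured header value and enforce the format rules above."""
    if value.strip() == "*":
        return ["*"]
    entries = [v.strip() for v in value.split(",") if v.strip()]
    for entry in entries:
        # Non-"*" values must carry the protocol prefix.
        if not entry.startswith(("http://", "https://")):
            raise ValueError(f"missing http:// or https:// in {entry!r}")
    return entries


def entry_matches(entry, origin):
    if entry == origin:  # exact match, port included
        return True
    scheme, _, host = entry.partition("://")
    if not host.startswith("*."):
        return False
    o_scheme, _, o_host = origin.partition("://")
    suffix = host[1:]  # e.g. ".example.com" or ".example.com:8443"
    label = o_host[: -len(suffix)]
    # Assumption: the wildcard covers one or more subdomain labels and never
    # the bare domain; scheme and port must be identical.
    return (o_scheme == scheme and o_host.endswith(suffix) and label != ""
            and all(c.isalnum() or c in "-." for c in label))


def acao_for(config_value, origin):
    """Return the Access-Control-Allow-Origin value to expect, or None."""
    entries = parse_allow_list(config_value)
    if entries == ["*"]:
        return "*"  # returned whether or not the request has an Origin
    if origin is None:
        return None
    # Assumption: a wildcard match echoes the request Origin.
    return origin if any(entry_matches(e, origin) for e in entries) else None


if __name__ == "__main__":
    config = "https://www.example.com,https://*.example.net"  # constructed
    for o in (None, "https://www.example.com", "https://cdn.example.net",
              "http://cdn.example.net", "https://www.example.com.evil.test"):
        print(repr(o), "->", acao_for(config, o))
```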
Related documents
- Configure HTTP headers
- Set cross-origin resource sharing
- OSS cross-origin resource sharing (CORS) errors and troubleshooting
Applies to
- CDN