Alibaba Cloud CDN supports cross-origin resource sharing (CORS). You can add custom HTTP response headers to enable CORS. This topic describes how CORS works, how to configure CORS, and some usage scenarios of CORS.

What is CORS?

CORS is a standard cross-origin solution provided by HTML5 to allow web application servers to control cross-origin access. This solution secures data transmission.

[Figure: how CORS works]
[Figure: how CORS interacts with Alibaba Cloud CDN]

Enable CORS

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
  4. In the management pane of the domain name, click Cache.
  5. Click the Custom HTTP Response Header tab.
  6. Click Customize and set the parameters.
  7. To enable CORS, set Operation to Add and set Response Header to Access-Control-Allow-Origin.
    Note: By default, CORS is disabled. You can configure CORS only if Operation is set to Add and Response Header is set to Access-Control-Allow-Origin.
    • Enable: After CORS is enabled, CDN edge nodes check the Origin header of user requests based on the following rules and specify a value for Access-Control-Allow-Origin.
    • Disable: After CORS is disabled, CDN edge nodes do not check the Origin header of user requests. In this case, CDN edge nodes only return the value of Access-Control-Allow-Origin.

Examples

Example 1: The response header of CORS is set to one or more values that are separated by commas (,).
  • If the Origin value of a request header exactly matches one of the specified values, a response header with the destination origin is returned.
  • If the Origin value does not have an exact match, no response header is returned.

The response header is set to Access-Control-Allow-Origin:http://example.com,https://aliyundoc.com in the Alibaba Cloud CDN console.

  • If the Origin value of a request header is http://example.com, CDN edge nodes return Access-Control-Allow-Origin:http://example.com.
  • If the Origin value of a request header is http://aliyundoc.com, CDN edge nodes return Access-Control-Allow-Origin:http://aliyundoc.com.
  • If the Origin value of a request header is http://example.edu, CDN edge nodes do not return Access-Control-Allow-Origin.

Example 2: If the response header of CORS is set to a wildcard domain name, CDN edge nodes check whether the Origin value of a request header matches the wildcard domain name configured for Access-Control-Allow-Origin.

The response header is set to Access-Control-Allow-Origin:http://*.aliyundoc.com in the Alibaba Cloud CDN console.
  • If the Origin value of a request header is http://demo.aliyundoc.com, CDN edge nodes return Access-Control-Allow-Origin:http://demo.aliyundoc.com.
  • If the Origin value of a request header is http://demo.example.com, CDN edge nodes do not respond to the request.
  • If the Origin value of a request header is https://demo.aliyundoc.com, CDN edge nodes do not respond to the request because the request uses HTTPS while CDN edge nodes respond only to HTTP requests.
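The matching rules from Example 1 and Example 2, modeled as an added example that is not Alibaba Cloud code, so that an allowlist can be checked before it is entered in the console. The function names are hypothetical, and the assumption that `*` stands only for hostname labels (never `/` or `:`) is ours, not a documented edge-node behavior.

```python
import re

# Assumption: "*" expands to one or more dot-separated hostname labels.
_LABELS = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*"


def _pattern(allowed):
    """Compile one configured value; everything except "*" is matched literally."""
    escaped = re.escape(allowed.strip())
    return re.compile(escaped.replace(r"\*", _LABELS))


def acao_for(configured, origin, cors_enabled=True):
    """Return the Access-Control-Allow-Origin value, or None when it is omitted."""
    if not cors_enabled:
        # Disable: the Origin header is not checked; the configured value is returned.
        return configured
    if not origin:
        return None
    for allowed in configured.split(","):
        # fullmatch anchors scheme, host and end of string, so a suffix such as
        # "http://demo.aliyundoc.com.example.net" cannot satisfy the wildcard.
        if _pattern(allowed).fullmatch(origin):
            return origin
    return None


if __name__ == "__main__":
    exact = "http://example.com,https://aliyundoc.com"
    wildcard = "http://*.aliyundoc.com"
    samples = [  # Origin values from the examples above, plus one constructed case
        (exact, "http://example.com"),
        (exact, "http://example.edu"),
        (wildcard, "http://demo.aliyundoc.com"),
        (wildcard, "http://demo.example.com"),
        (wildcard, "https://demo.aliyundoc.com"),
        (wildcard, "http://demo.aliyundoc.com.example.net"),  # constructed
    ]
    for configured, origin in samples:
        print(f"{origin!r:45} -> {acao_for(configured, origin)!r}")
```

With CORS disabled, the function returns the configured string whatever Origin is sent, which mirrors the Disable behavior described in the Enable CORS steps.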