Cross-origin resource sharing (CORS) allows web applications to access resources that belong to different origins. Object Storage Service (OSS) provides CORS operations for cross-origin access control.

Configure CORS rules

The following sample code shows how to configure CORS rules for a specific bucket:

const OSS = require('ali-oss');

const client = new OSS({
  // Set yourRegion to the endpoint of the region in which the bucket is located. For example, if your bucket is located in the China (Hangzhou) region, set yourRegion to oss-cn-hangzhou.
  region: 'yourRegion',
  // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to access OSS because the account has permissions on all API operations. We recommend that you use a RAM user to call API operations or perform routine operations and maintenance. To create a RAM user, log on to the RAM console.
  accessKeyId: 'yourAccessKeyId',
  accessKeySecret: 'yourAccessKeySecret',
  // Specify the name of the bucket for which you want to configure CORS rules.
  bucket: 'yourBucket'
});

const rules = [{
  // Specify the origin of allowed cross-origin requests. You can set the origin to an asterisk (*) wildcard to allow requests from all origins.
  allowedOrigin: 'http://example.com',
  // Specify the method of allowed cross-origin requests, including GET, PUT, DELETE, POST, and HEAD.
  allowedMethod: 'GET',
  // Specify the request headers allowed in cross-origin requests. We recommend that you use an asterisk (*) wildcard unless otherwise specified.
  allowedHeader: '*',
  // Specify the response header that can be obtained by web applications, such as an XMLHttpRequest object in JavaScript. The asterisk (*) wildcard is not supported.
  exposeHeader: 'Content-Length',
  // Specify the time period during which the browser can cache the response to a preflight OPTIONS request for a specific resource. Unit: seconds.
  maxAgeSeconds: '30'
}];

async function putBucketCORS() {
  // You can configure up to 10 CORS rules. If a new rule that is the same as an existing rule is configured, the existing rule is overwritten.
  // 'yourBucket' is the bucket name; await is only valid inside an async function in CommonJS.
  const putResult = await client.putBucketCORS('yourBucket', rules);
  console.log(putResult);
}

putBucketCORS();

Query CORS rules

The following sample code shows how to query the CORS rules of a specified bucket:

const assert = require('assert');
const OSS = require('ali-oss');

const client = new OSS({
  // Set yourRegion to the endpoint of the region in which the bucket is located. For example, if your bucket is located in the China (Hangzhou) region, set yourRegion to oss-cn-hangzhou.
  region: 'yourRegion',
  // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to access OSS because the account has permissions on all API operations. We recommend that you use a RAM user to call API operations or perform routine operations and maintenance. To create a RAM user, log on to the RAM console.
  accessKeyId: 'yourAccessKeyId',
  accessKeySecret: 'yourAccessKeySecret'
});

async function getBucketCORS() {
  // Specify the name of the bucket whose CORS rules you want to query.
  const getResult = await client.getBucketCORS('yourBucket');
  assert.equal(getResult.res.status, 200);
  // The expected rules must match the rules that are configured for the bucket.
  assert.deepEqual(getResult.rules, [{
    allowedOrigin: 'https://example.com',
    allowedMethod: 'GET',
    allowedHeader: '*',
    exposeHeader: 'Content-Length',
    maxAgeSeconds: '30'
  }]);
}

getBucketCORS();
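
The rules returned by a query can be reviewed before they are relied on. The following is an added example, not part of the original page or of the ali-oss SDK: a hypothetical auditCorsRules helper that flags wildcard origins, cleartext http origins, the unsupported exposeHeader wildcard, and more than 10 rules. It assumes each rule field is a string or an array of strings, and the sample rules are constructed.

```javascript
// Added example: audit CORS rules in the shape used on this page
// (allowedOrigin, allowedMethod, allowedHeader, exposeHeader, maxAgeSeconds).
// Assumption: each field may be a single string or an array of strings.
const toList = (v) => (v === undefined || v === null ? [] : [].concat(v));
const WRITE_METHODS = new Set(['PUT', 'POST', 'DELETE']);

function auditCorsRules(rules) {
  const findings = [];
  if (rules.length > 10) {
    findings.push({ rule: null, issue: 'more than 10 rules configured' });
  }
  rules.forEach((rule, i) => {
    const origins = toList(rule.allowedOrigin);
    const methods = toList(rule.allowedMethod).map((m) => String(m).toUpperCase());
    const add = (issue) => findings.push({ rule: i, issue });
    const wildcard = origins.filter((o) => o.includes('*'));
    if (origins.includes('*')) add('any origin allowed');
    else if (wildcard.length) add(`wildcard origin pattern: ${wildcard.join(', ')}`);
    if (wildcard.length && methods.some((m) => WRITE_METHODS.has(m))) {
      add('write methods allowed for a wildcard origin');
    }
    origins.filter((o) => o.startsWith('http://'))
      .forEach((o) => add(`cleartext origin: ${o}`));
    if (toList(rule.exposeHeader).includes('*')) {
      add('exposeHeader "*" is not supported');
    }
  });
  return findings;
}

// Constructed sample input (not taken from a real bucket).
const sampleRules = [
  { allowedOrigin: 'https://app.example.com', allowedMethod: 'GET',
    allowedHeader: '*', exposeHeader: 'Content-Length', maxAgeSeconds: '30' },
  { allowedOrigin: '*', allowedMethod: ['GET', 'PUT'], allowedHeader: '*',
    exposeHeader: 'ETag', maxAgeSeconds: '600' },
  { allowedOrigin: 'http://example.com', allowedMethod: 'GET',
    allowedHeader: '*', exposeHeader: '*', maxAgeSeconds: '30' },
];

for (const f of auditCorsRules(sampleRules)) {
  console.log(`rule ${f.rule}: ${f.issue}`);
}
```

To audit a live bucket, pass getResult.rules from the query sample to auditCorsRules.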

Delete CORS rules

The following sample code shows how to delete the CORS rules configured for a specific bucket:

const OSS = require('ali-oss');

const client = new OSS({
  // Set yourRegion to the endpoint of the region in which the bucket is located. For example, if your bucket is located in the China (Hangzhou) region, set yourRegion to oss-cn-hangzhou. 
  region: 'yourRegion',
  // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to access OSS because the account has permissions on all API operations. We recommend that you use a RAM user to call API operations or perform routine operations and maintenance. To create a RAM user, log on to the RAM console. 
  accessKeyId: 'yourAccessKeyId',
  accessKeySecret: 'yourAccessKeySecret'
});
// Specify the name of the bucket whose CORS rules you want to delete. 
client.deleteBucketCORS('bucketName').then((res) => {
  console.log(res);
}).catch(e => {
  console.log(e)
})

References

  • For more information about the complete sample code of CORS, visit GitHub.
  • For more information about the API operation that you can call to configure CORS rules, see PutBucketCors.
  • For more information about the API operation that you can call to query CORS rules, see GetBucketCors.
  • For more information about the API operation that you can call to delete CORS rules, see DeleteBucketCors.