Before sending a cross-origin request, the browser automatically sends a preflight OPTIONS request to OSS with the origin, HTTP method, and headers to determine whether the cross-origin request is allowed.
Request structure
OPTIONS /ObjectName HTTP/1.1
Host: BucketName.oss-cn-hangzhou.aliyuncs.com
Origin:Origin
Access-Control-Request-Method:HTTP method
Access-Control-Request-Headers:Request Headers
Request headers
| Header | Type | Required | Example | Description |
| --- | --- | --- | --- | --- |
| Origin | String | Yes | http://www.example.com | The request origin, used to identify a cross-origin request. Only one Origin header is allowed per request. Default value: null |
| Access-Control-Request-Method | String | Yes | PUT | The HTTP method for the actual cross-origin request. Only one value is allowed per request. Default value: null |
| Access-Control-Request-Headers | String | No | x-oss-test1,x-oss-test2 | Custom headers for the actual cross-origin request. Separate multiple headers with commas (,). Default value: null |
Response headers
| Header | Type | Example | Description |
| --- | --- | --- | --- |
| Access-Control-Allow-Origin | String | http://www.example.com | The allowed origin. Not included in the response if the request is denied. |
| Access-Control-Allow-Methods | String | PUT | The allowed HTTP method. Not included in the response if the request is denied. |
| Access-Control-Allow-Headers | String | x-oss-test,x-oss-test1 | The allowed request headers. If disallowed headers are included, the request is denied and this header is omitted from the response. |
| Access-Control-Expose-Headers | String | x-oss-test1,x-oss-test2 | Headers accessible to client-side JavaScript. |
| Access-Control-Max-Age | Integer | 60 | Maximum time the browser caches preflight results. Unit: seconds. |
Examples
Sample request
OPTIONS /testobject HTTP/1.1
Host: oss-example.oss-cn-hangzhou.aliyuncs.com
Date: Fri, 24 Feb 2012 05:45:34 GMT
Origin:http://www.example.com
Access-Control-Request-Method:PUT
Access-Control-Request-Headers:x-oss-test1,x-oss-test2
Sample response
HTTP/1.1 200 OK
x-oss-request-id: 5051845BC4689A033D00****
Date: Fri, 24 Feb 2012 05:45:34 GMT
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: PUT
Access-Control-Expose-Headers: x-oss-test1,x-oss-test2
Connection: keep-alive
Content-Length: 0
Server: AliyunOSS
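When auditing a bucket's CORS rules, it helps to evaluate a captured preflight response against the request you intend to send, using the response headers and the 403 AccessForbidden case described on this page. The following is an added example, not code from OSS or its SDKs; the function names and both sample responses are constructed for illustration.

```python
# Added example (not Alibaba Cloud code). Both responses are constructed samples.
SAMPLE_ALLOWED = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: PUT
Access-Control-Allow-Headers: x-oss-test1,x-oss-test2
Access-Control-Max-Age: 60
Content-Length: 0
"""
SAMPLE_DENIED = """HTTP/1.1 403 Forbidden
Content-Length: 0
"""

def parse_response(raw):
    """Return (status_code, {lowercased header name: value}) from raw response text."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def tokens(value):
    """Split a comma-separated header value into a lowercased set."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def check_preflight(raw, origin, method, request_headers=()):
    """Return (allowed, reasons) for the intended cross-origin request."""
    status, h = parse_response(raw)
    reasons = []
    if status == 403:
        reasons.append("HTTP 403: request rejected or CORS not enabled")
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        reasons.append("Access-Control-Allow-Origin absent")
    elif allow_origin not in (origin, "*"):  # "*" is the standard CORS wildcard
        reasons.append("origin mismatch: " + allow_origin)
    if method.lower() not in tokens(h.get("access-control-allow-methods", "")):
        reasons.append("method not allowed: " + method)
    missing = sorted(tokens(",".join(request_headers))
                     - tokens(h.get("access-control-allow-headers", "")))
    if missing:
        reasons.append("headers not allowed: " + ", ".join(missing))
    return not reasons, reasons

if __name__ == "__main__":
    print(check_preflight(SAMPLE_ALLOWED, "http://www.example.com", "PUT",
                          ["x-oss-test1", "x-oss-test2"]))
    print(check_preflight(SAMPLE_DENIED, "http://www.example.com", "PUT"))
```

Running the check with an origin, method, or header that the bucket's rules should not permit is a quick way to confirm the CORS configuration is no broader than intended.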
ossutil
For information about the ossutil command that corresponds to this operation, see option-object.
Error codes
| Error code | HTTP status code | Description |
| --- | --- | --- |
| AccessForbidden | 403 | Returned when OSS rejects the cross-origin request or CORS is disabled for the bucket. Call PutBucketCORS to enable CORS. After CORS is enabled, OSS determines whether to allow the actual cross-origin request based on the specified CORS rules. |