All Products
Search
Document Center

Object Storage Service:Options

Last Updated:Jun 03, 2026

Before sending a cross-origin request, the browser automatically sends a preflight OPTIONS request to OSS with the origin, HTTP method, and headers to determine whether the cross-origin request is allowed.

Request structure

OPTIONS /ObjectName HTTP/1.1
Host: BucketName.oss-cn-hangzhou.aliyuncs.com
Origin:Origin
Access-Control-Request-Method:HTTP method
Access-Control-Request-Headers:Request Headers

Request headers

Header

Type

Required

Example

Description

Origin

String

Yes

http://www.example.com

The request origin, used to identify a cross-origin request.

Only one Origin header is allowed per request.

Default value: null

Access-Control-Request-Method

String

Yes

PUT

The HTTP method for the actual cross-origin request.

Only one value is allowed per request.

Default value: null

Access-Control-Request-Headers

String

No

x-oss-test1,x-oss-test2

Custom headers for the actual cross-origin request.

Separate multiple headers with commas (,).

Default value: null

Response headers

Header

Type

Example

Description

Access-Control-Allow-Origin

String

http://www.example.com

The allowed origin. Not included in the response if the request is denied.

Access-Control-Allow-Methods

String

PUT

The allowed HTTP method. Not included in the response if the request is denied.

Access-Control-Allow-Headers

String

x-oss-test,x-oss-test1

The allowed request headers. If disallowed headers are included, the request is denied and this header is omitted from the response.

Access-Control-Expose-Headers

String

x-oss-test1,x-oss-test2

Headers accessible to client-side JavaScript.

Access-Control-Max-Age

Integer

60

Maximum time the browser caches preflight results. Unit: seconds.

Examples

Sample request

OPTIONS /testobject HTTP/1.1
Host: oss-example.oss-cn-hangzhou.aliyuncs.com  
Date: Fri, 24 Feb 2012 05:45:34 GMT  
Origin:http://www.example.com
Access-Control-Request-Method:PUT
Access-Control-Request-Headers:x-oss-test1,x-oss-test2

Sample response

HTTP/1.1 200 OK 
x-oss-request-id: 5051845BC4689A033D00****
Date: Fri, 24 Feb 2012 05:45:34 GMT
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: PUT
Access-Control-Expose-Headers: x-oss-test1,x-oss-test2
Connection: keep-alive
Content-Length: 0  
Server: AliyunOSS

ossutil

For information about the ossutil command that corresponds to this operation, see option-object.

Error codes

Error code

HTTP status code

Description

AccessForbidden

403

Returned when OSS rejects the cross-origin request or CORS is disabled for the bucket. Call PutBucketCORS to enable CORS. After CORS is enabled, OSS determines whether to allow the actual cross-origin request based on the specified CORS rules.