PutBucketCors - Configure bucket CORS rules - Object Storage Service

Usage notes

Disabled-by-default design

CORS is disabled by default. All cross-origin requests are not allowed.
Overwriting mechanism

New CORS rules configured by PutBucketCors overwrite all existing CORS rules for the bucket.
Use of CORS in applications

You must call PutBucketCors to configure CORS rules before using CORS in applications.

For example, to allow example.com to access OSS through browser XMLHttpRequest, configure a CORS rule in XML using this operation.
CORS rule matching

When OSS receives a cross-origin request or OPTIONS request for a bucket, it checks configured CORS rules sequentially and returns corresponding headers for the first match. If no rule matches, OSS does not include CORS headers in the response.

A request matches a CORS rule only when all the following conditions are met:
- The request origin matches an AllowedOrigin value in the rule.
- The request method or the Access-Control-Request-Method header value matches an AllowedMethod value.
- Each header in Access-Control-Request-Headers matches an AllowedHeader value.

Permissions

By default, an Alibaba Cloud account has full permissions. RAM users or RAM roles under an Alibaba Cloud account do not have any permissions by default. The Alibaba Cloud account or account administrator must grant operation permissions through RAM policies or Bucket Policy.

Request syntax

PUT /?cors HTTP/1.1
Date: GMT Date
Content-Length: ContentLength
Content-Type: application/xml
Host: BucketName.oss-cn-hangzhou.aliyuncs.com
Authorization: SignatureValue
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration>
    <CORSRule>
      <AllowedOrigin>the origin you want allow CORS request from</AllowedOrigin>
      <AllowedOrigin>…</AllowedOrigin>
      <AllowedMethod>HTTP method</AllowedMethod>
      <AllowedMethod>…</AllowedMethod>
        <AllowedHeader> headers that allowed browser to send</AllowedHeader>
          <AllowedHeader>…</AllowedHeader>
          <ExposeHeader> headers in response that can access from client app</ExposeHeader>
          <ExposeHeader>…</ExposeHeader>
          <MaxAgeSeconds>time to cache pre-fight response</MaxAgeSeconds>
    </CORSRule>
    <CORSRule>
      ...
    </CORSRule>
...
</CORSConfiguration >

Request elements

Element	Type	Required	Example	Description
CORSRule	Container	Yes	N/A	The container that stores CORS rules. Maximum: 20 CORS rules per bucket. Maximum request body size: 16 KB. Parent nodes: CORSConfiguration
AllowedOrigin	String	Yes	*	The allowed cross-origin request origin. Specify multiple elements for multiple origins. An asterisk (*) wildcard allows all origins. Only one wildcard is supported per element. Parent nodes: CORSRule
AllowedMethod	Enumeration	Yes	GET	The cross-origin request method that is allowed. Valid values: GET, PUT, DELETE, POST, and HEAD. Parent nodes: CORSRule
AllowedHeader	String	No	Authorization	The allowed headers in cross-origin requests, validated against `Access-Control-Request-Headers` in preflight requests. Each header in `Access-Control-Request-Headers` must match an AllowedHeader value. Important You can use only one asterisk (*) as the wildcard for AllowedHeader. The following characters are not supported: < > & ' " Parent nodes: CORSRule
ExposeHeader	String	No	x-oss-test	The response headers accessible to client applications such as JavaScript XMLHttpRequest. Important The following characters are not supported: * < > & ' " Parent nodes: CORSRule
MaxAgeSeconds	Integer	No	100	The time the browser can cache the preflight response. Unit: seconds. Only one MaxAgeSeconds element is allowed per CORS rule. Parent nodes: CORSRule
CORSConfiguration	Container	Yes	N/A	The container that stores CORS configurations for the bucket. Parent nodes: none
ResponseVary	Boolean	No	false	Whether to return the Vary: Origin header. Valid values: true: Returns the Vary: Origin header regardless of whether the request is cross-origin or succeeds. false: does not return the Vary: Origin header. Important Valid only when at least one CORS rule is configured.

This operation also uses Common HTTP headers.

Response headers

PutBucketCors responses contain only Common HTTP headers.

Examples

Sample request

PUT /?cors HTTP/1.1
Host: oss-example.oss-cn-hangzhou.aliyuncs.com
Content-Length: 186
Date: Fri, 04 May 2012 03:21:12 GMT
Authorization: OSS4-HMAC-SHA256 Credential=LTAI********************/20250417/cn-hangzhou/oss/aliyun_v4_request,AdditionalHeaders=content-length,Signature=a7c3554c729d71929e0b84489addee6b2e8d5cb48595adfc51868c299c0c218e
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration>
    <CORSRule>
      <AllowedOrigin>*</AllowedOrigin>
      <AllowedMethod>PUT</AllowedMethod>
      <AllowedMethod>GET</AllowedMethod>
      <AllowedHeader>Authorization</AllowedHeader>
    </CORSRule>
    <CORSRule>
      <AllowedOrigin>http://example.com</AllowedOrigin>
      <AllowedOrigin>http://example.net</AllowedOrigin>
      <AllowedMethod>GET</AllowedMethod>
      <AllowedHeader> Authorization</AllowedHeader>
      <ExposeHeader>x-oss-test</ExposeHeader>
      <ExposeHeader>x-oss-test1</ExposeHeader>
      <MaxAgeSeconds>100</MaxAgeSeconds>
    </CORSRule>
    <ResponseVary>false</ResponseVary>
</CORSConfiguration >

Sample response

HTTP/1.1 200 OK
x-oss-request-id: 50519080C4689A033D0*****
Date: Fri, 04 May 2012 03:21:12 GMT
Content-Length: 0
Connection: keep-alive
Server: AliyunOSS
x-oss-server-time: 94

SDK

The following OSS SDKs support PutBucketCors:

ossutil

For information about the ossutil command that corresponds to the PutBucketCors operation, see put-bucket-cors.

Error codes

Error code	HTTP status code	Description
InvalidDigest	400	The Content-MD5 value calculated from the request body does not match the Content-MD5 value in the request header.

API	Action	Description
PutBucketCors	oss:PutBucketCors	Configures cross-origin resource sharing (CORS) rules for a bucket.