Object Storage Service: Why do cross-origin requests for OSS resources accelerated by CDN fail?

Last Updated: Mar 20, 2026

When Alibaba Cloud CDN sits in front of OSS, browsers interact with CDN points of presence (POPs), not with OSS directly. This means the cross-origin resource sharing (CORS) rule you configure in the OSS console does not apply to CDN responses. You must configure CORS headers separately in the CDN console so that POPs include them in every cached response they serve.

Problem description

After you configure a cross-origin resource sharing (CORS) rule in the OSS console, cross-origin requests to OSS resources through CDN-accelerated domain names still fail.

Causes

Two issues commonly cause cross-origin requests to fail in CDN-accelerated setups:

  • Stale cache: CDN POPs cached the original response headers before you configured the CORS rule. The browser receives those outdated headers — without CORS headers — and blocks the request.

  • Missing configuration: The CDN-accelerated domain name is not listed as an allowed origin, or you did not specify valid custom request headers or HTTP methods, such as GET, POST, and DELETE.

Solution

Configure custom POP HTTP response headers in the Alibaba Cloud CDN console. This makes CDN include CORS headers in every response it serves, regardless of what is in the POP cache.

Configure POP HTTP response headers

  1. Log on to the Alibaba Cloud CDN console.

  2. In the left-side navigation pane, click Domain Names.

  3. On the Domain Names page, find the domain name you want to manage and click Manage in the Actions column.

  4. In the left-side navigation tree, click Cache. On the page that appears, click the POP HTTP Response Header tab.

  5. On the POP HTTP Response Header tab, click Customize.

  6. In the POP HTTP Response Header dialog box, configure the following response headers:

    Note

    The values below are starting points. Adjust them to match your actual allowed origins, methods, and headers.

    | Response header | Value | Description |
    | --- | --- | --- |
    | Access-Control-Allow-Origin | * | Set the value to an asterisk (*) and enable authentication on cross-origin requests. |
    | Access-Control-Allow-Methods | POST,GET,HEAD,PUT,DELETE | Lists the HTTP methods permitted in cross-origin requests. |
    | Access-Control-Max-Age | 3600 | Sets how long (in seconds) the browser caches the preflight response. |

    After configuration, the result looks similar to this:

    [Figure: POP HTTP response header configuration]

Result

After saving, CDN POPs include the configured headers in responses for OSS resources they serve. The following image shows example test results after the headers take effect:

[Figure: Test results showing CORS headers in the response]
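
Added example (not from the original page, and not Alibaba Cloud code): a simplified JavaScript model of the check a browser applies to response headers, run over constructed samples of a stale cached response and a response carrying the values from the table above. The `corsCheck` function, the sample headers and the `https://app.example.com` origin are assumptions for illustration.

```javascript
// Added example: simplified model of the browser's CORS check (not a full Fetch implementation).

// HTTP header names are case-insensitive, so look them up that way.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// req: { origin, method, credentials?: bool, preflight?: bool }
function corsCheck(req, headers) {
  const allowOrigin = header(headers, 'Access-Control-Allow-Origin');
  if (allowOrigin === null) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (req.credentials) {
    // Credentialed requests need the exact origin and Allow-Credentials: true.
    if (allowOrigin === '*') {
      return { allowed: false, reason: 'wildcard origin with credentials' };
    }
    if (header(headers, 'Access-Control-Allow-Credentials') !== 'true') {
      return { allowed: false, reason: 'Access-Control-Allow-Credentials is not true' };
    }
  }
  if (allowOrigin !== '*' && allowOrigin !== req.origin) {
    return { allowed: false, reason: 'origin mismatch' };
  }
  if (req.preflight) {
    // GET, HEAD and POST are CORS-safelisted; other methods must be listed.
    const listed = (header(headers, 'Access-Control-Allow-Methods') || '')
      .split(',').map((m) => m.trim());
    if (!['GET', 'HEAD', 'POST'].includes(req.method) && !listed.includes(req.method)) {
      return { allowed: false, reason: 'method not allowed: ' + req.method };
    }
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample responses: one cached before the headers were set, one after.
const stale = { 'Content-Type': 'image/png', 'Cache-Control': 'max-age=3600' };
const configured = {
  'access-control-allow-origin': '*',
  'access-control-allow-methods': 'POST,GET,HEAD,PUT,DELETE',
  'access-control-max-age': '3600',
};
const page = 'https://app.example.com'; // hypothetical requesting origin

console.log(corsCheck({ origin: page, method: 'GET' }, stale));
console.log(corsCheck({ origin: page, method: 'DELETE', preflight: true }, configured));
console.log(corsCheck({ origin: page, method: 'GET', credentials: true }, configured));
```

The third call shows that a wildcard `Access-Control-Allow-Origin` is rejected for requests sent with credentials, which matters if the page's scripts send cookies to the accelerated domain.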