Cross-origin resource sharing (CORS) is a standard mechanism proposed by World Wide Web Consortium (W3C) and allows cross-origin requests from clients. For standard web page requests, the scripts and contents at one website cannot interact with those at another website due to the existence of the Same Origin Policy (SOP).
OBS allows buckets to store static web resources. The buckets of OBS can serve as website resources if the buckets are properly used (for details, see Configuring Static Website Hosting for a Bucket). A website in OBS can respond to requests of another websites only after CORS is properly configured.
Typical application scenarios are as follows:
To perform this operation, you must have the PutBucketCORS permission. By default, only the bucket owner can perform this operation. The bucket owner can grant the permission to other users by configuring the bucket policy or user policy.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | PUT /?cors HTTP/1.1 Host: bucketname.obs.region.example.com Content-Length: length Date: date Authorization: authorization Content-MD5: MD5 <?xml version="1.0" encoding="UTF-8"?> <CORSConfiguration> <CORSRule> <ID>id</ID> <AllowedMethod>method</AllowedMethod> <AllowedOrigin>origin</AllowedOrigin> <AllowedHeader>header</AllowedHeader> <MaxAgeSeconds>seconds</MaxAgeSeconds> <ExposeHeader>header</ExposeHeader> </CORSRule> </CORSConfiguration> |
This request contains no parameters.
This request uses common headers and CORS request headers. For details, see Table 3 and Table 1.
In this request body, you must configure the CORS rules for a bucket in XML format. Table 2 describes the specific configuration elements.
Element |
Type |
Mandatory (Yes/No) |
Description |
|---|---|---|---|
CORSConfiguration |
Container |
Yes |
Explanation: Root node of CORSRules. Parent: none Restrictions: The maximum size is 64 KB. Value range: None Default value: None |
CORSRule |
Container |
Yes |
Explanation: CORS rules Parent: CORSConfiguration Restrictions: CORSConfiguration can contain a maximum of 100 rules. Value range: None Default value: None |
ID |
String |
No |
Explanation: The ID of a CORS rule. Parent: CORSRule Restrictions: The ID cannot be longer than 255 characters. Value range: A string of 1 to 255 characters. Default value: None |
AllowedMethod |
String |
Yes |
Explanation: The allowed HTTP methods (types of operations on buckets and objects) for a cross-origin request. Parent: CORSRule Restrictions: None Value range: The following HTTP methods are supported:
Default value: None |
AllowedOrigin |
String |
Yes |
Explanation: The origin that is allowed to access the bucket. Parent: CORSRule Restrictions: Only English domain names are supported. Regular expressions are used to match. Each rule allows at most one asterisk (*). For example, https://*.vbs.example.com. Value range: The value must comply with the CORS protocol and contain 0 to 20480 characters. Default value: None |
AllowedHeader |
String |
No |
Explanation: What headers are allowed in a CORS request. If a CORS request contains the Access-Control-Request-Headers header, the headers listed in this header must match the headers in the AllowedHeader element so that the request can be considered valid. The matching is based on regular expressions. Parent: CORSRule Restrictions: At most one asterisk (*) is allowed. Spaces, ampersands (&), colons (:), less-than signs (<), and full-width characters are not allowed. Value range: The value must comply with the CORS protocol and contain 0 to 20480 characters. Default value: None |
MaxAgeSeconds |
Integer |
No |
Explanation: How long the response can be cached on a client Parent: CORSRule Restrictions: Each CORS rule can contain at most one MaxAgeSeconds. Value range: An integer greater than or equal to 0, in seconds Default value: 3000 |
ExposeHeader |
String |
No |
Explanation: Specifies additional headers allowed in the response by a CORS rule, which are used to provide extra information to clients. By default, a browser can access only headers Content-Length and Content-Type. If the browser needs to access other headers, you need to configure them in this parameter. Parent: CORSRule Restrictions: Spaces, asterisks (*), ampersands (&), colons (:), less-than signs (<), and full-width characters are not allowed. Value range: The value that complies with the CORS Default value: None |
1 2 3 4 | HTTP/1.1 status_code Date: date Content-Length: length |
The response to the request uses common headers. For details, see Table 1.
This response contains no elements.
No special error responses are returned. For details about error responses, see Table 2.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | PUT /?cors HTTP/1.1 User-Agent: curl/7.29.0 Host: examplebucket.obs.region.example.com Accept: */* Date: WED, 01 Jul 2015 03:51:52 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:lq7BGoqE9yyhdEwE6KojJ7ysVxU= Content-MD5: NGLzvw81f/A2C9PiGO0aZQ== Content-Length: 617 <?xml version="1.0" encoding="utf-8"?> <CORSConfiguration> <CORSRule> <AllowedMethod>POST</AllowedMethod> <AllowedMethod>GET</AllowedMethod> <AllowedMethod>HEAD</AllowedMethod> <AllowedMethod>PUT</AllowedMethod> <AllowedMethod>DELETE</AllowedMethod> <AllowedOrigin>www.example.com</AllowedOrigin> <AllowedHeader>AllowedHeader_1</AllowedHeader> <AllowedHeader>AllowedHeader_2</AllowedHeader> <MaxAgeSeconds>100</MaxAgeSeconds> <ExposeHeader>ExposeHeader_1</ExposeHeader> <ExposeHeader>ExposeHeader_2</ExposeHeader> </CORSRule> </CORSConfiguration> |
1 2 3 4 5 6 7 | HTTP/1.1 100 Continue HTTP/1.1 200 OK Server: OBS x-obs-request-id: BF26000001643627112BD03512FC94A4 x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSYi6wLC4bkrvuS9sqnlRjxK2a5Fe3ry Date: WED, 01 Jul 2015 03:51:52 GMT Content-Length: 0 |