CORS configuration of buckets

Sample configuration as an XML file


This configuration allows you to send cross-domain requests from the website using the PUT, POST, and DELETE methods without any header restrictions.

Possible elements

Element Description
CORSConfiguration Root element of a CORS configuration. May contain a maximum of 100 CORSRule
Path: /CORSConfiguration.
CORSRule Rule for filtering incoming requests to the resource. Each rule must contain at least one AllowedMethod and AllowedOrigin element.

Path: /CORSConfiguration/CORSRule.
ID Unique rule ID (maximum 255 characters).

Optional. You can use it to search for a rule in a file.

Path: /CORSConfiguration/CORSRule/ID.
AllowedMethod HTTP method (PUT, GET, HEAD, POST, or DELETE) that can be used in a cross-domain request. Each method should be specified in a separate element. Specify at least one method.

Path: /CORSConfiguration/CORSRule/AllowedMethod.
AllowedOrigin Website that allows sending cross-domain requests to a bucket. Specify at least one AllowedOrigin element.

It may contain no more than one * character. Examples: http://*, *.

Path: /CORSConfiguration/CORSRule/AllowedOrigin.
AllowedHeader Header allowed in a request to an object. If multiple headers are allowed, specify each one in a separate AllowedHeader element. You can use a single * character in the header name to define a template. For example, <AllowedHeader>*</AllowedHeader> means that all headers are allowed.

An OPTIONS request contains the Access-Control-Request-Headers header. Object Storage maps the headers passed in Access-Control-Request-Headers to the AllowedHeader set and returns a list of allowed headers in response to the OPTIONS request.

Path: /CORSConfiguration/CORSRule/AllowedHeader.
MaxAgeSeconds Time in seconds during which the results of OPTIONS requests to objects are cached by the browser.

Path: /CORSConfiguration/CORSRule/MaxAgeSeconds.
ExposeHeader Header that can be displayed in a JavaScript app in the browser. If multiple headers are allowed, specify each of them in a separate element.

When sending a request to an object, the JavaScript client can only use the headers specified in ExposeHeader elements.

Path: /CORSConfiguration/CORSRule/ExposeHeader.