Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. With CORS support, you can build rich client-side web applications with Amazon S3 and selectively allow cross-origin access to your Amazon S3 resources.
How does Amazon S3 evaluate the CORS configuration on a bucket?
When Amazon S3 receives a preflight request from a browser, it evaluates the CORS configuration for the bucket and uses the first CORSRule
rule that matches the incoming browser request to enable a cross-origin request. For a rule to match, the following conditions must be met:
- The request’s
Origin
header must match anAllowedOrigin
element. - The request method (for example, GET or PUT) or the
Access-Control-Request-Method
header in case of a preflightOPTIONS
request must be one of theAllowedMethod
elements. - Every header listed in the request’s
Access-Control-Request-Headers
header on the preflight request must match anAllowedHeader
element.
AllowedMethod element
In the CORS configuration, you can specify the following values for the AllowedMethod
element.
- GET
- PUT
- POST
- DELETE
- HEAD
AllowedOrigin element
In the AllowedOrigin
element, you specify the origins that you want to allow cross-domain requests from, for example, http://www.example.com
. The origin string can contain only one *
wildcard character, such as http://*.example.com
. You can optionally specify *
as the origin to enable all the origins to send cross-origin requests. You can also specify https
to enable only secure origins.
AllowedHeader element
The AllowedHeader
element specifies which headers are allowed in a preflight request through the Access-Control-Request-Headers
header. Each header name in the Access-Control-Request-Headers
header must match a corresponding entry in the rule. Amazon S3 will send only the allowed headers in a response that were requested. For a sample list of headers that can be used in requests to Amazon S3, go to Common Request Headers in the Amazon Simple Storage Service API Reference guide.
Each AllowedHeader string in the rule can contain at most one * wildcard character. For example, <AllowedHeader>x-amz-*</AllowedHeader>
will enable all Amazon-specific headers.
ExposeHeader element
Each ExposeHeader
element identifies a header in the response that you want customers to be able to access from their applications (for example, from a JavaScript XMLHttpRequest
object). For a list of common Amazon S3 response headers, go to Common Response Headers in the Amazon Simple Storage Service API Reference guide.
MaxAgeSeconds element
The MaxAgeSeconds
element specifies the time in seconds that your browser can cache the response for a preflight request as identified by the resource, the HTTP method, and the origin.