SOS’s CORS (Cross-Origin Resource Sharing) support lets you configure access to your buckets from browser-based applications and websites. CORS rules are applied to entire buckets and all the objects they contain.

CORS configuration format

A CORS configuration is an XML document containing a set of rules. Each rule defines a set of allowed HTTP origins, methods, and headers. Here is an example CORS configuration:


This configuration allows all HTTP methods from the origin and all headers starting with Content-. For all other origins, the GET method is allowed.

You can use wildcards (*) in allowed origins, methods and headers. Wildcards in allowed headers are limited to prefix matches.

A single rule can contain mulitple <AllowedOrigin>, <AllowedMethod> and <AllowedHeader> elements.


<AllowedMethod> supports the following values:

  • HEAD
  • GET
  • POST
  • PUT


<AllowedOrigin> specifies the origins from which you want to allow cross-domain requests. You can choose an exact match (e.g. or a match with the wildcard character (e.g. https://* Simply setting <AllowedOrigin> to * allows all origins.

Additional elements

Each <CORSRule> element additionally supports the following elements:

  • <MaxAgeSeconds>: this controls the browser’s cache for the OPTIONS response. Caching response helps the browser to avoid making repeated OPTIONS calls if the original request is being repeated. To set a 5-minute cache, set <MaxAgeSeconds> to 300.

  • <ExposeHeader>: comma-separated list of headers that SOS can send back in its responses, making them available to your JavaScript application code.

Managing CORS configuration in the Exoscale Console

CORS configuration can be edited in the Exoscale console. Simply navigate to the bucket list and click the “Edit” button next to your bucket. In the “CORS” tab, paste your XML document.

Managing CORS configuration within the SOS API

The API endpoint for CORS management is https://<bucket-name> See the AWS S3 documentation for details: