Simple Object Storage’s CORS (Cross-Origin Resource Sharing) support lets you configure access to your buckets from browser-based applications and websites. CORS rules are applied to entire buckets and all the objects they contain.

CORS configuration format

In the portal, a CORS configuration is a JSON document containing a set of rules. Each rule defines a set of allowed HTTP origins, methods, and headers.

Here is an example CORS configuration:

{
    "CORSRules": [
        {
            "AllowedHeaders": [
                "Content-*"
            ],
            "AllowedMethods": [
                "*"
            ],
            "AllowedOrigins": [
                "http://www.example.com"
            ],
            "ExposeHeaders": [
                "x-amz-server-side-encryption"
            ],
            "MaxAgeSeconds": 3000
        },
        {
            "AllowedMethods": [
                "GET",
                "HEAD"
            ],
            "AllowedOrigins": [
                "*"
            ],
            "MaxAgeSeconds": 3000
        }
    ]
}

This configuration allows all HTTP methods from the http://www.example.com origin, along with all request headers starting with Content-. For all other origins, only the GET and HEAD methods are allowed.

You can use wildcards (*) in allowed origins, methods and headers. Wildcards in allowed headers are limited to prefix matches.

AllowedMethods

"AllowedMethods" supports the following values:

  • HEAD
  • GET
  • POST
  • PUT
  • DELETE

AllowedOrigins

"AllowedOrigins" specifies the origins from which you want to allow cross-domain requests. You can choose an exact match (https://example.com) or a match with the wildcard character (https://*.example.com). If you set "AllowedOrigins" to *, it allows all origins.
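The matching rules described above (origin wildcards, method lists, prefix-only header wildcards), as an added Python example that is not Exoscale's code, for checking which rule a request would hit before pasting a configuration into the portal. It assumes rules are evaluated in order with the first match winning and that origins are compared as exact strings; `wildcard_match`, `header_allowed` and `matching_rule` are names chosen for this example.

```python
import json

# The example configuration from this page, embedded so the check runs offline.
CONFIG = json.loads("""
{"CORSRules": [
  {"AllowedHeaders": ["Content-*"], "AllowedMethods": ["*"],
   "AllowedOrigins": ["http://www.example.com"],
   "ExposeHeaders": ["x-amz-server-side-encryption"], "MaxAgeSeconds": 3000},
  {"AllowedMethods": ["GET", "HEAD"], "AllowedOrigins": ["*"],
   "MaxAgeSeconds": 3000}
]}
""")


def wildcard_match(pattern, value):
    """Match a pattern containing at most one '*' (e.g. https://*.example.com)."""
    if "*" not in pattern:
        return pattern == value
    prefix, suffix = pattern.split("*", 1)
    return (len(value) >= len(prefix) + len(suffix)
            and value.startswith(prefix) and value.endswith(suffix))


def header_allowed(patterns, name):
    """Header wildcards are prefix matches only; header names are case-insensitive."""
    name = name.lower()
    for p in patterns:
        p = p.lower()
        if p == name or (p.endswith("*") and name.startswith(p[:-1])):
            return True
    return False


def matching_rule(config, origin, method, request_headers=()):
    """Return the index of the first rule that permits the request, else None.

    Assumption: rules are evaluated in order and the first match wins.
    """
    for i, rule in enumerate(config["CORSRules"]):
        if not any(wildcard_match(o, origin) for o in rule["AllowedOrigins"]):
            continue
        if not any(m in ("*", method) for m in rule["AllowedMethods"]):
            continue
        allowed = rule.get("AllowedHeaders", [])
        if all(header_allowed(allowed, h) for h in request_headers):
            return i
    return None
```

Against the example configuration, a PUT from any origin other than http://www.example.com matches no rule, while a GET or HEAD without extra request headers falls through to the wildcard-origin rule.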

Additional elements

Each "CORSRule" element additionally supports the following elements:

  • "MaxAgeSeconds": controls the browser’s cache for the OPTIONS response. Caching responses helps the browser avoid making repeated OPTIONS calls if the original request is being repeated. To set a 5-minute cache, set "MaxAgeSeconds" to 300.

  • "ExposeHeaders": a comma-separated list of headers that SOS can send back in its responses, making them available to your JavaScript application code.

Accessing the CORS configuration in the Portal

CORS configuration can be edited in the Exoscale Portal. Navigate to the bucket list and click on the “Details” action next to your bucket. In the CORS tab, paste your JSON document.

Managing CORS configuration within the SOS API

The API endpoint for CORS management is https://<bucket-name>.sos-ch-dk-2.exo.io/?cors. This endpoint uses an XML representation of the CORS rules, but the parameters have equivalent semantics. See the AWS S3 documentation for more details: