CORS

When a user's browser requests a bucket, it declares the domain, request method, and headers in the request. Using Cross-Origin Resource Sharing (CORS) technology, you can restrict access to objects in a bucket based on the values of these parameters.

To use CORS, the technology must be supported by both the storage and the user's browser; CORS support is enabled by default in modern browsers.

For CORS to work, Virtual-Hosted addressing must be enabled.

You can configure CORS settings in the control panel or upload a configuration XML file via the S3 API.

CORS parameters

| Header | Description | Required |
|---|---|---|
| AllowedOrigins | List of domains from which requests to the bucket are allowed | |
| AllowedHeaders | Headers available for use in a JavaScript application in the browser | |
| ExposeHeaders | Headers allowed in a request to an object | |
| AllowedMethods | HTTP methods allowed for use in requests. Available methods: GET, PUT, HEAD, POST, DELETE | |
| MaxAgeSeconds | The time, in seconds, for which Preflight request results can be cached. If the header is not specified, the default value of 3600 is applied | |

Configure CORS

You can add up to 100 CORS rules.

  1. In the control panel, click Products on the top menu and select S3.
  2. Go to the Buckets section.
  3. Open the bucket page → CORS tab.
  4. Click Create Rule.
  5. Configure the CORS rule parameters.
  6. Optional: to add another rule, click Add Rule.
  7. Click Create.
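
An added example, not part of the original documentation: a pre-upload check for a CORS configuration XML file that applies the limits stated on this page (100 rules, the five listed methods, the 3600-second MaxAgeSeconds default) and flags any rule that lets every origin use write methods. The element names (`CORSConfiguration`, `CORSRule`, `AllowedOrigin`, `AllowedMethod`, `MaxAgeSeconds`) assume the standard S3 CORS XML schema, which this page does not show; `audit_cors` and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ALLOWED_METHODS = {"GET", "PUT", "HEAD", "POST", "DELETE"}  # methods listed on this page
WRITE_METHODS = {"PUT", "POST", "DELETE"}
MAX_RULES = 100  # rule limit stated on this page
# Constructed sample; element names assume the standard S3 CORS XML schema.
SAMPLE = """<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
  </CORSRule>
  <CORSRule>
    <AllowedOrigin>https://app.example.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PATCH</AllowedMethod>
    <MaxAgeSeconds>600</MaxAgeSeconds>
  </CORSRule>
</CORSConfiguration>"""


def _local(tag):  # drop an XML namespace: '{ns}CORSRule' -> 'CORSRule'
    return tag.rsplit("}", 1)[-1]


def audit_cors(xml_text):
    """Return a list of findings for a CORS configuration document."""
    rules = [el for el in ET.fromstring(xml_text) if _local(el.tag) == "CORSRule"]
    findings = []
    if len(rules) > MAX_RULES:
        findings.append(f"{len(rules)} rules exceed the limit of {MAX_RULES}")
    for i, rule in enumerate(rules, 1):
        vals = {}
        for child in rule:
            vals.setdefault(_local(child.tag), []).append((child.text or "").strip())
        origins = vals.get("AllowedOrigin", [])
        methods = set(vals.get("AllowedMethod", []))
        if methods - ALLOWED_METHODS:
            findings.append(f"rule {i}: unsupported methods {sorted(methods - ALLOWED_METHODS)}")
        if "*" in origins and methods & WRITE_METHODS:
            findings.append(f"rule {i}: any origin may use {sorted(methods & WRITE_METHODS)}")
        age = vals.get("MaxAgeSeconds", ["3600"])[0]  # 3600 is the default on this page
        if not age.isdigit():
            findings.append(f"rule {i}: MaxAgeSeconds {age!r} is not a whole number of seconds")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_cors(SAMPLE)))
```
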