CORS in Object Storage

EricC5 · November 3, 2020, 6:02am

Hello,

how can I configure CORS in Object Storage? The `aws s3api put-bucket-cors` seems to not be supported:

aws s3api put-bucket-cors --bucket bucket-name --cors-configuration file://cors.json --endpoint-url=https://s3.waw.cloud.ovh.net

An error occurred (NotImplemented) when calling the PutBucketCors operation: The requested resource is not implemented

system · December 3, 2020, 7:25pm

With openstack:

openstack container set --property Access-Control-Allow-Headers='Content-Type, X-CSRFToken' name_of_container
openstack container set --property Access-Control-Allow-Origin='https://domain1.com https://domain2.com' name_of_container

drzraf · January 28, 2021, 2:27pm

@AlexD2 : Ideally yes, that would enough.
In practice, it's not for two reasons:

- If you want web-based access through S3, it won't work, because the https://docs.openstack.org/keystone/pike/configuration/samples/keystone-conf.html s3api won't take into account container's CORS settings]
- If you want Swift access, container's CORS configuration isn't enough because OVH didn't (yet) configured keystone extra headers [keystone.conf : `cors.expose_headers` / `cors.allow_headers` that would allow browser to retrieve the `x-subject-token` returned by `/auth/tokens`. These two issues makes impossible to use our containers from web-based application which is a huge drawback in terms of applications and creativity.

drzraf · January 28, 2021, 2:27pm

s3api won’t take into account container’s CORS settings: https://bugs.launchpad.net/swift/+bug/1905104

See also this thread about CORS for Swift https://community.ovhcloud.com/t/26315

WadeeH · February 23, 2021, 7:29am

Hi folks,

Quick up on the post, I've been trying the commands that @AlexD2 posted, but it doesn't work on my end.

I'm using the S3 endpoints with Laravel, and when I try to load a PDF, my console shows a warning about CORS not being set.

Access to fetch at 'XXXXXX' from origin 'XXXXXX' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Am I doing something wrong?

VitK · April 13, 2021, 7:21pm

I might be wrong, but the command above with 2 domains is incorrect.
According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin , Access-Control-Allow-Origin can only have a single origin, if you need to support multiple domains you should use wildcard '*'.