How to get Spaces pre-signed URL working with CORS?

Question

I’m trying to upload a file using Vue+axios by generating a pre-signed URL on my server and then using that URL to attempt a PUT.

Unfortunately I constantly get request has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. even though I’ve configured my CORS as loose as possible:

Origins: * Methods: GET, PUT, DELETE, HEAD, POST Headers: Access-Control-Allow-Origin, Access-Control-Request-Headers, Access-Control-Request-Method, Origin, Referer

I’ve also tried with * as the Headers value and putting my prod domain (I had hoped the above would work on localhost). It also doesn’t work for my prod domain.

Any idea on how one can get this to work?

Thanks

Answer 1

mstrlaw December 7, 2020

Figured out that it isn’t an issue with DO’ Spaces CORS config, but actually related to axios (in my case I was using axios in a VueJS app).

In my case: I was generating a pre-signed PUT URL. Then, on the actual PUT request, my axios instance sent the common default headers (specifically the Authorization header due to the user auth token being set globally), which was resulting in continuously getting a No 'Access-Control-Allow-Origin' response..

The solution, if you’re using axios, is to use transformRequest in order to remove the Authorization header for that single request only (my advice, remove any other header).

It will avoid sending these Headers and your PUT request to the pre-signed URL will work. This answer put me in the right path (after figuring out that when using fetch the issue didn’t occur.

Reply Report

Answer 2

mythicmaniac August 8, 2021

Writing this in case it’s helpful for future readers:

I was struggling with a similar issue, where we used pre-signed URLs with the DigitalOcean spaces storage backend for multi-part file uploads.

Initially, the requests failed entirely due to lacking CORS policies in the DigitalOcean spaces responses. After some diggin, it turned out you can configure CORS policies in the DO spaces management dashboard.

Next issue we ran to is that the client (browser) didn’t have access to the ETag response header sent by DigitalOcean spaces, as it was lacking the Access-Control-Expose-Headers header allowing the access to the ETag header. To solve this, there doesn’t seem to be an official DigitalOcean supported way to do it, but luckily I found this thread which showed how you can do it directly with s3cmd:

With s3cmd, it’s possible to upload a CORS policy file directly to the bucket, which also works on DigitalOcean spaces. This overrides any existing CORS settings set on the bucket

Example CORS policy file:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <ExposeHeader>ETag</ExposeHeader>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

Note how we can define the ExposeHeader property here on top of the settings already manageable on the DigitalOcean dashboard. I do not know why has the option been omitted from the official UI.

Once you have the file and s3cmd configured, it’s simple enough to upload to the bucket:

s3cmd setcors FILE s3://BUCKET

Reply Report

Related

Question

How to get Spaces pre-signed URL working with CORS?

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

How to get Spaces pre-signed URL working with CORS?

Related

Leave a comment

Related

question

Does App Platform to Spaces upload count as Outbound Traffic?

question

Global middleware invoked when accessing API endpoints

question

How is it possible to lose space access more than 2 days already?

question

My domain name directs me to UNMS login page after a problem in my payment method

Looking for something else?