Question

How to restrict object access to only certain origins through CORS policy in Spaces?

Posted September 23, 2017 4.7k views
Object Storage

This isn’t necessarily specific to DigitalOcean, as I am experiencing the same thing with S3.

First, here is the request that I am sending successfully from Node.js AWS SDK:

s3.putBucketCors({
  Bucket: EXAMPLE_BUCKET,
  CORSConfiguration: {
    CORSRules: [
      { 
        AllowedHeaders: [`*`],
        AllowedMethods: [`GET`],
        AllowedOrigins: [`https://example.com`]
      }
    ]
  }
}, (err, data) => {
  if (err) throw err
  console.log(data)
})

I have verified that this indeed works as a call to getBucketCors returns expected configuration.

From the above policy, I would expect to not be able to access objects in EXAMPLE_BUCKET from localhost, or anywhere that isn’t example.com, however, that isn’t the case. I am able to GET objects in this bucket from localhost, as well as http://dev.example.com.

What am I not understanding?

Add a comment
500f512d9abd455ed7e029d5002797dca0dae1aa
By:
lokua
Add a comment
1 comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

6 answers
apaterno October 2, 2017

Hi did you fix it ? Im in the same situation I’m trying to set the following CORS xml:

<CORSConfiguration>
<CORSRule>
<AllowedOrigin></AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedHeader></AllowedHeader>
</CORSRule>
</CORSConfiguration>

Using:

s3cmd setcors s3cors.xml s3://myfiles

But I’m getting:
WARNING: Retrying failed request: /?cors (500 (UnknownError))
WARNING: Retrying failed request: /?cors (500 (UnknownError))

Sent a ticket to DigitalOcean Support 5 hours ago .... still no answer ....

Reply Report
varunvarde2007 October 5, 2017

Did you get any resolution for this from the DO Team?

Reply Report
leonardk1 September 30, 2017

As For Digital Ocean,
I believe the expected XML generated is not right
since Digital Ocean expects something like this

<CORSConfiguration>
 <CORSRule>
  .....

according to the api docs, however with boto it seems to generate using

CORSConfiguration: {
    CORSRules: [

Note the difference between CORSRules(boto) and CORSRule(DO API)

I have been working on this also for an entire day

Reply Report
lokua November 5, 2017

Posting this for reference as it pertains to the original use case that prompted the question:

https://stackoverflow.com/questions/46516183/s3-cors-configuration-restricting-to-specific-domains-has-no-affect

Reply Report
johngannon December 8, 2017

Hey all - we just released a UI for CORS in the Control Panel. Hopefully this helps a bit.

Reply Report
danpoynor June 10, 2019

I’m trying to prevent other websites from hotlinking images/videos hosted in my DigitalOcean Spaces account.

If other websites are able to show images/videos which I’m paying hosting for it defeats the purpose of using Spaces I think.

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help