Question

How to restrict object access to only certain origins through CORS policy in Spaces?

This isn’t necessarily specific to DigitalOcean, as I am experiencing the same thing with S3.

First, here is the request that I am sending successfully from Node.js AWS SDK:

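// AWS SDK for JavaScript, callback style
const AWS = require('aws-sdk')
const s3 = new AWS.S3()

s3.putBucketCors({
  Bucket: EXAMPLE_BUCKET, // placeholder for the bucket name
  CORSConfiguration: {
    CORSRules: [
      {
        AllowedHeaders: [`*`],
        AllowedMethods: [`GET`],
        AllowedOrigins: [`https://example.com`]
      }
    ]
  }
}, (err, data) => {
  if (err) throw err
  console.log(data)
})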

I have verified that this indeed works, as a call to getBucketCors returns the expected configuration.

From the above policy, I would expect to not be able to access objects in EXAMPLE_BUCKET from localhost, or anywhere that isn’t example.com. However, that isn’t the case. I am able to GET objects in this bucket from localhost, as well as http://dev.example.com.

What am I not understanding?
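Added example, not part of the original question and not DigitalOcean or AWS code: a constructed model of how an S3-compatible store applies the CORS rule above and how different clients treat the response. It assumes the object is publicly readable and simplifies origin matching to exact strings or `*`; the function and client names are hypothetical.

```javascript
// Constructed model; all names here are hypothetical.
const corsRule = {
  AllowedHeaders: ['*'],
  AllowedMethods: ['GET'],
  AllowedOrigins: ['https://example.com']
}

// Server side: the CORS rule only decides which headers are added.
// Whether the object is returned is decided by ACL / bucket policy,
// modelled here as the objectIsPublic flag (assumed true).
function serveObject (request, rule, objectIsPublic = true) {
  if (!objectIsPublic) return { status: 403, headers: {}, body: null }
  const headers = {}
  const origin = request.headers.origin
  const originAllowed = rule.AllowedOrigins.some(o => o === '*' || o === origin)
  if (origin && originAllowed && rule.AllowedMethods.includes(request.method)) {
    headers['access-control-allow-origin'] = origin
    headers.vary = 'Origin'
  }
  return { status: 200, headers, body: 'object-bytes' }
}

// Client side: only cross-origin script reads (fetch/XHR) check the header.
// Plain embeds (<img>, <video>) and non-browser clients never look at it.
function clientCanUseResponse (client, pageOrigin, response) {
  if (response.status !== 200) return false
  if (client !== 'browser-fetch') return true
  const allowed = response.headers['access-control-allow-origin']
  return allowed === '*' || allowed === pageOrigin
}

function tryGet (client, pageOrigin) {
  // Only the fetch client is modelled as sending an Origin header.
  const headers = client === 'browser-fetch' ? { origin: pageOrigin } : {}
  const response = serveObject({ method: 'GET', headers }, corsRule)
  const usable = clientCanUseResponse(client, pageOrigin, response)
  return { status: response.status, usable }
}

// Constructed sample requests.
const samples = [
  ['browser-fetch', 'https://example.com'],
  ['browser-fetch', 'http://localhost:3000'],
  ['img-tag', 'http://dev.example.com'],
  ['curl', null]
]
for (const [client, origin] of samples) {
  console.log(client, origin, tryGet(client, origin))
}
```

Every sample gets a 200 with the object bytes; the rule only changes whether a browser lets page script read the response.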


Hi, did you fix it? I’m in the same situation. I’m trying to set the following CORS XML:

<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin></AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedHeader></AllowedHeader>
  </CORSRule>
</CORSConfiguration>

Using:

s3cmd setcors s3cors.xml s3://myfiles

But I’m getting:

WARNING: Retrying failed request: /?cors (500 (UnknownError))
WARNING: Retrying failed request: /?cors (500 (UnknownError))

Sent a ticket to DigitalOcean Support 5 hours ago … still no answer …

Did you get any resolution for this from the DO Team?

I’m trying to prevent other websites from hotlinking images/videos hosted in my DigitalOcean Spaces account.

If other websites are able to show images/videos which I’m paying hosting for, it defeats the purpose of using Spaces, I think.