How to restrict object access to only certain origins through CORS policy in Spaces?

Posted September 23, 2017 7.2k views
Object Storage

This isn’t necessarily specific to DigitalOcean, as I am experiencing the same thing with S3.

First, here is the request that I am sending successfully from Node.js AWS SDK:

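  // `s3` is an AWS.S3 client from the Node.js AWS SDK
  s3.putBucketCors({
    Bucket: `EXAMPLE_BUCKET`,
    CORSConfiguration: {
      CORSRules: [{
        AllowedHeaders: [`*`],
        AllowedMethods: [`GET`],
        AllowedOrigins: [``]
      }]
    }
  }, (err, data) => {
    if (err) throw err
  })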

I have verified that this indeed works as a call to getBucketCors returns expected configuration.

From the above policy, I would expect to not be able to access objects in EXAMPLE_BUCKET from localhost, or anywhere that isn’t, however, that isn’t the case. I am able to GET objects in this bucket from localhost, as well as

What am I not understanding?

6 answers

Hi, did you fix it? I’m in the same situation. I’m trying to set the following CORS XML:



s3cmd setcors s3cors.xml s3://myfiles

But I’m getting:
WARNING: Retrying failed request: /?cors (500 (UnknownError))
WARNING: Retrying failed request: /?cors (500 (UnknownError))

Sent a ticket to DigitalOcean Support 5 hours ago .... still no answer ....

Did you get any resolution for this from the DO Team?

As for DigitalOcean, I believe the expected XML generated is not right, since DigitalOcean expects something like this


according to the API docs; however, with boto it seems to generate using

CORSConfiguration: {
    CORSRules: [

Note the difference between CORSRules (boto) and CORSRule (DO API).

I have also been working on this for an entire day.

Posting this for reference as it pertains to the original use case that prompted the question:

Hey all - we just released a UI for CORS in the Control Panel. Hopefully this helps a bit.

I’m trying to prevent other websites from hotlinking images/videos hosted in my DigitalOcean Spaces account.

If other websites are able to show images/videos which I’m paying hosting for, it defeats the purpose of using Spaces, I think.
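
Why the bucket in the question stays readable from localhost, and why a CORS rule does not stop hotlinking, shown as an added example (not code from the original posts or from DigitalOcean): a simplified model in which the store always serves the object and a matching rule only adds the Access-Control-Allow-Origin header, which browsers check for cross-origin script reads. The origins https://app.example and https://other.example, the function names and the exact-match origin comparison are assumptions made for the illustration.

```javascript
// Constructed rule in the same shape as the CORSRules entry in the question.
const rules = [{
  AllowedHeaders: ['*'],
  AllowedMethods: ['GET'],
  AllowedOrigins: ['https://app.example'] // constructed origin
}]

// Server side (simplified): the object is returned whether or not the
// Origin matches. A matching rule only adds CORS response headers.
function serveObject(rules, req) {
  const headers = { 'Content-Type': 'image/png' }
  const origin = req.headers.origin
  const rule = origin && rules.find(r =>
    r.AllowedMethods.includes(req.method) &&
    r.AllowedOrigins.some(o => o === '*' || o === origin))
  if (rule) {
    headers['Access-Control-Allow-Origin'] = origin
    headers['Vary'] = 'Origin'
  }
  return { status: 200, headers, body: '<object bytes>' }
}

// Client side: who enforces the policy.
//   'curl'  - non-browser client, never looks at CORS headers
//   'img'   - <img>/<video> embed without a crossorigin attribute, no CORS check
//   'fetch' - cross-origin fetch()/XHR, the browser checks the header
function clientCanUse(kind, pageOrigin, res) {
  if (kind !== 'fetch') return res.status === 200
  const acao = res.headers['Access-Control-Allow-Origin']
  return res.status === 200 && (acao === '*' || acao === pageOrigin)
}

function demo() {
  const get = origin =>
    serveObject(rules, { method: 'GET', headers: origin ? { origin } : {} })
  const other = 'https://other.example' // constructed third-party site
  return {
    curlNoOrigin: clientCanUse('curl', null, get(null)),
    hotlinkedImg: clientCanUse('img', other, get(null)),
    fetchOther: clientCanUse('fetch', other, get(other)),
    fetchAllowed: clientCanUse('fetch', 'https://app.example', get('https://app.example'))
  }
}

console.log(demo())
```

Only the cross-origin `fetch` from a non-listed origin is refused, and it is refused by the browser, not by the store. Limiting who can download an object is an authorization matter (private objects with signed URLs, for example) rather than a CORS setting.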