How to restrict object access to only certain origins through CORS policy in Spaces?

Question

This isn’t necessarily specific to DigitalOcean, as I am experiencing the same thing with S3.

First, here is the request that I am sending successfully from Node.js AWS SDK:

s3.putBucketCors({
  Bucket: EXAMPLE_BUCKET,
  CORSConfiguration: {
    CORSRules: [
      { 
        AllowedHeaders: [`*`],
        AllowedMethods: [`GET`],
        AllowedOrigins: [`https://example.com`]
      }
    ]
  }
}, (err, data) => {
  if (err) throw err
  console.log(data)
})

I have verified that this indeed works as a call to getBucketCors returns expected configuration.

From the above policy, I would expect to not be able to access objects in EXAMPLE_BUCKET from localhost, or anywhere that isn’t example.com, however, that isn’t the case. I am able to GET objects in this bucket from localhost, as well as http://dev.example.com.

What am I not understanding?

Hector Paterno · Answer

Hi did you fix it ? Im in the same situation I’m trying to set the following CORS xml:

Using:

s3cmd setcors s3cors.xml s3://myfiles

But I’m getting: WARNING: Retrying failed request: /?cors (500 (UnknownError)) WARNING: Retrying failed request: /?cors (500 (UnknownError))

Sent a ticket to DigitalOcean Support 5 hours ago … still no answer …

varunvarde2007 · Answer

Did you get any resolution for this from the DO Team?

Dan Poynor · Answer

I’m trying to prevent other websites from hotlinking images/videos hosted in my DigitalOcean Spaces account.

If other websites are able to show images/videos which I’m paying hosting for it defeats the purpose of using Spaces I think.

Related Questions

Question

How to restrict object access to only certain origins through CORS policy in Spaces?

Popular Topics

Questions