How to restrict object access to only certain origins through CORS policy in Spaces?

September 23, 2017 4.2k views
Object Storage
500f512d9abd455ed7e029d5002797dca0dae1aa
By:
lokua

This isn’t necessarily specific to DigitalOcean, as I am experiencing the same thing with S3.

First, here is the request that I am sending successfully from Node.js AWS SDK:

s3.putBucketCors({
  Bucket: EXAMPLE_BUCKET,
  CORSConfiguration: {
    CORSRules: [
      { 
        AllowedHeaders: [`*`],
        AllowedMethods: [`GET`],
        AllowedOrigins: [`https://example.com`]
      }
    ]
  }
}, (err, data) => {
  if (err) throw err
  console.log(data)
})

I have verified that this indeed works as a call to getBucketCors returns expected configuration.

From the above policy, I would expect to not be able to access objects in EXAMPLE_BUCKET from localhost, or anywhere that isn’t example.com, however, that isn’t the case. I am able to GET objects in this bucket from localhost, as well as http://dev.example.com.

What am I not understanding?

1 comment
Log In to Comment
6 Answers
apaterno October 2, 2017

Hi did you fix it ? Im in the same situation I’m trying to set the following CORS xml:

<CORSConfiguration>
<CORSRule>
<AllowedOrigin></AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedHeader></AllowedHeader>
</CORSRule>
</CORSConfiguration>

Using:

s3cmd setcors s3cors.xml s3://myfiles

But I’m getting:
WARNING: Retrying failed request: /?cors (500 (UnknownError))
WARNING: Retrying failed request: /?cors (500 (UnknownError))

Sent a ticket to DigitalOcean Support 5 hours ago .... still no answer ....

Reply
varunvarde2007 October 5, 2017

Did you get any resolution for this from the DO Team?

Reply
leonardk1 September 30, 2017

As For Digital Ocean,
I believe the expected XML generated is not right
since Digital Ocean expects something like this

<CORSConfiguration>
 <CORSRule>
  .....

according to the api docs, however with boto it seems to generate using

CORSConfiguration: {
    CORSRules: [

Note the difference between CORSRules(boto) and CORSRule(DO API)

I have been working on this also for an entire day

Reply
lokua November 5, 2017

Posting this for reference as it pertains to the original use case that prompted the question:

https://stackoverflow.com/questions/46516183/s3-cors-configuration-restricting-to-specific-domains-has-no-affect

Reply
johngannon MOD December 8, 2017

Hey all - we just released a UI for CORS in the Control Panel. Hopefully this helps a bit.

Reply
  • pornvox November 29, 2018

    I have hosted videos and images in a digital ocean space. And I need to activate the hotlink so that you can only play or view those files only from my website,

    how can I do?

    digital ocean offers these configurations but I do not know if they do the function of what I need: http://prntscr.com/loj1hv

danpoynor June 10, 2019

I’m trying to prevent other websites from hotlinking images/videos hosted in my DigitalOcean Spaces account.

If other websites are able to show images/videos which I’m paying hosting for it defeats the purpose of using Spaces I think.

Reply
Have another answer? Share your knowledge.

Related