Question
How to restrict object access to only certain origins through CORS policy in Spaces?
This isn’t necessarily specific to DigitalOcean, as I am experiencing the same thing with S3.
First, here is the request that I am sending successfully from Node.js AWS SDK:
```js
// `s3` is an already-configured AWS.S3 client; EXAMPLE_BUCKET holds the bucket name.
s3.putBucketCors({
  Bucket: EXAMPLE_BUCKET,
  CORSConfiguration: {
    CORSRules: [
      {
        AllowedHeaders: [`*`],
        AllowedMethods: [`GET`],
        AllowedOrigins: [`https://example.com`]
      }
    ]
  }
}, (err, data) => {
  if (err) throw err
  console.log(data)
})
```
I have verified that this indeed works, as a call to `getBucketCors` returns the expected configuration.
From the above policy, I would expect to not be able to access objects in `EXAMPLE_BUCKET` from localhost, or anywhere that isn’t example.com; however, that isn’t the case. I am able to GET objects in this bucket from localhost, as well as http://dev.example.com.
What am I not understanding?
Any answers on this?
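An added example, not part of the original question and not DigitalOcean's or AWS's code: a simplified JavaScript model of what the rule above changes. CORS rules only decide which response headers the store sends, and a browser uses those headers to decide whether page script may read a cross-origin response; the store still serves the GET. The function names, the localhost port and the assumption that the object is publicly readable are hypothetical.

```javascript
// Simplified model (added example): how an S3-compatible store applies a CORS
// rule to a plain GET, and how a browser then enforces it.
const rules = [
  { AllowedHeaders: ['*'], AllowedMethods: ['GET'], AllowedOrigins: ['https://example.com'] }
]

// AllowedOrigins entries may contain one '*' wildcard.
function originMatches(pattern, origin) {
  if (!pattern.includes('*')) return pattern === origin
  const [prefix, suffix] = pattern.split('*')
  return origin.length >= prefix.length + suffix.length &&
    origin.startsWith(prefix) && origin.endsWith(suffix)
}

// Server side: the status depends only on whether the caller may read the
// object (ACL, bucket policy, signature). CORS only adds or omits headers.
function serveObject(corsRules, request, callerMayRead) {
  if (!callerMayRead) return { status: 403, headers: {} }
  const headers = {}
  const origin = request.headers.Origin
  const rule = origin && corsRules.find(r =>
    r.AllowedMethods.includes(request.method) &&
    r.AllowedOrigins.some(p => originMatches(p, origin)))
  if (rule) {
    headers['Access-Control-Allow-Origin'] = rule.AllowedOrigins.includes('*') ? '*' : origin
  }
  return { status: 200, headers }
}

// Browser side: a cross-origin fetch()/XHR may expose the body to page script
// only when the response names the page's origin (or '*').
function scriptCanRead(pageOrigin, response) {
  const acao = response.headers['Access-Control-Allow-Origin']
  return response.status === 200 && (acao === '*' || acao === pageOrigin)
}

// Constructed requests against a publicly readable object (assumption).
const get = origin => ({ method: 'GET', headers: origin ? { Origin: origin } : {} })
const fromCurl = serveObject(rules, get(null), true)
const fromLocalhost = serveObject(rules, get('http://localhost:3000'), true)
const fromAllowed = serveObject(rules, get('https://example.com'), true)

console.log(fromCurl.status, fromLocalhost.status, fromAllowed.status) // 200 200 200
console.log(scriptCanRead('http://localhost:3000', fromLocalhost))    // false
console.log(scriptCanRead('https://example.com', fromAllowed))        // true
```

Restricting who can fetch an object at all is a matter of object ACLs, bucket policy or signed URLs, which is the `callerMayRead` input in this model.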