Question
How to restrict object access to only certain origins through CORS policy in Spaces?
- Posted September 23, 2017
- Object Storage
This isn’t necessarily specific to DigitalOcean, as I am experiencing the same thing with S3.
First, here is the request that I am sending successfully from Node.js AWS SDK:
s3.putBucketCors({
Bucket: EXAMPLE_BUCKET,
CORSConfiguration: {
CORSRules: [
{
AllowedHeaders: [`*`],
AllowedMethods: [`GET`],
AllowedOrigins: [`https://example.com`]
}
]
}
}, (err, data) => {
if (err) throw err
console.log(data)
})
I have verified that this indeed works as a call to getBucketCors returns expected configuration.
From the above policy, I would expect to not be able to access objects in EXAMPLE_BUCKET from localhost, or anywhere that isn’t example.com, however, that isn’t the case. I am able to GET objects in this bucket from localhost, as well as http://dev.example.com.
What am I not understanding?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Did you get any resolution for this from the DO Team?
Hi did you fix it ? Im in the same situation I’m trying to set the following CORS xml:
<CORSConfiguration> <CORSRule> <AllowedOrigin></AllowedOrigin> <AllowedMethod>GET</AllowedMethod> <AllowedHeader></AllowedHeader> </CORSRule> </CORSConfiguration>
Using:
s3cmd setcors s3cors.xml s3://myfiles
But I’m getting: WARNING: Retrying failed request: /?cors (500 (UnknownError)) WARNING: Retrying failed request: /?cors (500 (UnknownError))
Sent a ticket to DigitalOcean Support 5 hours ago … still no answer …
Hi did you fix it ? Im in the same situation I’m trying to set the following CORS xml:
<CORSConfiguration> <CORSRule> <AllowedOrigin></AllowedOrigin> <AllowedMethod>GET</AllowedMethod> <AllowedHeader></AllowedHeader> </CORSRule> </CORSConfiguration>
Using:
s3cmd setcors s3cors.xml s3://myfiles
But I’m getting: WARNING: Retrying failed request: /?cors (500 (UnknownError)) WARNING: Retrying failed request: /?cors (500 (UnknownError))
Sent a ticket to DigitalOcean Support 5 hours ago … still no answer …
Hi did you fix it ? Im in the same situation I’m trying to set the following CORS xml:
<CORSConfiguration> <CORSRule> <AllowedOrigin></AllowedOrigin> <AllowedMethod>GET</AllowedMethod> <AllowedHeader></AllowedHeader> </CORSRule> </CORSConfiguration>
Using:
s3cmd setcors s3cors.xml s3://myfiles
But I’m getting: WARNING: Retrying failed request: /?cors (500 (UnknownError)) WARNING: Retrying failed request: /?cors (500 (UnknownError))
Sent a ticket to DigitalOcean Support 5 hours ago … still no answer …
I’m trying to prevent other websites from hotlinking images/videos hosted in my DigitalOcean Spaces account.
If other websites are able to show images/videos which I’m paying hosting for it defeats the purpose of using Spaces I think.
Hey all - we just released a UI for CORS in the Control Panel. Hopefully this helps a bit.
Posting this for reference as it pertains to the original use case that prompted the question:
As For Digital Ocean, I believe the expected XML generated is not right since Digital Ocean expects something like this
<CORSConfiguration>
<CORSRule>
.....
according to the api docs, however with boto it seems to generate using
CORSConfiguration: {
CORSRules: [
Note the difference between CORSRules(boto) and CORSRule(DO API)
I have been working on this also for an entire day
Any answers on this?