How to restrict object access to only certain origins through CORS policy in Spaces?

Posted on September 23, 2017

This isn’t necessarily specific to DigitalOcean, as I am experiencing the same thing with S3.

First, here is the request that I am sending successfully from Node.js AWS SDK:

s3.putBucketCors({
  Bucket: EXAMPLE_BUCKET,
  CORSConfiguration: {
    CORSRules: [
      { 
        AllowedHeaders: [`*`],
        AllowedMethods: [`GET`],
        AllowedOrigins: [`https://example.com`]
      }
    ]
  }
}, (err, data) => {
  if (err) throw err
  console.log(data)
})

I have verified that this indeed works, as a call to getBucketCors returns the expected configuration.

From the above policy, I would expect to not be able to access objects in EXAMPLE_BUCKET from localhost, or anywhere that isn’t example.com; however, that isn’t the case. I am able to GET objects in this bucket from localhost, as well as http://dev.example.com.

What am I not understanding?
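An added example, not part of the original post and not code from any SDK: a simplified model of how a storage endpoint and a browser treat the CORS rule above. A CORS rule only controls which response headers are sent, and therefore which pages' scripts a browser lets read the response; it does not decide whether the object is served. `serveObject`, `scriptCanRead`, `publicRead` and `signed` are hypothetical names, and the rule object is constructed to match the question.

```javascript
// Constructed rule, mirroring the putBucketCors call in the question.
const rules = [
  { AllowedHeaders: ['*'], AllowedMethods: ['GET'], AllowedOrigins: ['https://example.com'] }
];

// Simplified origin matching: exact string, or a pattern with a single '*'.
function originMatches(pattern, origin) {
  const star = pattern.indexOf('*');
  if (star === -1) return pattern === origin;
  const prefix = pattern.slice(0, star);
  const suffix = pattern.slice(star + 1);
  return origin.length >= prefix.length + suffix.length &&
    origin.startsWith(prefix) && origin.endsWith(suffix);
}

// Hypothetical model of the storage endpoint. Whether the object is returned
// depends on access control (publicRead / signed), never on the Origin header.
// A matching CORS rule only adds a response header.
function serveObject(req, bucket) {
  if (!bucket.publicRead && !req.signed) return { status: 403, headers: {}, body: null };
  const headers = {};
  const origin = req.headers.origin;
  const match = origin !== undefined && bucket.rules.some(r =>
    r.AllowedMethods.includes(req.method) &&
    r.AllowedOrigins.some(p => originMatches(p, origin)));
  if (match) {
    headers['access-control-allow-origin'] = origin;
  }
  return { status: 200, headers, body: 'object bytes' };
}

// Browser-side check for fetch/XHR: page script may read the response only
// when Access-Control-Allow-Origin names the page's origin (or is '*').
function scriptCanRead(pageOrigin, res) {
  const acao = res.headers['access-control-allow-origin'];
  return res.status === 200 && (acao === '*' || acao === pageOrigin);
}

const get = (origin, signed = false) =>
  ({ method: 'GET', signed, headers: origin ? { origin } : {} });

const publicBucket = { publicRead: true, rules };
const privateBucket = { publicRead: false, rules };
for (const o of [undefined, 'http://localhost:3000', 'http://dev.example.com', 'https://example.com']) {
  const res = serveObject(get(o), publicBucket);
  console.log(o || '(no Origin: curl, Node, <img>, address bar)', res.status,
    'script can read:', o ? scriptCanRead(o, res) : 'n/a');
}
console.log('private, unsigned:', serveObject(get('https://example.com'), privateBucket).status);
```

Every request to the publicly readable bucket gets a 200 with the object body; only the script-readability of a cross-origin `fetch`/XHR response changes with the origin. Limiting who can download the objects is a job for access control, such as a private ACL with pre-signed URLs, not for the CORS rule.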




Hi, did you fix it? I’m in the same situation. I’m trying to set the following CORS XML:

<CORSConfiguration>
 <CORSRule>
  <AllowedOrigin></AllowedOrigin>
  <AllowedMethod>GET</AllowedMethod>
  <AllowedHeader></AllowedHeader>
 </CORSRule>
</CORSConfiguration>

Using:

s3cmd setcors s3cors.xml s3://myfiles

But I’m getting:

WARNING: Retrying failed request: /?cors (500 (UnknownError))
WARNING: Retrying failed request: /?cors (500 (UnknownError))

Sent a ticket to DigitalOcean Support 5 hours ago … still no answer …

Posting this for reference as it pertains to the original use case that prompted the question:

https://stackoverflow.com/questions/46516183/s3-cors-configuration-restricting-to-specific-domains-has-no-affect

As for DigitalOcean, I believe the expected XML generated is not right, since DigitalOcean expects something like this

<CORSConfiguration>
 <CORSRule>
  .....

according to the API docs; however, with boto it seems to generate using

CORSConfiguration: {
    CORSRules: [

Note the difference between CORSRules (boto) and CORSRule (DO API).

I have also been working on this for an entire day.
