How to restrict object access to only certain origins through CORS policy in Spaces?

September 23, 2017
Object Storage

This isn't necessarily specific to DigitalOcean, as I am experiencing the same thing with S3.

First, here is the request that I am sending successfully from Node.js AWS SDK:

// s3: an AWS.S3 client instance (assumed)
s3.putBucketCors({
  Bucket: 'EXAMPLE_BUCKET',
  CORSConfiguration: {
    CORSRules: [{
      AllowedHeaders: ['*'],
      AllowedMethods: ['GET'],
      AllowedOrigins: ['https://example.com']
    }]
  }
}, (err, data) => {
  if (err) throw err
})

I have verified that this indeed works, as a call to getBucketCors returns the expected configuration.

From the above policy, I would expect to not be able to access objects in EXAMPLE_BUCKET from localhost, or anywhere that isn't example.com. However, that isn't the case: I am able to GET objects in this bucket from localhost, as well as from http://dev.example.com.

What am I not understanding?
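
A simplified model of the behaviour described in the question, added here as an illustration and not code from the original post, DigitalOcean or AWS: the CORS rule only decides whether a response carries an `Access-Control-Allow-Origin` header, which browsers use to gate script reads, while whether the object is served at all is decided by authorization. The names `originMatches`, `serveGet`, `scriptCanRead` and the `objectIsReadable` flag are hypothetical.

```javascript
// Simplified model (added example) of how an S3-compatible store applies a
// CORS rule to a simple GET. Rule shape matches the SDK's CORSRules entries.
const rules = [{
  AllowedHeaders: ['*'],
  AllowedMethods: ['GET'],
  AllowedOrigins: ['https://example.com']
}]

// AllowedOrigins entries may hold one '*' wildcard, e.g. 'https://*.example.com'.
function originMatches (pattern, origin) {
  if (pattern === '*') return true
  const star = pattern.indexOf('*')
  if (star === -1) return pattern === origin
  const head = pattern.slice(0, star)
  const tail = pattern.slice(star + 1)
  return origin.length >= head.length + tail.length &&
    origin.startsWith(head) && origin.endsWith(tail)
}

// The store: authorization (ACL, policy, signature) decides whether the body is
// served; CORS rules only decide whether an Access-Control-Allow-Origin header
// is attached. objectIsReadable is a hypothetical stand-in for that auth check.
function serveGet (rules, origin, objectIsReadable) {
  if (!objectIsReadable) return { status: 403, headers: {}, body: null }
  const headers = {}
  const rule = origin && rules.find(r =>
    r.AllowedMethods.includes('GET') &&
    r.AllowedOrigins.some(p => originMatches(p, origin)))
  if (rule) {
    headers['Access-Control-Allow-Origin'] =
      rule.AllowedOrigins.includes('*') ? '*' : origin
  }
  return { status: 200, headers, body: 'object bytes' }
}

// The browser: only script reads of a cross-origin response are gated on the header.
function scriptCanRead (pageOrigin, response) {
  const acao = response.headers['Access-Control-Allow-Origin']
  return response.status === 200 && (acao === '*' || acao === pageOrigin)
}
```

In this model a readable object is returned to any origin, and to clients that send no `Origin` header at all; restricting who can fetch it means keeping the object private and handing out pre-signed URLs, not tightening the CORS rule.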

3 Answers

Hi, did you fix it? I'm in the same situation. I'm trying to set the following CORS XML:



s3cmd setcors s3cors.xml s3://myfiles

But I'm getting:
WARNING: Retrying failed request: /?cors (500 (UnknownError))
WARNING: Retrying failed request: /?cors (500 (UnknownError))

Sent a ticket to DigitalOcean Support 5 hours ago .... still no answer ....

As for DigitalOcean, I believe the expected XML generated is not right, since DigitalOcean expects something like this:


according to the API docs; however, with boto it seems to generate using

CORSConfiguration: {
    CORSRules: [

Note the difference between CORSRules (boto) and CORSRule (DO API).

I have been working on this also for an entire day

Did you get any resolution for this from the DO Team?
