By:
lokua

How to restrict object access to only certain origins through CORS policy in Spaces?

September 23, 2017
Object Storage

This isn't necessarily specific to DigitalOcean, as I am experiencing the same thing with S3.

First, here is the request that I am sending successfully from Node.js AWS SDK:

const AWS = require('aws-sdk')

// Region/endpoint and credentials come from the SDK's usual config sources;
// EXAMPLE_BUCKET is a placeholder for the real bucket name.
const s3 = new AWS.S3()
const EXAMPLE_BUCKET = 'example-bucket'

s3.putBucketCors({
  Bucket: EXAMPLE_BUCKET,
  CORSConfiguration: {
    CORSRules: [
      {
        AllowedHeaders: [`*`],
        AllowedMethods: [`GET`],
        AllowedOrigins: [`https://example.com`]
      }
    ]
  }
}, (err, data) => {
  if (err) throw err
  console.log(data)
})

I have verified that this indeed works, as a call to getBucketCors returns the expected configuration.

From the above policy, I would expect not to be able to access objects in EXAMPLE_BUCKET from localhost, or from anywhere that isn't example.com; however, that isn't the case. I am able to GET objects in this bucket from localhost, as well as from http://dev.example.com.

What am I not understanding?

3 Answers

Hi, did you fix it? I'm in the same situation. I'm trying to set the following CORS XML:

<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin></AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedHeader></AllowedHeader>
  </CORSRule>
</CORSConfiguration>

Using:

s3cmd setcors s3cors.xml s3://myfiles

But I'm getting:
WARNING: Retrying failed request: /?cors (500 (UnknownError))
WARNING: Retrying failed request: /?cors (500 (UnknownError))

Sent a ticket to DigitalOcean Support 5 hours ago... still no answer...

As for DigitalOcean, I believe the XML generated is not right, since DigitalOcean expects something like this:

<CORSConfiguration>
 <CORSRule>
  .....

according to the API docs; however, with boto it seems to generate it using:

CORSConfiguration: {
    CORSRules: [

Note the difference between CORSRules (boto) and CORSRule (DO API).

I have been working on this for an entire day as well.

Did you get any resolution for this from the DO Team?
