Question

How to restrict object access to only certain origins through CORS policy in Spaces?

This isn’t necessarily specific to DigitalOcean, as I am experiencing the same thing with S3.

First, here is the request that I am sending successfully from the Node.js AWS SDK:

const AWS = require('aws-sdk')

// Client construction is not shown in the original; for Spaces, point the
// client at the Space's endpoint, e.g. new AWS.S3({ endpoint: 'https://<region>.digitaloceanspaces.com' })
const s3 = new AWS.S3()

s3.putBucketCors({
  Bucket: EXAMPLE_BUCKET,
  CORSConfiguration: {
    CORSRules: [
      {
        AllowedHeaders: ['*'],                   // any request header may be sent cross-origin
        AllowedMethods: ['GET'],                 // only GET is allowed cross-origin
        AllowedOrigins: ['https://example.com']  // only this Origin receives CORS headers
      }
    ]
  }
}, (err, data) => {
  if (err) throw err
  console.log(data)
})

I have verified that this indeed works, as a call to getBucketCors returns the expected configuration.

From the above policy, I would expect not to be able to access objects in EXAMPLE_BUCKET from localhost, or from anywhere that isn’t example.com; however, that isn’t the case. I am able to GET objects in this bucket from localhost, as well as from http://dev.example.com.

What am I not understanding?
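The behaviour the question describes is what CORS is designed to do, and the gap is worth spelling out because the question treats a CORS rule as an access control. An S3-style object store never refuses a GET because of the Origin header: it serves the object with 200 either way and only adds Access-Control-Allow-Origin when a rule matches. The browser then withholds the body from page scripts on non-matching origins, while <img>, <video>, direct navigation and curl are never subject to CORS at all. Actually restricting who can fetch an object needs something else, such as a bucket policy on S3 or private objects served through pre-signed URLs. The JavaScript below is an added example, not the poster's code and not the service's implementation; it models that evaluation with the rule from the question, and its origin matching and response shape are this example's own simplification of the S3 CORS algorithm.

```javascript
// Added example, not from the original post: a model of how an S3-style
// object store evaluates a CORS configuration. The rule shape follows the
// putBucketCors parameters; the matching logic is this example's own
// simplification of the S3 algorithm (the first rule whose origins, methods
// and request headers all allow the request wins; '*' is a wildcard).
const CORS_RULES = [
  { AllowedHeaders: ['*'], AllowedMethods: ['GET'], AllowedOrigins: ['https://example.com'] },
];

// One allowed-origin pattern against a request Origin. S3 permits a single
// '*' inside a pattern, e.g. 'https://*.example.com'.
function originMatches(pattern, origin) {
  if (pattern === '*') return true;
  const [prefix, suffix] = pattern.split('*');
  if (suffix === undefined) return pattern === origin;
  return origin.length >= prefix.length + suffix.length &&
    origin.startsWith(prefix) && origin.endsWith(suffix);
}

function findMatchingRule(rules, { origin, method, requestHeaders = [] }) {
  return rules.find((rule) =>
    rule.AllowedOrigins.some((p) => originMatches(p, origin)) &&
    rule.AllowedMethods.includes(method) &&
    requestHeaders.every((h) => (rule.AllowedHeaders || []).some(
      (a) => a === '*' || a.toLowerCase() === h.toLowerCase())));
}

// The store serves the object whether or not a rule matches; CORS only
// decides which extra headers go on the response.
function serveObject(rules, request, objectExists = true) {
  const response = { status: objectExists ? 200 : 404, headers: {} };
  const rule = request.origin ? findMatchingRule(rules, request) : undefined;
  if (rule) {
    response.headers['Access-Control-Allow-Origin'] =
      rule.AllowedOrigins.includes('*') ? '*' : request.origin;
    response.headers['Access-Control-Allow-Methods'] = rule.AllowedMethods.join(', ');
    response.headers['Vary'] = 'Origin';
  }
  return response;
}

// What a browser does with that response for a script-initiated fetch():
// with no matching Access-Control-Allow-Origin it hides the body from the
// page, but the bytes have already left the bucket.
function browserExposesToScript(response, origin) {
  const allow = response.headers['Access-Control-Allow-Origin'];
  return response.status === 200 && (allow === '*' || allow === origin);
}

// Loads that are not subject to CORS: <img>, <video>, <a href>, curl.
// They succeed whenever the store answers 200, whatever the Origin.
function nonCorsLoadSucceeds(response) {
  return response.status === 200;
}

// Walk through the origins mentioned in the question.
function summarize(rules, origin) {
  const res = serveObject(rules, { origin, method: 'GET' });
  return {
    origin,
    storeStatus: res.status,
    scriptCanRead: browserExposesToScript(res, origin),
    imgTagLoads: nonCorsLoadSucceeds(res),
  };
}

for (const o of ['https://example.com', 'http://localhost:3000', 'http://dev.example.com']) {
  console.log(summarize(CORS_RULES, o));
}
```

For localhost and http://dev.example.com the model returns storeStatus 200 with scriptCanRead false and imgTagLoads true, which is exactly the observation in the question: the CORS rule is working, it just does not gate the download.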

Any answers on this?


Hi, did you fix it? I’m in the same situation. I’m trying to set the following CORS XML:

<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin></AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedHeader></AllowedHeader>
  </CORSRule>
</CORSConfiguration>

Using:

s3cmd setcors s3cors.xml s3://myfiles

But I’m getting:

WARNING: Retrying failed request: /?cors (500 (UnknownError))
WARNING: Retrying failed request: /?cors (500 (UnknownError))

Sent a ticket to DigitalOcean Support 5 hours ago … still no answer …

Did you get any resolution for this from the DO Team?

I’m trying to prevent other websites from hotlinking images/videos hosted in my DigitalOcean Spaces account.

If other websites are able to show images/videos which I’m paying hosting for, it defeats the purpose of using Spaces, I think.

Hey all - we just released a UI for CORS in the Control Panel. Hopefully this helps a bit.

Posting this for reference as it pertains to the original use case that prompted the question:

https://stackoverflow.com/questions/46516183/s3-cors-configuration-restricting-to-specific-domains-has-no-affect

As for DigitalOcean, I believe the generated XML is not right, since DigitalOcean expects something like this

<CORSConfiguration>
 <CORSRule>
  .....

according to the API docs; however, with boto it seems to generate using

CORSConfiguration: {
    CORSRules: [

Note the difference between CORSRules (boto) and CORSRule (DO API).

I have also been working on this for an entire day.
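The CORSRules versus CORSRule difference noted in the last comment is the boundary between the SDK's parameter shape and the wire format, not two incompatible APIs: the SDK serialises the CORSRules array into one <CORSRule> element per rule, and each plural array (AllowedOrigins, AllowedMethods, AllowedHeaders, ExposeHeaders) into one singular element per value, which is the XML that s3cmd setcors sends as-is. The JavaScript below is an added example, not SDK or DigitalOcean code, that performs that conversion in both directions with a small hand-written serializer and parser (no dependencies, flat CORS documents only), plus a validator applying the S3 requirement that every rule carry at least one AllowedOrigin and one AllowedMethod. It does not establish what caused the 500 from s3cmd earlier in the thread; it lets you check a JSON or XML configuration before sending it and compare what getBucketCors returns with what you intended.

```javascript
// Added example, not SDK or DigitalOcean code: convert between the AWS SDK's
// putBucketCors parameter shape (CORSConfiguration.CORSRules[]) and the XML
// body the S3 API expects (<CORSConfiguration><CORSRule>...). Hand-written
// serializer and parser so it runs with no dependencies; they handle only
// this flat document, not general XML.

// SDK field (plural array) -> XML element (one element per value).
const FIELD_TO_ELEMENT = {
  AllowedOrigins: 'AllowedOrigin',
  AllowedMethods: 'AllowedMethod',
  AllowedHeaders: 'AllowedHeader',
  ExposeHeaders: 'ExposeHeader',
};
const S3_METHODS = ['GET', 'PUT', 'POST', 'DELETE', 'HEAD'];

// S3 requires at least one AllowedOrigin and one AllowedMethod per rule; an
// empty <AllowedOrigin></AllowedOrigin> fails the same check here.
function validateCorsConfig(config) {
  const errors = [];
  const rules = config.CORSConfiguration && config.CORSConfiguration.CORSRules;
  if (!Array.isArray(rules) || rules.length === 0) return ['CORSRules must be a non-empty array'];
  rules.forEach((rule, i) => {
    const origins = (rule.AllowedOrigins || []).filter(Boolean);
    if (origins.length === 0) errors.push(`rule ${i}: at least one non-empty AllowedOrigin is required`);
    const methods = rule.AllowedMethods || [];
    if (methods.length === 0) errors.push(`rule ${i}: at least one AllowedMethod is required`);
    for (const m of methods) {
      if (!S3_METHODS.includes(m)) errors.push(`rule ${i}: unsupported AllowedMethod ${m}`);
    }
  });
  return errors;
}

const escapeXml = (s) => String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const unescapeXml = (s) => s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');

// SDK/boto JSON shape -> the XML the S3 API (and s3cmd setcors) actually send.
function corsConfigToXml(config) {
  const errors = validateCorsConfig(config);
  if (errors.length) throw new Error(errors.join('; '));
  const lines = ['<CORSConfiguration>'];
  for (const rule of config.CORSConfiguration.CORSRules) {
    lines.push('  <CORSRule>');
    for (const [field, element] of Object.entries(FIELD_TO_ELEMENT)) {
      for (const value of rule[field] || []) {
        lines.push(`    <${element}>${escapeXml(value)}</${element}>`);
      }
    }
    if (rule.MaxAgeSeconds !== undefined) {
      lines.push(`    <MaxAgeSeconds>${Number(rule.MaxAgeSeconds)}</MaxAgeSeconds>`);
    }
    lines.push('  </CORSRule>');
  }
  lines.push('</CORSConfiguration>');
  return lines.join('\n');
}

// XML -> SDK shape, e.g. to lint an s3cmd file before uploading it.
function parseCorsXml(xml) {
  const rules = [];
  const ruleRe = /<CORSRule>([\s\S]*?)<\/CORSRule>/g;
  let m;
  while ((m = ruleRe.exec(xml)) !== null) {
    const body = m[1];
    const rule = {};
    for (const [field, element] of Object.entries(FIELD_TO_ELEMENT)) {
      const valueRe = new RegExp(`<${element}>([\\s\\S]*?)</${element}>`, 'g');
      const values = [];
      let v;
      while ((v = valueRe.exec(body)) !== null) values.push(unescapeXml(v[1]));
      if (values.length) rule[field] = values;
    }
    const age = /<MaxAgeSeconds>(\d+)<\/MaxAgeSeconds>/.exec(body);
    if (age) rule.MaxAgeSeconds = Number(age[1]);
    rules.push(rule);
  }
  return { CORSConfiguration: { CORSRules: rules } };
}

// Field-by-field comparison, e.g. of a getBucketCors result against what was
// sent; the order of values inside a rule does not matter.
function rulesEqual(a, b) {
  if (a.length !== b.length) return false;
  const norm = (r) => JSON.stringify(Object.keys(FIELD_TO_ELEMENT)
    .map((f) => [...(r[f] || [])].sort())
    .concat([r.MaxAgeSeconds === undefined ? null : r.MaxAgeSeconds]));
  return a.every((rule, i) => norm(rule) === norm(b[i]));
}

// The configuration from the question, in SDK shape, rendered as XML.
const QUESTION_CONFIG = { CORSConfiguration: { CORSRules: [
  { AllowedHeaders: ['*'], AllowedMethods: ['GET'], AllowedOrigins: ['https://example.com'] },
] } };
console.log(corsConfigToXml(QUESTION_CONFIG));
```

Feeding the one-line XML from the s3cmd comment through parseCorsXml and validateCorsConfig reports the empty AllowedOrigin as the single problem, and corsConfigToXml refuses to serialise it, which is the kind of pre-flight check worth running before a setcors or putBucketCors call.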