Setting Access-Control-Allow-Origin in my space doesn't work with *

I’ve set my headers in my space to be Access-Control-Allow-Origin:* with all permissions set. Every time I load in an image from the space onto my localhost, every request to that image doesn’t work. Here’s an image you can try it on:

What gives? I keep getting an error that I feel I shouldn’t be receiving after setting it.

Thanks in advance!


@MattIPv4 Thank you for your reply Matt. I have made a screenshot of the settings I have on the space which is hosting the images ( As far as I’m aware, this is all I need to do, yet it’s not working. I’m a little new to CORS configurations, so bear with me.


Hey there @2hands10fingers,

When I attempt to request this image, it resolves correctly but it looks like the CORS header isn’t set?

curl -I
HTTP/1.1 200 OK
Content-Length: 22621
Accept-Ranges: bytes
Last-Modified: Tue, 06 Aug 2019 18:55:40 GMT
ETag: "61edfce11ffd265ceea0769d1d20bf6b"
x-amz-request-id: tx000000000000104f17ab9-005d4be617-23e283-sfo2a
Content-Type: application/octet-stream
Date: Thu, 08 Aug 2019 09:06:31 GMT
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload


Worth noting that if you have CDN enabled, it looks as though you might have to clear the cache for CORS changes to take effect.

Hey! Thanks for providing the screenshot!

The CORS settings for your Spaces are working and here is the curl output:

curl -v -X OPTIONS  '' -H "Origin:https://localhost" -H "Access-Control-Request-Method: GET,PUT,POST,HEAD,DELETE"
*   Trying
* Connected to ( port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *
* Server certificate: DigiCert SHA2 Secure Server CA
* Server certificate: DigiCert Global Root CA
> OPTIONS /1/1565117740336-dog.g-1q0nvMe.jpeg HTTP/1.1
> Host:
> User-Agent: curl/7.54.0
> Accept: */*
> Origin:https://localhost
> Access-Control-Request-Method: GET,PUT,POST,HEAD,DELETE
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: https://localhost
< Vary: Origin
< Access-Control-Allow-Methods: GET,PUT,POST,HEAD,DELETE
< Access-Control-Max-Age: 0
< x-amz-request-id: tx000000000000112633397-005d52a396-23e283-sfo2a
< Content-Length: 0
< Date: Tue, 13 Aug 2019 11:48:38 GMT
< Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
* Connection #0 to host left intact
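
An added example, not part of the thread: it applies the browser's Access-Control-Allow-Origin check to the two header sets quoted above (the request sent without an Origin header and the one sent with it) and flags an echoed origin that lacks Vary: Origin, which matters when a CDN cache sits in front. The helper names parseHeaders and checkCors are assumptions, and only a subset of each response's headers is embedded.

```javascript
// Added example; parseHeaders and checkCors are hypothetical helper names.

// Turn "Name: value" lines (curl -I or curl -v "< " output) into a lowercase map.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split('\n')) {
    const text = line.replace(/^<\s*/, '').trim();
    const idx = text.indexOf(':');
    if (idx <= 0) continue; // status line or blank line
    headers[text.slice(0, idx).toLowerCase()] = text.slice(idx + 1).trim();
  }
  return headers;
}

// Apply the browser's check for a non-credentialed cross-origin read.
function checkCors(headers, origin) {
  const acao = headers['access-control-allow-origin'];
  const warnings = [];
  if (acao === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header', warnings };
  }
  if (acao === '*') return { allowed: true, reason: 'wildcard', warnings };
  if (acao !== origin) {
    return { allowed: false, reason: `header allows ${acao}, not ${origin}`, warnings };
  }
  // An echoed origin is only safe to cache (CDN, browser) when Vary lists Origin.
  const vary = (headers['vary'] || '').toLowerCase().split(',').map((v) => v.trim());
  if (!vary.includes('origin') && !vary.includes('*')) {
    warnings.push('origin echoed without Vary: Origin; a cache may replay it to other origins');
  }
  return { allowed: true, reason: 'origin echoed', warnings };
}

// Subsets of the headers from the two curl outputs in the thread.
const headResponse = `HTTP/1.1 200 OK
Content-Length: 22621
Content-Type: application/octet-stream
Date: Thu, 08 Aug 2019 09:06:31 GMT`;
const originResponse = `< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: https://localhost
< Vary: Origin
< Access-Control-Allow-Methods: GET,PUT,POST,HEAD,DELETE`;

console.log(checkCors(parseHeaders(headResponse), 'https://localhost'));
console.log(checkCors(parseHeaders(originResponse), 'https://localhost'));
```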