Setting Access-Control-Allow-Origin in my space doesn't work with *

August 7, 2019 201 views
React DigitalOcean Ubuntu 16.04

I’ve set my headers in my space to be Access-Control-Allow-Origin:* with all permissions set. Every time I load in an image from the space onto my localhost, every request to that image doesn’t work. Here’s an image you can try it on:

What gives? I keep getting an error that I feel I shouldn’t be receiving after setting it.

Thanks in advance!

  • Hey there @2hands10fingers,

    When I attempt to request this image, it resolves correctly but it looks like the CORS header isn’t set?

    • curl -I
    HTTP/1.1 200 OK
    Content-Length: 22621
    Accept-Ranges: bytes
    Last-Modified: Tue, 06 Aug 2019 18:55:40 GMT
    ETag: "61edfce11ffd265ceea0769d1d20bf6b"
    x-amz-request-id: tx000000000000104f17ab9-005d4be617-23e283-sfo2a
    Content-Type: application/octet-stream
    Date: Thu, 08 Aug 2019 09:06:31 GMT
    Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
  • @MattIPv4 Thank you for your reply Matt. I have made a screenshot of the settings I have on the space which is hosting the images ( As far as I’m aware, this is all I need to do, yet it’s not working. I’m a little new to CORS configurations, so bear with me.


1 Answer

Hey! Thanks for providing the screenshot!

The CORS settings for your Spaces are working, and here is the curl output:

curl -v -X OPTIONS  '' -H "Origin:https://localhost" -H "Access-Control-Request-Method: GET,PUT,POST,HEAD,DELETE"
*   Trying…
* Connected to ( port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *
* Server certificate: DigiCert SHA2 Secure Server CA
* Server certificate: DigiCert Global Root CA
> OPTIONS /1/1565117740336-dog.g-1q0nvMe.jpeg HTTP/1.1
> Host:
> User-Agent: curl/7.54.0
> Accept: */*
> Origin:https://localhost
> Access-Control-Request-Method: GET,PUT,POST,HEAD,DELETE
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: https://localhost
< Vary: Origin
< Access-Control-Allow-Methods: GET,PUT,POST,HEAD,DELETE
< Access-Control-Max-Age: 0
< x-amz-request-id: tx000000000000112633397-005d52a396-23e283-sfo2a
< Content-Length: 0
< Date: Tue, 13 Aug 2019 11:48:38 GMT
< Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
* Connection #0 to host left intact
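
Of the two curl captures in this thread, the second sends an Origin request header and the first does not. The following is an added example, not code from the thread or from DigitalOcean, that applies a simplified form of the browser's Access-Control-Allow-Origin check to headers copied from each capture; the function names and the `http://localhost:3000` origin are constructed for illustration.

```javascript
// Added example; function names are hypothetical. Header values are copied
// from the two curl captures in this thread (some headers omitted).
const WITHOUT_ORIGIN = `HTTP/1.1 200 OK
Content-Length: 22621
Content-Type: application/octet-stream
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload`;

const WITH_ORIGIN = `HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://localhost
Vary: Origin
Access-Control-Allow-Methods: GET,PUT,POST,HEAD,DELETE
Access-Control-Max-Age: 0`;

// Parse "Name: value" lines into a map keyed by lowercase header name.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split("\n")) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // status line or blank line
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Decide whether a page at pageOrigin may read the response.
function corsVerdict(raw, pageOrigin, withCredentials = false) {
  const h = parseHeaders(raw);
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return { allowed: false, reason: "no Access-Control-Allow-Origin" };
  if (acao === "*") {
    // Browsers reject the wildcard when the request carries credentials.
    return withCredentials
      ? { allowed: false, reason: "wildcard with credentials" }
      : { allowed: true, reason: "wildcard" };
  }
  // Origins compare exactly: scheme, host and port must all match.
  if (acao !== pageOrigin) return { allowed: false, reason: "origin mismatch" };
  // An echoed origin without Vary: Origin can be served from a shared cache to another origin.
  const vary = (h["vary"] || "").toLowerCase().split(",").map((s) => s.trim());
  return { allowed: true, reason: vary.includes("origin") ? "origin echoed" : "origin echoed, Vary missing" };
}

console.log(corsVerdict(WITHOUT_ORIGIN, "https://localhost"));
console.log(corsVerdict(WITH_ORIGIN, "https://localhost"));
console.log(corsVerdict(WITH_ORIGIN, "http://localhost:3000")); // constructed origin
```

The verdict is only as good as the capture: a response fetched without an Origin header, or with a different Origin than the page's, says nothing about what the browser will receive.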