Applying a CORS policy to a bucket
What is CORS
CORS (Cross-Origin Resource Sharing) is a header-based mechanism for HTTP-addressable content that defines when a web browser may reference or load that content on behalf of a page served from another domain (origin).
Web applets or native applications that use s3.cern.ch as a backend for data storage, and that also expect clients to interact with the endpoint indirectly, will need a CORS policy.
For example, if you have a domain / URI https://mywebapp.cern.ch that contains or generates elements which load content from a bucket, e.g. https://s3.cern.ch/mywebapp, a valid CORS policy needs to be present on the mywebapp bucket.
Do I really need a CORS Policy?
Before deploying a service or application that makes use of CORS or S3, you should consider: is there an existing centrally managed service provided by the IT department that can resolve your use case?
Create a CORS Policy
The most common case regarding CORS policies is to allow GETs on a given bucket, for the proxying of application data. Below is an example that achieves this:
<CORSConfiguration>
<CORSRule>
<ID>Allow GET from mywebapp.cern.ch</ID> <!-- define the individual CORS rule name -->
<AllowedOrigin>https://mywebapp.cern.ch</AllowedOrigin> <!-- which origin (scheme + host) may reference content in this bucket? -->
<AllowedMethod>GET</AllowedMethod> <!-- which HTTP verbs are allowed? -->
<AllowedHeader>*</AllowedHeader> <!-- which request headers are allowed? -->
<MaxAgeSeconds>3000</MaxAgeSeconds> <!-- how long may the browser cache the preflight response? -->
</CORSRule>
</CORSConfiguration>
For a more detailed explanation of the parameters available in a CORS rule, see the AWS S3 documentation on CORS configuration.
Once you have decided upon your CORS policy, write it to a .xml file.
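Before running setcors it helps to check what a policy file actually permits. The following is an added example, not part of the CERN documentation or of s3cmd: it parses a CORS configuration in the format shown above (the embedded sample is a constructed copy of this page's single rule), reports which rule would match a given browser Origin header and method, and flags wildcard origins or non-read methods. The fnmatch-based origin comparison is an approximation of S3's single-wildcard AllowedOrigin matching.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
# Constructed sample: the same single-rule policy this page applies to s3://mywebapp.
CORS_XML = """<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<ID>Allow GET from mywebapp.cern.ch</ID>
<AllowedOrigin>https://mywebapp.cern.ch</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedHeader>*</AllowedHeader>
<MaxAgeSeconds>3000</MaxAgeSeconds>
</CORSRule>
</CORSConfiguration>"""

LIST_TAGS = ("AllowedOrigin", "AllowedMethod", "AllowedHeader")
def local(tag):  # strip the S3 XML namespace prefix if present (s3cmd info output has it)
    return tag.split("}", 1)[-1]

def parse_rules(xml_text):
    """Return one dict per CORSRule with its ID, list-valued fields and MaxAgeSeconds."""
    rules = []
    for rule in ET.fromstring(xml_text):
        if local(rule.tag) != "CORSRule":
            continue
        r = {"ID": None, "MaxAgeSeconds": None, **{t: [] for t in LIST_TAGS}}
        for child in rule:
            name, text = local(child.tag), (child.text or "").strip()
            if name in LIST_TAGS:
                r[name].append(text)
            elif name in ("ID", "MaxAgeSeconds"):
                r[name] = text
        rules.append(r)
    return rules

def matching_rule(rules, origin, method):
    """First rule allowing this Origin (scheme included, exact match) and method, else None.
    S3 permits one '*' wildcard in AllowedOrigin; fnmatchcase approximates that."""
    for r in rules:
        if method in r["AllowedMethod"] and any(fnmatchcase(origin, o) for o in r["AllowedOrigin"]):
            return r
    return None

def audit(rules):
    """Flag the settings a reviewer should question before running setcors."""
    findings = []
    for r in rules:
        if "*" in r["AllowedOrigin"]:
            findings.append(f"{r['ID']}: wildcard AllowedOrigin")
        findings += [f"{r['ID']}: allows non-read method {m}" for m in r["AllowedMethod"] if m not in ("GET", "HEAD")]
    return findings
```

Point parse_rules at the contents of your own cors.xml (or at the CORS line from s3cmd info) to confirm that only the origins and methods you intend are allowed.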
Apply the Policy
This section uses s3cmd. First, check that you are not overwriting an existing CORS policy on your bucket:
$ s3cmd info s3://mywebapp
s3://mywebapp (bucket):
Location: default
Payer: BucketOwner
Ownership: none
Versioning:none
Expiration rule: none
Block Public Access: none
Policy: none
CORS: none <------------------------
ACL: Zachary Goggin: FULL_CONTROL
Double check your Policy is appropriate:
$ cat cors.xml
<CORSConfiguration>
<CORSRule>
<ID>Allow GET from mywebapp.cern.ch</ID>
<AllowedOrigin>https://mywebapp.cern.ch</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedHeader>*</AllowedHeader>
<MaxAgeSeconds>3000</MaxAgeSeconds>
</CORSRule>
</CORSConfiguration>
Apply the policy, then check that it appears as expected:
$ s3cmd setcors cors.xml s3://mywebapp
$ s3cmd info s3://mywebapp
s3://mywebapp (bucket):
Location: default
Payer: BucketOwner
Ownership: none
Versioning:none
Expiration rule: none
Block Public Access: none
Policy: none
CORS: <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><CORSRule><ID>Allow GET from mywebapp.cern.ch</ID><AllowedMethod>GET</AllowedMethod><AllowedOrigin>https://mywebapp.cern.ch</AllowedOrigin><AllowedHeader>*</AllowedHeader><MaxAgeSeconds>3000</MaxAgeSeconds></CORSRule></CORSConfiguration>
ACL: Zachary Goggin: FULL_CONTROL
If you realise you have made a mistake, you can remove your CORS policy like so: