
Applying a CORS policy to a bucket

What is CORS

CORS (Cross-Origin Resource Sharing) is an HTTP header mechanism that tells a web browser whether content served from one origin may be referenced or loaded by a page whose request originates from another domain.

Web applets or native applications that use s3.cern.ch as a storage backend, and that also expect clients to interact with the endpoint indirectly (i.e. from within a browser page rather than directly), will need a CORS policy.

For example, if you have a domain / URI https://mywebapp.cern.ch that contains or generates elements which load content from a bucket, e.g. https://s3.cern.ch/mywebapp, a valid CORS policy needs to be present on the mywebapp bucket.

Do I really need a CORS Policy?

Before deploying a service or application that makes use of CORS or S3, you should consider: is there an existing centrally managed service provided by the IT department that can resolve your use case?

Create a CORS Policy

The most common case for a CORS policy is to allow GET requests on a given bucket, so that a web application can load its data from it. Below is an example that achieves this:

<CORSConfiguration>
<CORSRule>
    <ID>ALlow GET from mywebapp.cern.ch</ID> <!-- define the individual CORS rule name -->
    <AllowedOrigin>https://mywebapp.cern.ch</AllowedOrigin> <!-- what URL can reference content in this bucket? -->
    <AllowedMethod>GET</AllowedMethod> <!-- what HTTP verbs are allowed? -->
    <AllowedHeader>*</AllowedHeader> <!-- what headers are allowed during the request? -->
    <MaxAgeSeconds>3000</MaxAgeSeconds> <!-- how long can the preflight result be cached in the browser? -->
</CORSRule>
</CORSConfiguration>

For a more detailed explanation of the elements and parameters available in a CORS configuration, see the AWS S3 documentation on CORS.

Once you have decided upon your CORS policy, write it to a .xml file.
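Before applying the file, it is worth checking that it is no broader than intended. The following lint script is an added example and not part of the s3.cern.ch documentation; it parses the CORSConfiguration XML (in both the plain form you write and the namespaced form that s3cmd info prints back) and reports any rule that allows a wildcard origin, a non-https origin, or write methods. The two sample policies embedded in it are constructed for illustration.

```python
# Added example (not from the s3.cern.ch docs): lint a CORS configuration
# before running `s3cmd setcors`. It accepts both the plain XML you write and
# the namespaced form that `s3cmd info` prints back.
import xml.etree.ElementTree as ET

SAFE_METHODS = {"GET", "HEAD"}  # read-only verbs, as in the GET example above

def _texts(rule, name):  # text of every child <name>, in any (or no) namespace
    return [(e.text or "").strip() for e in rule.findall("{*}" + name)]

def parse_cors(xml_text):
    """Return one dict per <CORSRule>; repeatable elements become lists."""
    root = ET.fromstring(xml_text)
    return [{"ID": rule.findtext("{*}ID"),
             "AllowedOrigin": _texts(rule, "AllowedOrigin"),
             "AllowedMethod": _texts(rule, "AllowedMethod"),
             "AllowedHeader": _texts(rule, "AllowedHeader")}
            for rule in root.findall("{*}CORSRule")]

def lint_cors(xml_text):
    """Return findings for rules broader than the GET-only policy; [] means none."""
    rules = parse_cors(xml_text)
    if not rules:
        return ["no CORSRule found (wrong root element or empty file?)"]
    findings = []
    for i, rule in enumerate(rules, 1):
        label = rule["ID"] or "rule #%d" % i
        if not rule["AllowedOrigin"]:
            findings.append("%s: no AllowedOrigin, so the rule never matches" % label)
        for origin in rule["AllowedOrigin"]:
            if origin == "*":
                findings.append("%s: AllowedOrigin '*' lets any site read this bucket" % label)
            elif not origin.startswith("https://"):
                findings.append("%s: origin %s is not https" % (label, origin))
        writes = sorted(set(rule["AllowedMethod"]) - SAFE_METHODS)
        if writes:
            findings.append("%s: write methods %s allowed cross-origin" % (label, writes))
    return findings

# Constructed inputs: the page's policy as `s3cmd info` prints it, and a loose one.
GET_ONLY = ('<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><CORSRule>'
            '<ID>ALlow GET from mywebapp.cern.ch</ID><AllowedMethod>GET</AllowedMethod><AllowedOrigin>'
            'https://mywebapp.cern.ch</AllowedOrigin><AllowedHeader>*</AllowedHeader>'
            '<MaxAgeSeconds>3000</MaxAgeSeconds></CORSRule></CORSConfiguration>')
PERMISSIVE = ('<CORSConfiguration><CORSRule><ID>open</ID><AllowedOrigin>*</AllowedOrigin>'
              '<AllowedMethod>GET</AllowedMethod><AllowedMethod>PUT</AllowedMethod>'
              '<AllowedHeader>*</AllowedHeader></CORSRule></CORSConfiguration>')

if __name__ == "__main__":
    for name, doc in (("GET_ONLY", GET_ONLY), ("PERMISSIVE", PERMISSIVE)):
        print(name, lint_cors(doc) or ["ok"])
```

To check your own file, call lint_cors(open("cors.xml").read()) and apply the policy only when it returns an empty list.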

Apply the Policy

This section uses s3cmd. First, check that you are not overwriting an existing CORS policy on your bucket:

$ s3cmd info s3://mywebapp
s3://mywebapp (bucket):
   Location:  default
   Payer:     BucketOwner
   Ownership: none
   Versioning:none
   Expiration rule: none
   Block Public Access: none
   Policy:    none
   CORS:      none  <------------------------
   ACL:       Zachary Goggin: FULL_CONTROL

Double-check that your policy is appropriate:

$ cat cors.xml
<CORSConfiguration>
<CORSRule>
    <ID>ALlow GET from mywebapp.cern.ch</ID>
    <AllowedOrigin>https://mywebapp.cern.ch</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
</CORSRule>
</CORSConfiguration>

Apply the policy, then check that it was applied as expected:

$ s3cmd setcors cors.xml s3://mywebapp
$ s3cmd info s3://mywebapp
s3://mywebapp (bucket):
   Location:  default
   Payer:     BucketOwner
   Ownership: none
   Versioning:none
   Expiration rule: none
   Block Public Access: none
   Policy:    none
   CORS:      <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><CORSRule><ID>ALlow GET from mywebapp.cern.ch</ID><AllowedMethod>GET</AllowedMethod><AllowedOrigin>https://mywebapp.cern.ch</AllowedOrigin><AllowedHeader>*</AllowedHeader><MaxAgeSeconds>3000</MaxAgeSeconds></CORSRule></CORSConfiguration>
   ACL:       Zachary Goggin: FULL_CONTROL

If you realise you have made a mistake, you can remove your CORS policy like so:

$ s3cmd delcors s3://mywebapp
$ s3cmd info s3://mywebapp
s3://mywebapp (bucket):
   Location:  default
   Payer:     BucketOwner
   Ownership: none
   Versioning:none
   Expiration rule: none
   Block Public Access: none
   Policy:    none
   CORS:      none
   ACL:       Zachary Goggin: FULL_CONTROL