CORS

Last update: November 19 2024

CORS

When a container is accessed, the user's browser declares the domain, request method, and headers in the request. Using cross-domain request technology (CORS), you can restrict access to objects in the container based on the values of these parameters.

To use CORS, the technology must be supported by both the repository and the user's browser; by default, CORS support is included in modern browsers.

For CORS to work, there must be Virtual-Hosted addressing is enabled.

You can set up the CORS configuration in the control panel or download the XML configuration file via S3 API.

CORS Parameters⁠

Caption	Description	Mandatory
AllowedOrigins	List of domains from which requests to the container are allowed	✓
AllowedHeaders	Headers available for use in a JavaScript application in the browser	✗
ExposeHeaders	Headers allowed in a request to an object	✗
AllowedMethods	HTTP methods allowed for use in requests. Available methods: GET, PUT, HEAD, POST, DELETE	✓
MaxAgeSeconds	Time for which Preflight request results can be cached (in seconds). If no header is specified, the default value of 3600 applies	✗

Set up the CORS configuration⁠

You can add up to 100 CORS rules.

1. In control panel go to Object Storage → Containers.
2. Open the container page → tab CORS.
3. Click Create a rule.
4. Set it up CORS rule parameters.
5. Optional: to add another rule, press Add rule.
6. Click Create.