CORS configuration for buckets
Updated at September 2, 2025
Object Storage allows you to manage bucket CORS configurations. To upload a CORS configuration to Object Storage, you need to create an XML document as described in this section. You can get a document in this format by downloading an existing configuration.
The general configuration format is as follows:
<CORSConfiguration>
  <CORSRule>
    <ID>Unique rule ID</ID>
    <AllowedMethod>HTTP method</AllowedMethod>
    <AllowedOrigin>Website</AllowedOrigin>
    <AllowedHeader>Header</AllowedHeader>
    <MaxAgeSeconds>Time in seconds</MaxAgeSeconds>
    <ExposeHeader>Header</ExposeHeader>
  </CORSRule>
</CORSConfiguration>
A configuration may contain up to 100 rules.
Elements
| Element | Description |
|---|---|
| CORSConfiguration | Root element of a CORS configuration. It may contain a maximum of 100 CORSRule elements. Path: /CORSConfiguration. |
| CORSRule | Rule for filtering incoming requests to the resource. Each rule must contain at least one AllowedMethod and AllowedOrigin element. Path: /CORSConfiguration/CORSRule. |
| ID | Unique rule ID (up to 255 characters). This is an optional parameter. It can be used to search for a rule in a file. Path: /CORSConfiguration/CORSRule/ID. |
| AllowedMethod | HTTP method (PUT, GET, HEAD, POST, or DELETE) that can be used in a cross-domain request. Each method should be specified in a separate element. Specify at least one method. Path: /CORSConfiguration/CORSRule/AllowedMethod. |
| AllowedOrigin | Website from which CORS requests to the bucket are allowed. Specify at least one AllowedOrigin element. It may not contain more than one `*` character. Examples: `http://*.example.com`, `*`. Path: /CORSConfiguration/CORSRule/AllowedOrigin. |
| AllowedHeader | Header allowed in a request to an object. If multiple headers are allowed, specify each one in a separate AllowedHeader element. You can use a single `*` character in the header name to define a template. For example, `<AllowedHeader>*</AllowedHeader>` means that all headers are allowed. An options request contains the Access-Control-Request-Headers header. Object Storage matches the headers listed in Access-Control-Request-Headers against the AllowedHeader set and returns a list of allowed headers in response to the options request. Path: /CORSConfiguration/CORSRule/AllowedHeader. |
| MaxAgeSeconds | Time in seconds during which the result of the options request to the object remains cached in the browser. Path: /CORSConfiguration/CORSRule/MaxAgeSeconds. |
| ExposeHeader | Header that can be exposed to browser JavaScript apps. If multiple headers are allowed, specify each one in a separate element. When requesting an object, the JavaScript client can only use the headers specified in ExposeHeader elements. Path: /CORSConfiguration/CORSRule/ExposeHeader. |
Example
The following configuration allows you to send CORS requests from the http://www.example.com website using the PUT, POST, and DELETE methods without any header restrictions.
<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>http://www.example.com</AllowedOrigin>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>
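
Before uploading a configuration, it can be checked locally against the limits in the Elements table. The following is an added example, not code from Object Storage: the `lint_cors` function, its finding format, and the sample document are assumptions made for illustration, and the final warning (any-origin access combined with write methods) is a review heuristic added here, not a rule the service enforces.

```python
import xml.etree.ElementTree as ET

METHODS = {"PUT", "GET", "HEAD", "POST", "DELETE"}  # from the Elements table

def lint_cors(xml_text):
    """Return (rule_number, level, message) findings for a CORS configuration."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # tolerate an xmlns declaration on the root element
        el.tag = el.tag.split("}")[-1]
    if root.tag != "CORSConfiguration":
        return [(0, "error", "root element must be CORSConfiguration")]
    rules = root.findall("CORSRule")
    out = []
    if len(rules) > 100:
        out.append((0, "error", "more than 100 CORSRule elements"))
    seen_ids = set()
    for n, rule in enumerate(rules, 1):
        def texts(tag):
            return [(e.text or "").strip() for e in rule.findall(tag)]
        methods, origins = texts("AllowedMethod"), texts("AllowedOrigin")
        if not methods or not origins:
            out.append((n, "error", "needs at least one AllowedMethod and AllowedOrigin"))
        for m in sorted(set(methods) - METHODS):
            out.append((n, "error", f"unsupported AllowedMethod {m!r}"))
        for tag in ("AllowedOrigin", "AllowedHeader"):
            for v in texts(tag):
                if v.count("*") > 1:
                    out.append((n, "error", f"{tag} {v!r} has more than one *"))
        for rid in texts("ID"):
            if len(rid) > 255 or rid in seen_ids:
                out.append((n, "error", "ID is over 255 characters or not unique"))
            seen_ids.add(rid)
        # Review heuristic added for this example, not a rule stated by the service.
        if "*" in origins and {"PUT", "POST", "DELETE"} & set(methods):
            out.append((n, "warn", "any origin may send PUT/POST/DELETE requests"))
    return out

# Constructed sample: rule 1 is well-formed, rule 2 is deliberately flawed.
SAMPLE = (
    "<CORSConfiguration>"
    "<CORSRule><AllowedOrigin>http://www.example.com</AllowedOrigin>"
    "<AllowedMethod>PUT</AllowedMethod><AllowedHeader>*</AllowedHeader></CORSRule>"
    "<CORSRule><AllowedOrigin>*</AllowedOrigin>"
    "<AllowedOrigin>http://*.example.*</AllowedOrigin>"
    "<AllowedMethod>PATCH</AllowedMethod><AllowedMethod>DELETE</AllowedMethod></CORSRule>"
    "</CORSConfiguration>"
)

if __name__ == "__main__":
    print(*lint_cors(SAMPLE), sep="\n")
```

An empty result means the document satisfies every limit checked here; it does not replace the validation Object Storage performs on upload.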