13

Recently I enabled Amazon S3 + CloudFront to serve as CDN for my rails application. In order to use font assets and display them in Firefox or IE, I have to enable CORS on my S3 bucket.

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

Then I ran curl -I https://small-read-staging-assets.s3.amazonaws.com/staging/assets/settings_settings-312b7230872a71a534812e770ec299bb.js.gz and got:

HTTP/1.1 200 OK
x-amz-id-2: Ovs0D578kzW1J72ej0duCi17lnw+wZryGeTw722V2XOteXOC4RoThU8t+NcXksCb
x-amz-request-id: 52E934392E32679A
Date: Tue, 04 Jun 2013 02:34:50 GMT
Cache-Control: public, max-age=31557600
Content-Encoding: gzip
Expires: Wed, 04 Jun 2014 08:16:26 GMT
Last-Modified: Tue, 04 Jun 2013 02:16:26 GMT
ETag: "723791e0c993b691c442970e9718d001"
Accept-Ranges: bytes
Content-Type: text/javascript
Content-Length: 39140
Server: AmazonS3

Should I see 'Access-Control-Allow-Origin' somewhere? Does S3 take time to update CORS settings? Can I force expiring headers if it's caching them?

Daiwei
  • 1
    Ensure you have addressed these issues if you do not see CORS take effect. http://docs.aws.amazon.com/AmazonS3/latest/dev/cors-troubleshooting.html Ideally it should not take too long. I have seen it take about a few minutes before. – Keshi Jul 22 '13 at 20:51
  • @Keshi thanks, the link helped... I had not realized you have to have the Origin header in your request match at least one of the AllowedOrigin elements in the specified CORSRule for it to be exposed into the header... duh :faceslap: – CrandellWS Nov 02 '18 at 12:54
  • Random issue causing a CORS update not to work: make sure there's no trailing slash in the domain name. – Fabien Snauwaert Oct 05 '22 at 12:27

4 Answers

8

Try sending the Origin header:

$ curl -v -H "Origin: http://example.com" -X GET https://small-read-staging-assets.s3.amazonaws.com/staging/assets/settings_settings-312b7230872a71a534812e770ec299bb.js.gz > /dev/null

The output should then show the CORS response headers you are looking for:

< Access-Control-Allow-Origin: http://example.com
< Access-Control-Allow-Methods: GET
< Access-Control-Allow-Credentials: true
< Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method

Additional information about how to debug CORS requests with cURL can be found here: How can you debug a CORS request with cURL?

Note that there are different types of CORS requests (simple and preflight); a nice tutorial about the differences can be found here: http://www.html5rocks.com/en/tutorials/cors/

Hope this helps!

Community
3

Try these:

  1. Try to scope-down the domain names you want to allow access to. S3 doesn't like *.
  2. CloudFront + S3 doesn't handle the CORS configuration correctly out of the box. A kludge is to append a query string containing the name of the referring domain, and explicitly enable support for query strings in your CloudFront distribution settings.
Ryan Parman
3

To answer the actual question in the title:

No, S3 does not seem to take any time to propagate the CORS settings. (as of 2019)

However, if you're using Chrome (and maybe others), then CORS settings may be cached by the browser so you won't necessarily see the changes you expect if you just do an ordinary browser refresh. Instead right click on the refresh button and choose "Empty Cache and Hard Reload" (as of Chrome 73). Then the new CORS settings will take effect within <~5 seconds of making the change in the AWS console. (It may be much faster than that. Haven't tested.) This applies to a plain S3 bucket. I don't know how CloudFront affects things.

(I realize this question is 6 years old and may have involved additional technical issues that other people have long since answered, but when you search for the simple question of propagation times for CORS changes, this question is what pops up first, so I think it deserves an answer that addresses that.)

thund
  • What is your reference for 5 secs? – Zulu Jun 22 '19 at 23:34
  • @Zulu: I measured it. I can make the change in one browser tab then immediately switch to another and do a hard reload to test it, and the changes have already propagated. That process takes me about 5 secs. I didn’t try to measure it below that resolution. My buckets are us-east-1 and I’m testing from SF Bay Area. – thund Jun 23 '19 at 09:30
1

You have a few problems with the way you test CORS.

  1. Your CORS configuration does not have a HEAD method.
  2. Your curl command does not have -H header.

I am able to get your data by using curl as follows. However, it dumped garbage on my screen because your data is compressed binary.

curl --request GET  https://small-read-staging-assets.s3.amazonaws.com/staging/assets/settings_settings-312b7230872a71a534812e770ec299bb.js.gz -H "Origin: http://google.com"
Zameer Ansari
Shu
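
Added example (not part of any answer above, and not AWS code): a simplified offline model of S3's documented CORS rule matching, run against the rule from the question. It shows why a curl -I request (HEAD, no Origin header) gets no CORS headers, and why a trailing slash in AllowedOrigin never matches. The function names are made up for illustration, and AllowedHeader and preflight handling are left out.

```python
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# The CORSRule from the question (XML declaration omitted).
QUESTION_CONFIG = """<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>"""

def load_rules(xml_text):
    """Parse a CORSConfiguration document into (origins, methods) pairs."""
    rules = []
    for rule in ET.fromstring(xml_text).findall("s3:CORSRule", NS):
        origins = [e.text.strip() for e in rule.findall("s3:AllowedOrigin", NS)]
        methods = {e.text.strip().upper() for e in rule.findall("s3:AllowedMethod", NS)}
        rules.append((origins, methods))
    return rules

def origin_matches(pattern, origin):
    """Exact string match, with at most one '*' wildcard in the pattern."""
    if "*" not in pattern:
        return pattern == origin
    prefix, suffix = pattern.split("*", 1)
    return (len(origin) >= len(prefix) + len(suffix)
            and origin.startswith(prefix) and origin.endswith(suffix))

def matching_rule(rules, method, origin=None):
    """Index of the first rule that matches, or None (no CORS headers sent)."""
    if origin is None:  # a request without an Origin header is not a CORS request
        return None
    for i, (origins, methods) in enumerate(rules):
        if method.upper() in methods and any(origin_matches(p, origin) for p in origins):
            return i
    return None

if __name__ == "__main__":
    rules = load_rules(QUESTION_CONFIG)
    print("curl -I, no Origin:   ", matching_rule(rules, "HEAD"))
    print("GET with Origin:      ", matching_rule(rules, "GET", "http://example.com"))
    print("HEAD with Origin:     ", matching_rule(rules, "HEAD", "http://example.com"))
    print("trailing-slash origin:", origin_matches("http://example.com/", "http://example.com"))
```
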