5

I have the following CORS configuration for my Amazon S3 bucket. The thing is that the configuration seems to be completely ignored. I do not get any Access-Control-Allow-Origin headers when requesting objects from the bucket. Does or did anyone have a similar issue or debugging hints?

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>http://www.example.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
<CORSRule>
    <AllowedOrigin>http://localhost:8100</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

This is my bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example.com/*"
        }
    ]
}
sebbo

2 Answers

1

You must supply an Origin header on the request in order to get the Access-Control-Allow-Origin header on the response.

Using curl:

$ curl -i -XGET -H 'Origin: http://www.example.com' https://my-bucket.s3.amazonaws.com/doc/2006-03-01/

Note that, contrary to the documentation, CORS configuration is honored even if you do not enable "Static Website Hosting" on the bucket. You can access the bucket either by the bucket subdomain (as above) or via the full path: https://s3.amazonaws.com/my-bucket/doc/2006-03-01

bk0
  • Still no difference :-( I can still access all files in the bucket without specifying an origin header. Do I have to adjust anything in my bucket policy? Updated my question with the contents of my policy. – sebbo May 17 '15 at 09:07
  • @sebbo - I think you misunderstand what CORS does. See here for an explanation: http://stackoverflow.com/a/10636765/2838391 CORS is used for cross-domain resource sharing. For certain types of files, CORS won't apply. – Rakesh Bollampally May 18 '15 at 10:31
  • @RakeshBollampally Yes but what I meant was that when I define a CORS policy for my bucket then I should only be able to fetch resources when specifying the Origin header with one of the authorized origins right? When I fetch a resource from my bucket I can do that without specifying an Origin header even though the CORS policy is present. – sebbo May 18 '15 at 10:38
  • 1
    @sebbo - Not true. You can fetch assets without specifying the origin. This header is for the browser. *After* the browser downloads the file, it checks the header and decides whether or not the requesting page is violating the cross-origin policy of the browser. – Rakesh Bollampally May 18 '15 at 10:42
  • @RakeshBollampally Ahhh okay, so can I also provide an Origin header that is not "allowed" by the CORS policy and fetch an object from my bucket? For instance via curl? – sebbo May 18 '15 at 13:22
  • @sebbo - Yes, you can. – Rakesh Bollampally May 18 '15 at 13:42
  • @RakeshBollampally Oh good to know that. So it's more a browser based security mechanism. I am wondering why Chrome for instance is not sending the Origin header for image requests. Due to this I am getting "missing CORS headers" warnings when loading my images from S3. – sebbo May 18 '15 at 15:56
  • 1
    CORS is a security mechanism for client side javascript. I would imagine that unless you are loading the images via JS, no Origin header would be sent. – bk0 May 18 '15 at 22:14
  • @bk0 that means that there is no easy way to protect my images from being loaded from other pages? – sebbo May 19 '15 at 10:01
  • 1
    @sebbo - To protect the assets, the best way is to generate signed URLs. Is your application dynamic? Check this sample code for PHP: http://docs.aws.amazon.com/aws-sdk-php/v2/guide/service-s3.html#creating-a-pre-signed-url – Rakesh Bollampally May 19 '15 at 12:47
  • @RakeshBollampally yes - the application is dynamic. I will check your link. – sebbo May 19 '15 at 14:43
0

I am not sure why you are adding the extra xml information as I do not see that in the S3 documentation. Simply, this should work:

<CORSConfiguration>
<CORSRule>
    <AllowedOrigin>http://www.example.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
<CORSRule>
    <AllowedOrigin>http://localhost:8100</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
Noman Ur Rehman
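The following script is an added example, not code from either answer or from AWS. It models offline the two points made in this thread: the first answer and its comment trail (S3 adds CORS headers only when the request carries an Origin that a rule allows, and the object is served either way because the bucket policy, not CORS, decides access), and the second answer's observation that the configuration works with or without the `xmlns` attribute. The parser strips the namespace so both forms of the question's configuration yield identical rules; the evaluator mirrors S3's matching rules as documented (exact origin match or a single `*` wildcard, method must be listed, requested headers must be covered by AllowedHeader). It also makes a check worth running before blaming the configuration: an Origin without a scheme, such as `www.example.com`, does not match an AllowedOrigin of `http://www.example.com`, so no CORS headers come back. Both embedded configurations are constructed from the question; `simulate_get` is a hypothetical stand-in for a public-read bucket, and the exact header set S3 emits may differ slightly from this simulation.

```python
"""Offline simulation of S3-style CORS rule matching (added example, not AWS code)."""
import xml.etree.ElementTree as ET

# Constructed sample: the question's configuration, with its missing closing tag.
CONFIG_WITH_XMLNS = """<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>http://www.example.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
<CORSRule>
    <AllowedOrigin>http://localhost:8100</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>"""

# Constructed sample: the same rules without the xmlns attribute, as in the second answer.
CONFIG_WITHOUT_XMLNS = CONFIG_WITH_XMLNS.replace(
    ' xmlns="http://s3.amazonaws.com/doc/2006-03-01/"', "")


def _local(tag):
    """Drop a namespace prefix: '{http://...}CORSRule' -> 'CORSRule'."""
    return tag.rsplit("}", 1)[-1]


def parse_cors_rules(xml_text):
    """Parse a CORSConfiguration document (namespaced or bare) into rule dicts."""
    root = ET.fromstring(xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text)
    if _local(root.tag) != "CORSConfiguration":
        raise ValueError("root element must be CORSConfiguration, got %r" % root.tag)
    rules = []
    for rule in root:
        if _local(rule.tag) != "CORSRule":
            continue
        parsed = {"origins": [], "methods": [], "headers": [], "max_age": None}
        for child in rule:
            name, text = _local(child.tag), (child.text or "").strip()
            if name == "AllowedOrigin":
                parsed["origins"].append(text)
            elif name == "AllowedMethod":
                parsed["methods"].append(text.upper())
            elif name == "AllowedHeader":
                parsed["headers"].append(text.lower())  # header names are case-insensitive
            elif name == "MaxAgeSeconds":
                parsed["max_age"] = int(text)
        if not parsed["origins"] or not parsed["methods"]:
            raise ValueError("each CORSRule needs at least one AllowedOrigin and AllowedMethod")
        rules.append(parsed)
    return rules


def _matches(pattern, value):
    """Exact match, or a pattern containing a single '*' wildcard."""
    if pattern == "*":
        return True
    if "*" in pattern:
        head, _, tail = pattern.partition("*")
        return (len(value) >= len(head) + len(tail)
                and value.startswith(head) and value.endswith(tail))
    return pattern == value


def cors_headers(rules, method, origin=None, request_headers=()):
    """Return the CORS response headers from the first matching rule, or {}.

    No Origin header means no CORS headers; an Origin no rule allows also gets
    none.  Whether the object body is returned is up to the bucket policy.
    """
    if origin is None:
        return {}
    wanted = [h.lower() for h in request_headers]
    for rule in rules:
        if method.upper() not in rule["methods"]:
            continue
        if not any(_matches(p, origin) for p in rule["origins"]):
            continue
        if not all(any(_matches(p, h) for p in rule["headers"]) for h in wanted):
            continue
        # In this simulation the caller's Origin is reflected back unless the rule is '*'.
        allow_origin = "*" if "*" in rule["origins"] else origin
        headers = {
            "Access-Control-Allow-Origin": allow_origin,
            "Access-Control-Allow-Methods": ", ".join(rule["methods"]),
            "Vary": "Origin",
        }
        if rule["max_age"] is not None:
            headers["Access-Control-Max-Age"] = str(rule["max_age"])
        return headers
    return {}


def simulate_get(rules, origin=None):
    """Hypothetical public-read bucket: the GET succeeds whatever the Origin is."""
    return {"status": 200, "cors": cors_headers(rules, "GET", origin)}


if __name__ == "__main__":
    rules = parse_cors_rules(CONFIG_WITH_XMLNS)
    for origin in (None, "http://www.example.com", "www.example.com", "http://other.example"):
        print(repr(origin), "->", simulate_get(rules, origin))
```

Running it shows the status is 200 in every case while only the `http://www.example.com` request gets an Access-Control-Allow-Origin header back, which is exactly why a curl test without a proper Origin looks like the configuration is being ignored.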