Testing CORS - Amazon Simple Storage Service
To test your CORS configuration, a CORS preflight request can be sent with the OPTIONS method so that the server can respond whether it is acceptable to send the request. When Amazon S3 receives a preflight request, S3 evaluates the CORS configuration for the bucket and uses the first CORSRule that matches the incoming request to enable a cross-origin request. For a rule to match, the following conditions must be met:
- The Origin header in a CORS request to your bucket must match the origins in the AllowedOrigins element in your CORS configuration.
- The HTTP methods that are specified in the Access-Control-Request-Method in a CORS request to your bucket must match the method or methods listed in the AllowedMethods element in your CORS configuration.
- The headers listed in the Access-Control-Request-Headers header in a preflight request must match the headers in the AllowedHeaders element in your CORS configuration.
The following is an example of a CORS configuration. To create a CORS Configuration, see Configuring CORS. For more examples of a CORS configuration, see Elements of a CORS configuration.
JSON
[
    {
        "AllowedHeaders": [
            "Authorization"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "POST",
            "DELETE"
        ],
        "AllowedOrigins": [
            "http://www.example1.com"
        ],
        "ExposeHeaders": [
            "x-amz-meta-custom-header"
        ]
    }
]
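As an added example (not AWS code and not S3's implementation), the following Python sketch models the first-match rule evaluation described above against the sample configuration, so a configuration can be checked offline before a preflight is sent. The single * wildcard handling, the case-insensitive header comparison, and the names wild_match, match_rule and SHADOWED_CONFIG are assumptions of this example.

```python
import json

# The sample configuration from this page.
CORS_CONFIG = json.loads("""
[{"AllowedHeaders": ["Authorization"],
  "AllowedMethods": ["GET", "PUT", "POST", "DELETE"],
  "AllowedOrigins": ["http://www.example1.com"],
  "ExposeHeaders": ["x-amz-meta-custom-header"]}]
""")

# Constructed configuration: a broad first rule shadows the specific second
# rule for GET, because only the first matching rule is used.
SHADOWED_CONFIG = [
    {"AllowedHeaders": ["*"], "AllowedMethods": ["GET"], "AllowedOrigins": ["*"]},
    {"AllowedHeaders": ["Authorization"], "AllowedMethods": ["GET", "PUT"],
     "AllowedOrigins": ["http://*.example1.com"]},
]

def wild_match(pattern, value):
    """Match a pattern holding at most one '*' wildcard (assumed syntax)."""
    if "*" not in pattern:
        return pattern == value
    prefix, suffix = pattern.split("*", 1)
    return (len(value) >= len(prefix) + len(suffix)
            and value.startswith(prefix) and value.endswith(suffix))

def match_rule(config, origin, method, request_headers=""):
    """Return the index of the first rule matching the preflight, or None.

    origin          -> value of the Origin header
    method          -> value of Access-Control-Request-Method
    request_headers -> value of Access-Control-Request-Headers (comma list)
    """
    # HTTP header names are case-insensitive, so compare them lowercased.
    wanted = [h.strip().lower() for h in request_headers.split(",") if h.strip()]
    for index, rule in enumerate(config):
        allowed = [h.lower() for h in rule.get("AllowedHeaders", [])]
        origin_ok = any(wild_match(o, origin) for o in rule["AllowedOrigins"])
        method_ok = method in rule["AllowedMethods"]
        # Every requested header must be allowed; one miss fails the rule.
        headers_ok = all(any(wild_match(a, h) for a in allowed) for h in wanted)
        if origin_ok and method_ok and headers_ok:
            return index
    return None

if __name__ == "__main__":
    print(match_rule(CORS_CONFIG, "http://www.example1.com", "PUT", "Authorization"))
    print(match_rule(SHADOWED_CONFIG, "http://www.example1.com", "GET"))
```

A result of None corresponds to the case in which S3 returns no CORS response headers for the preflight.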
To test the CORS configuration, you can send a preflight OPTIONS check by using the following CURL command. CURL is a command-line tool that can be used to interact with S3. For more information, see CURL.
curl -v -X OPTIONS \
  -H "Origin: http://www.example1.com" \
  -H "Access-Control-Request-Method: PUT" \
  -H "Access-Control-Request-Headers: Authorization" \
  -H "Access-Control-Expose-Headers: x-amz-meta-custom-header" \
  "http://bucket_name.s3.amazonaws.com/object_prefix_name"
In the above example, the curl -v -X OPTIONS command is used to send a preflight request to S3 to inquire if it is allowed by S3 to send a PUT request on an object from the cross origin http://www.example1.com. The headers Access-Control-Request-Headers and Access-Control-Expose-Headers are optional.
- In response to the Access-Control-Request-Method header in the preflight OPTIONS request, Amazon S3 returns the list of allowed methods if the requested methods match.
- In response to the Access-Control-Request-Headers header in the preflight OPTIONS request, Amazon S3 returns the list of allowed headers if the requested headers match.
- In response to the Access-Control-Expose-Headers header in the preflight OPTIONS request, Amazon S3 returns a list of allowed headers if the requested headers match the allowed headers that can be accessed by scripts running in the browser.
Note
When sending a preflight request, if any of the CORS request headers are not allowed, none of the response CORS headers are returned.
In response to this preflight OPTIONS request, you will receive a 200 OK response. For common error codes received when testing CORS and more information to solve CORS related issues, see Troubleshooting CORS.
< HTTP/1.1 200 OK
< Date: Fri, 12 Jul 2024 00:23:51 GMT
< Access-Control-Allow-Origin: http://www.example1.com
< Access-Control-Allow-Methods: GET, PUT, POST, DELETE
< Access-Control-Allow-Headers: Authorization
< Access-Control-Expose-Headers: x-amz-meta-custom-header
< Access-Control-Allow-Credentials: true
< Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
< Server: AmazonS3
< Content-Length: 0