Cross-origin resource sharing (CORS) allows web applications to access resources that belong to different origins. Object Storage Service (OSS) provides CORS API operations to control cross-origin access.
Configure CORS rules
The following sample code shows how to configure CORS rules for a specified bucket:
const OSS = require('ali-oss');

const client = new OSS({
  // Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to oss-cn-hangzhou.
  region: 'yourRegion',
  // Obtain access credentials from environment variables. Before you run the sample code, make sure that you have configured environment variables OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET.
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  // Specify the name of the bucket.
  bucket: 'yourBucket'
});

const rules = [
  {
    // Specify the origin of allowed cross-origin requests. You can set the origin to an asterisk (*) to allow requests from all origins.
    allowedOrigin: 'http://example.com',
    // Specify the methods that can be used to send cross-origin requests, including GET, PUT, DELETE, POST, and HEAD.
    allowedMethod: 'GET',
    // Specify the request headers that are allowed in cross-origin requests (the headers that the browser lists in Access-Control-Request-Headers of the OPTIONS preflight request). We recommend that you use an asterisk (*) as the value, unless otherwise specified.
    allowedHeader: '*',
    // Specify the response headers that applications, such as an XMLHttpRequest object in JavaScript, are allowed to access. An asterisk (*) is not supported.
    exposeHeader: 'Content-Length',
    // Specify the period of time in which the browser can cache the response to an OPTIONS preflight request for specific resources. Unit: seconds.
    maxAgeSeconds: '30'
  },
];

// You can configure up to 10 CORS rules. If a new rule that is the same as an existing rule is configured, the existing rule is overwritten.
client.putBucketCORS('yourBucket', rules).then((r) => {
  console.log(r);
}).catch((e) => {
  // Report request failures instead of leaving the promise rejection unhandled.
  console.log(e);
});
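A check to run on the rule array before it is passed to putBucketCORS, added here as an example and not part of the OSS SDK or the original sample code. The helper auditCorsRules is hypothetical: it enforces the limits stated above and warns on wildcard or cleartext origins, assuming each field may be a string or an array of strings.

```javascript
// Added example (not SDK code): audit a CORS rule array before putBucketCORS.
// Limits (10 rules, five methods, no '*' in exposeHeader) are the ones stated on this page.
const OSS_METHODS = ['GET', 'PUT', 'DELETE', 'POST', 'HEAD'];
const WRITE_METHODS = ['PUT', 'DELETE', 'POST'];
const MAX_RULES = 10;

// Assumption: each rule field may be a single string or an array of strings.
const toList = (v) => (v === undefined ? [] : [].concat(v)).map(String);

function auditCorsRules(rules) {
  const findings = [];
  const add = (level, index, message) => findings.push({ level, index, message });
  if (rules.length > MAX_RULES) {
    add('error', -1, `${rules.length} rules exceed the limit of ${MAX_RULES}`);
  }
  rules.forEach((rule, i) => {
    const origins = toList(rule.allowedOrigin);
    const methods = toList(rule.allowedMethod).map((m) => m.toUpperCase());
    for (const m of methods) {
      if (!OSS_METHODS.includes(m)) add('error', i, `unsupported method ${m}`);
    }
    if (toList(rule.exposeHeader).some((h) => h.includes('*'))) {
      add('error', i, 'exposeHeader does not support an asterisk');
    }
    const age = Number(rule.maxAgeSeconds);
    if (rule.maxAgeSeconds !== undefined && !(Number.isInteger(age) && age >= 0)) {
      add('error', i, 'maxAgeSeconds must be a non-negative integer');
    }
    // Wildcard origin: scripts served by any website may send these requests and read the responses.
    if (origins.includes('*')) {
      const writes = methods.filter((m) => WRITE_METHODS.includes(m));
      add('warn', i, writes.length
        ? `wildcard origin combined with ${writes.join(',')}`
        : 'wildcard origin');
    }
    for (const o of origins) {
      if (o.startsWith('http://')) add('warn', i, `cleartext origin ${o}`);
    }
  });
  return findings;
}

// Constructed sample input, not taken from a real bucket.
const sampleRules = [
  { allowedOrigin: 'https://app.example.com', allowedMethod: ['GET', 'HEAD'], exposeHeader: 'ETag', maxAgeSeconds: '600' },
  { allowedOrigin: '*', allowedMethod: ['GET', 'PUT'], allowedHeader: '*', exposeHeader: '*', maxAgeSeconds: '30' },
];
console.log(auditCorsRules(sampleRules));
```

Treat `error` findings as blocking and `warn` findings as items to review before the rules are applied.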
Query CORS rules
The following sample code shows how to query the CORS rules of a specified bucket:
const OSS = require("ali-oss");
const assert = require("assert");

const client = new OSS({
  // Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to oss-cn-hangzhou.
  region: 'yourRegion',
  // Obtain access credentials from environment variables. Before you run the sample code, make sure that you have configured environment variables OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET.
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  // Specify the name of the bucket.
  bucket: "yourBucket",
});

// Specify the name of the bucket.
client.getBucketCORS("yourBucket").then((r) => {
  assert.equal(r.res.status, 200);
  assert.deepEqual(r.rules, [
    {
      allowedOrigin: "http://example.com",
      allowedMethod: "GET",
      allowedHeader: "*",
      exposeHeader: "Content-Length",
      maxAgeSeconds: "30",
    },
  ]);
}).catch((e) => {
  // Report request failures and assertion mismatches.
  console.log(e);
});
Delete CORS rules
The following sample code shows how to delete the CORS rules configured for a specified bucket:
const OSS = require('ali-oss');

const client = new OSS({
  // Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to oss-cn-hangzhou.
  region: 'yourRegion',
  // Obtain access credentials from environment variables. Before you run the sample code, make sure that you have configured environment variables OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET.
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  // Specify the name of the bucket.
  bucket: "yourBucket",
});

// Specify the name of the bucket.
client.deleteBucketCORS('yourBucket').then((res) => {
  console.log(res);
}).catch((e) => {
  console.log(e);
});
References
For the complete sample code that is used to manage CORS rules, visit GitHub.
For more information about the API operation that you can call to configure CORS rules, see PutBucketCors.
For more information about the API operation that you can call to query CORS rules, see GetBucketCors.
For more information about the API operation that you can call to delete CORS rules, see DeleteBucketCors.