Configure CORS in OSS

Updated at: 2024-06-25 02:10

Browsers enforce the same-origin policy, which allows JavaScript code executed on a web page to access resources only from the same origin and denies cross-origin requests. Cross-origin resource sharing (CORS) allows web browsers to initiate requests from a domain or an origin to a different domain or origin. CORS allows JavaScript code loaded on your websites to request objects that have a different origin.

Same-origin policy

Browsers reject cross-origin requests based on the same-origin policy to keep website content secure. For example, if the JavaScript code on one website makes a request for a resource hosted on another website that has a different origin, the browser denies the request.

Two URLs have the same origin if they have the same protocol, domain name or IP address, and port number (if specified). The following table provides examples of origin comparison with http://www.aliyun.com/org/test.html.


Successful access



Successful access




Same protocol, domain name, and port number



Same protocol, domain name, and port number



Different protocols (HTTP and HTTPS)



Different port numbers (22 and no port number)



Different domain names

The preceding table shows that the browser rejects requests from a URL to another URL that has a different origin. If you want to allow cross-origin requests, you must configure CORS rules.

Usage notes

  • You can configure up to 20 CORS rules for a bucket.

  • When Object Storage Service (OSS) receives a cross-origin request or an OPTIONS request that is destined for a bucket, OSS reads the CORS rules that are configured for the bucket and attempts to match the rules one after another. If OSS finds the first match, OSS returns corresponding headers. If the request fails to match the CORS rules, OSS does not include CORS headers in the response.

  • To implement CORS after Alibaba Cloud CDN is activated, you must configure CORS rules in the CDN console. For more information, see Alibaba Cloud Content Delivery Network how to configure cross-origin resource sharing by using HTTP headers (CORS).

CORS rules

You can configure CORS rules to allow or reject cross-origin requests based on your requirements. CORS rules are configured only to determine whether to add CORS-related headers to requests. The browser determines whether to reject cross-origin requests.

If one of the following conditions is met, you need to select Vary: Origin to avoid local cache errors.


If Vary: Origin is selected, visits from the browser or the CDN back-to-origin requests may increase.

  • CORS and non-CORS requests are sent at the same time

    The following sample code provides an example of a non-CORS request that is created in the <img> field and a CORS request that is created by using the fetch method:

    <!doctype html>
     <meta charset="UTF-8">
     <title>CORS Test</title>
    <! -- Non-CORS request -->
    <img src="https://examplebucket.oss-cn-beijing.aliyuncs.com/exampleobject.txt" alt="">
      <! -- CORS request -->
  • The Origin header has multiple possible values

    For example, you set the Origin header to http://www.example.com and https://www.example.org to allow CORS requests from these origins.


Use the OSS console

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Buckets. On the Buckets page, find and click the desired bucket.

  3. In the left-side navigation tree, choose Content Security > CORS.

  4. On the CORS page, click Create Rule.

  5. In the Create Rule panel, configure the parameters. The following table describes the parameters.






    The origins from which cross-origin requests are allowed. When you configure this parameter, take note of the following items:

    • You can specify multiple allowed origins. Separate multiple origins with line feeds.

    • An origin URL must include the protocol, such as HTTP or HTTPS.

    • You can use an asterisk (*) as the wildcard character in an origin URL. Each origin can contain up to one asterisk (*).

    • If an origin URL does not use the default port number, specify the actual port number. Example: https://www.example.com:8080.

    The following examples show how to configure allowed origins:

    • To allow requests from a specific origin, specify the origin URL. Example: https://www.example.com.

    • To allow requests from subdomains of a specific root domain, use an asterisk (*) wildcard character in an origin URL. Example: https://*.example.com.

    • To allow requests from all origins, enter only an asterisk (*) wildcard character.

    Allowed Methods


    The methods that cross-origin requests are allowed to use.

    Allowed Headers


    The allowed headers in cross-origin requests. When you configure the headers, take note of the following items:

    • The value of this parameter is in the key:value format and not case-sensitive. Example: content-type:text/plain.

    • You can configure multiple headers. Separate multiple headers with line feeds.

    • You can use an asterisk (*) as the wildcard character. Each header can contain up to one asterisk (*). Set this parameter to an asterisk (*) if you do not have special requirements.

    Exposed Headers


    The response headers available to requests from applications, such as an XMLHttpRequest object in JavaScript. Exposed headers cannot contain an asterisk (*) wildcard character.

    We recommend that you configure the following common exposed headers:

    • x-oss-request-id

      If an issue occurs, provide technical support with the request ID for troubleshooting.

    • ETag

      You can use the ETag value of an object to check whether the object content is modified.

    Cache Timeout (Seconds)


    The period of time in which the browser can cache the response to an OPTIONS preflight request for specific resources. Unit: seconds.

    Vary: Origin


    Specifies whether to return the Vary: Origin header.

    If both CORS and non-CORS requests are sent to OSS, or if the Origin header has multiple possible values, we recommend that you select Vary: Origin to prevent errors in the local cache.


    If Vary: Origin is selected, visits from the browser or the CDN back-to-origin requests may increase.

  6. Click OK.


The following code provides examples on how to configure CORS rules by using OSS SDKs for common programming languages. For more information about how to configure CORS rules by using OSS SDKs for other programming languages, see Overview.

import com.aliyun.oss.ClientException;
import com.aliyun.oss.OSS;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.OSSException;
import com.aliyun.oss.model.SetBucketCORSRequest;
import java.util.ArrayList;

public class Demo {

    public static void main(String[] args) throws Exception {
        // In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
        String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
        // Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. 
        EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
        // Specify the name of the bucket. Example: examplebucket. 
        String bucketName = "examplebucket";

        // Create an OSSClient instance. 
        OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);

        try {
            SetBucketCORSRequest request = new SetBucketCORSRequest(bucketName);

            // You can configure up to 10 CORS rules for a bucket. 
            ArrayList<SetBucketCORSRequest.CORSRule> putCorsRules = new ArrayList<SetBucketCORSRequest.CORSRule>();

            SetBucketCORSRequest.CORSRule corRule = new SetBucketCORSRequest.CORSRule();

            ArrayList<String> allowedOrigin = new ArrayList<String>();
            // Specify the origins from which cross-origin requests are allowed. 
            allowedOrigin.add( "http://example.com");

            ArrayList<String> allowedMethod = new ArrayList<String>();
            // Specify the methods that can be used to send cross-origin requests, including GET, PUT, DELETE, POST, and HEAD. 

            ArrayList<String> allowedHeader = new ArrayList<String>();
            // Specify whether the headers that are specified by Access-Control-Request-Headers in the OPTIONS preflight request are allowed. 

            ArrayList<String> exposedHeader = new ArrayList<String>();
            // Specify the response headers for allowed access requests from applications. 
            // You can use only one asterisk (*) as a wildcard character for AllowedOrigins and AllowedMethods in a CORS rule. The asterisk (*) wildcard character specifies that all origins or operations are allowed. 
            // AllowedHeaders and ExposeHeaders do not support wildcard characters. 
            // Specify the period of time in which the browser can cache the response for an OPTIONS preflight request for specific resources. Unit: seconds. 

            // You can configure up to 10 CORS rules for the bucket. 
            // The existing CORS rules are overwritten. 
            // Specify whether to return the "Vary: Origin" header. If you set this parameter to TRUE, the Vary: Origin header is returned regardless of whether the request is a cross-origin request or whether the cross-origin request is successful. If you set this parameter to False, the Vary: Origin header is not returned. 
            // request.setResponseVary(Boolean.TRUE);
        } catch (OSSException oe) {
            System.out.println("Caught an OSSException, which means your request made it to OSS, "
                    + "but was rejected with an error response for some reason.");
            System.out.println("Error Message:" + oe.getErrorMessage());
            System.out.println("Error Code:" + oe.getErrorCode());
            System.out.println("Request ID:" + oe.getRequestId());
            System.out.println("Host ID:" + oe.getHostId());
        } catch (ClientException ce) {
            System.out.println("Caught an ClientException, which means the client encountered "
                    + "a serious internal problem while trying to communicate with OSS, "
                    + "such as not being able to access the network.");
            System.out.println("Error Message:" + ce.getMessage());
        } finally {
            if (ossClient != null) {
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';

use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\CoreOssException;
use OSS\Model\CorsConfig;
use OSS\Model\CorsRule;

// Obtain access credentials from environment variables. Before you run the code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. 
$provider = new EnvironmentVariableCredentialsProvider();
// Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. 
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
// Specify the name of the bucket. Example: examplebucket. 
$bucket= "examplebucket";

$corsConfig = new CorsConfig();
$rule = new CorsRule();
// Specify the response headers based on which cross-origin requests are allowed. You can specify multiple allowed headers. Only one asterisk (*) can be used as the wildcard character for each allowed header. 
// If you do not have special requirements, we recommend that you set AllowedHeader to an asterisk (*). 
// Specify the response headers that you are allowed to access from applications. You can specify multiple exposed headers. Exposed headers cannot contain asterisks (*). 
// Specify the allowed origins from which cross-origin requests are sent. You can specify multiple allowed origins. Only one asterisk (*) can be used as the wildcard character for each allowed origin. 
// If you set AllowedOrigin to an asterisk (*), requests from all origins are allowed. 
// Specify the HTTP methods that cross-origin requests are allowed to use. 
// Specify the time that the browser can cache the response to a preflight (OPTIONS) request to a specific resource. Unit: seconds. 
// You can add up to 10 rules for each bucket. 
// Specify whether to return the Vary: Origin header. A value of false indicates that the Vary: Origin header is not returned in any case.

    $config = array(
        "provider" => $provider,
        "endpoint" => $endpoint,
    $ossClient = new OssClient($config);

    // OSS overwrites an existing CORS rule that has the same name as the CORS rule that you want to create in the request. 
    $ossClient->putBucketCors($bucket, $corsConfig);
} catch(OssException $e) {
    printf(__FUNCTION__ . ": FAILED\n");
    printf($e->getMessage() . "\n");
print(__FUNCTION__ . ": OK" . "\n");            
const OSS = require('ali-oss');

const client = new OSS({
  // Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to oss-cn-hangzhou. 
  region: 'yourRegion',
  // Obtain access credentials from environment variables. Before you run the sample code, make sure that you have configured environment variables OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET. 
  accessKeyId: process.env.OSS_ACCESS_KEY_ID,
  accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
  // Specify the name of the bucket. 
  bucket: 'yourBucket'

const rules = [{
        // Specify the origin of allowed cross-origin requests. You can set the origin to an asterisk (*) to allow requests from all regions. 
        allowedOrigin: 'http://example.com',
        // Specify the methods that can be used to send cross-origin requests, including GET, PUT, DELETE, POST, and HEAD. 
        allowedMethod: 'GET',
        // Specify the response headers that allow cross-origin requests. We recommend that you use an asterisk (*) as the value, unless otherwise specified. 
        allowedHeader: '*',
        // Specify the response headers for allowed access requests from applications, such as an XMLHttpRequest object in JavaScript. An asterisk (*) is not supported. 
        exposeHeader: 'Content-Length',
        // Specify the period of time in which the browser can cache the response to an OPTIONS preflight request for specific resources. Unit: seconds. 
        maxAgeSeconds: '30'
// You can configure up to 10 CORS rules. If a new rule that is the same as an existing rule is configured, the existing rule is overwritten. 
client.putBucketCORS("yourBucket", rules).then((r) => {
# -*- coding: utf-8 -*-
import oss2
from oss2.credentials import EnvironmentVariableCredentialsProvider
from oss2.models import BucketCors, CorsRule

# Obtain access credentials from the environment variables. Before you run the sample code, make sure that you have configured environment variables OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET. 
auth = oss2.ProviderAuth(EnvironmentVariableCredentialsProvider())
# Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. 
# Specify the name of the bucket. Example: examplebucket. 
bucket = oss2.Bucket(auth, 'https://oss-cn-hangzhou.aliyuncs.com', 'examplebucket')

rule = CorsRule(allowed_origins=['*'],
                allowed_methods=['GET', 'HEAD'],

# An existing rule with the same name is overwritten. 
using Aliyun.OSS;
using Aliyun.OSS.Common;

// Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. 
var endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. 
var accessKeyId = Environment.GetEnvironmentVariable("OSS_ACCESS_KEY_ID");
var accessKeySecret = Environment.GetEnvironmentVariable("OSS_ACCESS_KEY_SECRET");
// Specify the name of the bucket. Example: examplebucket. 
var bucketName = "examplebucket";

// Create an OSSClient instance. 
var client = new OssClient(endpoint, accessKeyId, accessKeySecret);
    var request = new SetBucketCorsRequest(bucketName);
    var rule1 = new CORSRule();
    // Specify the origins from which cross-origin requests are allowed. 
    // Specify the methods that can be used to send cross-origin requests, including GET, PUT, DELETE, POST, and HEAD. 
    // AllowedHeaders and ExposeHeaders do not support wildcard characters. 
    // Specify the response headers for allowed access requests from applications. 
    // You can configure up to 10 CORS rules for a bucket. 
    var rule2 = new CORSRule();
    // You can use only one asterisk (*) as a wildcard character for AllowedOrigins and AllowedMethods in a CORS rule. The asterisk (*) wildcard character specifies that all origins or operations are allowed. 
    // Specify whether the headers that are specified by Access-Control-Request-Headers in the OPTIONS preflight request are allowed. 
    // Specify the period of time in which the browser can cache the response for an OPTIONS preflight request for specific resources. Unit: seconds. 
    rule2.MaxAgeSeconds = 100;
    // Configure the CORS rules. 
    Console.WriteLine("Set bucket:{0} Cors succeeded ", bucketName);
catch (OssException ex)
    Console.WriteLine("Failed with error info: {0}; Error info: {1}. \nRequestID:{2}\tHostID:{3}",
        ex.ErrorCode, ex.Message, ex.RequestId, ex.HostId);
catch (Exception ex)
    Console.WriteLine("Failed with error info: {0}", ex.Message);
package main

import (

func main() {
	// Specify the name of the bucket. 
	bucketName := "yourBucketName"

	// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. 
	provider, err := oss.NewEnvironmentVariableCredentialsProvider()
	if err != nil {
		fmt.Println("Error:", err)

	// Create an OSSClient instance. 
	// Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. Specify your actual endpoint. 
	client, err := oss.New("yourEndpoint", "", "", oss.SetCredentialsProvider(&provider))
	if err != nil {
		fmt.Println("Error:", err)

	isTrue := true
	rule1 := oss.CORSRule{
		AllowedOrigin: []string{"*"},
		AllowedMethod: []string{"PUT", "GET", "POST"},
		AllowedHeader: []string{},
		ExposeHeader:  []string{},
		MaxAgeSeconds: 100,

	rule2 := oss.CORSRule{
		AllowedOrigin: []string{"http://www.a.com", "http://www.b.com"},
		AllowedMethod: []string{"GET"},
		AllowedHeader: []string{"Authorization"},
		ExposeHeader:  []string{"x-oss-test-01", "x-oss-test-02"},
		MaxAgeSeconds: 100,

	put := oss.PutBucketCORS{}
	put.CORSRules = []oss.CORSRule{rule1,rule2}
	put.ResponseVary = &isTrue
	// Create the CORS rules. 
	err = client.SetBucketCORSV2(bucketName, put)
	if err != nil {
		fmt.Println("Error:", err)

	fmt.Println("Set Success")
#include <alibabacloud/oss/OssClient.h>
using namespace AlibabaCloud::OSS;

int main(void)
    /* Initialize information about the account that is used to access OSS. */
    /* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
    std::string Endpoint = "yourEndpoint";
    /* Specify the name of the bucket. Example: examplebucket. */
    std::string BucketName = "examplebucket";

    /* Initialize resources such as network resources. */

    ClientConfiguration conf;
    /* Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. */
    auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
    OssClient client(Endpoint, credentialsProvider, conf);

    SetBucketCorsRequest request(BucketName);

    /* Configure CORS rules. */
    auto rule1 = CORSRule();
    /* Specify the origins from which cross-origin requests are allowed. */
    /* Specify the methods that can be used to send cross-origin requests, including GET, PUT, POST, DELETE, and HEAD. */
    /* Specify whether the headers that are specified by Access-Control-Request-Headers in the OPTIONS preflight request are allowed. */
    /* Specify the response headers for allowed access requests from applications. */
    /* You can configure up to 10 CORS rules for the bucket. */

    auto rule2 = CORSRule();

    auto outcome = client.SetBucketCors(request);

    if (!outcome.isSuccess()) {
        /* Handle exceptions. */
        std::cout << "SetBucketCors fail" <<
        ",code:" << outcome.error().Code() <<
        ",message:" << outcome.error().Message() <<
        ",requestId:" << outcome.error().RequestId() << std::endl;
        return -1;

    /* Release resources such as network resources. */
    return 0;
#include "oss_api.h"
#include "aos_http_io.h"
/* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
const char *endpoint = "yourEndpoint";
/* Specify the name of the bucket. Example: examplebucket. */
const char *bucket_name = "examplebucket";
void init_options(oss_request_options_t *options)
    options->config = oss_config_create(options->pool);
    /* Use a char* string to initialize data of the aos_string_t type. */
    aos_str_set(&options->config->endpoint, endpoint);
    /* Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. */
    aos_str_set(&options->config->access_key_id, getenv("OSS_ACCESS_KEY_ID"));
    aos_str_set(&options->config->access_key_secret, getenv("OSS_ACCESS_KEY_SECRET"));
    /* Specify whether to use CNAME. The value 0 indicates that CNAME is not used. */
    options->config->is_cname = 0;
    /* Specify network parameters, such as the timeout period. */
    options->ctl = aos_http_controller_create(options->pool, 0);
int main(int argc, char *argv[])
    /* Call the aos_http_io_initialize method in main() to initialize global resources, such as network resources and memory resources. */
    if (aos_http_io_initialize(NULL, 0) != AOSE_OK) {
    /* Create a memory pool to manage memory. aos_pool_t is equivalent to apr_pool_t. The code used to create a memory pool is included in the APR library. */
    aos_pool_t *pool;
    /* Create a memory pool. The value of the second parameter is NULL. This value indicates that the pool does not inherit other memory pools. */
    aos_pool_create(&pool, NULL);
    /* Create and initialize options. This parameter includes global configuration information, such as endpoint, access_key_id, access_key_secret, is_cname, and curl. */
    oss_request_options_t *oss_client_options;
    /* Allocate the memory resources in the memory pool to the options. */
    oss_client_options = oss_request_options_create(pool);
    /* Initialize oss_client_options. */
    /* Initialize the parameters. */
    aos_string_t bucket;
    aos_table_t *resp_headers = NULL; 
    aos_status_t *resp_status = NULL;
    aos_list_t cors_rule_list;
    oss_cors_rule_t *cors_rule1 = NULL, *cors_rule2 = NULL;
    aos_str_set(&bucket, bucket_name);
    cors_rule1 = oss_create_cors_rule(pool);
    aos_list_add_tail(&cors_rule1->node, &cors_rule_list);
    oss_create_sub_cors_rule(pool, &cors_rule1->allowed_origin_list, "allowed_origin_1_1");
    oss_create_sub_cors_rule(pool, &cors_rule1->allowed_origin_list, "allowed_origin_1_1");
    oss_create_sub_cors_rule(pool, &cors_rule1->allowed_method_list, "PUT");
    oss_create_sub_cors_rule(pool, &cors_rule1->allowed_method_list, "GET");
    oss_create_sub_cors_rule(pool, &cors_rule1->allowed_head_list, "Authorization");
    oss_create_sub_cors_rule(pool, &cors_rule1->expose_head_list, "expose_head_1_1");
    oss_create_sub_cors_rule(pool, &cors_rule1->expose_head_list, "expose_head_1_1");
    cors_rule2 = oss_create_cors_rule(pool);
    aos_list_add_tail(&cors_rule2->node, &cors_rule_list);
    oss_create_sub_cors_rule(pool, &cors_rule2->allowed_origin_list, "allowed_origin_2_1");
    oss_create_sub_cors_rule(pool, &cors_rule2->allowed_origin_list, "allowed_origin_2_2");
    oss_create_sub_cors_rule(pool, &cors_rule2->allowed_method_list, "PUT");
    oss_create_sub_cors_rule(pool, &cors_rule2->allowed_method_list, "GET");
    oss_create_sub_cors_rule(pool, &cors_rule2->allowed_head_list, "Authorization");
    oss_create_sub_cors_rule(pool, &cors_rule2->expose_head_list, "expose_head_2_1");
    oss_create_sub_cors_rule(pool, &cors_rule2->expose_head_list, "expose_head_2_2");
    /* Configure CORS rules. */
    resp_status = oss_put_bucket_cors(oss_client_options, &bucket, &cors_rule_list, &resp_headers);
    if (aos_status_is_ok(resp_status)) {
        printf("put bucket cors succeeded\n");
    } else {
        printf("put bucket cors failed\n");      
    /* Release the memory pool. This operation releases the memory resources allocated for the request. */
    /* Release the allocated global resources. */
    return 0;
require 'aliyun/oss'

client = Aliyun::OSS::Client.new(
  # In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
  endpoint: 'https://oss-cn-hangzhou.aliyuncs.com',
  # Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. 
  access_key_id: ENV['OSS_ACCESS_KEY_ID'],
  access_key_secret: ENV['OSS_ACCESS_KEY_SECRET']

# Specify the name of the bucket. Example: examplebucket. 
bucket = client.get_bucket('examplebucket')
# Configure CORS rules. 
bucket.cors = [
      # Specify the origin from which you want to allow cross-origin requests. Example: http://example.com. 
      :allowed_origins => ['http://example.com', 'http://example.net'],
      # Specify the methods that can be used to send cross-origin requests, including GET, PUT, DELETE, POST, and HEAD. 
      :allowed_methods => ['PUT', 'POST', 'GET'],
      # Specify the headers that are allowed in OPTIONS preflight requests. Example: x-oss-test. 
      :allowed_headers => ['x-oss-test'],
      # Specify the response headers for allowed access requests from applications. 
      :expose_headers => ['x-oss-test1'],
      # Specify the period of time in which the browser can cache the response for an OPTIONS preflight request for specific resources. Unit: seconds. 
      :max_age_seconds => 100)

Use ossutil

For more information about how to configure CORS rules by using ossutil, see cors.

Use the OSS API

If your business requires a high level of customization, you can directly call RESTful APIs. To directly call an API, you must include the signature calculation in your code. For more information, see PutBucketcors.


What do I do if the "No 'Access-Control-Allow-Origin'" error is reported?

For more information about the causes of and solutions to the error, see The "No 'Access-Control-Allow-Origin'" error persists when I call OSS after CORS rules are configured.

What do I do if a CORS error occurs when I use a CDN-accelerated domain name to access OSS?

If a CORS error occurs when you use a CDN-accelerated domain name to access OSS, you must configure CORS rules in the Alibaba Cloud CDN console. For more information, see Configure CORS.

What do I do if an error is reported indicating that the Access-Control-Allow-Origin header cannot be an asterisk (*) when I send a cross-origin request?

If the Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. error message is returned, change the value of Access-Control-Allow-Origin to specific URLs or specify xhr.withCredentials = false; in your code to fix the error. For more information, see How do I fix a cross-origin request error indicating that Access-Control-Allow-Origin cannot be an asterisk (*)?

Why are two CORS rules for the same bucket unable to apply to a request simultaneously?

If you configure two CORS rules, OSS matches the rules in sequence. After OSS finds the first match, OSS returns corresponding headers.

