S3 – Access-Control-Allow-Origin Header

Did anyone manage to add Access-Control-Allow-Origin to the response headers? What I need is something like this:

<img src="https://360assets.s3.amazonaws.com/tours/8b16734d-336c-48c7-95c4-3a93fa023a57/1_AU_COM_180212_Areitbahn_Hahnkoplift_Bergstation.tiles/l2_f_0101.jpg" /> 

This get request should contain in the response, header, Access-Control-Allow-Origin: *

My CORS settings for the bucket looks like this:

<?xml version="1.0" encoding="UTF-8"?> <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">     <CORSRule>         <AllowedOrigin>*</AllowedOrigin>         <AllowedMethod>GET</AllowedMethod>         <MaxAgeSeconds>3000</MaxAgeSeconds>         <AllowedHeader>*</AllowedHeader>     </CORSRule> </CORSConfiguration> 

As you might expect there is no Origin response header.

Add Comment
23 Answer(s)

Usually, all you need to do is to “Add CORS Configuration” in your bucket properties.


The <CORSConfiguration> comes with some default values. That’s all I needed to solve your problem. Just click “Save” and try again to see if it worked. If it doesn’t, you could also try the code below (from alxrb answer) which seems to have worked for most of the people.

<?xml version="1.0" encoding="UTF-8"?> <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">     <CORSRule>         <AllowedOrigin>*</AllowedOrigin>         <AllowedMethod>GET</AllowedMethod>         <AllowedMethod>HEAD</AllowedMethod>         <MaxAgeSeconds>3000</MaxAgeSeconds>         <AllowedHeader>Authorization</AllowedHeader>     </CORSRule> </CORSConfiguration>  

For further info, you can read this article on Editing Bucket Permission.

Add Comment

I was having a similar problem with loading web fonts, when I clicked on ‘add CORS configuration’, in the bucket properties, this code was already there:

<?xml version="1.0" encoding="UTF-8"?> <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">     <CORSRule>         <AllowedOrigin>*</AllowedOrigin>         <AllowedMethod>GET</AllowedMethod>         <AllowedMethod>HEAD</AllowedMethod>         <MaxAgeSeconds>3000</MaxAgeSeconds>         <AllowedHeader>Authorization</AllowedHeader>     </CORSRule> </CORSConfiguration>  

I just clicked save and it worked a treat, my custom web fonts were loading in IE & Firefox. I’m no expert on this, I just thought this might help you out.

Add Comment

If your request doesn’t specify an Origin header, S3 won’t include the CORS headers in the response. This really threw me because I kept trying to curl the files to test the CORS but curl doesn’t include Origin.

Add Comment

@jordanstephens said this in a comment, but it kind of gets lost and was a really easy fix for me.

I simply added HEAD method and clicked saved and it started working.

<CORSConfiguration>  	<CORSRule>  		<AllowedOrigin>*</AllowedOrigin>  		<AllowedMethod>GET</AllowedMethod>  		<AllowedMethod>HEAD</AllowedMethod> <!-- Add this -->  		<MaxAgeSeconds>3000</MaxAgeSeconds>  		<AllowedHeader>Authorization</AllowedHeader>  	</CORSRule>  </CORSConfiguration>

Add Comment

This is a simple way to make this work.

I know this is an old question, but still is hard to find a solution.

To start, this worked for me on a project built with Rails 4, Paperclip 4, CamanJS, Heroku and AWS S3.

You have to request your image using the crossorigin: "anonymous" parameter.

    <img href="your-remote-image.jpg" crossorigin="anonymous">  

Add your site URL to CORS in AWS S3. Here is a refference from Amazon about that. Pretty much, just go to your bucket, and then select "Properties" from the tabs on the right, open "Permissions tab and then, click on "Edit CORS Configuration".

Originally, I had < AllowedOrigin> set to *. Just change that asterisk to your URL, be sure to include options like http:// and https:// in separate lines. I was expecting that the asterisk accepts "All", but apparently we have to be more specific than that.

This is how it looks for me.

enter image description here

Add Comment

See above answers. (but I had a chrome bug too)

Don’t load and display the image on the page in CHROME. (if you are going to later create a new instance)

In my case, I loaded images and displayed them on the page. When they were clicked, I created a new instance of them:

// there is already an html <img /> on the page, I'm creating a new one now img = $('<img crossorigin />')[0] img.onload = function(){   context.drawImage(img, 0, 0)   context.getImageData(0,0,w,h) } img.src = 'http://s3.amazonaws.com/my/image.png'; // I added arbitrary ?crossorigin to change the URL of this to fix it 

Chrome had already cached another version and NEVER tried to re-fetch the crossorigin version(even if I was using crossorigin on the displayed images.

To fix, I added ?crossorigin to the end of the image url(but you could add ?blah, it’s just arbitrary to change the cache status) when I loaded it for canvas.. Let me know if you find a better fix for CHROME

Add Comment

I’ll just add to this answer–above–which solved my issue.

To set AWS/CloudFront Distribution Point to torward the CORS Origin Header, click into the edit interface for the Distribution Point:

enter image description here

Go to the behaviors tab and edit the behavior, changing “Cache Based on Selected Request Headers” from None to Whitelist, then make sure Origin is added to the whitelisted box. See Configuring CloudFront to Respect CORS Settings in the AWS Docs for more.

enter image description here

Add Comment

I was having similar problems loading 3D models from S3 into a javascript 3D viewer (3D HOP), but strangely enough only with certain file types (.nxs).

What fixed it for me was changing AllowedHeader from the default Authorization to * in the CORS config:

<?xml version="1.0" encoding="UTF-8"?> <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <CORSRule>     <AllowedOrigin>*</AllowedOrigin>     <AllowedMethod>GET</AllowedMethod>     <MaxAgeSeconds>3000</MaxAgeSeconds>     <AllowedHeader>*</AllowedHeader> </CORSRule> </CORSConfiguration> 
Add Comment

Like others have states, you first need to have the CORS configuration in your S3 bucket:

<CORSConfiguration> <CORSRule>     <AllowedOrigin>*</AllowedOrigin>     <AllowedMethod>GET</AllowedMethod>     <AllowedMethod>HEAD</AllowedMethod> <!-- Add this -->     <MaxAgeSeconds>3000</MaxAgeSeconds>     <AllowedHeader>Authorization</AllowedHeader> </CORSRule> </CORSConfiguration> 

But in my case after doing that, it was still not working. I was using Chrome (probably the same problem with other browsers).

The problem was that Chrome was caching the image with the headers (not containing the CORS data), so no matter what I tried to change in AWS, I would not see my CORS headers.

After clearing Chrome cache and reloading the page, the image had the expected CORS Headers

Add Comment

I tried all answers above and nothing worked. Actually, we need 3 steps from above answers together to make it work:

  1. As suggested by Flavio; add CORS configuration on your bucket:

    <CORSConfiguration>    <CORSRule>      <AllowedOrigin>*</AllowedOrigin>      <AllowedMethod>GET</AllowedMethod>    </CORSRule>  </CORSConfiguration> 
  2. On the image; mention crossorigin:

    <img href="abc.jpg" crossorigin="anonymous"> 
  3. Are you using a CDN? If everything works fine connecting to origin server but NOT via CDN; it means you need some setting on your CDN like accept CORS headers. Exact setting depends on which CDN you are using.

Add Comment

Your Answer

By posting your answer, you agree to the privacy policy and terms of service.