S3 – Access-Control-Allow-Origin Header
Did anyone manage to add Access-Control-Allow-Origin
to the response headers? What I need is something like this:
<img src="https://360assets.s3.amazonaws.com/tours/8b16734d-336c-48c7-95c4-3a93fa023a57/1_AU_COM_180212_Areitbahn_Hahnkoplift_Bergstation.tiles/l2_f_0101.jpg" />
This get request should contain in the response, header, Access-Control-Allow-Origin: *
My CORS settings for the bucket looks like this:
<?xml version="1.0" encoding="UTF-8"?> <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <CORSRule> <AllowedOrigin>*</AllowedOrigin> <AllowedMethod>GET</AllowedMethod> <MaxAgeSeconds>3000</MaxAgeSeconds> <AllowedHeader>*</AllowedHeader> </CORSRule> </CORSConfiguration>
As you might expect there is no Origin
response header.
Usually, all you need to do is to “Add CORS Configuration” in your bucket properties.
The <CORSConfiguration>
comes with some default values. That’s all I needed to solve your problem. Just click “Save” and try again to see if it worked. If it doesn’t, you could also try the code below (from alxrb answer) which seems to have worked for most of the people.
<?xml version="1.0" encoding="UTF-8"?> <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <CORSRule> <AllowedOrigin>*</AllowedOrigin> <AllowedMethod>GET</AllowedMethod> <AllowedMethod>HEAD</AllowedMethod> <MaxAgeSeconds>3000</MaxAgeSeconds> <AllowedHeader>Authorization</AllowedHeader> </CORSRule> </CORSConfiguration>
For further info, you can read this article on Editing Bucket Permission.
I was having a similar problem with loading web fonts, when I clicked on ‘add CORS configuration’, in the bucket properties, this code was already there:
<?xml version="1.0" encoding="UTF-8"?> <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <CORSRule> <AllowedOrigin>*</AllowedOrigin> <AllowedMethod>GET</AllowedMethod> <AllowedMethod>HEAD</AllowedMethod> <MaxAgeSeconds>3000</MaxAgeSeconds> <AllowedHeader>Authorization</AllowedHeader> </CORSRule> </CORSConfiguration>
I just clicked save and it worked a treat, my custom web fonts were loading in IE & Firefox. I’m no expert on this, I just thought this might help you out.
If your request doesn’t specify an Origin
header, S3 won’t include the CORS headers in the response. This really threw me because I kept trying to curl the files to test the CORS but curl doesn’t include Origin
.
@jordanstephens said this in a comment, but it kind of gets lost and was a really easy fix for me.
I simply added HEAD method and clicked saved and it started working.
<CORSConfiguration> <CORSRule> <AllowedOrigin>*</AllowedOrigin> <AllowedMethod>GET</AllowedMethod> <AllowedMethod>HEAD</AllowedMethod> <!-- Add this --> <MaxAgeSeconds>3000</MaxAgeSeconds> <AllowedHeader>Authorization</AllowedHeader> </CORSRule> </CORSConfiguration>
This is a simple way to make this work.
I know this is an old question, but still is hard to find a solution.
To start, this worked for me on a project built with Rails 4, Paperclip 4, CamanJS, Heroku and AWS S3.
You have to request your image using the crossorigin: "anonymous"
parameter.
<img href="your-remote-image.jpg" crossorigin="anonymous">
Add your site URL to CORS in AWS S3. Here is a refference from Amazon about that. Pretty much, just go to your bucket, and then select "Properties" from the tabs on the right, open "Permissions tab and then, click on "Edit CORS Configuration".
Originally, I had
< AllowedOrigin>
set to*
. Just change that asterisk to your URL, be sure to include options likehttp://
andhttps://
in separate lines. I was expecting that the asterisk accepts "All", but apparently we have to be more specific than that.
This is how it looks for me.
See above answers. (but I had a chrome bug too)
Don’t load and display the image on the page in CHROME. (if you are going to later create a new instance)
In my case, I loaded images and displayed them on the page. When they were clicked, I created a new instance of them:
// there is already an html <img /> on the page, I'm creating a new one now img = $('<img crossorigin />')[0] img.onload = function(){ context.drawImage(img, 0, 0) context.getImageData(0,0,w,h) } img.src = 'http://s3.amazonaws.com/my/image.png'; // I added arbitrary ?crossorigin to change the URL of this to fix it
Chrome had already cached another version and NEVER tried to re-fetch the crossorigin
version(even if I was using crossorigin
on the displayed images.
To fix, I added ?crossorigin
to the end of the image url(but you could add ?blah
, it’s just arbitrary to change the cache status) when I loaded it for canvas.. Let me know if you find a better fix for CHROME
I’ll just add to this answer–above–which solved my issue.
To set AWS/CloudFront Distribution Point to torward the CORS Origin Header, click into the edit interface for the Distribution Point:
Go to the behaviors tab and edit the behavior, changing “Cache Based on Selected Request Headers” from None to Whitelist, then make sure Origin
is added to the whitelisted box. See Configuring CloudFront to Respect CORS Settings in the AWS Docs for more.
I was having similar problems loading 3D models from S3 into a javascript 3D viewer (3D HOP), but strangely enough only with certain file types (.nxs).
What fixed it for me was changing AllowedHeader
from the default Authorization
to *
in the CORS config:
<?xml version="1.0" encoding="UTF-8"?> <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <CORSRule> <AllowedOrigin>*</AllowedOrigin> <AllowedMethod>GET</AllowedMethod> <MaxAgeSeconds>3000</MaxAgeSeconds> <AllowedHeader>*</AllowedHeader> </CORSRule> </CORSConfiguration>
Like others have states, you first need to have the CORS configuration in your S3 bucket:
<CORSConfiguration> <CORSRule> <AllowedOrigin>*</AllowedOrigin> <AllowedMethod>GET</AllowedMethod> <AllowedMethod>HEAD</AllowedMethod> <!-- Add this --> <MaxAgeSeconds>3000</MaxAgeSeconds> <AllowedHeader>Authorization</AllowedHeader> </CORSRule> </CORSConfiguration>
But in my case after doing that, it was still not working. I was using Chrome (probably the same problem with other browsers).
The problem was that Chrome was caching the image with the headers (not containing the CORS data), so no matter what I tried to change in AWS, I would not see my CORS headers.
After clearing Chrome cache and reloading the page, the image had the expected CORS Headers
I tried all answers above and nothing worked. Actually, we need 3 steps from above answers together to make it work:
-
As suggested by Flavio; add CORS configuration on your bucket:
<CORSConfiguration> <CORSRule> <AllowedOrigin>*</AllowedOrigin> <AllowedMethod>GET</AllowedMethod> </CORSRule> </CORSConfiguration>
-
On the image; mention crossorigin:
<img href="abc.jpg" crossorigin="anonymous">
-
Are you using a CDN? If everything works fine connecting to origin server but NOT via CDN; it means you need some setting on your CDN like accept CORS headers. Exact setting depends on which CDN you are using.