Cross-origin resource sharing (CORS)

Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. You can get more information on the subject from this document from Amazon.

It is important to understand that the ACLs and policies continue to apply when you enable CORS on the bucket. Changing the CORS rules for a bucket does not have any impact on its ACL and policies.

When using Yarkon, enabling CORS is always necessary.

Enabling CORS Automatically

The recommended way to update the CORS settings of many buckets at once is to use the Yarkon Admin Console.

Bucket List

Use Yarkon Admin Console to view the list of buckets the server has access to. No matter which security model you elect to use, no Yarkon end user will ever get access to a bucket that is not listed here.

The bucket list shows the region, creation date and CORS status of each bucket; when "Display Names" are in use for buckets, the display name you set for each bucket is shown as well.

Bucket List

Initially, for performance reasons, the CORS status of each bucket is displayed as "N/A" (Not Available) until you analyze the bucket to determine its current state.

Analyzing and Updating CORS

To analyze CORS for a single bucket, use the action button next to its name and choose Analyze CORS from the context menu. To analyze CORS for multiple buckets, check the boxes next to their names, then click the Analyze CORS button in the toolbar. The status of each bucket updates once its analysis completes.

Enable CORS Settings

After you have analyzed the CORS status and determined that an update is required for one or more buckets, enable CORS for those buckets. To enable CORS for a single bucket, use the action button next to its name and choose Update CORS from the context menu. To enable CORS for multiple buckets, check the boxes next to their names, then click the Update CORS button in the toolbar. In the pop-up form, specify the origin you want to allow and approve the change.

Update CORS Settings

You only need to update the CORS rules for buckets you expect end users to be using with Yarkon.

Enabling CORS Manually

If you prefer to update the CORS rules of your S3 buckets manually using the Amazon Console, go to the S3 service and, for each bucket that end users need to access, click the bucket, open the "Permissions" tab and use the "CORS Configuration" button to edit the CORS rules for that bucket.

Note that Amazon takes a short time to process the change, and because browsers cache CORS responses it may take a few minutes before you can access the newly updated bucket.

Below, the CORS policy is given both as JSON (the newer format) and as XML (for backward compatibility); choose the format that matches the editor you use.

All origins

To allow access from all origins, use * (the star character) as the origin, like so:

JSON:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "POST",
            "DELETE",
            "HEAD"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [
            "ETag",
            "x-amz-server-side-encryption",
            "x-amz-restore"
        ],
        "MaxAgeSeconds": 3000
    }
]

XML:

<CORSConfiguration>
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>HEAD</AllowedMethod>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <ExposeHeader>ETag</ExposeHeader>
        <ExposeHeader>x-amz-server-side-encryption</ExposeHeader>
        <ExposeHeader>x-amz-restore</ExposeHeader>
        <AllowedHeader>*</AllowedHeader>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
    </CORSRule>
</CORSConfiguration>

Allowing all origins is useful if you run different editions of Yarkon at the same time, or if you plan to change the edition you use in the future.

Yarkon Cloud

The following is the CORS rule to use to allow access by Yarkon Cloud:

JSON:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "POST",
            "DELETE",
            "HEAD"
        ],
        "AllowedOrigins": [
            "https://app.yarkons3.com"
        ],
        "ExposeHeaders": [
            "ETag",
            "x-amz-server-side-encryption",
            "x-amz-restore"
        ],
        "MaxAgeSeconds": 3000
    }
]

XML:

<CORSConfiguration>
    <CORSRule>
        <AllowedOrigin>https://app.yarkons3.com</AllowedOrigin>
        <AllowedMethod>HEAD</AllowedMethod>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <ExposeHeader>ETag</ExposeHeader>
        <ExposeHeader>x-amz-server-side-encryption</ExposeHeader>
        <ExposeHeader>x-amz-restore</ExposeHeader>
        <AllowedHeader>*</AllowedHeader>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
    </CORSRule>
</CORSConfiguration>

Yarkon Server

The following is the CORS rule to use to allow access by Yarkon Server. Replace the origin URL with the DNS name you assigned to Yarkon in your organization.

JSON:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "POST",
            "DELETE",
            "HEAD"
        ],
        "AllowedOrigins": [
            "https://yarkon.mycompany.com"
        ],
        "ExposeHeaders": [
            "ETag",
            "x-amz-server-side-encryption",
            "x-amz-restore"
        ],
        "MaxAgeSeconds": 3000
    }
]

XML:

<CORSConfiguration>
    <CORSRule>
        <AllowedOrigin>https://yarkon.mycompany.com</AllowedOrigin>
        <AllowedMethod>HEAD</AllowedMethod>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <ExposeHeader>ETag</ExposeHeader>
        <ExposeHeader>x-amz-server-side-encryption</ExposeHeader>
        <ExposeHeader>x-amz-restore</ExposeHeader>
        <AllowedHeader>*</AllowedHeader>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
    </CORSRule>
</CORSConfiguration>
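The following Python script is an added example, not part of Yarkon or of this page. It reproduces in code the Analyze CORS and Update CORS steps described in the Admin Console section above, using the rule shown in the Yarkon Cloud and Yarkon Server sections. The analysis functions run offline against a constructed sample rule set embedded in the script; the S3 calls assume boto3 is installed and that the credentials in use hold the s3:GetBucketCORS and s3:PutBucketCORS permissions, and they run only when apply_cors_rule() is invoked. A bucket whose existing rules already cover the origin is left untouched, and rules that other applications placed on the bucket are kept rather than overwritten. As the page notes, CORS rules decide only which browser origins may call the bucket; the bucket's ACL and policies still decide who is actually granted access.

```python
"""Analyze and update an S3 bucket's CORS rules for a Yarkon origin.

Added example, not Yarkon's own code. The rule built here mirrors the JSON
shown on this page; the S3 calls use boto3 (assumed installed) and run only
when apply_cors_rule() is invoked.
"""
from typing import List, Optional

# What the page's rule requires a bucket to allow for the Yarkon origin.
REQUIRED_METHODS = {"GET", "PUT", "POST", "DELETE", "HEAD"}
REQUIRED_EXPOSE_HEADERS = {"etag", "x-amz-server-side-encryption", "x-amz-restore"}


def build_cors_rule(origin: str) -> dict:
    """Return this page's CORS rule for one origin ("*" allows all origins)."""
    return {
        "AllowedHeaders": ["*"],
        "AllowedMethods": ["GET", "PUT", "POST", "DELETE", "HEAD"],
        "AllowedOrigins": [origin],
        "ExposeHeaders": ["ETag", "x-amz-server-side-encryption", "x-amz-restore"],
        "MaxAgeSeconds": 3000,
    }


def rule_problems(rule: dict, origin: str) -> List[str]:
    """List what stops `rule` from serving `origin`; an empty list means it is sufficient."""
    problems = []
    origins = rule.get("AllowedOrigins", [])
    if "*" not in origins and origin not in origins:
        problems.append(f"origin {origin} not allowed (AllowedOrigins={origins})")
    missing_methods = REQUIRED_METHODS - {m.upper() for m in rule.get("AllowedMethods", [])}
    if missing_methods:
        problems.append("missing AllowedMethods: " + ", ".join(sorted(missing_methods)))
    if "*" not in rule.get("AllowedHeaders", []):
        problems.append("AllowedHeaders does not include *")
    # Header names are case-insensitive, so compare them in lower case.
    exposed = {h.lower() for h in rule.get("ExposeHeaders", [])}
    missing_exposed = REQUIRED_EXPOSE_HEADERS - exposed
    if missing_exposed:
        problems.append("missing ExposeHeaders: " + ", ".join(sorted(missing_exposed)))
    return problems


def analyze_cors(rules: Optional[List[dict]], origin: str) -> str:
    """Classify a bucket's CORS state for `origin`, like the console's Analyze CORS step.

    Returns "missing" (no CORS configuration at all), "ok" (some rule already
    covers the origin) or "update-required" (rules exist but none is sufficient).
    """
    if not rules:
        return "missing"
    if any(not rule_problems(rule, origin) for rule in rules):
        return "ok"
    return "update-required"


def merged_rules(rules: Optional[List[dict]], origin: str) -> List[dict]:
    """Rules to write back: the existing ones, plus this page's rule if none covers `origin`.

    Existing rules are kept so that other applications sharing the bucket keep working.
    """
    rules = list(rules or [])
    if analyze_cors(rules, origin) == "ok":
        return rules
    return rules + [build_cors_rule(origin)]


def fetch_cors_rules(s3, bucket: str) -> Optional[List[dict]]:
    """Current rules of `bucket`, or None when it has no CORS configuration (needs boto3)."""
    from botocore.exceptions import ClientError
    try:
        return s3.get_bucket_cors(Bucket=bucket)["CORSRules"]
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "NoSuchCORSConfiguration":
            return None
        raise


def apply_cors_rule(s3, bucket: str, origin: str) -> str:
    """Analyze `bucket` and update it only if needed; returns the status found before the update."""
    current = fetch_cors_rules(s3, bucket)
    status = analyze_cors(current, origin)
    if status != "ok":
        s3.put_bucket_cors(Bucket=bucket,
                           CORSConfiguration={"CORSRules": merged_rules(current, origin)})
    return status


# Constructed sample: a bucket that already carries a GET-only rule for another application.
SAMPLE_EXISTING_RULES = [
    {
        "AllowedHeaders": ["Authorization"],
        "AllowedMethods": ["GET"],
        "AllowedOrigins": ["https://reports.example.com"],
        "ExposeHeaders": ["ETag"],
        "MaxAgeSeconds": 300,
    }
]

if __name__ == "__main__":
    import sys
    origin = "https://yarkon.mycompany.com"  # replace with your Yarkon origin
    print("sample bucket:", analyze_cors(SAMPLE_EXISTING_RULES, origin))
    for problem in rule_problems(SAMPLE_EXISTING_RULES[0], origin):
        print("  -", problem)
    if len(sys.argv) == 3:  # usage: python cors_check.py <bucket> <origin> (hypothetical file name)
        import boto3  # needs credentials with s3:GetBucketCORS and s3:PutBucketCORS
        print(sys.argv[1], apply_cors_rule(boto3.client("s3"), sys.argv[1], sys.argv[2]))
```

Run without arguments to see the analysis of the constructed sample, which reports "update-required" together with the reasons (origin not allowed, missing methods, no wildcard AllowedHeaders, missing ExposeHeaders). With a bucket name and origin it performs the same analysis against the real bucket and appends the page's rule only when no existing rule already covers that origin, so running it twice leaves the second run as a no-op.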