Missing Access-Control-Allow-Origin headers from Amazon S3 bucket

Question

I have the following CORS configuration for my Amazon S3 bucket. The thing is that the configuration seems to be completely ignored. I do not get any Access-Control-Allow-Origin headers when requesting objects from the bucket. Does or did anyhome have a similar issue or debugging hints?

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>http://www.example.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
<CORSRule>
    <AllowedOrigin>http://localhost:8100</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>

This is my bucket policy:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AddPerm",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example.com/*"
    }
]}

Answer 1

You must supply an Origin header on the request in order to get the Access-Control-Allow-Origin header on the response.

Using curl:

$ curl -XGET -H 'Origin: www.example.com' https://my-bucket.s3.amazonaws.com/doc/2006-03-01/

Note that--contrary to the documentation--CORS configuration is honored even if you do not enable "Static Website Hosting" on the bucket. You can access the bucket either by the bucket subdomain (as above) or via the full path: https://s3.amazonaws.com/my-bucket/doc/2006-03-01