I'm trying to perform a signed resumable upload to GCS. Our frontend is running up against CORS restrictions on the initial request:
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
The response headers show no CORS headers:
alt-svc: quic=":443"; ma=2592000; v="44,43,39,35"
cache-control: private, max-age=0
content-length: 0
content-type: text/html; charset=UTF-8
date: Tue, 13 Nov 2018 20:28:32 GMT
expires: Tue, 13 Nov 2018 20:28:32 GMT
server: UploadServer
status: 200
x-guploader-uploadid: AEnB2Ups1tKbTbhPmsjrPXbIuIUyQt135AlSJ1n7-7XTwMrtQ2vUvn1WwpX3a_iusfmsXHaufdf5B3H2PzmDONs2wW7tKkLarYoxrVyWalhaX6FzGQPoRW0
Debugging, I sent a curl request mimicking our frontend's request:
curl -H "Access-Control-Request-Headers: content-type,x-goog-resumable" \
-H "Access-Control-Request-Method: POST" \
-H "Origin: https://www.example.com" \
-X OPTIONS -I https://storage.googleapis.com/bucket/...
Again, the response contains no CORS response headers:
HTTP/2 200
x-guploader-uploadid: AEnB2UqwKiRSJjHjF9mzsZRMODdQmF6xhUAhdeEenuD0_WXmxpVA6n0i_HWY2NOJxvXS2t_I4IoFW_yvz6lssMz_HVmvlswL5NilGC3wE2YT0-L9aD7Pf1Q
date: Tue, 13 Nov 2018 21:39:53 GMT
expires: Tue, 13 Nov 2018 21:39:53 GMT
cache-control: private, max-age=0
content-length: 0
server: UploadServer
content-type: text/html; charset=UTF-8
alt-svc: quic=":443"; ma=2592000; v="44,43,39,35"
I've set my bucket CORS settings with gsutil cors set cors.json gs://bucket
where cors.json contains [{"maxAgeSeconds": 3600, "method": ["GET", "POST", "PUT", "OPTIONS"], "origin": ["*"]}]
Am I missing something here?
You set a CORS configuration on a bucket by specifying information, such as HTTP methods and originating domains, that identify the types of requests the bucket can accept. You cannot manage CORS using the console. Use gsutil instead. Create a JSON file with the CORS configuration you would like to apply.
If the server is under your control, add the origin of the requesting site to the set of domains permitted access by adding it to the Access-Control-Allow-Origin header's value. You can also configure a site to allow any site to access it by using the * wildcard. You should only use this for public APIs.
JSON API endpoints allow CORS requests, regardless of CORS configuration on the target bucket. XML API endpoints accept CORS requests based on the CORS configuration on the target bucket. The authenticated browser download endpoint storage.cloud.google.com does not allow CORS requests.
The access-control-allow-origin plugin essentially turns off the browser's same-origin policy. For every request, it will add the Access-Control-Allow-Origin: * header to the response. It tricks the browser, and overrides the CORS header that the server has in place with the open wildcard value.
I have found a solution. I had to add x-goog-resumable to the list of response headers.
My CORS file is:
[
  {
    "origin": ["*"],
    "responseHeader": [
      "Content-Type",
      "Access-Control-Allow-Origin",
      "x-goog-resumable"
    ],
    "method": ["GET", "HEAD", "DELETE", "POST", "OPTIONS"],
    "maxAgeSeconds": 3600
  }
]
At least the preflight started to work.
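To see why the first cors.json failed the preflight and the second one passes, here is an added example (not code from the question or either answer) that simulates how a bucket CORS configuration is matched against a browser's OPTIONS request: the origin, the method and every name in Access-Control-Request-Headers must all be covered by a single entry, and any header missing from responseHeader sinks the whole match. The matching rules are an approximation of the documented GCS behaviour written for illustration; the helper names, the echoed Allow-Origin value and the two sample configs (copied from the question and the answer above) are assumptions of this example, so use it to sanity-check a config before gsutil cors set, not as a substitute for the real preflight.

```python
"""Simulate GCS bucket CORS matching for a browser preflight (OPTIONS) request.

Added example, not code from the question or answers. The rules are an
approximation of documented GCS behaviour: one CORS entry must allow the
origin, the method and every header the browser asks for. Helper names,
sample configs and the echoed Allow-Origin value are constructed assumptions.
"""
import json

# Constructed sample: the asker's original config (no responseHeader at all).
ORIGINAL_CORS = json.dumps([
    {"maxAgeSeconds": 3600,
     "method": ["GET", "POST", "PUT", "OPTIONS"],
     "origin": ["*"]}
])

# Constructed sample: the config from the accepted answer.
FIXED_CORS = json.dumps([
    {"origin": ["*"],
     "responseHeader": ["Content-Type", "Access-Control-Allow-Origin",
                        "x-goog-resumable"],
     "method": ["GET", "HEAD", "DELETE", "POST", "OPTIONS"],
     "maxAgeSeconds": 3600}
])


def _origin_allowed(entry, origin):
    """True if the entry lists the exact origin or the '*' wildcard."""
    return any(o == "*" or o.lower() == origin.lower()
               for o in entry.get("origin", []))


def match_preflight(cors_json, origin, method, request_headers):
    """Return the CORS response headers a preflight would get, or None when no
    entry matches (the browser then reports the 'No Access-Control-Allow-Origin'
    error seen in the question).

    request_headers: header names taken from Access-Control-Request-Headers.
    """
    entries = json.loads(cors_json)
    wanted = {h.strip().lower() for h in request_headers}
    for entry in entries:
        if not _origin_allowed(entry, origin):
            continue
        if method.upper() not in {m.upper() for m in entry.get("method", [])}:
            continue
        exposed = {h.lower() for h in entry.get("responseHeader", [])}
        # Every header the browser intends to send must appear in responseHeader;
        # this is the check the original config failed for x-goog-resumable.
        if not wanted <= exposed:
            continue
        return {
            # Echoing the requesting origin is an assumption of this simulation.
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ", ".join(entry["method"]),
            "Access-Control-Allow-Headers": ", ".join(entry.get("responseHeader", [])),
            "Access-Control-Max-Age": str(entry.get("maxAgeSeconds", 0)),
        }
    return None


def missing_request_headers(cors_json, request_headers):
    """Preflight headers that no entry lists in responseHeader: the usual
    reason a config that looks right still fails the preflight."""
    entries = json.loads(cors_json)
    listed = {h.lower() for e in entries for h in e.get("responseHeader", [])}
    return sorted(h for h in request_headers if h.lower() not in listed)


def wildcard_origin_entries(cors_json):
    """Indexes of entries that allow any origin ('*'). Fine for public data;
    worth a second look on a bucket that receives authenticated uploads."""
    entries = json.loads(cors_json)
    return [i for i, e in enumerate(entries) if "*" in e.get("origin", [])]


if __name__ == "__main__":
    # The request from the question: POST with content-type and x-goog-resumable.
    req = ("https://www.example.com", "POST", ["content-type", "x-goog-resumable"])
    print("original config :", match_preflight(ORIGINAL_CORS, *req))
    print("missing headers :", missing_request_headers(ORIGINAL_CORS, req[2]))
    print("fixed config    :", match_preflight(FIXED_CORS, *req))
    print("wildcard entries:", wildcard_origin_entries(FIXED_CORS))
```

Running the script shows the original config returning None for the resumable-upload preflight, with both request headers reported as missing, while the fixed config returns a full set of CORS headers. wildcard_origin_entries is there because both configs use "*", which the first answer notes is only appropriate for public APIs; for a bucket that only ever receives signed uploads from one site, listing that site's origin is the tighter setting.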