How Lightsail evaluates CORS configurations
When Lightsail object storage receives a preflight request from a browser, it evaluates the CORS configuration for the bucket and uses the first CORS rule that matches the incoming browser request to enable a cross-origin request. For a rule to match, the following conditions must be met:
- The Origin header in the request must match an origin in the AllowedOrigins element.
- The HTTP method specified in the Access-Control-Request-Method header must match a method in the AllowedMethods element.
- The headers listed in the Access-Control-Request-Headers header must match headers in the AllowedHeaders element.
Note
Bucket permissions continue to apply when you enable CORS on your bucket. CORS configuration only determines whether the browser allows the cross-origin request to proceed. For more information, see Control access to Lightsail buckets and objects.
Elements of a CORS configuration
A CORS configuration is a JSON document that contains an array of CORS rules. Each rule defines which origins are allowed to access the bucket, which HTTP methods are permitted, and other configuration options.
The following elements can be included in a CORS rule:
- allowedOrigins: Specifies the origins that are allowed to access the bucket. You can use wildcards (*) to allow all origins, or specify specific domains like https://example.com.
- allowedMethods: Specifies the HTTP methods that are allowed for the specified origins. Valid values include GET, PUT, POST, DELETE, and HEAD.
- allowedHeaders: Specifies which headers are allowed in a preflight OPTIONS request through the Access-Control-Request-Headers header.
- exposeHeaders: Specifies which headers in the response can be accessed by the client application.
- id: A unique identifier for the CORS rule.
- maxAgeSeconds: Specifies the amount of time in seconds that the browser can cache the response for a preflight request.
For more information about these parameters, see BucketCorsRule in the Amazon Lightsail API Reference.
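The first-match evaluation described above and the rule elements listed here, as an added Python example that is not Lightsail's own code: it walks a constructed list of rules in order, applies the three matching conditions (origin, method, headers), and builds the preflight response headers from the matched rule. It assumes only the bare "*" origin wildcard and an exact match for any other origin entry; the rule contents are constructed sample values. Because the first matching rule wins, a broad "*" rule placed ahead of a stricter one would shadow it, which is why order matters when reviewing a configuration.

```python
# Added example: evaluates a browser preflight against Lightsail-style CORS rules.
# Constructed configuration; rules are checked in order and the first match wins.
CORS_RULES = [
    {"id": "app-full", "allowedOrigins": ["https://app.example.com"],
     "allowedMethods": ["GET", "PUT", "DELETE"],
     "allowedHeaders": ["Authorization", "Content-Type"],
     "exposeHeaders": ["ETag"], "maxAgeSeconds": 300},
    {"id": "public-read", "allowedOrigins": ["*"],
     "allowedMethods": ["GET", "HEAD"], "allowedHeaders": [], "maxAgeSeconds": 60},
]

def _origin_ok(origin, allowed):
    # Assumption: only the bare "*" wildcard; any other entry must match exactly.
    return "*" in allowed or origin in allowed

def _headers_ok(requested, allowed):
    # Header names are case-insensitive; every requested header must be allowed.
    allowed_lc = {h.lower() for h in allowed}
    return "*" in allowed_lc or all(h.lower() in allowed_lc for h in requested)

def match_preflight(rules, origin, method, request_headers):
    """Return the first rule matching the preflight, or None (browser blocks)."""
    for rule in rules:
        if not _origin_ok(origin, rule.get("allowedOrigins", [])):
            continue
        if method.upper() not in {m.upper() for m in rule.get("allowedMethods", [])}:
            continue
        if not _headers_ok(request_headers, rule.get("allowedHeaders", [])):
            continue
        return rule
    return None

def preflight_response(rule, origin):
    """Headers the matched rule yields in the OPTIONS response ({} if no match)."""
    if rule is None:
        return {}  # No CORS headers: the browser refuses the cross-origin call.
    headers = {
        "Access-Control-Allow-Origin": "*" if "*" in rule["allowedOrigins"] else origin,
        "Access-Control-Allow-Methods": ", ".join(rule["allowedMethods"]),
        "Access-Control-Allow-Headers": ", ".join(rule.get("allowedHeaders", [])),
        "Access-Control-Max-Age": str(rule.get("maxAgeSeconds", 0)),
    }
    if rule.get("exposeHeaders"):
        headers["Access-Control-Expose-Headers"] = ", ".join(rule["exposeHeaders"])
    return headers
```

Note that bucket permissions still apply after a rule matches; a matching rule only tells the browser the request may proceed.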