CORS (Cross-Origin Resource Sharing) is a cross-origin resource sharing technology that allows you to determine how client web applications loaded in one domain interact with resources in another domain.
In other words, it is a mechanism that uses additional HTTP headers to enable a user agent to obtain permissions to access selected resources from a server at a source (domain) other than what the site is currently using.
CORS supports cross-domain requests and data transfer between the browser and web servers over a secure connection. Modern browsers use CORS in API containers such as XMLHttpRequest or Fetch to mitigate the inherent risks of requests from other sources.
Use cases for CORS are listed below.
- Scenario # 2 . For example, you need to place a web font from the service bucket on your resources. Browsers make sure to do CORS checking (pre-check) for loading web fonts, so you need to configure the bucket hosting the web font on its resources to allow requests from any source.
Creating a CORS Rule
The "Object Storage" service supports the technology of cross-domain requests for resources in a bucket. You can create a rule on the CORS tab of the open bucket.
- AllowedOrigins - The website from which cross-domain bucket requests are allowed. Can contain at most one * character
- AllowedMethods - HTTP method allowed for cross-domain request. It is allowed to use several methods in one rule
- MaxAgeSeconds - time in seconds during which the browser saves the result of a request to an object in the cache using the options method
- AllowedHeaders - the allowed header in the request to the object. You can use a single * character in the header name to define a template. Object Storage maps the headers passed in Access-Control-Request-Headers to the AllowedHeaders set and responds to options with a list of allowed ones
If necessary, you can add multiple parameter values in the Rule Designer.