Configuring cross-origin resource sharing (CORS)

Go to concepts

Cross Origin Resource Sharing (CORS) allows interactions between resources from different origins, something that is normally prohibited in order to prevent malicious behavior. Use this topic to learn how to configure CORS on a Cloud Storage bucket.

Configuring CORS on a bucket

You set a CORS configuration on a bucket by specifying information, such as HTTP methods and originating domains, that identify the types of requests it will accept. You can use the gsutil command-line tool, the XML API, the JSON API, or the client libraries for Cloud Storage to set CORS configuration on a bucket.

The following example shows how to configure CORS on your bucket:

gsutil

Create a JSON file that contains the following:
```
[
    {
      "origin": ["ORIGIN"],
      "method": ["METHOD"],
      "responseHeader": ["HEADER"],
      "maxAgeSeconds": MAX-AGE
    }
]
```
Where:
- ORIGIN is an origin allowed for cross origin resource sharing with this bucket. For example, example.appspot.com.
- METHOD is an HTTP method allowed for cross origin resource sharing with this bucket. For example, GET or PUT.
- HEADER is a header allowed for cross origin resource sharing with this bucket. For example, Content-Type.
- MAX-AGE is the number of seconds the browser is allowed to make requests before it must repeat the preflight request. For example, 3600.
For more information, see Elements of a CORS configuration.
Use the gsutil cors command to configure CORS on a bucket:
```
gsutil cors set JSON_FILE_NAME.json gs://BUCKET_NAME
```
Where
- JSON_FILE_NAME is the path to the JSON file you created in Step 1.
- BUCKET_NAME is the name of the bucket. For example, my-bucket.

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation.

View on GitHub Feedback

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name,
   std::string const& origin) {
  StatusOr<gcs::BucketMetadata> original =
      client.GetBucketMetadata(bucket_name);

  if (!original) throw std::runtime_error(original.status().message());
  std::vector<gcs::CorsEntry> cors_configuration;
  cors_configuration.emplace_back(
      gcs::CorsEntry{3600, {"GET"}, {origin}, {"Content-Type"}});

  StatusOr<gcs::BucketMetadata> patched_metadata = client.PatchBucket(
      bucket_name,
      gcs::BucketMetadataPatchBuilder().SetCors(cors_configuration),
      gcs::IfMetagenerationMatch(original->metageneration()));

  if (!patched_metadata) {
    throw std::runtime_error(patched_metadata.status().message());
  }

  if (patched_metadata->cors().empty()) {
    std::cout << "Cors configuration is not set for bucket "
              << patched_metadata->name() << "\n";
    return;
  }

  std::cout << "Cors configuration successfully set for bucket "
            << patched_metadata->name() << "\nNew cors configuration: ";
  for (auto const& cors_entry : patched_metadata->cors()) {
    std::cout << "\n  " << cors_entry << "\n";
  }
}

Java

For more information, see the Cloud Storage Java API reference documentation.

View on GitHub Feedback

import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Cors;
import com.google.cloud.storage.HttpMethod;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import com.google.common.collect.ImmutableList;

public class ConfigureBucketCors {
  public static void configureBucketCors(
      String projectId,
      String bucketName,
      String origin,
      String responseHeader,
      Integer maxAgeSeconds) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // The origin for this CORS config to allow requests from
    // String origin = "http://example.appspot.com";

    // The response header to share across origins
    // String responseHeader = "Content-Type";

    // The maximum amount of time the browser can make requests before it must repeat preflighted
    // requests
    // Integer maxAgeSeconds = 3600;

    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
    Bucket bucket = storage.get(bucketName);

    // See the HttpMethod documentation for other HTTP methods available:
    // https://cloud.google.com/appengine/docs/standard/java/javadoc/com/google/appengine/api/urlfetch/HTTPMethod
    HttpMethod method = HttpMethod.GET;

    Cors cors =
        Cors.newBuilder()
            .setOrigins(ImmutableList.of(Cors.Origin.of(origin)))
            .setMethods(ImmutableList.of(method))
            .setResponseHeaders(ImmutableList.of(responseHeader))
            .setMaxAgeSeconds(maxAgeSeconds)
            .build();

    bucket.toBuilder().setCors(ImmutableList.of(cors)).build().update();

    System.out.println(
        "Bucket "
            + bucketName
            + " was updated with a CORS config to allow GET requests from "
            + origin
            + " sharing "
            + responseHeader
            + " responses across origins");
  }
}

C#

For more information, see the Cloud Storage C# API reference documentation.

You cannot currently configure CORS with the C# client library.

Go

For more information, see the Cloud Storage Go API reference documentation.

To set a CORS configuration for a bucket using Go, see the CORS reference documentation.

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

To set a CORS configuration for a bucket using NodeJS, see the Bucket reference documentation.

PHP

For more information, see the Cloud Storage PHP API reference documentation.

To set a CORS configuration for a bucket using PHP, see the Google\Cloud\Storage\Bucket reference documentation.

Python

For more information, see the Cloud Storage Python API reference documentation.

To set a CORS configuration for a bucket using Python, see the cors reference documentation.

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

To set a CORS configuration for a bucket using Ruby, see the Google::Cloud::Storage reference documentation.

REST APIs

JSON API

Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
Create a JSON file that contains the following:
```
{
 "cors": [
   {
     "origin": [
       "ORIGIN"
     ],
     "method": [
       "METHOD"
     ],
     "responseHeader": [
       "HEADER"
     ],
     "maxAgeSeconds": MAX-AGE
   }
 ]
}
```
Where:
- ORIGIN is an origin allowed for cross origin resource sharing with this bucket. For example, example.appspot.com.
- METHOD is an HTTP method allowed for cross origin resource sharing with this bucket. For example, GET or PUT.
- HEADER is a header allowed for cross origin resource sharing with this bucket. For example, Content-Type.
- MAX-AGE is the number of seconds the browser is allowed to make requests before it must repeat the preflight request. For example, 3600.
For more information, see Elements of a CORS configuration.
Use cURL to call the JSON API with a PATCH Bucket request:
```
curl --request PATCH \
 'https://storage.googleapis.com/storage/v1/b/BUCKET_NAME' \
 --header 'Authorization: Bearer OAUTH2_TOKEN' \
 --header 'Content-Type: application/json' \
 --data-binary @JSON_FILE_NAME.json
```
Where:
- BUCKET_NAME is the name of the bucket. For example, my-bucket.
- OAUTH2_TOKEN is the access token you generated in Step 1.
- JSON_FILE_NAME is the path to the file you created in Step 2.

XML API

Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
Create an XML file that contains the following:
```
<?xml version="1.0" encoding="UTF-8"?>
<CorsConfig>
 <Cors>
   <Origins>
     <Origin>ORIGIN</Origin>
   </Origins>
   <Methods>
     <Method>METHOD</Method>
   </Methods>
   <ResponseHeaders>
     <ResponseHeader>HEADER</ResponseHeader>
   </ResponseHeaders>
   <MaxAgeSec>MAX-AGE</MaxAgeSec>
 </Cors>
</CorsConfig>
```
Where:
- ORIGIN is an origin allowed for cross origin resource sharing with this bucket. For example, example.appspot.com.
- METHOD is an HTTP method allowed for cross origin resource sharing with this bucket. For example, GET or PUT.
- HEADER is a header allowed for cross origin resource sharing with this bucket. For example, Content-Type.
- MAX-AGE is the number of seconds the browser is allowed to make requests before it must repeat the preflight request. For example, 3600.
For more information, see Elements of a CORS configuration.
Use cURL to call the XML API with a Set Bucket CORS request:
```
curl -X PUT --data-binary @XML_FILE_NAME.xml \
-H "Authorization: Bearer OAUTH2_TOKEN" \
-H "x-goog-project-id: PROJECT_ID" \
"https://storage.googleapis.com/BUCKET_NAME?cors"
```
Where:
- BUCKET_NAME is the name of the bucket. For example, my-bucket.
- OAUTH2_TOKEN is the access token you generated in Step 1.
- PROJECT_ID is the ID of the project associated with the bucket. For example, my-project.
- XML_FILE_NAME is the path to the file you created in Step 2.

Viewing the CORS configuration for a bucket

To view the CORS configuration for a bucket:

gsutil

Use the gsutil cors command to get the CORS configuration of a bucket:

gsutil cors get gs://BUCKET_NAME

Where BUCKET_NAME is the name of the bucket. For example, my-bucket.

Code samples

To view the CORS configuration for a bucket using the client libraries, follow the instructions for displaying a bucket's metadata and look for the CORS field in the response:

C++

For more information, see the Cloud Storage C++ API reference documentation.

View on GitHub Feedback

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name) {
  StatusOr<gcs::BucketMetadata> bucket_metadata =
      client.GetBucketMetadata(bucket_name);

  if (!bucket_metadata) {
    throw std::runtime_error(bucket_metadata.status().message());
  }

  std::cout << "The metadata for bucket " << bucket_metadata->name() << " is "
            << *bucket_metadata << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

View on GitHub Feedback

private void GetBucketMetadata(string bucketName)
{
    var storage = StorageClient.Create();
    var bucket = storage.GetBucket(bucketName);
    Console.WriteLine($"Bucket:\t{bucket.Name}");
    Console.WriteLine($"Acl:\t{bucket.Acl}");
    Console.WriteLine($"Billing:\t{bucket.Billing}");
    Console.WriteLine($"Cors:\t{bucket.Cors}");
    Console.WriteLine($"DefaultEventBasedHold:\t{bucket.DefaultEventBasedHold}");
    Console.WriteLine($"DefaultObjectAcl:\t{bucket.DefaultObjectAcl}");
    Console.WriteLine($"Encryption:\t{bucket.Encryption}");
    if (bucket.Encryption != null)
    {
        Console.WriteLine($"KmsKeyName:\t{bucket.Encryption.DefaultKmsKeyName}");
    }
    Console.WriteLine($"Id:\t{bucket.Id}");
    Console.WriteLine($"Kind:\t{bucket.Kind}");
    Console.WriteLine($"Lifecycle:\t{bucket.Lifecycle}");
    Console.WriteLine($"Location:\t{bucket.Location}");
    Console.WriteLine($"LocationType:\t{bucket.LocationType}");
    Console.WriteLine($"Logging:\t{bucket.Logging}");
    Console.WriteLine($"Metageneration:\t{bucket.Metageneration}");
    Console.WriteLine($"Owner:\t{bucket.Owner}");
    Console.WriteLine($"ProjectNumber:\t{bucket.ProjectNumber}");
    Console.WriteLine($"RetentionPolicy:\t{bucket.RetentionPolicy}");
    Console.WriteLine($"SelfLink:\t{bucket.SelfLink}");
    Console.WriteLine($"StorageClass:\t{bucket.StorageClass}");
    Console.WriteLine($"TimeCreated:\t{bucket.TimeCreated}");
    Console.WriteLine($"Updated:\t{bucket.Updated}");
    Console.WriteLine($"Versioning:\t{bucket.Versioning}");
    Console.WriteLine($"Website:\t{bucket.Website}");
}

Go

For more information, see the Cloud Storage Go API reference documentation.

View on GitHub Feedback

import (
	"context"
	"fmt"
	"io"
	"time"

	"cloud.google.com/go/storage"
)

// getBucketMetadata gets the bucket metadata.
func getBucketMetadata(w io.Writer, bucketName string) (*storage.BucketAttrs, error) {
	// bucketName := "bucket-name"
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	attrs, err := client.Bucket(bucketName).Attrs(ctx)
	if err != nil {
		return nil, fmt.Errorf("Bucket(%q).Attrs: %v", bucketName, err)
	}
	fmt.Fprintf(w, "BucketName: %v\n", attrs.Name)
	fmt.Fprintf(w, "Location: %v\n", attrs.Location)
	fmt.Fprintf(w, "LocationType: %v\n", attrs.LocationType)
	fmt.Fprintf(w, "StorageClass: %v\n", attrs.StorageClass)
	fmt.Fprintf(w, "TimeCreated: %v\n", attrs.Created)
	fmt.Fprintf(w, "Metageneration: %v\n", attrs.MetaGeneration)
	fmt.Fprintf(w, "PredefinedACL: %v\n", attrs.PredefinedACL)
	if attrs.Encryption != nil {
		fmt.Fprintf(w, "DefaultKmsKeyName: %v\n", attrs.Encryption.DefaultKMSKeyName)
	}
	if attrs.Website != nil {
		fmt.Fprintf(w, "IndexPage: %v\n", attrs.Website.MainPageSuffix)
		fmt.Fprintf(w, "NotFoundPage: %v\n", attrs.Website.NotFoundPage)
	}
	fmt.Fprintf(w, "DefaultEventBasedHold: %v\n", attrs.DefaultEventBasedHold)
	if attrs.RetentionPolicy != nil {
		fmt.Fprintf(w, "RetentionEffectiveTime: %v\n", attrs.RetentionPolicy.EffectiveTime)
		fmt.Fprintf(w, "RetentionPeriod: %v\n", attrs.RetentionPolicy.RetentionPeriod)
		fmt.Fprintf(w, "RetentionPolicyIsLocked: %v\n", attrs.RetentionPolicy.IsLocked)
	}
	fmt.Fprintf(w, "RequesterPays: %v\n", attrs.RequesterPays)
	fmt.Fprintf(w, "VersioningEnabled: %v\n", attrs.VersioningEnabled)
	if attrs.Logging != nil {
		fmt.Fprintf(w, "LogBucket: %v\n", attrs.Logging.LogBucket)
		fmt.Fprintf(w, "LogObjectPrefix: %v\n", attrs.Logging.LogObjectPrefix)
	}
	if attrs.CORS != nil {
		fmt.Fprintln(w, "CORS:")
		for _, v := range attrs.CORS {
			fmt.Fprintf(w, "\tMaxAge: %v\n", v.MaxAge)
			fmt.Fprintf(w, "\tMethods: %v\n", v.Methods)
			fmt.Fprintf(w, "\tOrigins: %v\n", v.Origins)
			fmt.Fprintf(w, "\tResponseHeaders: %v\n", v.ResponseHeaders)
		}
	}
	if attrs.Labels != nil {
		fmt.Fprintf(w, "\n\n\nLabels:")
		for key, value := range attrs.Labels {
			fmt.Fprintf(w, "\t%v = %v\n", key, value)
		}
	}
	return attrs, nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

View on GitHub Feedback

import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.BucketInfo;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.util.Map;

public class GetBucketMetadata {
  public static void getBucketMetadata(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();

    // Select all fields. Fields can be selected individually e.g. Storage.BucketField.NAME
    Bucket bucket =
        storage.get(bucketName, Storage.BucketGetOption.fields(Storage.BucketField.values()));

    // Print bucket metadata
    System.out.println("BucketName: " + bucket.getName());
    System.out.println("DefaultEventBasedHold: " + bucket.getDefaultEventBasedHold());
    System.out.println("DefaultKmsKeyName: " + bucket.getDefaultKmsKeyName());
    System.out.println("Id: " + bucket.getGeneratedId());
    System.out.println("IndexPage: " + bucket.getIndexPage());
    System.out.println("Location: " + bucket.getLocation());
    System.out.println("LocationType: " + bucket.getLocationType());
    System.out.println("Metageneration: " + bucket.getMetageneration());
    System.out.println("NotFoundPage: " + bucket.getNotFoundPage());
    System.out.println("RetentionEffectiveTime: " + bucket.getRetentionEffectiveTime());
    System.out.println("RetentionPeriod: " + bucket.getRetentionPeriod());
    System.out.println("RetentionPolicyIsLocked: " + bucket.retentionPolicyIsLocked());
    System.out.println("RequesterPays: " + bucket.requesterPays());
    System.out.println("SelfLink: " + bucket.getSelfLink());
    System.out.println("StorageClass: " + bucket.getStorageClass().name());
    System.out.println("TimeCreated: " + bucket.getCreateTime());
    System.out.println("VersioningEnabled: " + bucket.versioningEnabled());
    if (bucket.getLabels() != null) {
      System.out.println("\n\n\nLabels:");
      for (Map.Entry<String, String> label : bucket.getLabels().entrySet()) {
        System.out.println(label.getKey() + "=" + label.getValue());
      }
    }
    if (bucket.getLifecycleRules() != null) {
      System.out.println("\n\n\nLifecycle Rules:");
      for (BucketInfo.LifecycleRule rule : bucket.getLifecycleRules()) {
        System.out.println(rule);
      }
    }
  }
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

View on GitHub Feedback

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function getBucketMetadata() {
  // Get bucket metadata.
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const bucketName = 'Name of a bucket, e.g. my-bucket';

  // Get Bucket Metadata
  const [metadata] = await storage.bucket(bucketName).getMetadata();

  for (const [key, value] of Object.entries(metadata)) {
    console.log(`${key}: ${value}`);
  }
}

PHP

For more information, see the Cloud Storage PHP API reference documentation.

View on GitHub Feedback

use Google\Cloud\Storage\StorageClient;

/**
 * Get bucket metadata.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 *
 * @return void
 */
function get_bucket_metadata($bucketName)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $info = $bucket->info();

    printf("Bucket Metadata: %s" . PHP_EOL, print_r($info));
}

Python

For more information, see the Cloud Storage Python API reference documentation.

View on GitHub Feedback

import pprint

from google.cloud import storage


def bucket_metadata(bucket_name):
    """Prints out a bucket's metadata."""
    # bucket_name = 'your-bucket-name'

    storage_client = storage.Client()
    bucket = storage_client.get_bucket(bucket_name)

    print("ID: {}".format(bucket.id))
    print("Name: {}".format(bucket.name))
    print("Storage Class: {}".format(bucket.storage_class))
    print("Location: {}".format(bucket.location))
    print("Location Type: {}".format(bucket.location_type))
    print("Cors: {}".format(bucket.cors))
    print(
        "Default Event Based Hold: {}".format(bucket.default_event_based_hold)
    )
    print("Default KMS Key Name: {}".format(bucket.default_kms_key_name))
    print("Metageneration: {}".format(bucket.metageneration))
    print(
        "Retention Effective Time: {}".format(
            bucket.retention_policy_effective_time
        )
    )
    print("Retention Period: {}".format(bucket.retention_period))
    print("Retention Policy Locked: {}".format(bucket.retention_policy_locked))
    print("Requester Pays: {}".format(bucket.requester_pays))
    print("Self Link: {}".format(bucket.self_link))
    print("Time Created: {}".format(bucket.time_created))
    print("Versioning Enabled: {}".format(bucket.versioning_enabled))
    print("Labels:")
    pprint.pprint(bucket.labels)

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

View on GitHub Feedback

# bucket_name = "Your Google Cloud Storage bucket name"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket  = storage.bucket bucket_name

puts "ID:                       #{bucket.id}"
puts "Name:                     #{bucket.name}"
puts "Storage Class:            #{bucket.storage_class}"
puts "Location:                 #{bucket.location}"
puts "Location Type:            #{bucket.location_type}"
puts "Cors:                     #{bucket.cors}"
puts "Default Event Based Hold: #{bucket.default_event_based_hold?}"
puts "Default KMS Key Name:     #{bucket.default_kms_key}"
puts "Logging Bucket:           #{bucket.logging_bucket}"
puts "Logging Prefix:           #{bucket.logging_prefix}"
puts "Metageneration:           #{bucket.metageneration}"
puts "Retention Effective Time: #{bucket.retention_effective_at}"
puts "Retention Period:         #{bucket.retention_period}"
puts "Retention Policy Locked:  #{bucket.retention_policy_locked?}"
puts "Requester Pays:           #{bucket.requester_pays}"
puts "Self Link:                #{bucket.api_url}"
puts "Time Created:             #{bucket.created_at}"
puts "Versioning Enabled:       #{bucket.versioning?}"
puts "Index Page:               #{bucket.website_main}"
puts "Not Found Page:           #{bucket.website_404}"
puts "Labels:"
bucket.labels.each do |key, value|
  puts " - #{key} = #{value}"
end

REST APIs

JSON API

Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
Use cURL to call the JSON API with a GET Bucket request:
```
curl -X GET \
    -H "Authorization: Bearer OAUTH2_TOKEN" \
    "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=cors"
```
Where:
- OAUTH2_TOKEN is the name of the access token you generated in Step 1.
- BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.

XML API

Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
Use cURL to call the XML API with a GET Bucket request:
```
curl -X GET \
  -H "Authorization: Bearer OAUTH2_TOKEN" \
  "https://storage.googleapis.com/BUCKET_NAME?cors"
```
Where:
- OAUTH2_TOKEN is the name of the access token you generated in Step 1.
- BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.

Removing CORS from a bucket

To remove the CORS configuration from a bucket:

gsutil

Create a JSON file that contains the following:
```
[]
```
Use the gsutil cors command to configure CORS on a bucket:
```
gsutil cors set JSON_FILE_NAME.json gs://BUCKET_NAME
```
Where
- JSON_FILE_NAME is the path to the JSON file you created in Step 1.
- BUCKET_NAME is the name of the bucket. For example, my-bucket.

Code samples

Java

For more information, see the Cloud Storage Java API reference documentation.

View on GitHub Feedback

import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Cors;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.util.ArrayList;
import java.util.List;

public class RemoveBucketCors {
  public static void removeBucketCors(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
    Bucket bucket =
        storage.get(bucketName, Storage.BucketGetOption.fields(Storage.BucketField.CORS));

    // getCors() returns the List and copying over to an ArrayList so it's mutable.
    List<Cors> cors = new ArrayList<>(bucket.getCors());

    // Clear bucket CORS configuration.
    cors.clear();

    // Update bucket to remove CORS.
    bucket.toBuilder().setCors(cors).build().update();
    System.out.println("Removed CORS configuration from bucket " + bucketName);
  }
}

C#

For more information, see the Cloud Storage C# API reference documentation.

You cannot currently work with CORS using the C# client library.

Go

For more information, see the Cloud Storage Go API reference documentation.

To work with CORS configurations for a bucket using Go, see the CORS reference documentation.

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

To work with CORS configurations for a bucket using NodeJS, see the Bucket reference documentation.

PHP

For more information, see the Cloud Storage PHP API reference documentation.

To work with CORS configurations for a bucket using PHP, see the Google\Cloud\Storage\Bucket reference documentation.

Python

For more information, see the Cloud Storage Python API reference documentation.

To work with CORS configurations for a bucket using Python, see the cors reference documentation.

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

To work with CORS configurations for a bucket using Ruby, see the Google::Cloud::Storage reference documentation.

REST APIs

JSON API

Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
Create a JSON file that contains the following:
```
{
 "cors": []
}
```
Use cURL to call the JSON API with a PATCH Bucket request:
```
curl --request PATCH \
'https://storage.googleapis.com/storage/v1/b/BUCKET_NAME' \
--header 'Authorization: Bearer OAUTH2_TOKEN' \
--header 'Content-Type: application/json' \
--data-binary @JSON_FILE_NAME.json
```
Where:
- BUCKET_NAME is the name of the bucket. For example, my-bucket.
- OAUTH2_TOKEN is the access token you generated in Step 1.
- JSON_FILE_NAME is the path to the file you created in Step 2.

XML API

Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
Create an XML file that contains the following:
```
<CorsConfig></CorsConfig>
```
Use cURL to call the XML API with a Set Bucket CORS request:
```
curl -X PUT --data-binary @XML_FILE_NAME.xml \
-H "Authorization: Bearer OAUTH2_TOKEN" \
-H "x-goog-project-id: PROJECT_ID" \
"https://storage.googleapis.com/BUCKET_NAME?cors"
```
Where:
- BUCKET_NAME is the name of the bucket. For example, my-bucket.
- OAUTH2_TOKEN is the access token you generated in Step 1.
- PROJECT_ID is the ID of the project associated with the bucket. For example, my-project.
- XML_FILE_NAME is the path to the file you created in Step 2.

Troubleshooting CORS requests

If you run into unexpected behavior when accessing Cloud Storage buckets from a different origin, try the following steps:

Use gsutil cors get on the target bucket to get its CORS configuration. If you have multiple CORS configuration entries, make sure that as you go through the following steps that the request values map to values in the same single CORS configuration entry.
Check that you are not making a request to the storage.cloud.google.com endpoint, which doesn't allow CORS requests. For more information about supported endpoints for CORS, see Cloud Storage CORS support.
Review a request and response using the tool of your choice. In a Chrome browser, you can use the standard developer tools to see this information:
1. Click the Chrome menu on the browser toolbar.
2. Select More Tools > Developer Tools.
3. Click the Network tab.
4. From your application or command line, send the request.
5. In the pane displaying the network activity, locate the request.
6. In the Name column, click the name corresponding to the request.
7. Click the Headers tab to see the response headers, or the Response tab to see the content of the response.
If you're not seeing a request and response, it is possible that your browser has cached an earlier failed preflight request attempt. Clearing your browser's cache should also clear the preflight cache. If it doesn't, set the MaxAgeSec value in your CORS configuration to a lower value (the default value is 1800 (30 minutes) if not specified), wait for however long the old MaxAgeSec was, then try the request again. This performs a new preflight request, which fetches the new CORS configuration and purges the cache entries. Once you have debugged your problem, raise MaxAgeSec back to a higher value, to reduce the preflight traffic to your bucket.
Ensure that the request has an Origin header and that the header value matches at least one of the Origins values in the bucket's CORS configuration. Note that the scheme, host, and port of the values must match exactly. Some examples of acceptable matches are as follows:
- http://origin.example.com matches http://origin.example.com:80 (because 80 is the default HTTP port), but does not match https://origin.example.com, http://origin.example.com:8080, http://origin.example.com:5151, or http://sub.origin.example.com.
- https://example.com:443 matches https://example.com but not http://example.com or http://example.com:443.
- http://localhost:8080 only matches exactly http://localhost:8080, not http://localhost:5555 or http://localhost.example.com:8080.
Ensure that the HTTP method of the request (if this is a simple request), or the method specified in Access-Control-Request-Method (if this a preflight request), matches at least one of the Methods values in the bucket's CORS configuration.
If this is a preflight request, see if it includes one or more Access-Control-Request-Header headers. If so, then ensure that each Access-Control-Request-Header value matches a ResponseHeader value in the bucket's CORS configuration. All headers named in the Access-Control-Request-Header must be in the CORS configuration for the preflight request to succeed and include CORS headers in the response.

What's next

Learn more about Cross Origin Resource Sharing (CORS).