This page shows example configurations for Cross-origin resource sharing (CORS). When you set a CORS configuration on a bucket, you allow interactions between resources from different origins, something that is normally prohibited in order to prevent malicious behavior.
Basic CORS configuration
Say you have a dynamic website running on App Engine, which users can access at your-example-website.appspot.com. You have an image file hosted in a Cloud Storage bucket named your-example-bucket. You'd like to use the image on your website, so you must apply a CORS configuration on your-example-bucket that enables your users' browsers to request resources from the bucket. Based on the configuration below, preflight requests are valid for 1 hour, and successful browser requests return the Content-Type of the resource in the response.
Command line
gcloud
Example gcloud command
gcloud storage buckets update gs://example_bucket --cors-file=example_cors_file.json
Example JSON file containing the CORS configuration
[
  {
    "origin": ["https://your-example-website.appspot.com"],
    "method": ["GET"],
    "responseHeader": ["Content-Type"],
    "maxAgeSeconds": 3600
  }
]
Note that you can specify multiple origins, methods, or headers using a comma-separated list. For example, "method": ["GET", "PUT"].
For more information on how to set a CORS configuration using gcloud, see the gcloud storage buckets update reference documentation.
gsutil
Example gsutil command
gsutil cors set example_cors_file.json gs://example_bucket
Example JSON file containing the CORS configuration
[
  {
    "origin": ["https://your-example-website.appspot.com"],
    "method": ["GET"],
    "responseHeader": ["Content-Type"],
    "maxAgeSeconds": 3600
  }
]
Note that you can specify multiple origins, methods, or headers using a comma-separated list. For example, "method": ["GET", "PUT"].
For more information on how to set a CORS configuration using gsutil, see the gsutil cors reference documentation.
REST APIs
JSON API
{
  "cors": [
    {
      "origin": ["https://your-example-website.appspot.com"],
      "method": ["GET"],
      "responseHeader": ["Content-Type"],
      "maxAgeSeconds": 3600
    }
  ]
}
Note that you can specify multiple origins, methods, or headers using a comma-separated list. For example, "method": ["GET", "PUT"].
For the generalized format of a CORS configuration file, see the bucket resource representation for JSON.
XML API
<?xml version="1.0" encoding="UTF-8"?>
<CorsConfig>
  <Cors>
    <Origins>
      <Origin>https://your-example-website.appspot.com</Origin>
    </Origins>
    <Methods>
      <Method>GET</Method>
    </Methods>
    <ResponseHeaders>
      <ResponseHeader>Content-Type</ResponseHeader>
    </ResponseHeaders>
    <MaxAgeSec>3600</MaxAgeSec>
  </Cors>
</CorsConfig>
Note that you can specify multiple origins, methods, or headers using separate elements for each. For example, having <Method>GET</Method> and <Method>PUT</Method> within the <Methods> element.
For the generalized format of a CORS configuration file, see the CORS configuration format for XML.
Remove CORS settings from a bucket
To remove CORS settings from a bucket, supply a CORS configuration file that's empty.
Command line
gcloud
When you use the gcloud storage buckets update command with the --clear-cors flag, you remove the CORS configuration from a bucket:
gcloud storage buckets update gs://BUCKET_NAME --clear-cors
Where BUCKET_NAME is the name of the bucket whose CORS configuration you want to remove.
gsutil
When you use the gsutil cors set command and include an empty JSON file, you remove the CORS settings from a bucket:
gsutil cors set CORS_CONFIG_FILE gs://BUCKET_NAME
Where:
- CORS_CONFIG_FILE is the path to the empty JSON file: []
- BUCKET_NAME is the name of the bucket whose CORS configuration you want to remove.
Client libraries
Client library samples that remove any existing CORS configuration from a bucket are provided for C++, C#, Go, Java, Node.js, PHP, Python, and Ruby. For more information, see the Cloud Storage API reference documentation for the respective language.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST APIs
JSON API
When set on a bucket, the following configuration removes all CORS settings from a bucket:
{ "cors": [] }
For the generalized format of a CORS configuration file, see the bucket resource representation for JSON.
XML API
When set on a bucket, the following configuration removes all CORS settings from a bucket:
<CorsConfig></CorsConfig>
For the generalized format of a CORS configuration file, see the CORS configuration format for XML.
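A pre-apply check for the CORS files shown on this page, as an added example (not Google's code): it accepts both the bare list passed to gcloud/gsutil and the JSON API {"cors": [...]} body, and flags broad rules as well as the empty configuration that clears CORS. The function names, the write-method set, and the 24-hour threshold are assumptions of this example, and the sample inputs are constructed.

```python
import json
from urllib.parse import urlsplit

# Assumed review policy for this example; adjust to your own standards.
WRITE_METHODS = {"PUT", "POST", "DELETE", "PATCH"}
MAX_AGE_LIMIT = 86400  # seconds (24 hours)

def load_rules(text):
    """Accept both shapes shown on this page and return the list of rules."""
    doc = json.loads(text)
    if isinstance(doc, dict):  # JSON API body: {"cors": [...]}
        doc = doc.get("cors")
    if not isinstance(doc, list):
        raise ValueError("expected a list of CORS rules or {'cors': [...]}")
    return doc

def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    rules = load_rules(text)
    if not rules:
        return ["config is empty: applying it removes all CORS settings"]
    findings = []
    for i, rule in enumerate(rules):
        origins = rule.get("origin", [])
        methods = {m.upper() for m in rule.get("method", [])}
        if "*" in origins:
            findings.append(f"rule {i}: origin '*' allows every site")
        for o in origins:
            if o.startswith("http://"):
                findings.append(f"rule {i}: origin {o} is not HTTPS")
            # Browsers send Origin as scheme://host[:port], with no path.
            if o != "*" and urlsplit(o).path:
                findings.append(f"rule {i}: origin {o} includes a path")
        risky = sorted(methods & WRITE_METHODS) + (["*"] if "*" in methods else [])
        if risky:
            findings.append(f"rule {i}: write-capable methods {risky}")
        if rule.get("maxAgeSeconds", 0) > MAX_AGE_LIMIT:
            findings.append(f"rule {i}: maxAgeSeconds exceeds {MAX_AGE_LIMIT}")
    return findings

# Constructed sample inputs: the page's example and a deliberately broad rule.
PAGE_EXAMPLE = '''[{"origin": ["https://your-example-website.appspot.com"],
  "method": ["GET"], "responseHeader": ["Content-Type"], "maxAgeSeconds": 3600}]'''
BROAD = '''{"cors": [{"origin": ["*", "http://dev.example.test/"],
  "method": ["GET", "PUT"], "maxAgeSeconds": 604800}]}'''

if __name__ == "__main__":
    for name, cfg in [("page example", PAGE_EXAMPLE), ("broad", BROAD), ("empty", "[]")]:
        print(name, "->", lint(cfg) or "no findings")
```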
What's next
- Learn more about Cross Origin Resource Sharing (CORS).
- Set and view the CORS configuration on a bucket.