By default, buckets do not have any CORS configuration set. To set or modify
CORS for an existing bucket you make a PUT request that is scoped to the bucket
and you use the cors query string parameter. You must include an
XML document in the request body that contains one or more CORS configurations
that you want to apply. Notice that you cannot set CORS configuration on a new
bucket that you are creating.
You must have FULL_CONTROL permission to apply a CORS
configuration to an existing bucket. Also, you must be authenticated to use the
PUT Bucket method.
For a guide to setting CORS configurations on buckets, see Configuring Cross-Origin Resource Sharing (CORS).
Query string parameters
| Parameter | Description | Required |
|---|---|---|
cors |
You use this to change the CORS configuration on an existing bucket. You must provide the CORS XML document in the request body. | No |
Request headers
Request body elements
The following diagram shows the nesting of XML elements in the CORS configuration. See the table below the diagram for additional details.
The following request body elements are applicable only if you use the
cors query string parameter to specify CORS for an existing
bucket.
| Element | Description |
|---|---|
CorsConfig |
Container for one or more Cors configuration containers. If you specify multiple Cors configurations, be aware that the Cors configurations will be evaluated in the order listed within the CorsConfig container, with the first Cors configuration matching the Origin and Method of the request used to determine any CORS response headers to add to the response. |
Cors |
Container for a CORS configuration to be applied to the bucket. You can specify multiple Origins and multiple Methods in each Cors container. There will be a match if the request Origin matches any of the Origins in the Cors container and the request Method matches any of the Methods in the Cors container. |
Origins |
Container for the origins permitted for cross origin resource sharing with this Cloud Storage bucket. |
Origin |
An Origin permitted for cross origin resource sharing with this Cloud Storage bucket. For example, https://origin1.example.com. If you supply a value that consists of only the wildcard (<Origin>*</Origin>), this gives access to ALL origins. |
Methods |
Container for one or more HTTP Method elements, specifying the methods permitted in cross origin resource sharing with this Cloud Storage bucket. |
Method |
An HTTP method used in this configuration. Valid values are DELETE,
GET, HEAD, POST, and PUT.
OPTIONS is interpreted as a preflight request, so you don't need to specify this method in your CORS
configuration. |
ResponseHeaders |
Optional container for one or more ResponseHeader elements. |
ResponseHeader |
Specifies a response header that the user agent is permitted to share across origins. |
MaxAgeSec |
This value is used to respond to preflight requests, indicating the number of seconds that the client (browser) is allowed to make requests before the client must repeat the preflight request. (Indicates cache expiry time.) Preflight requests are required if the request method contains non-simple headers or if the request method is not POST, GET, or HEAD. The value is returned in the Access-Control-Max-Age header in responses to preflight requests. |
Request syntax
PUT /?cors HTTP/1.1 Host: <bucket>.storage.googleapis.com Date: <date and time of the request> Content-Length: <request body length> Content-Type: <MIME type of the body> Authorization: <authentication string> <xml_document_defining_cors>
Response headers
The request can return a variety of response headers depending on the request headers you use.
Response body elements
The response does not include an XML document in the response body.
Example
The following sample sets a CORS configuration on a bucket named acme-pets. This CORS configuration sets two origins and the HTTP methods allowed for those origins. In this example, all of the available HTTP methods are allowed.
Request
PUT /?cors HTTP/1.1
Host: acme-pets.storage.googleapis.com
Date: Thu, 12 Mar 2012 03:38:42 GMT
Content-Length: 1320
Authorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s-6Uw7p8vtgSwg
<?xml version="1.0" encoding="UTF-8"?>
<CorsConfig>
<Cors>
<Origins>
<Origin>http://origin1.example.com</Origin>
<Origin>http://origin2.example.com</Origin>
</Origins>
<Methods>
<Method>GET</Method>
<Method>HEAD</Method>
<Method>PUT</Method>
<Method>POST</Method>
<Method>DELETE</Method>
</Methods>
<ResponseHeaders>
<ResponseHeader>x-goog-meta-foo1</ResponseHeader>
<ResponseHeader>x-goog-meta-foo2</ResponseHeader>
</ResponseHeaders>
<MaxAgeSec>1800</MaxAgeSec>
</Cors>
</CorsConfig>
Response
HTTP/1.1 200 OK Date: Thu, 12 Mar 2012 03:38:42 GMT Expires: Mon, 01 Jan 1990 00:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate Content-Length: 0 Content-Type: text/html