By default, buckets do not have any CORS configuration set. To set or modify
CORS for an existing bucket you make a PUT request that is scoped to the bucket
and you use the cors
query string parameter. You must include an
XML document in the request body that contains one or more CORS configurations
that you want to apply. Notice that you cannot set CORS configuration on a new
bucket that you are creating.
You must have FULL_CONTROL
permission to apply a CORS
configuration to an existing bucket. Also, you must be authenticated to use the
PUT Bucket method.
For more information about CORS configuration, see Configuring Cross-Origin Resource Sharing (CORS).
Query string parameters
Parameter | Description | Required |
---|---|---|
cors |
You use this to change the CORS configuration on an existing bucket. You must provide the CORS XML document in the request body. | No |
Request headers
Request body elements
The following diagram shows the nesting of XML elements in the CORS configuration. See the table below the diagram for additional details.
The following request body elements are applicable only if you use the
cors
query string parameter to specify CORS for an existing
bucket.
Element | Description |
---|---|
CorsConfig |
Container for one or more Cors configuration containers. If you specify multiple Cors configurations, be aware that the Cors configurations will be evaluated in the order listed within the CorsConfig container, with the first Cors configuration matching the Origin and Method of the request used to determine any CORS response headers to add to the response. |
Cors |
Container for a CORS configuration to be applied to the bucket. You can specify multiple Origins and multiple Methods in each Cors container. There will be a match if the request Origin matches any of the Origins in the Cors container and the request Method matches any of the Methods in the Cors container. |
Origins |
Container for the origins permitted for cross origin resource sharing with this Cloud Storage bucket. |
Origin |
An Origin permitted for cross origin resource sharing with this Cloud Storage bucket. For example, http://origin1.example.com . You can use wildcards ("*"). However, if the host part of the Origin begins with a *, then any origin that ends with the same suffix will be considered a match. If you supply a value that consists of only the wildcard (<Origin>*</Origin> ), this gives access to ALL origins. |
Methods |
Container for one or more HTTP Method elements, specifying the methods permitted in cross origin resource sharing with this Cloud Storage bucket. |
Method |
An HTTP method supported in this configuration. Valid values are GET, HEAD, PUT, POST, and DELETE. |
ResponseHeaders |
Optional container for one or more ResponseHeader elements. |
ResponseHeader |
Specifies a response header that the user agent is permitted to share across origins. |
MaxAgeSec |
This value is used to respond to preflight requests, indicating the number of seconds that the client (browser) is allowed to make requests before the client must repeat the preflight request. (Indicates cache expiry time.) Preflight requests are required if the request method contains non-simple headers or if the request method is not POST, GET, or HEAD. The value is returned in the Access-Control-Max-Age header in responses to preflight requests. |
Request syntax
PUT /?cors HTTP/1.1 Host: <bucket>.storage.googleapis.com Date: <date and time of the request> Content-Length: <request body length> Content-Type: <MIME type of the body> Authorization: <authentication string> <xml_document_defining_cors>
Response headers
The request can return a variety of response headers depending on the request headers you use.
Response body elements
The response does not include an XML document in the response body.
Example
The following sample sets a CORS configuration on a bucket named acme-pets. This CORS configuration sets two origins and the HTTP methods allowed for those origins. In this example, all of the available HTTP methods are allowed.
Request
PUT /?cors HTTP/1.1 Host: acme-pets.storage.googleapis.com Date: Thu, 12 Mar 2012 03:38:42 GMT Content-Length: 1320 Authorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s-6Uw7p8vtgSwg <?xml version="1.0" encoding="UTF-8"?> <CorsConfig> <Cors> <Origins> <Origin>http://origin1.example.com</Origin> <Origin>http://origin2.example.com</Origin> </Origins> <Methods> <Method>GET</Method> <Method>HEAD</Method> <Method>PUT</Method> <Method>POST</Method> <Method>DELETE</Method> </Methods> <ResponseHeaders> <ResponseHeader>x-goog-meta-foo1</ResponseHeader> <ResponseHeader>x-goog-meta-foo2</ResponseHeader> </ResponseHeaders> <MaxAgeSec>1800</MaxAgeSec> </Cors> </CorsConfig>
Response
HTTP/1.1 200 OK Date: Thu, 12 Mar 2012 03:38:42 GMT Expires: Mon, 01 Jan 1990 00:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate Content-Length: 0 Content-Type: text/html