Set bucket CORS

By default, buckets do not have any CORS configuration set. To set or modify CORS for an existing bucket, you make a PUT request that is scoped to the bucket and use the cors query string parameter. You must include an XML document in the request body that contains one or more CORS configurations that you want to apply. Note that you cannot set a CORS configuration on a new bucket that you are creating.

You must have FULL_CONTROL permission to apply a CORS configuration to an existing bucket. Also, you must be authenticated to use the PUT Bucket method.

For more information about CORS configuration, see Configuring Cross-Origin Resource Sharing (CORS).

Query string parameters

| Parameter | Description | Required |
|---|---|---|
| cors | You use this to change the CORS configuration on an existing bucket. You must provide the CORS XML document in the request body. | No |

Request headers

See common request headers.

Request body elements

The following diagram shows the nesting of XML elements in the CORS configuration. See the table below the diagram for additional details.

The following request body elements are applicable only if you use the cors query string parameter to specify CORS for an existing bucket.

| Element | Description |
|---|---|
| CorsConfig | Container for one or more Cors configuration containers. If you specify multiple Cors configurations, be aware that the Cors configurations will be evaluated in the order listed within the CorsConfig container, with the first Cors configuration matching the Origin and Method of the request used to determine any CORS response headers to add to the response. |
| Cors | Container for a CORS configuration to be applied to the bucket. You can specify multiple Origins and multiple Methods in each Cors container. There will be a match if the request Origin matches any of the Origins in the Cors container and the request Method matches any of the Methods in the Cors container. |
| Origins | Container for the origins permitted for cross origin resource sharing with this Cloud Storage bucket. |
| Origin | An Origin permitted for cross origin resource sharing with this Cloud Storage bucket. For example, You can use wildcards ("*"). However, if the host part of the Origin begins with a *, then any origin that ends with the same suffix will be considered a match. If you supply a value that consists of only the wildcard (<Origin>*</Origin>), this gives access to ALL origins. |
| Methods | Container for one or more HTTP Method elements, specifying the methods permitted in cross origin resource sharing with this Cloud Storage bucket. |
| Method | An HTTP method supported in this configuration. Valid values are GET, HEAD, PUT, POST, and DELETE. |
| ResponseHeaders | Optional container for one or more ResponseHeader elements. |
| ResponseHeader | Specifies a response header that the user agent is permitted to share across origins. |
| MaxAgeSec | This value is used to respond to preflight requests, indicating the number of seconds that the client (browser) is allowed to make requests before the client must repeat the preflight request. (Indicates cache expiry time.) Preflight requests are required if the request contains non-simple headers or if the request method is not POST, GET, or HEAD. The value is returned in the Access-Control-Max-Age header in responses to preflight requests. |
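
The evaluation rules in the table above (first matching Cors container wins, and a host part beginning with * is a suffix match) can be checked against a configuration before it is applied. The following Python sketch is an added example, not part of the Cloud Storage documentation or tooling: the sample XML is constructed, the finding names are hypothetical, and it assumes the scheme is not compared when a wildcard host is used.

```python
import xml.etree.ElementTree as ET

VALID_METHODS = {"GET", "HEAD", "PUT", "POST", "DELETE"}  # values listed on the page

# Constructed sample configuration, not taken from any real bucket.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<CorsConfig>
  <Cors>
    <Origins><Origin>https://app.example.com</Origin></Origins>
    <Methods><Method>GET</Method><Method>PUT</Method></Methods>
  </Cors>
  <Cors>
    <Origins><Origin>https://*example.com</Origin><Origin>*</Origin></Origins>
    <Methods><Method>GET</Method><Method>DELETE</Method></Methods>
  </Cors>
</CorsConfig>"""

def parse(xml_text):
    """Return [(origins, methods), ...] for each Cors container, in document order."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [([o.text.strip() for o in c.iter("Origin")],
             [m.text.strip() for m in c.iter("Method")]) for c in root.iter("Cors")]

def origin_matches(pattern, origin):
    """Page rule: a host part starting with "*" is a suffix match; a lone "*" matches all."""
    host = pattern.split("://", 1)[-1]
    if host.startswith("*"):
        return origin.endswith(host[1:])  # assumption: the scheme is not compared
    return pattern == origin

def first_match(xml_text, origin, method):
    """Index of the first Cors container matching both Origin and Method, else None."""
    for i, (origins, methods) in enumerate(parse(xml_text)):
        if method in methods and any(origin_matches(p, origin) for p in origins):
            return i
    return None

def audit(xml_text):
    """Return (container index, finding, value) tuples for invalid or over-broad entries."""
    findings = []
    for i, (origins, methods) in enumerate(parse(xml_text)):
        findings += [(i, "invalid-method", m) for m in methods if m not in VALID_METHODS]
        for p in origins:
            host = p.split("://", 1)[-1]
            if host == "*":
                findings.append((i, "all-origins", p))
            elif host.startswith("*") and not host.startswith("*."):
                findings.append((i, "suffix-matches-lookalike-hosts", p))
    return findings
```

Because the wildcard is a plain suffix match, a pattern such as https://*example.com also matches hosts like notexample.com; writing the suffix with a leading dot (https://*.example.com) limits the match to subdomains.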

Request syntax

PUT /?cors HTTP/1.1
Host: <bucket>
Date: <date and time of the request>
Content-Length: <request body length>
Content-Type: <MIME type of the body>
Authorization: <authentication string>


Response headers

The request can return a variety of response headers depending on the request headers you use.

Response body elements

The response does not include an XML document in the response body.


The following sample sets a CORS configuration on a bucket named acme-pets. This CORS configuration sets two origins and the HTTP methods allowed for those origins. In this example, all of the available HTTP methods are allowed.


PUT /?cors HTTP/1.1
Date: Thu, 12 Mar 2012 03:38:42 GMT
Content-Length: 1320
Authorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s-6Uw7p8vtgSwg

<?xml version="1.0" encoding="UTF-8"?>


HTTP/1.1 200 OK
Date: Thu, 12 Mar 2012 03:38:42 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 0
Content-Type: text/html

