CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls requests between different origins (origin = scheme + host + port). It is enforced by the browser, not the server: the server only declares, via response headers, which origins may read its responses.
- Same origin: Requests allowed without special handling.
- Different origin: Requests require the target to explicitly allow access via CORS headers (e.g., Access-Control-Allow-Origin).
Preflight requests:
- For methods other than GET, HEAD and POST (e.g., PUT, DELETE), or for custom request headers, the browser sends an OPTIONS request first, carrying Origin, Access-Control-Request-Method and Access-Control-Request-Headers.
- The target server must respond with the allowed origins, methods and headers (Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers) before the actual request proceeds; a missing or non-matching value makes the browser abort the real request.
- "Simple" requests (GET, HEAD, or POST with only safelisted headers) skip the preflight: the request reaches the server and is executed, and the browser then checks Access-Control-Allow-Origin on the response before letting the page read it. CORS therefore protects the response from being read, not the server from being hit; state-changing simple requests still need CSRF protection.
Amazon S3 – CORS
If a client makes a cross-origin request to an S3 bucket, the bucket must have a CORS configuration (a set of CORSRules, each with AllowedOrigins, AllowedMethods and optionally AllowedHeaders, ExposeHeaders and MaxAgeSeconds) allowing the requesting origin; S3 evaluates the rules in order and uses the first one that matches the request's origin, method and requested headers.
- Can allow a specific origin or * (all origins). A single * wildcard is also accepted inside an origin (e.g., one that matches every subdomain of a domain); the scheme is part of the match, so an http:// origin does not match an https:// rule.
- Common in scenarios where one S3 bucket hosts a website and another serves assets (images, scripts).
Example:
Website bucket requests an image from another bucket. The asset bucket must return:
Access-Control-Allow-Origin: <origin of the website bucket, or *>
Without this header, the browser blocks the request: S3 still serves the object, but the browser discards the response before the page's script can read it. If no rule matches a preflight, S3 answers the OPTIONS request with 403 and the real request is never sent.
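To make both the preflight rules above and the S3 rule matching concrete, here is an added example (not AWS or boto3 code) that models the decision S3 documents for its CORS rules: first matching rule wins, one * wildcard per AllowedOrigins/AllowedHeaders entry, and no CORS headers at all when nothing matches. It then applies the browser-side check on Access-Control-Allow-Origin. The bucket configuration, origins and requests are constructed for the example; the safelisted-header set is simplified (Content-Type is treated as always needing a preflight).

```python
"""Model of S3 CORS rule evaluation plus the browser's preflight/response checks.

Added example, not AWS code. The configuration below is constructed and is in
the shape boto3's put_bucket_cors(CORSConfiguration=...) accepts.
"""
from typing import Optional

ASSET_BUCKET_CORS = {
    "CORSRules": [
        {   # Rule 1: the website bucket may read assets and send x-amz-* headers.
            "AllowedOrigins": ["https://www.example.com"],
            "AllowedMethods": ["GET", "HEAD"],
            "AllowedHeaders": ["x-amz-*"],
            "ExposeHeaders": ["ETag"],
            "MaxAgeSeconds": 3600,
        },
        {   # Rule 2: any example.com subdomain may upload with PUT (one '*' per origin).
            "AllowedOrigins": ["https://*.example.com"],
            "AllowedMethods": ["PUT"],
            "AllowedHeaders": ["Content-Type"],
        },
    ]
}

SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language"}  # simplified


def needs_preflight(method: str, request_headers: dict) -> bool:
    """True if the browser sends an OPTIONS request before the real one."""
    if method.upper() not in SAFE_METHODS:
        return True
    return any(h.lower() not in SAFELISTED_HEADERS for h in request_headers)


def _wildcard_match(pattern: str, value: str) -> bool:
    """S3 allows at most one '*' per AllowedOrigins / AllowedHeaders entry."""
    if pattern.count("*") > 1:
        return False
    if "*" not in pattern:
        return pattern == value
    prefix, suffix = pattern.split("*")
    return (value.startswith(prefix) and value.endswith(suffix)
            and len(value) >= len(prefix) + len(suffix))


def evaluate_cors(config: dict, origin: str, method: str,
                  request_headers: tuple = ()) -> Optional[dict]:
    """Return the Access-Control-* headers S3 would send for this request, or
    None when no rule matches (no CORS headers; a preflight gets a 403).
    For a preflight, `method` is Access-Control-Request-Method and
    `request_headers` the names in Access-Control-Request-Headers."""
    for rule in config["CORSRules"]:
        origin_ok = any(_wildcard_match(p, origin) for p in rule["AllowedOrigins"])
        method_ok = method.upper() in {m.upper() for m in rule["AllowedMethods"]}
        headers_ok = all(
            any(_wildcard_match(p.lower(), h.lower()) for p in rule.get("AllowedHeaders", []))
            for h in request_headers)
        if not (origin_ok and method_ok and headers_ok):
            continue  # rules are evaluated in order; first full match wins
        response = {
            # S3 echoes the request origin unless the rule itself says '*'.
            "Access-Control-Allow-Origin": "*" if "*" in rule["AllowedOrigins"] else origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
            "Vary": "Origin",
        }
        if request_headers:
            response["Access-Control-Allow-Headers"] = ", ".join(request_headers)
        if rule.get("ExposeHeaders"):
            response["Access-Control-Expose-Headers"] = ", ".join(rule["ExposeHeaders"])
        if "MaxAgeSeconds" in rule:
            response["Access-Control-Max-Age"] = str(rule["MaxAgeSeconds"])
        return response
    return None


def browser_allows(origin: str, response_headers: Optional[dict]) -> bool:
    """Browser check: Access-Control-Allow-Origin must be '*' or exactly the
    requesting origin, otherwise the response (or preflight) is blocked."""
    if not response_headers:
        return False
    allowed = response_headers.get("Access-Control-Allow-Origin")
    return allowed == "*" or allowed == origin


if __name__ == "__main__":
    site = "https://www.example.com"
    # Website bucket fetching an image: no preflight, rule 1 matches, browser reads it.
    print(needs_preflight("GET", {}), browser_allows(site, evaluate_cors(ASSET_BUCKET_CORS, site, "GET")))
    # Same page over plain http: scheme is part of the origin, so no rule matches.
    print(evaluate_cors(ASSET_BUCKET_CORS, "http://www.example.com", "GET"))
    # PUT from an unrelated site: preflight is sent and S3 matches no rule (403).
    print(evaluate_cors(ASSET_BUCKET_CORS, "https://evil.example.net", "PUT", ("Content-Type",)))
```

The same dictionary can be applied to a real bucket with boto3's `s3.put_bucket_cors(Bucket="asset-bucket-name", CORSConfiguration=ASSET_BUCKET_CORS)`; the bucket name there is a placeholder. Note that the model, like S3, never sends Access-Control-Allow-Credentials: S3 CORS is for anonymous reads, so a rule with * does not expose anything that a signed request would not.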