What is the recommended CORS configuration for hosting JavaScript on S3/CF?

Question


I have seen the answers to similar questions, but I am wondering what, in 2017, is the best way to configure CORS for S3/CF if I would like to restrict legitimate access to *.domain.tld. The JavaScript is loaded from CF and renders a web app using Ajax requests to api.domain.tld.

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*.domain.tld</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>HEAD</AllowedMethod>
        <AllowedMethod>OPTIONS</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>


Is there anything else I could add to improve on the CORS settings?

Answer


The following are the general rules for making a CORS configuration:

1) A valid CORS configuration consists of 0 to 100 CORS rules.
2) Each rule must include at least one origin.
3) An origin may contain at most one wildcard *.
4) Each rule must include at least one method.
5) The supported methods are: GET, HEAD, PUT, POST, DELETE.
6) Each rule may contain an identifying string of up to 255 characters.
7) Each rule may specify zero or more allowed request headers (which the client may include in the request).
8) Each rule may specify zero or more exposed response headers (which are sent back from the server to the client).
9) Each rule may specify a cache validity time of zero or more seconds. If not included, the client should supply their own default.


Recently I worked on a JS/CF project, and here is my CORS configuration.

<CORSConfiguration>
    <CORSRule>
        <ID>example.com: Allow PUT &amp; POST with AWS S3 JS SDK</ID>
        <AllowedOrigin>https://www.example.com</AllowedOrigin>
        <AllowedOrigin>http://www.example.com</AllowedOrigin>
        <AllowedOrigin>https://example.com</AllowedOrigin>
        <AllowedOrigin>http://example.com</AllowedOrigin>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedHeader>Origin</AllowedHeader>
        <AllowedHeader>Content-Length</AllowedHeader>
        <AllowedHeader>Content-Type</AllowedHeader>
        <AllowedHeader>Content-MD5</AllowedHeader>
        <AllowedHeader>X-Amz-User-Agent</AllowedHeader>
        <AllowedHeader>X-Amz-Date</AllowedHeader>
        <AllowedHeader>Authorization</AllowedHeader>
        <ExposeHeader>ETag</ExposeHeader>
        <MaxAgeSeconds>1800</MaxAgeSeconds>
    </CORSRule>
    <CORSRule>
        <ID>example.com: Allow GET with AWS S3 JS SDK</ID>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>HEAD</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
        <ExposeHeader>ETag</ExposeHeader>
        <MaxAgeSeconds>1800</MaxAgeSeconds>
    </CORSRule>
</CORSConfiguration>


You can find more details here.

Thanks.
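The nine rules in the answer are easy to check mechanically before uploading a configuration, and it is also useful to see which rule (if any) would match a given Origin header and method, since S3 evaluates rules in order and a broad rule such as `<AllowedOrigin>*</AllowedOrigin>` applies to every origin. The following is an added example, not code from the original post or from AWS: a small Python validator for S3 CORS XML that applies the answer's rules to the two configurations on this page (copied inline as constructed sample input, with the `&` in the ID properly escaped) and a matcher that reports the first rule whose origin pattern and method fit a request. The wildcard semantics in `_origin_matches` (a single `*` standing for any run of characters, matched against the whole Origin value) are an assumption made for this example. Run against the asker's configuration, the validator flags `OPTIONS`, which rule 5 does not list as a supported method.

```python
"""Check an S3 CORS configuration against the rules listed in the answer (added example)."""
import re
import xml.etree.ElementTree as ET

# Rule 5 of the answer: the only methods accepted in AllowedMethod.
SUPPORTED_METHODS = {"GET", "HEAD", "PUT", "POST", "DELETE"}

# Constructed copy of the asker's configuration (with the S3 namespace).
ASKER_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>*.domain.tld</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedMethod>OPTIONS</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>"""

# Constructed copy of the answerer's configuration (no namespace; '&' escaped).
ANSWER_CONFIG = """<CORSConfiguration>
  <CORSRule>
    <ID>example.com: Allow PUT &amp; POST with AWS S3 JS SDK</ID>
    <AllowedOrigin>https://www.example.com</AllowedOrigin>
    <AllowedOrigin>http://www.example.com</AllowedOrigin>
    <AllowedOrigin>https://example.com</AllowedOrigin>
    <AllowedOrigin>http://example.com</AllowedOrigin>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedHeader>Authorization</AllowedHeader>
    <ExposeHeader>ETag</ExposeHeader>
    <MaxAgeSeconds>1800</MaxAgeSeconds>
  </CORSRule>
  <CORSRule>
    <ID>example.com: Allow GET with AWS S3 JS SDK</ID>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
    <ExposeHeader>ETag</ExposeHeader>
    <MaxAgeSeconds>1800</MaxAgeSeconds>
  </CORSRule>
</CORSConfiguration>"""


def _local(tag):
    """Strip a namespace prefix ('{uri}Tag' -> 'Tag') so both documents parse the same way."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of every direct child named `name`, whitespace-trimmed."""
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]


def parse_rules(xml_text):
    """Parse the XML into a list of rule dicts, in document order."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "CORSConfiguration":
        raise ValueError("root element must be CORSConfiguration")
    rules = []
    for r in root:
        if _local(r.tag) != "CORSRule":
            continue
        rules.append({
            "id": _texts(r, "ID"),
            "origins": _texts(r, "AllowedOrigin"),
            "methods": _texts(r, "AllowedMethod"),
            "headers": _texts(r, "AllowedHeader"),
            "expose": _texts(r, "ExposeHeader"),
            "max_age": _texts(r, "MaxAgeSeconds"),
        })
    return rules


def validate_cors(xml_text):
    """Return a list of problems found under rules 1-6 and 9; an empty list means no findings."""
    rules = parse_rules(xml_text)
    problems = []
    if len(rules) > 100:                                  # rule 1
        problems.append(f"{len(rules)} rules; at most 100 allowed")
    for i, rule in enumerate(rules, 1):
        if not rule["origins"]:                           # rule 2
            problems.append(f"rule {i}: at least one AllowedOrigin required")
        for o in rule["origins"]:                         # rule 3
            if o.count("*") > 1:
                problems.append(f"rule {i}: origin {o!r} has more than one wildcard")
        if not rule["methods"]:                           # rule 4
            problems.append(f"rule {i}: at least one AllowedMethod required")
        for m in rule["methods"]:                         # rule 5
            if m not in SUPPORTED_METHODS:
                problems.append(f"rule {i}: unsupported method {m!r}")
        for rid in rule["id"]:                            # rule 6
            if len(rid) > 255:
                problems.append(f"rule {i}: ID longer than 255 characters")
        for age in rule["max_age"]:                       # rule 9
            if not age.isdigit():
                problems.append(f"rule {i}: MaxAgeSeconds must be a non-negative integer")
    return problems


def _origin_matches(pattern, origin):
    """Assumed wildcard semantics: one '*' matches any run of characters; whole value must match."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, origin) is not None


def first_matching_rule(xml_text, origin, method):
    """1-based index of the first rule allowing (origin, method), or None if no rule does."""
    for i, rule in enumerate(parse_rules(xml_text), 1):
        if method in rule["methods"] and any(_origin_matches(o, origin) for o in rule["origins"]):
            return i
    return None


if __name__ == "__main__":
    for name, cfg in (("asker", ASKER_CONFIG), ("answer", ANSWER_CONFIG)):
        print(name, validate_cors(cfg) or "no findings")
    print("PUT from https://www.example.com ->", first_matching_rule(ANSWER_CONFIG, "https://www.example.com", "PUT"))
    print("GET from https://other.example  ->", first_matching_rule(ANSWER_CONFIG, "https://other.example", "GET"))
    print("GET from https://domain.tld      ->", first_matching_rule(ASKER_CONFIG, "https://domain.tld", "GET"))
```

Two things the matcher makes visible that the XML alone does not: in the answerer's configuration the write rule is limited to the four listed example.com origins while the read rule answers any origin, and in the asker's configuration the pattern `*.domain.tld` requires a literal `.domain.tld` suffix, so a request whose Origin is the bare apex `https://domain.tld` matches no rule.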
