S3 不返回 Access-Control-Allow-Origin 标头? [英] S3 not returning Access-Control-Allow-Origin headers?

问题描述

我无法强制 S3 在它从存储桶返回的所有对象上设置 CORS 标头，尽管启用了 CORS，但当客户端 S3 上传工作时，返回的对象没有 CORS 标头！

我启用的策略是:

示例对象 URL https://s3.amazonaws.com/captionable/meme/test>

有谁知道出了什么问题?

解决方案

首先，确保每个请求都有一个 Origin 标头.如果没有发送 Origin 标头，S3 将不会发送 access-control 标头，因为 S3 认为它们不相关(通常情况下，它们是不相关的).当通过 XMLHTTPRequest 执行跨域 HTTP 请求时，浏览器(CORS 机制针对的)将自动发送 Origin 标头.

如果使用img加载图片，需要添加crossorigin="anonymous"属性.看关于 crossorigin 属性的 MDN 文档.这将导致浏览器发送一个 Origin 请求标头，就像处理 XMLHTTPRequest 一样.

根据 Sam Selikoff 的回答，您可能需要更改

 http://*

到

 http://*<AllowedOrigin>https://*</AllowedOrigin>

我没有测试过这个.

参考 Paul Draper 对此答案的评论:注意缓存问题.浏览器可能会使用不包含适当的 Access-Control 响应标头的缓存响应.在开发过程中，您可以清除缓存.在生产中，如果之前以静态方式使用过资源，则必须切换到该资源的新 URL.

I am having trouble forcing S3 to set CORS headers on all of the objects it returns from a bucket, though CORS is enabled, as client-side S3 uploads is working, the returned objects do not have CORS headers!

The policy I have enabled is :

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

An example object URL https://s3.amazonaws.com/captionable/meme/test

Does anyone know what is wrong?

解决方案

First of all, make sure an Origin header with every request. If no Origin header is sent, S3 won't send access-control headers, as S3 deems them irrelevant (and typically, they are). A browser (for which the CORS mechanism is meant) will automatically send an Origin header when doing cross-origin HTTP requests through XMLHTTPRequest.

In case of loading images with img, you need to add crossorigin="anonymous" attribute. See MDN Documentation on crossorigin attribute. This will cause the browser to send an Origin request header like it does with XMLHTTPRequest.

Going by the answer of Sam Selikoff, you may need to change

 <AllowedOrigin>http://*</AllowedOrigin>

to

 <AllowedOrigin>http://*</AllowedOrigin>
 <AllowedOrigin>https://*</AllowedOrigin>

I haven't tested this.

Going by Paul Draper's comment on this answer: Watch out for caching issues. A browser may use a cached response that did not include the appropriate Access-Control response headers. During development, you can clear your cache. In production, you must switch to a new URL for the resource, if it was used in a static manner before.

这篇关于S3 不返回 Access-Control-Allow-Origin 标头?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！