S3不返回Access-Control-Allow-Origin头? [英] S3 not returning Access-Control-Allow-Origin headers?
问题描述
我已启用的策略是:
<?xml version = 1.0encoding =UTF-8?>
< CORSConfiguration xmlns =http://s3.amazonaws.com/doc/2006-03-01/>
< CORSRule>
< AllowedOrigin> *< / AllowedOrigin>
< AllowedMethod> GET< / AllowedMethod>
< AllowedMethod> POST< / AllowedMethod>
< AllowedMethod> PUT< / AllowedMethod>
< AllowedHeader> *< / AllowedHeader>
< / CORSRule>
< / CORSConfiguration>
示例对象URL https://s3.amazonaws.com/captionable/meme/test
有人知道什么是错误吗?
首先,确保每个请求都有 Origin
标题。如果没有发送 Origin
头,S3不会发送 access-control
头,因为S3认为它们不相关通常,它们是)。当通过XMLHTTPRequest进行跨源HTTP请求时,浏览器(对于CORS机制而言)将自动发送 Origin
头。
如果使用 img
加载图片,则需要添加 crossorigin =anonymous
属性。请参阅
关于crossorigin属性的MDN文档。这将导致浏览器发送一个 Origin
请求头,就像XMLHTTPRequest一样。
Sam Selikoff,您可能需要更改
< AllowedOrigin> http:// *< / AllowedOrigin&
到
< AllowedOrigin> http:// *< / AllowedOrigin>
< AllowedOrigin> https:// *< / AllowedOrigin>
我没有测试过。
Paul Draper对这个答案的评论:注意缓存问题。浏览器可能使用未包含适当的 Access-Control
响应标头的缓存响应。在开发期间,您可以清除缓存。在生产中,如果资源以静态方式使用,您必须切换到该资源的新网址。
I am having trouble forcing S3 to set CORS headers on all of the objects it returns from a bucket, though CORS is enabled, as client-side S3 uploads is working, the returned objects do not have CORS headers!
The policy I have enabled is :
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<AllowedMethod>PUT</AllowedMethod>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
An example object URL https://s3.amazonaws.com/captionable/meme/test
Does anyone know what is wrong?
First of all, make sure an Origin
header with every request. If no Origin
header is sent, S3 won't send access-control
headers, as S3 deems them irrelevant (and typically, they are). A browser (for which the CORS mechanism is meant) will automatically send an Origin
header when doing cross-origin HTTP requests through XMLHTTPRequest.
In case of loading images with img
, you need to add crossorigin="anonymous"
attribute. See
MDN Documentation on crossorigin attribute. This will cause the browser to send an Origin
request header like it does with XMLHTTPRequest.
Going by the answer of Sam Selikoff, you may need to change
<AllowedOrigin>http://*</AllowedOrigin>
to
<AllowedOrigin>http://*</AllowedOrigin>
<AllowedOrigin>https://*</AllowedOrigin>
I haven't tested this.
Going by Paul Draper's comment on this answer: Watch out for caching issues. A browser may use a cached response that did not include the appropriate Access-Control
response headers. During development, you can clear your cache. In production, you must switch to a new URL for the resource, if it was used in a static manner before.
这篇关于S3不返回Access-Control-Allow-Origin头?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!