S3不返回Access-Control-Allow-Origin头？ [英] S3 not returning Access-Control-Allow-Origin headers?

问题描述

我遇到了问题，强制S3设置CORS头从所有的对象，它返回从桶，虽然CORS启用，因为客户端S3上传正在工作，返回的对象没有CORS头！

我已启用的策略是：

 <？xml version = 1.0encoding =UTF-8？> 
< CORSConfiguration xmlns =http://s3.amazonaws.com/doc/2006-03-01/> 
< CORSRule> 
< AllowedOrigin> *< / AllowedOrigin> 
< AllowedMethod> GET< / AllowedMethod> 
< AllowedMethod> POST< / AllowedMethod> 
< AllowedMethod> PUT< / AllowedMethod> 
< AllowedHeader> *< / AllowedHeader> 
< / CORSRule> 
< / CORSConfiguration> 
  

示例对象URL https://s3.amazonaws.com/captionable/meme/test

有人知道什么是错误吗？

解决方案

首先，确保每个请求都有 Origin 标题。如果没有发送 Origin 头，S3不会发送 access-control 头，因为S3认为它们不相关通常，它们是）。当通过XMLHTTPRequest进行跨源HTTP请求时，浏览器（对于CORS机制而言）将自动发送 Origin 头。

如果使用 img 加载图片，则需要添加 crossorigin =anonymous属性。请参阅
关于crossorigin属性的MDN文档。这将导致浏览器发送一个 Origin 请求头，就像XMLHTTPRequest一样。

Sam Selikoff，您可能需要更改

 < AllowedOrigin> http：// *< / AllowedOrigin& 
  

到

 < AllowedOrigin> http：// *< / AllowedOrigin> 
< AllowedOrigin> https：// *< / AllowedOrigin> 
  

我没有测试过。

Paul Draper对这个答案的评论：注意缓存问题。浏览器可能使用未包含适当的 Access-Control 响应标头的缓存响应。在开发期间，您可以清除缓存。在生产中，如果资源以静态方式使用，您必须切换到该资源的新网址。

I am having trouble forcing S3 to set CORS headers on all of the objects it returns from a bucket, though CORS is enabled, as client-side S3 uploads is working, the returned objects do not have CORS headers!

The policy I have enabled is :

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

An example object URL https://s3.amazonaws.com/captionable/meme/test

Does anyone know what is wrong?

解决方案

First of all, make sure an Origin header with every request. If no Origin header is sent, S3 won't send access-control headers, as S3 deems them irrelevant (and typically, they are). A browser (for which the CORS mechanism is meant) will automatically send an Origin header when doing cross-origin HTTP requests through XMLHTTPRequest.

In case of loading images with img, you need to add crossorigin="anonymous" attribute. See MDN Documentation on crossorigin attribute. This will cause the browser to send an Origin request header like it does with XMLHTTPRequest.

Going by the answer of Sam Selikoff, you may need to change

 <AllowedOrigin>http://*</AllowedOrigin>

to

 <AllowedOrigin>http://*</AllowedOrigin>
 <AllowedOrigin>https://*</AllowedOrigin>

I haven't tested this.

Going by Paul Draper's comment on this answer: Watch out for caching issues. A browser may use a cached response that did not include the appropriate Access-Control response headers. During development, you can clear your cache. In production, you must switch to a new URL for the resource, if it was used in a static manner before.

这篇关于S3不返回Access-Control-Allow-Origin头？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！