Closed KianNH closed 1 year ago
Presigned URL example currently blocked as R2 responds with a 403 SignatureDoesNotMatch
due to the verb changing as opposed to recognising it as a preflight request.
Edit: should be fixed.
Assumed bucket CORS configurations are set correctly. Manually sending a put request with the origin header is ok. The issue is preflight requests are sent by browsers, request headers will be changed then R2 response 403 instead of 200 with Access-Control-Allow-Origin
header. Changes in request headers result in SignatureDoesNotMatch
with 403 as a response. R2 should ignore the signature validation for preflight requests.
To clarify, if your signature doesn't match then it'd never succeed anyways. Preflight requests are still validated, just that the verb in the signature is compared against the verb in the Access-Control-Request-Method
header.
curl -X OPTIONS <PresignedPutObjectURL> --header 'Origin: <origin>' --header 'Access-Control-Request-Method: PUT' -vvv
That'll get a 204 response back with the CORS headers - or a 403 if you change the verb from PUT
to anything else.
I think this might be resolved because of https://github.com/cloudflare/cloudflare-docs/pull/7574, but let me know if that's not the case.
Closed by #7574
Which Cloudflare product(s) does this pertain to?
R2
Subject Matter
How to retrieve, set and delete CORS configurations for buckets
Content Location
New document in Examples
Additional information
Now that CORS configuration via PutBucketCors has been implemented, we need some examples on how to use this operation.
CORS configurability has been a highly requested item in regards to presigned URLs so we’ll want to cover that use-case as well.