cloudflare / cloudflare-docs

Cloudflare’s documentation
https://developers.cloudflare.com
Creative Commons Attribution 4.0 International

[R2] Document CORS configurations #6003

Closed KianNH closed 1 year ago

KianNH commented 2 years ago

Which Cloudflare product(s) does this pertain to?

R2

Subject Matter

How to retrieve, set and delete CORS configurations for buckets

Content Location

New document in Examples

Additional information

Now that CORS configuration via PutBucketCors has been implemented, we need some examples on how to use this operation.

CORS configurability has been a highly requested item with regard to presigned URLs, so we’ll want to cover that use case as well.

KianNH commented 2 years ago

Presigned URL example currently blocked as R2 responds with a 403 SignatureDoesNotMatch due to the verb changing as opposed to recognising it as a preflight request.

Edit: should be fixed.

yfxie commented 2 years ago

Assuming the bucket CORS configurations are set correctly, manually sending a PUT request with the Origin header is OK. The issue is that preflight requests are sent by browsers and the request headers are changed, so R2 responds with 403 instead of 200 with the Access-Control-Allow-Origin header. Changes in request headers result in SignatureDoesNotMatch with 403 as a response. R2 should ignore the signature validation for preflight requests.

KianNH commented 2 years ago

To clarify, if your signature doesn't match then it'd never succeed anyways. Preflight requests are still validated, just that the verb in the signature is compared against the verb in the Access-Control-Request-Method header.

curl -X OPTIONS <PresignedPutObjectURL> --header 'Origin: <origin>' --header 'Access-Control-Request-Method: PUT' -vvv

That'll get a 204 response back with the CORS headers - or a 403 if you change the verb from PUT to anything else.
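Added example, not part of the thread and not R2's code: a minimal model of the check described in the comment above, where the SigV4 signature of a presigned PUT URL is verified on an OPTIONS preflight against the verb in Access-Control-Request-Method. The host, key id and secret are constructed, and `check` and `preflight_aware` are hypothetical names. Expiry and bucket CORS rule matching are assumed to pass and are not modelled.

```python
import hashlib
import hmac
from urllib.parse import quote

def sigv4_signature(verb, host, path, params, secret):
    """SigV4 query-string signature; the HTTP verb is the first signed field."""
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    canonical = "\n".join([verb, quote(path), query,
                           f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    scope = params["X-Amz-Credential"].split("/", 1)[1]  # date/region/service/aws4_request
    to_sign = "\n".join(["AWS4-HMAC-SHA256", params["X-Amz-Date"], scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in scope.split("/"):  # derive the signing key step by step
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def presign(verb, host, path, access_key, secret, amz_date, expires=3600):
    """Return the query parameters of a presigned URL for `verb`."""
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/auto/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    return {**params, "X-Amz-Signature": sigv4_signature(verb, host, path, params, secret)}

def check(method, headers, host, path, params, secret, preflight_aware=True):
    """Hypothetical model of the server-side check: status for a presigned request."""
    params = dict(params)
    presented = params.pop("X-Amz-Signature")
    preflight = (method == "OPTIONS" and "Origin" in headers
                 and "Access-Control-Request-Method" in headers)
    # For a preflight, verify against the verb the browser says it will use.
    verb = headers["Access-Control-Request-Method"] if preflight and preflight_aware else method
    expected = sigv4_signature(verb, host, path, params, secret)
    if not hmac.compare_digest(expected, presented):
        return 403  # SignatureDoesNotMatch
    return 204 if preflight else 200

# Constructed sample values, not real credentials or endpoints.
HOST, PATH, SECRET = "bucket.example.invalid", "/uploads/report.pdf", "constructed-secret"
PUT_URL = presign("PUT", HOST, PATH, "CONSTRUCTEDKEYID", SECRET, "20240101T000000Z")
PREFLIGHT = {"Origin": "https://app.example.invalid", "Access-Control-Request-Method": "PUT"}

if __name__ == "__main__":
    print(check("OPTIONS", PREFLIGHT, HOST, PATH, PUT_URL, SECRET))                         # 204
    print(check("OPTIONS", PREFLIGHT, HOST, PATH, PUT_URL, SECRET, preflight_aware=False))  # 403
```

With `preflight_aware=False` the literal OPTIONS verb is signed instead, which reproduces the 403 SignatureDoesNotMatch reported earlier in the thread.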

dcpena commented 1 year ago

I think this might be resolved because of https://github.com/cloudflare/cloudflare-docs/pull/7574, but let me know if that's not the case.

KianNH commented 1 year ago

Closed by #7574