Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. With CORS support, you can build rich client-side web applications with Amazon S3 and selectively allow cross-origin access to your Amazon S3 resources.
This section provides an overview of CORS. The subtopics describe how you can enable CORS using the Amazon S3 console, or programmatically by using the Amazon S3 REST API and the AWS SDKs.
Cross-origin resource sharing: Use-case scenarios
The following are example scenarios for using CORS.
Suppose that you are hosting a website in an Amazon S3 bucket named
website as described in Hosting a static website using Amazon S3. Your users load the website endpoint:
Suppose that you want to host a web font from your S3 bucket. Again, browsers require a CORS check (also called a preflight check) for loading web fonts. You would configure the bucket that is hosting the web font to allow any origin to make these requests.
How does Amazon S3 evaluate the CORS configuration on a bucket?
When Amazon S3 receives a preflight request from a browser, it evaluates the CORS configuration for the bucket and uses the first
CORSRule rule that matches the incoming browser request to enable a cross-origin request. For a rule to match, the following conditions must be met:
- The request’s
Originheader must match an
- The request method (for example, GET or PUT) or the
Access-Control-Request-Methodheader in case of a preflight
OPTIONSrequest must be one of the
- Every header listed in the request’s
Access-Control-Request-Headersheader on the preflight request must match an