TechQA.

How to fix cors on s3

570 views Asked by At

I set up CORS on s3 using https://docs.aws.amazon.com/AmazonS3/latest/userguide/ManageCorsUsing.html. On my site I am using ckeditor to upload an image which sends it to s3. problem is, the POST works but GET does not. fails with

cross-origin-resource-policy

To use this resource from a different origin, the server needs to specify a cross-origin resource policy in the response headers:

Cross-Origin-Resource-Policy: same-site Choose this option if the resource and the document are served from the same site.

Cross-Origin-Resource-Policy: cross-origin Only choose this option if an arbitrary website including this resource does not impose a security risk.

Response from GET

Accept-Ranges: bytes
Content-Length: 90105
Content-Type: image/png
Date: Wed, 12 May 2021 16:44:33 GMT
ETag: "3524cdaa5d0975c249bb464033808244"
Last-Modified: Wed, 12 May 2021 16:44:33 GMT
Server: AmazonS3
...
x-amz-id-2: pNoskXKWXhpCbwArHgIN4kVD+oO8Pyq/3PIJAEcSJCo3hWMmHVspn2mIjfItCFAM+jUXtcN3pqY=
x-amz-request-id: 3BEE5J8RQPCXTQ93

I have the following set on apache server

Header set Content-Security-Policy "default-src 'self' *.s3.amazonaws.com *.uatdomainplus.com *.qadomainplus.com *.hci.com hci.com ; font-src *.typekit.net cdnjs.cloudflare.com fonts.gstatic.com *.hcidomain.plus *.uatdomainplus.com *.qadomainplus.com ; img-src 'self' data: *.s3.amazonaws.com; style-src 'self' 'unsafe-inline' p.typekit.net use.typekit.net cdnjs.cloudflare.com cdn.jsdelivr.net fonts.googleapis.com cdn.datatables.net; script-src 'self' 'unsafe-inline' ajax.googleapis.com cdnjs.cloudflare.com maxcdn.bootstrapcdn.com cdn.jsdelivr.net cdn.datatables.net;"
Header always set X-Content-Type-Options nosniff
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always append X-Frame-Options SAMEORIGIN
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0
### set only for webapps
Header add Access-Control-Allow-Origin "s3.amazonaws.com uatdomainplus.com qadomainplus.com hci.com typekit.net cdnjs.cloudflare.com fonts.gstatic.com hcidomain.plus uatdomainplus.com qadomainplus.com cdn.datatables.net"
Header always set Access-Control-Allow-Methods "POST,GET,OPTIONS,PUT,PATCH,DELETE"
Header always set Access-Control-Max-Age "3600"
Header always set Access-Control-Allow-Headers "Content-Type,Authorization"
Header always set Cross-Origin-Embedder-Policy: require-corp
Header always set Cross-Origin-Opener-Policy: same-origin
Header always set Cross-Origin-Resource-Policy: cross-origin
amazon-s3 cross-origin-resource-policy
Original Q&A
0

There are 0 answers

Related Questions in AMAZON-S3

Related Questions in CROSS-ORIGIN-RESOURCE-POLICY

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions