Working with S3 API and Cross-Origin Resource Sharing

Cross-origin resource sharing (CORS) is a mechanism for client web applications loaded in one domain to interact with resources in a different domain.

Starting with VMware Cloud Director Object Storage Extension 1.5, you can define CORS rules at the system and at the bucket levels. To edit global CORS settings, see Edit Global Cross-Origin Resource Sharing Configuration.

Using VMware Cloud Director Object Storage Extension S3 API, you can define multiple CORS rules at the bucket level. CORS rules at the bucket level only take effect on virtual hosted-style S3 API requests. If you access resources using path-style S3 API requests, the global CORS rules take effect.

All requests that match the global CORS rules conditions are served. If a request does not match global CORS rules conditions, the request is evaluated against bucket CORS rules conditions. When VMware Cloud Director Object Storage Extension receives an access request for a bucket, VMware Cloud Director Object Storage Extension evaluates the CORS configuration of the bucket and uses the а rule that matches the incoming request conditions. For a rule to match, the request must satisfy the following conditions:
  • The request origin header must match the AllowedOrigin elements of the CORS rule.
  • The request method, for example GET, must match the AllowedMethods elements of the CORS rule.
  • Every header that is specified in the Access-Control-Request-Headers of the request of a pre-flight request must match an AllowedHeader element.

Cross-Origin Resource Sharing Use Cases

For example, as a service provider, you are hosting a Web application at https://cloud-object-storage.mgmt.com. The application consumes VMware Cloud Director Object Storage Extension S3 APIs. To make sure that the application is accessible for all requests, you can set a global CORS rule for https://cloud-object-storage.mgmt.com that allows all access requests.

As a service provider, you allow tenants to host websites in their buckets. For example, a tenant creates a website named tenant-website in a bucket named websites-bucket. The website endpoint that end users load is websites-bucket.s3.cloud-object-storage.example.com. To be able to make authenticated GET and PUT requests against the websites-bucket, the tenant wants to use JavaScript. Normally, web browsers block JavaScript from making such requests, but with CORS rules you can configure the bucket to serve cross-origin requests from websites-bucket.s3.cloud-object-storage.example.com.

For more information about AWS S3 cross-origin resource sharing, see https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html.