Overview of CORS
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.
ZIOS supports CORS via Swift API requests to containers and objects. CORS metadata is held on the container only; the values given apply to the container itself and all objects within it.
Before a browser issues an actual request, it may issue a preflight request. The preflight request is an OPTIONS call to verify that the Origin is allowed to make the request. The sequence of events is:
- Browser makes OPTIONS request to ZIOS
- ZIOS returns 200/401 to browser based on allowed origins
- If 200, browser makes the "actual request" to ZIOS, i.e. PUT, POST, DELETE, HEAD, GET
The max age for a client application to hold this preflight result can also be configured.
Configuration
The CORS functionality is configured via the Swift API using the following headers:
Header | Use |
X-Container-Meta-Access-Control-Allow-Origin | Origins to be allowed to make Cross Origin Requests, space separated. |
X-Container-Meta-Access-Control-Max-Age | Max age for the Origin to hold the preflight results. |
Usage
CORS can be configured by making a POST request against a VPSA Object Storage Container (bucket) with the header(s) above. In the most basic form, this could be done as follows:
curl -X POST -H 'X-Auth-Token: <token>' \
-H 'X-Container-Meta-Access-Control-Allow-Origin: <origins_to_allow>' \
https://<ZIOS>/v1/<account>/<container>
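
Before sending that POST, the origin list can be checked for entries that are broader than intended or that can never match a browser's Origin header. The following is an added example, not part of the ZIOS documentation; the function name `audit_allow_origin` is hypothetical, the `example.com` origins are constructed, and treating `*` as "any origin" is an assumption about ZIOS based on the CORS specification.

```python
from urllib.parse import urlsplit


def audit_allow_origin(value):
    """Lint a space-separated origin list; return (origin, finding) tuples."""
    findings = []
    for origin in value.split():
        if origin == "*":
            # Assumption: ZIOS treats "*" as "any origin", as the CORS spec does.
            findings.append((origin, "wildcard allows every origin"))
            continue
        if "," in origin:
            findings.append((origin, "comma found; the list is space separated"))
            continue
        try:
            parts = urlsplit(origin)
        except ValueError:
            findings.append((origin, "not parseable as a URL"))
            continue
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append((origin, "not of the form scheme://host[:port]"))
            continue
        if parts.path or parts.query or parts.fragment:
            # Browsers send Origin as scheme://host[:port] only, so an entry
            # with a trailing slash or path would not match on exact comparison.
            findings.append((origin, "has a path, query or fragment"))
        if parts.scheme == "http":
            findings.append((origin, "plain-HTTP origin"))
    return findings


if __name__ == "__main__":
    # Constructed sample value, not taken from a real container.
    sample = ("* https://app.example.com/ http://legacy.example.com "
              "https://a.example.com,https://b.example.com")
    for origin, finding in audit_allow_origin(sample):
        print(f"{origin}: {finding}")
```

An empty result means every entry is an explicit `scheme://host[:port]` HTTPS origin; the value can then be passed unchanged as `<origins_to_allow>`.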