This page shows example configurations for Cross-origin resource sharing (CORS). When you set a CORS configuration on a bucket, you allow interactions between resources from different origins, something that is normally prohibited in order to prevent malicious behavior.
Basic CORS configuration
Say you have a dynamic website which users can
access at your-example-website.appspot.com
. You have an image file hosted in a
Cloud Storage bucket named your-example-bucket
. You'd like to use
the image on your website, so you must apply a CORS configuration on
your-example-bucket
that enables your users' browsers to request resources
from the bucket. Based on the following configuration, preflight requests are
valid for 1 hour, and successful browser requests return the Content-Type
of
the resource in the response.
Command line
Example gcloud command
gcloud storage buckets update gs://example_bucket --cors-file=example_cors_file.json
Example JSON file containing the CORS configuration
[ { "origin": ["https://your-example-website.appspot.com"], "method": ["GET"], "responseHeader": ["Content-Type"], "maxAgeSeconds": 3600 } ]
For more information on how to set a CORS configuration using
Google Cloud CLI, see the
gcloud storage buckets update
reference documentation.
REST APIs
JSON API
{ "cors": [ { "origin": ["https://your-example-website.appspot.com"], "method": ["GET"], "responseHeader": ["Content-Type"], "maxAgeSeconds": 3600 } ] }
For the generalized format of a CORS configuration file, see the bucket resource representation for JSON.
XML API
<?xml version="1.0" encoding="UTF-8"?> <CorsConfig> <Cors> <Origins> <Origin>https://your-example-website.appspot.com</Origin> </Origins> <Methods> <Method>GET</Method> </Methods> <ResponseHeaders> <ResponseHeader>Content-Type</ResponseHeader> </ResponseHeaders> <MaxAgeSec>3600</MaxAgeSec> </Cors> </CorsConfig>
For the generalized format of a CORS configuration file, see the CORS configuration format for XML.
Remove CORS settings from a bucket
To remove CORS settings from a bucket, supply a CORS configuration file that's empty.
Command line
When you use the gcloud storage buckets update
command with the
--clear-cors
flag, you remove the CORS configuration from a bucket:
gcloud storage buckets update gs://BUCKET_NAME --clear-cors
Where BUCKET_NAME is the name of the bucket whose CORS configuration you want to remove.
Client libraries
For more information, see the
Cloud Storage C API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample removes any existing CORS configuration from a bucket:
For more information, see the
Cloud Storage C# API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample removes any existing CORS configuration from a bucket:
For more information, see the
Cloud Storage Go API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample removes any existing CORS configuration from a bucket:
For more information, see the
Cloud Storage Java API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample removes any existing CORS configuration from a bucket:
For more information, see the
Cloud Storage Node.js API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample removes any existing CORS configuration from a bucket:
For more information, see the
Cloud Storage PHP API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample removes any existing CORS configuration from a bucket:
For more information, see the
Cloud Storage Python API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample removes any existing CORS configuration from a bucket:
For more information, see the
Cloud Storage Ruby API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample removes any existing CORS configuration from a bucket:C
C#
Go
Java
Node.js
PHP
Python
Ruby
REST APIs
JSON API
When set on a bucket, the following configuration removes all CORS settings from a bucket:
{ "cors": [] }
For the generalized format of a CORS configuration file, see the bucket resource representation for JSON.
XML API
When set on a bucket, the following configuration removes all CORS settings from a bucket:
<CorsConfig></CorsConfig>
For the generalized format of a CORS configuration file, see the CORS configuration format for XML.
What's next
- Learn more about Cross Origin Resource Sharing (CORS).
- Set and view the CORS configuration on a bucket.