tencent cloud

APIs

문서APIsCloud Object StorageBucket APIsCross-Origin Resource Sharing (cors)PUT Bucket cors

PUT Bucket cors

Download
포커스 모드
폰트 크기
마지막 업데이트 시간: 2026-05-19 15:53:12

Feature Description

The PUT Bucket cors request is used to configure Cross-Origin Resource Sharing (CORS) access control for a bucket. You can perform this configuration by submitting an XML configuration file, which has a size limit of 64 KB.


Authorization Description

When you use an authorization policy, set the action to cos:PutBucketCORS. An example is provided below.
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:PutBucketCORS"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/*"
      ]
    }
  ]
}
For more COS actions, see CAM-supported Business APIs.

Request

Request Example

PUT /?cors HTTP/1.1
Host: <BucketName-APPID>.cos.<Region>.myqcloud.com
Date: GMT Date
Content-Type: application/xml
Content-Length: Content Length
Content-MD5: MD5
Authorization: Auth String

[Request Body]
Note:
Host: <BucketName-APPID>.cos.<Region>.myqcloud.com. Here, <BucketName-APPID> is the bucket name with the APPID suffix, for example, examplebucket-1250000000. For details, see the Bucket Overview > Basic Information and Bucket Overview > Bucket Naming Conventions documents. <Region> is the available region of COS. For details, see the Regions and Access Domains document.
Authorization: Auth String (For details, see Request Signature).

Request Parameter

This API has no request parameters.

Request Header

This API only uses common request headers. For details, see Common Request Headers.

Request Body

Submit the request data in application/xml format. The data must contain complete Cross-Origin Resource Sharing (CORS) configuration information for the bucket.
<CORSConfiguration>
    <CORSRule>
        <AllowedOrigin>string</AllowedOrigin>
        <AllowedMethod>enum</AllowedMethod>
        <AllowedMethod>enum</AllowedMethod>
        <AllowedHeader>string</AllowedHeader>
        <AllowedHeader>string</AllowedHeader>
        <ExposeHeader>string</ExposeHeader>
        <ExposeHeader>string</ExposeHeader>
        <MaxAgeSeconds>integer</MaxAgeSeconds>
    </CORSRule>
    <CORSRule>
        <ID>string</ID>
        <AllowedOrigin>string</AllowedOrigin>
        <AllowedOrigin>string</AllowedOrigin>
        <AllowedMethod>enum</AllowedMethod>
        <AllowedMethod>enum</AllowedMethod>
        <AllowedHeader>string</AllowedHeader>
        <ExposeHeader>string</ExposeHeader>
        <ExposeHeader>string</ExposeHeader>
        <MaxAgeSeconds>integer</MaxAgeSeconds>
    </CORSRule>
    <ResponseVary>false</ResponseVary>
</CORSConfiguration>
The detailed node descriptions are as follows:
Node Name (Keyword)
Parent Node
Description
Type
Required
CORSConfiguration
None
Contains all request information for the PUT Bucket cors operation.
Container
Yes
Content of the CORSConfiguration Container Node:
Node Name (Keyword)
Parent Node
Description
Type
Required
CORSRule
CORSConfiguration
Describes all information for a single cross-origin resource sharing (CORS) configuration, which can contain up to 100 CORSRules.
Container
Yes
ResponseVary
CORSConfiguration
Indicates whether the cross-origin request returns the Vary:Origin header. Supports the Boolean value true|false, where true means it is returned, and false means it is not returned. If this field is omitted, the default value is false.
Boolean
No
Content of the CORSRule Container Node:
Node Name (Keyword)
Parent Node
Description
Type
Required
AllowedOrigin
CORSConfiguration.CORSRule
Specifies the allowed origins. A single CORSRule can be configured with multiple AllowedOrigins.
The configuration supports *, which means all domains are allowed. However, this is not recommended.
It supports a single, specific domain, for example, http://www.example.com.
The * wildcard is supported. It can appear in any position, including the protocol, domain, and port, and can match zero or more characters. However, only one * wildcard is allowed. Use wildcards with caution, as they may inadvertently match unintended origins.
Ensure you include the protocol name, either http or https. If the port is not the default (80 for http or 443 for https), you must also specify the port, for example, https://example.com:8443.
string
Yes
AllowedMethod
CORSConfiguration.CORSRule
Allowed HTTP methods (Method). This corresponds to the Access-Control-Allow-Methods header in the CORS request response. A single CORSRule can be configured with multiple AllowedMethod values. Enumerated values: PUT, GET, POST, DELETE, HEAD.
enum
Yes
AllowedHeader
CORSConfiguration.CORSRule
When sending a preflight (OPTIONS) request, the browser informs the server of the custom HTTP request headers that will be used in the subsequent actual request. This configuration specifies the custom HTTP request headers that the browser is allowed to carry when sending CORS requests. The matching is case-insensitive. A single CORSRule can be configured with multiple AllowedHeaders.
You can configure *, which indicates that all headers are allowed. To avoid omissions, it is recommended to configure it as *.
If you do not configure it as *, then each header that appears in the Access-Control-Request-Headers header of a preflight (OPTIONS) request must have a corresponding entry in AllowedHeader.
string
No
ExposeHeader
CORSConfiguration.CORSRule
Specifies the headers in the CORS response that the browser is allowed to obtain. The matching is case-insensitive. A single CORSRule can be configured with multiple ExposeHeaders.
By default, browsers can only access simple response headers: Cache-Control, Content-Type, Expires, and Last-Modified. To access other response headers, you must add an ExposeHeader configuration.
Configuring * is not supported. You must explicitly configure specific headers.
Determine this based on your browser's actual requirements. By default, ETag is recommended. You can refer to the response header sections of the relevant API documentation and the Common Response Headers document.
string
No
MaxAgeSeconds
CORSConfiguration.CORSRule
The validity period for the Cross-Origin Resource Sharing configuration is measured in seconds. During this period, the browser does not need to initiate a preflight (OPTIONS) request again for the same request. This corresponds to the Access-Control-Max-Age header in the CORS request response. Only one MaxAgeSeconds can be configured for a single CORSRule.
integer
No
ID
CORSConfiguration.CORSRule
The ID configured for a single CORSRule. It is used to locate a specific CORSRule when a GET Bucket cors request is performed. This field is optional. A single CORSRule can be configured with at most one ID.
string
No

Response

Response Headers

This API only returns common response headers. For details, see Common Response Headers.

Response Body

The response body of this API is empty.

Error Codes

This API follows unified error responses and error codes. For details, see Error Codes.

Practical Case

Request

PUT /?cors HTTP/1.1
Host: examplebucket-1250000000.cos.ap-beijing.myqcloud.com
Date: Thu, 09 Jul 2020 11:15:01 GMT
Content-Type: application/xml
Content-Length: 1185
Content-MD5: ZNkhBxyjkaZcs1j7/cIE2A==
Authorization: q-sign-algorithm=sha1&q-ak=************************************&q-sign-time=1594293301;1594300501&q-key-time=1594293301;1594300501&q-header-list=content-length;content-md5;content-type;date;host&q-url-param-list=cors&q-signature=****************************************
Connection: close

<CORSConfiguration>
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>HEAD</AllowedMethod>
        <AllowedHeader>Range</AllowedHeader>
        <AllowedHeader>x-cos-server-side-encryption-customer-algorithm</AllowedHeader>
        <AllowedHeader>x-cos-server-side-encryption-customer-key</AllowedHeader>
        <AllowedHeader>x-cos-server-side-encryption-customer-key-MD5</AllowedHeader>
        <ExposeHeader>Content-Length</ExposeHeader>
        <ExposeHeader>ETag</ExposeHeader>
        <ExposeHeader>x-cos-meta-author</ExposeHeader>
        <MaxAgeSeconds>600</MaxAgeSeconds>
    </CORSRule>
    <CORSRule>
        <ID>example-id</ID>
        <AllowedOrigin>https://example.com</AllowedOrigin>
        <AllowedOrigin>https://example.net</AllowedOrigin>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>GET</AllowedMethod>
        ...
        <AllowedMethod>HEAD</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
        <ExposeHeader>Content-Length</ExposeHeader>
        <ExposeHeader>ETag</ExposeHeader>
        <ExposeHeader>x-cos-meta-author</ExposeHeader>
        <MaxAgeSeconds>600</MaxAgeSeconds>
    </CORSRule>
    <ResponseVary>true</ResponseVary>
</CORSConfiguration>

Response

HTTP/1.1 200 OK
Content-Length: 0
Connection: close
Date: Thu, 09 Jul 2020 11:15:01 GMT
Server: tencent-cos
x-cos-request-id: NWYwNmZjMzVfMzFiYjBiMDlfZjgzYV8xZDky****

이전 주제: GET Bucket acl다음 주제: GET Bucket cors

도움말 및 지원

문제 해결에 도움이 되었나요?

피드백