S3 CORS policy for a public bucket


This article covers how S3 applies a CORS policy to a public bucket. It may be useful to anyone running into the same problem; the question and answer follow below.

Question

It seems to be easy, but I don't know what I am missing. I have a public bucket with a js script that I fetch from my web site. I noticed that I don't send an Origin header to S3; it is not required, and everything works without any CORS configuration.

What's more, even after I manually added an Origin header to that GET call and explicitly disallowed GET and my domain via:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>http://www.nonexistingdomain.com</AllowedOrigin>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

I can still get the content. What's going on here?

Accepted answer

Ok, after a conversation with Quentin, I think I understand where I am misinterpreting how CORS should work. In the Java world, it's a very common practice to actually reject requests when the Origin doesn't match. Here is another thread where it's mentioned. If we take Spring as an example (which is the de-facto standard in the Java world), here is what happens when the CORS filter is added:

    String allowOrigin = checkOrigin(config, requestOrigin);
    ...

    if (allowOrigin == null) {
        logger.debug("Reject: '" + requestOrigin + "' origin is not allowed");
        rejectRequest(response);
        return false;
    }

where:

/**
 * Invoked when one of the CORS checks failed.
 */
protected void rejectRequest(ServerHttpResponse response) {
    response.setStatusCode(HttpStatus.FORBIDDEN);
}

You can find the code here.

But to my surprise, it is not such a common practice with other stacks and server-side technologies. Another common approach is to send whatever CORS configuration they have to the browser and leave the decision to it.

S3 is even trickier: it sends CORS response headers only when a bucket CORS rule matches a CORS-enabled request (a request with an Origin header). Otherwise, there are no CORS response headers at all.
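The three behaviours contrasted in the answer, as an added example that is not part of the original question or answer and not S3's or Spring's real code: a Spring-style filter that answers 403 when the Origin is not allowed, an S3-style bucket that serves a public object regardless and only adds Access-Control-* headers when a rule matches (and rejects a non-matching preflight with 403), and the browser, which is the only party that actually withholds the response body from script. The CORS XML is the one from the question; the page origin `http://www.mysite.com`, the object body and the request objects are constructed for the demo, and the S3 rule matching is a simplified model (exact origin or one `*` wildcard, method in AllowedMethod, every requested header in AllowedHeader).

```javascript
// Added example: a model of where CORS is enforced (S3, a Spring-style filter,
// the browser). Not code from the original post; S3 matching is simplified.

// The bucket CORS configuration from the question.
const BUCKET_CORS_XML = `<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>http://www.nonexistingdomain.com</AllowedOrigin>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>`;

// Parse each <CORSRule> into { allowedOrigins, allowedMethods, allowedHeaders }.
// Regex parsing is enough for a well-formed config like the one above.
function parseS3CorsConfig(xml) {
  const rules = [];
  const ruleRe = /<CORSRule>([\s\S]*?)<\/CORSRule>/g;
  let m;
  while ((m = ruleRe.exec(xml)) !== null) {
    const body = m[1];
    const grab = (tag) =>
      [...body.matchAll(new RegExp(`<${tag}>([^<]*)</${tag}>`, 'g'))].map((x) => x[1].trim());
    rules.push({
      allowedOrigins: grab('AllowedOrigin'),
      allowedMethods: grab('AllowedMethod'),
      allowedHeaders: grab('AllowedHeader'),
    });
  }
  return rules;
}

// AllowedOrigin may contain at most one '*' wildcard (e.g. http://*.example.com).
function originMatches(pattern, origin) {
  const star = pattern.indexOf('*');
  if (star === -1) return pattern === origin;
  const prefix = pattern.slice(0, star);
  const suffix = pattern.slice(star + 1);
  return origin.length >= prefix.length + suffix.length &&
    origin.startsWith(prefix) && origin.endsWith(suffix);
}

// S3 model. A public object is always served; Access-Control-* headers are
// added only when a rule matches the Origin / method / requested headers.
// A preflight (OPTIONS + Access-Control-Request-Method) that matches no rule
// gets 403; a plain GET that matches no rule gets 200 with no CORS headers.
function s3Respond(rules, req) {
  const base = { status: 200, body: 'console.log("hello from the bucket")', headers: {} };
  const origin = req.headers.Origin;
  if (!origin) return base; // no Origin: not a CORS request, nothing to evaluate
  const isPreflight = req.method === 'OPTIONS' && !!req.headers['Access-Control-Request-Method'];
  const method = isPreflight ? req.headers['Access-Control-Request-Method'] : req.method;
  const wanted = (req.headers['Access-Control-Request-Headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  for (const rule of rules) {
    const originOk = rule.allowedOrigins.some((p) => originMatches(p, origin));
    const methodOk = rule.allowedMethods.includes(method);
    const headersOk = wanted.every((h) =>
      rule.allowedHeaders.some((a) => a === '*' || a.toLowerCase() === h));
    if (originOk && methodOk && headersOk) {
      return { ...base, headers: {
        'Access-Control-Allow-Origin': origin,
        'Access-Control-Allow-Methods': rule.allowedMethods.join(', '),
        Vary: 'Origin',
      } };
    }
  }
  return isPreflight ? { status: 403, body: '', headers: {} } : base;
}

// Spring-style model (cf. rejectRequest above): a disallowed Origin is refused
// with 403 instead of being answered without CORS headers.
function springRespond(allowedOrigins, req) {
  const origin = req.headers.Origin;
  if (!origin) return { status: 200, headers: {} };
  if (!allowedOrigins.includes(origin)) return { status: 403, headers: {} };
  return { status: 200, headers: { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' } };
}

// Browser model: a cross-origin fetch() is sent regardless; the browser then
// checks Access-Control-Allow-Origin before exposing the body to script.
// curl or a server-side client never runs this check and simply gets the body.
function browserCanRead(res, pageOrigin) {
  const acao = res.headers['Access-Control-Allow-Origin'];
  return res.status < 400 && (acao === '*' || acao === pageOrigin);
}

const BUCKET_RULES = parseS3CorsConfig(BUCKET_CORS_XML);

// Replay the question: a GET from the (assumed) page origin with an Origin header.
function demo() {
  const page = 'http://www.mysite.com'; // assumed origin of the site embedding the script
  const get = { method: 'GET', headers: { Origin: page } };
  const preflight = { method: 'OPTIONS',
    headers: { Origin: page, 'Access-Control-Request-Method': 'GET' } };
  const s3Get = s3Respond(BUCKET_RULES, get);
  return {
    s3ServesObject: s3Get.status === 200 && s3Get.body.length > 0, // curl sees the content
    s3SendsCorsHeaders: 'Access-Control-Allow-Origin' in s3Get.headers,
    browserExposesBody: browserCanRead(s3Get, page),
    s3PreflightStatus: s3Respond(BUCKET_RULES, preflight).status,
    springStatus: springRespond(['http://www.nonexistingdomain.com'], get).status,
  };
}
```

With this bucket config the S3 model returns the object with a 200 and no CORS headers, so a non-browser client reads it while a browser `fetch()` from the page blocks the body; only a preflight that matches no rule gets a 403 from S3, whereas the Spring model refuses the plain GET outright. One caveat for the question as posed: a classic `<script src>` tag without a `crossorigin` attribute is a no-cors request that sends no Origin header, so CORS never enters the picture for it at all, which is why the script kept loading.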


07-25 10:29