CORS (Cross-Origin Resource Sharing) lets browser applications access files in your bucket from a different domain. Add CORS rules to specify which origins, HTTP methods, and headers are permitted.
About CORS
https://myapp.com).
*.myapp.com).
Changes may take up to 5 minutes to propagate. CORS configuration is cached. Wait at least 5 minutes after saving before testing.
Open a bucket, click the Settings tab, then click CORS in the settings sub-navigation.
Fill in the ADD CORS RULE panel — subtitle: “Configure cross-origin resource sharing for browser access.”
Allowed Origins
Helper: “Specify which domains can access this bucket from a browser:”
Enter an origin in the input (placeholder: https://myapp.com or *.myapp.com) and click + Add Origin to add more. Use * to allow all origins.
Allowed Methods
Helper: “Select which HTTP methods are allowed:”
Allowed Headers
Helper: “Comma-separated list of headers browsers can send:” — defaults to * (allow all headers).
Your new rule appears in the CORS Policy list. Allow up to 5 minutes for the configuration to propagate before testing from a browser.
CORS rule not taking effect
CORS configuration is cached. Wait at least 5 minutes after saving before testing.
Browser still blocked after adding origin
Ensure the origin exactly matches the request origin — including the protocol (https://) and no trailing slash. Use *.myapp.com for wildcard subdomain matching.
All requests blocked
Ensure the HTTP method used by your browser app (e.g. PUT for uploads) is checked in Allowed Methods.
Allowed Headers errors
If your app sends custom headers, add them explicitly or use * to allow all headers.
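The troubleshooting checks above, written as a small JavaScript diagnostic that reports why a rule would not match a browser request. This is an added example, not the service's own code; the matching rules (exact origin match, `*.myapp.com` matching any subdomain but not the apex domain, case-insensitive header names) and the `rule`/`req` object shapes are assumptions.

```javascript
// Added example, not the service's code. The matching rules are assumptions
// drawn from this page's troubleshooting notes.
function originMatches(pattern, origin) {
  if (pattern === "*") return true;                 // allow all origins
  if (pattern.startsWith("*.")) {
    // Assumed: "*.myapp.com" matches any subdomain host, not the apex domain.
    try {
      return new URL(origin).hostname.endsWith(pattern.slice(1));
    } catch {
      return false;                                 // not a parseable origin
    }
  }
  return pattern === origin;                        // exact: protocol, no trailing slash
}

const stripScheme = (s) => s.replace(/^[a-z]+:\/\//i, "");
const stripSlash = (s) => s.replace(/\/+$/, "");

// rule: { origins: string[], methods: string[], headers: "a, b" or "*" }
// req:  { origin: string, method: string, headers: string[] }
function diagnose(rule, req) {
  const problems = [];
  if (!rule.origins.some((p) => originMatches(p, req.origin))) {
    let hint = "";
    if (rule.origins.some((p) => p !== stripSlash(p) && stripSlash(p) === req.origin)) {
      hint = ": remove the trailing slash from the configured origin";
    } else if (rule.origins.some((p) => stripScheme(p) === stripScheme(req.origin))) {
      hint = ": protocol missing or different in the configured origin";
    }
    problems.push(`origin ${req.origin} is not allowed${hint}`);
  }
  const method = req.method.toUpperCase();
  if (!rule.methods.includes(method)) {
    problems.push(`method ${method} is not checked in Allowed Methods`);
  }
  const allowed = rule.headers.split(",").map((h) => h.trim().toLowerCase());
  if (!allowed.includes("*")) {
    for (const h of req.headers) {
      if (!allowed.includes(h.toLowerCase())) {
        problems.push(`header ${h} is not in Allowed Headers`);
      }
    }
  }
  return problems;
}

// Constructed sample: an upload from https://myapp.com against a misconfigured rule.
const sampleRule = { origins: ["https://myapp.com/"], methods: ["GET"], headers: "Content-Type" };
const sampleReq = { origin: "https://myapp.com", method: "PUT", headers: ["Content-Type", "X-Upload-Id"] };
console.log(diagnose(sampleRule, sampleReq));
```

An empty array from `diagnose` means the rule, as modelled here, would allow the request; if the browser is still blocked, the 5-minute propagation delay is the next thing to rule out.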