Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)
Did this page help you?  Yes | No |  Tell us about it...
« PreviousNext »
View the PDF for this guide.Go to the AWS Discussion Forum for this product.Go to the Kindle Store to download this guide in Kindle format.

Enabling Cross-Origin Resource Sharing

Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. With CORS support in Amazon S3, you can build rich client-side web applications with Amazon S3 and selectively allow cross-origin access to your Amazon S3 resources.

This section provides an overview of CORS. The subtopics describe how you can enable CORS using the Amazon S3 console, or programmatically using the Amazon S3 REST API and the AWS SDKs.

Cross-Origin Resource Sharing: Examples

The following are example scenarios for using CORS:

  • Example 1: Suppose you are hosting a website in an Amazon S3 bucket named website as described in Hosting a Static Website on Amazon S3. Your users load the website endpoint http://website.s3-website-us-east-1.amazonaws.com. Now you want to use JavaScript on the web pages that are stored in this bucket to be able to make authenticated GET and PUT requests against the same bucket by using the Amazon S3's API endpoint for the bucket, website.s3.amazonaws.com. A browser would normally block JavaScript from allowing those requests, but with CORS, you can configure your bucket to explicitly enable cross-origin requests from website.s3-website-us-east-1.amazonaws.com.

  • Example 2: Suppose you want to host a web font from your S3 bucket. Again, browsers require a CORS check (also referred as a preflight check) for loading web fonts, so you would configure the bucket that is hosting the web font to allow any origin to make these requests.

How Do I Enable CORS on My Bucket?

To configure your bucket to allow cross-origin requests, you create a CORS configuration, an XML document with rules that identify the origins that you will allow to access your bucket, the operations (HTTP methods) will support for each origin, and other operation-specific information. You can add up to 100 rules to the configuration. You add the XML document as the cors subresource to the bucket.

For example, the following cors configuration on a bucket has three rules, which are specified as CORSRule elements:

  • The first rule allows cross-origin PUT, POST, and DELETE requests from the https://www.example1.com origin. The rule also allows all headers in a preflight OPTIONS request through the Access-Control-Request-Headers header. In response to any preflight OPTIONS request, Amazon S3 will return any requested headers.

  • The second rule allows same cross-origin requests as the first rule but the rule applies to another origin, https://www.example2.com.

  • The third rule allows cross-origin GET requests from all origins. The '*' wildcard character refers to all origins.

<CORSConfiguration>
 <CORSRule>
   <AllowedOrigin>http://www.example1.com</AllowedOrigin>

   <AllowedMethod>PUT</AllowedMethod>
   <AllowedMethod>POST</AllowedMethod>
   <AllowedMethod>DELETE</AllowedMethod>

   <AllowedHeader>*</AllowedHeader>
 </CORSRule>
 <CORSRule>
   <AllowedOrigin>http://www.example2.com</AllowedOrigin>

   <AllowedMethod>PUT</AllowedMethod>
   <AllowedMethod>POST</AllowedMethod>
   <AllowedMethod>DELETE</AllowedMethod>

   <AllowedHeader>*</AllowedHeader>
 </CORSRule>
 <CORSRule>
   <AllowedOrigin>*</AllowedOrigin>
   <AllowedMethod>GET</AllowedMethod>
 </CORSRule>
</CORSConfiguration>

The CORS configuration also allows optional configuration parameters, as shown in the following CORS configuration. In this example, the following CORS configuration allows cross-origin PUT and POST requests from the http://www.example.com origin.

<CORSConfiguration>
 <CORSRule>
   <AllowedOrigin>http://www.example.com</AllowedOrigin>
   <AllowedMethod>PUT</AllowedMethod>
   <AllowedMethod>POST</AllowedMethod>
   <AllowedMethod>DELETE</AllowedMethod>
   <AllowedHeader>*</AllowedHeader>
  <MaxAgeSeconds>3000</MaxAgeSeconds>
  <ExposeHeader>x-amz-server-side-encryption</ExposeHeader>
  <ExposeHeader>x-amz-request-id</ExposeHeader>
  <ExposeHeader>x-amz-id-2</ExposeHeader>
 </CORSRule>
</CORSConfiguration>

The CORSRule element in the preceding configuration includes the following optional elements:

  • MaxAgeSeconds—Specifies the amount of time in seconds (in this example, 3000) that the browser will cache an Amazon S3 response to a preflight OPTIONS request for the specified resource. By caching the response, the browser does not have to send preflight requests to Amazon S3 if the original request is to be repeated.

  • ExposeHeader—Identifies the response headers (in this example, x-amz-server-side-encryption, x-amz-request-id, and x-amz-id-2) that customers will be able to access from their applications (for example, from a JavaScript XMLHttpRequest object).

AllowedMethod Element

In the CORS configuration, you can specify the following values for the AllowedMethod element.

  • GET

  • PUT

  • POST

  • DELETE

  • HEAD

AllowedOrigin Element

In the AllowedOrigin element you specify the origins that you want to allow cross-domain requests from, for example, http://www.example.com. The origin string can contain at most one * wildcard character, such as http://*.example.com. You can optionally specify * as the origin to enable all the origins to send cross-origin requests. You can also specify https to enable only secure origins.

AllowedHeader Element

The AllowedHeader element specifies which headers are allowed in a preflight request through the Access-Control-Request-Headers header. Each header name in the Access-Control-Request-Headers header must match a corresponding entry in the rule. Amazon S3 will send only the allowed headers in a response that were requested. For a sample list of headers that can be used in requests to Amazon S3, go to Common Request Headers in the Amazon Simple Storage Service API Reference guide.

Each AllowedHeader string in the rule can contain at most one * wildcard character. For example, <AllowedHeader>x-amz-*</AllowedHeader> will enable all Amazon-specific headers.

ExposeHeader Element

Each ExposeHeader element identifies a header in the response that you want customers to be able to access from their applications (for example, from a JavaSript XMLHttpRequest object). For a list of common Amazon S3 response headers, go to Common Response Headers in the Amazon Simple Storage Service API Reference guide.

MaxAgeSeconds Element

The MaxAgeSeconds element specifies the time in seconds that your browser can cache the response for a preflight request as identified by the resource, the HTTP method, and the origin.

How Does Amazon S3 Evaluate the CORS Configuration On a Bucket?

When Amazon S3 receives a preflight request from a browser, it evaluates the CORS configuration for the bucket and uses the first CORSRule rule that matches the incoming browser request to enable a cross-origin request. For a rule to match, the following conditions must be met:

  • The request's Origin header must match an AllowedOrigin element.

  • The request method (for example, GET or PUT) or the Access-Control-Request-Method header in case of a preflight OPTIONS request must be one of the AllowedMethod elements.

  • Every header listed in the request's Access-Control-Request-Headers header on the preflight request must match an AllowedHeader element.

Note

The ACLs and policies continue to apply when you enable CORS on the bucket.

Managing Cross-Origin Resource Sharing (CORS)

Enable cross-origin resource sharing by setting a CORS configuration on your bucket using the AWS Management Console, the REST API, or the AWS SDKs.

Enabling Cross-Origin Resource Sharing (CORS) Using the AWS Management Console

You can use the AWS Management Console to set a CORS configuration on your bucket. For instructions, see Editing Bucket Permissions in the Amazon S3 Console User Guide

Enabling Cross-Origin Resource Sharing (CORS) Using the AWS SDK for Java

You can use the AWS SDK for Java to manage cross-origin resource sharing (CORS) for a bucket. For more information about CORS, see Enabling Cross-Origin Resource Sharing.

This section provides sample code snippets for following tasks, followed by a complete example program demonstrating all tasks.

  • Creating an instance of the Amazon S3 client class

  • Creating and adding a CORS configuration to a bucket

  • Updating an existing CORS configuration

Cross-Origin Resource Sharing Methods

AmazonS3Client()

Constructs an AmazonS3Client object.

setBucketCrossOriginConfiguration()

Sets the CORS configuration that to be applied to the bucket. If a configuration already exists for the specified bucket, the new configuration will replace the existing one.

getBucketCrossOriginConfiguration()

Retrieves the CORS configuration for the specified bucket. If no configuration has been set for the bucket, the Configuration header in the response will be null.

deleteBucketCrossOriginConfiguration()

Deletes the CORS configuration for the specified bucket.


For more information about the AWS SDK for Java API, go to AWS SDK for Java API Reference .

Creating an Instance of the Amazon S3 Client Class

The following snippet creates a new AmazonS3Client instance for a class called CORS_JavaSDK. This example retrieves the values for accessKey and secretKey from the AwsCredentials.properties file.

AmazonS3Client client;
client = new AmazonS3Client(new ProfileCredentialsProvider());

Creating and Adding a CORS Configuration to a Bucket

To add a CORS configuration to a bucket:

  1. Create a CORSRule object that describes the rule.

  2. Create a BucketCrossOriginConfiguration object, and then add the rule to the configuration object.

  3. Add the CORS configuration to the bucket by calling the client.setBucketCrossOriginConfiguration method.

The following snippet creates two rules, CORSRule1 and CORSRule2, and then adds each rule to the rules array. By using the rules array, it then adds the rules to the bucket bucketName.

// Add a sample configuration
BucketCrossOriginConfiguration configuration = new BucketCrossOriginConfiguration();

List<CORSRule> rules = new ArrayList<CORSRule>();

CORSRule rule1 = new CORSRule()
    .withId("CORSRule1")
    .withAllowedMethods(Arrays.asList(new CORSRule.AllowedMethods[] { 
            CORSRule.AllowedMethods.PUT, CORSRule.AllowedMethods.POST, CORSRule.AllowedMethods.DELETE}))
    .withAllowedOrigins(Arrays.asList(new String[] {"http://*.example.com"}));

CORSRule rule2 = new CORSRule()
.withId("CORSRule2")
.withAllowedMethods(Arrays.asList(new CORSRule.AllowedMethods[] { 
        CORSRule.AllowedMethods.GET}))
.withAllowedOrigins(Arrays.asList(new String[] {"*"}))
.withMaxAgeSeconds(3000)
.withExposedHeaders(Arrays.asList(new String[] {"x-amz-server-side-encryption"}));

configuration.setRules(Arrays.asList(new CORSRule[] {rule1, rule2}));

// Save the configuration
client.setBucketCrossOriginConfiguration(bucketName, configuration);

Updating an Existing CORS Configuration

To update an existing CORS configuration

  1. Get a CORS configuration by calling the client.getBucketCrossOriginConfiguration method.

  2. Update the configuration information by adding or deleting rules to the list of rules.

  3. Add the configuration to a bucket by calling the client.getBucketCrossOriginConfiguration method.

The following snippet gets an existing configuration and then adds a new rule with the ID NewRule.

// Get configuration.
BucketCrossOriginConfiguration configuration = client.getBucketCrossOriginConfiguration(bucketName);
 
// Add new rule.
CORSRule rule3 = new CORSRule()
.withId("CORSRule3")
.withAllowedMethods(Arrays.asList(new CORSRule.AllowedMethods[] { 
        CORSRule.AllowedMethods.HEAD}))
.withAllowedOrigins(Arrays.asList(new String[] {"http://www.example.com"}));

List<CORSRule> rules = configuration.getRules();
rules.add(rule3);
configuration.setRules(rules);

// Save configuration.
client.setBucketCrossOriginConfiguration(bucketName, configuration);

Example Program Listing

The following Java program incorporates the preceding tasks.

For information about creating and testing a working sample, see Testing the Java Code Examples.

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.s3.model.BucketCrossOriginConfiguration;
import com.amazonaws.services.s3.model.CORSRule;

public class Cors {

    /**
     * @param args
     * @throws IOException 
     */
    public static AmazonS3Client client;
    public static String bucketName = "***provide bucket name***";
    
    public static void main(String[] args) throws IOException {
        client = new AmazonS3Client(new ProfileCredentialsProvider());

        // Create a new configuration request and add two rules
        BucketCrossOriginConfiguration configuration = new BucketCrossOriginConfiguration();
        
        List<CORSRule> rules = new ArrayList<CORSRule>();
        
        CORSRule rule1 = new CORSRule()
            .withId("CORSRule1")
            .withAllowedMethods(Arrays.asList(new CORSRule.AllowedMethods[] { 
                    CORSRule.AllowedMethods.PUT, CORSRule.AllowedMethods.POST, CORSRule.AllowedMethods.DELETE}))
            .withAllowedOrigins(Arrays.asList(new String[] {"http://*.example.com"}));
        
        CORSRule rule2 = new CORSRule()
        .withId("CORSRule2")
        .withAllowedMethods(Arrays.asList(new CORSRule.AllowedMethods[] { 
                CORSRule.AllowedMethods.GET}))
        .withAllowedOrigins(Arrays.asList(new String[] {"*"}))
        .withMaxAgeSeconds(3000)
        .withExposedHeaders(Arrays.asList(new String[] {"x-amz-server-side-encryption"}));
        
        configuration.setRules(Arrays.asList(new CORSRule[] {rule1, rule2}));
        
         // Add the configuration to the bucket. 
        client.setBucketCrossOriginConfiguration(bucketName, configuration);

        // Retrieve an existing configuration. 
        configuration = client.getBucketCrossOriginConfiguration(bucketName);
        printCORSConfiguration(configuration);
        
        // Add a new rule.
        CORSRule rule3 = new CORSRule()
        .withId("CORSRule3")
        .withAllowedMethods(Arrays.asList(new CORSRule.AllowedMethods[] { 
                CORSRule.AllowedMethods.HEAD}))
        .withAllowedOrigins(Arrays.asList(new String[] {"http://www.example.com"}));

        rules = configuration.getRules();
        rules.add(rule3);
        configuration.setRules(rules);
        client.setBucketCrossOriginConfiguration(bucketName, configuration);
        System.out.format("Added another rule: %s\n", rule3.getId());
        
        // Verify that the new rule was added.
        configuration = client.getBucketCrossOriginConfiguration(bucketName);
        System.out.format("Expected # of rules = 3, found %s", configuration.getRules().size());

        // Delete the configuration.
        client.deleteBucketCrossOriginConfiguration(bucketName);
        
        // Try to retrieve configuration.
        configuration = client.getBucketCrossOriginConfiguration(bucketName);
        System.out.println("\nRemoved CORS configuration.");
        printCORSConfiguration(configuration);
    }
    
    static void printCORSConfiguration(BucketCrossOriginConfiguration configuration)
    {

        if (configuration == null)
        {
            System.out.println("\nConfiguration is null.");
            return;
        }

        System.out.format("\nConfiguration has %s rules:\n", configuration.getRules().size());
        for (CORSRule rule : configuration.getRules())
        {
            System.out.format("Rule ID: %s\n", rule.getId());
            System.out.format("MaxAgeSeconds: %s\n", rule.getMaxAgeSeconds());
            System.out.format("AllowedMethod: %s\n", rule.getAllowedMethods().toArray());
            System.out.format("AllowedOrigins: %s\n", rule.getAllowedOrigins());
            System.out.format("AllowedHeaders: %s\n", rule.getAllowedHeaders());
            System.out.format("ExposeHeader: %s\n", rule.getExposedHeaders());
        }
    }
}

Enabling Cross-Origin Resource Sharing (CORS) Using the AWS SDK for .NET

You can use the AWS SDK for .NET to manage cross-origin resource sharing (CORS) for a bucket. For more information about CORS, see Enabling Cross-Origin Resource Sharing.

This section provides sample code for the tasks in the following table, followed by a complete example program listing.

Managing Cross-Origin Resource Sharing

1

Create an instance of the AmazonS3Client class.

2

Create a new CORS configuration.

3

Retrieve and modify an existing CORS configuration.

4

Add the configuration to the bucket.


Cross-Origin Resource Sharing Methods

AmazonS3Client()

Constructs AmazonS3Client with the credentials defined in the App.config file.

PutCORSConfiguration()

Sets the CORS configuration that should be applied to the bucket. If a configuration already exists for the specified bucket, the new configuration will replace the existing one.

GetCORSConfiguration()

Retrieves the CORS configuration for the specified bucket. If no configuration has been set for the bucket, the Configuration header in the response will be null.

DeleteCORSConfiguration()

Deletes the CORS configuration for the specified bucket.


For more information about the AWS SDK for .NET API, go to Using the AWS SDK for .NET .

Creating an Instance of the AmazonS3 Class

The following sample creates an instance of the AmazonS3Client class.

static IAmazonS3 client;
using (client = new AmazonS3Client(Amazon.RegionEndpoint.USWest2))

Adding a CORS Configuration to a Bucket

To add a CORS configuration to a bucket:

  1. Create a CORSConfiguration object describing the rule.

  2. Create a PutCORSConfigurationRequest object that provides the bucket name and the CORS configuration.

  3. Add the CORS configuration to the bucket by calling client.PutCORSConfiguration.

The following sample creates two rules, CORSRule1 and CORSRule2, and then adds each rule to the rules array. By using the rules array, it then adds the rules to the bucket bucketName.

// Add a sample configuration
CORSConfiguration configuration = new CORSConfiguration
{
    Rules = new System.Collections.Generic.List<CORSRule>
    {
        new CORSRule
        {
            Id = "CORSRule1",
            AllowedMethods = new List<string> {"PUT", "POST", "DELETE"},
            AllowedOrigins = new List<string> {"http://*.example.com"}
        },
        new CORSRule
        {
            Id = "CORSRule2",
            AllowedMethods = new List<string> {"GET"},
            AllowedOrigins = new List<string> {"*"},
            MaxAgeSeconds = 3000,
            ExposeHeaders = new List<string> {"x-amz-server-side-encryption"}
        }
    }
};

// Save the configuration
PutCORSConfiguration(configuration);

static void PutCORSConfiguration(CORSConfiguration configuration)
{

    PutCORSConfigurationRequest request = new PutCORSConfigurationRequest
    {
        BucketName = bucketName,
        Configuration = configuration
    };

    var response = client.PutCORSConfiguration(request);
}

Updating an Existing CORS Configuration

To update an existing CORS configuration

  1. Get a CORS configuration by calling the client.GetCORSConfiguration method.

  2. Update the configuration information by adding or deleting rules.

  3. Add the configuration to a bucket by calling the client.PutCORSConfiguration method.

The following snippet gets an existing configuration and then adds a new rule with the ID NewRule.

// Get configuration.
configuration = GetCORSConfiguration(); 
// Add new rule.
configuration.Rules.Add(new CORSRule
{
    Id = "NewRule",
    AllowedMethods = new List<string> { "HEAD" },
    AllowedOrigins = new List<string> { "http://www.example.com" }
});

// Save configuration.
PutCORSConfiguration(configuration);

Example Program Listing

The following C# program incorporates the preceding tasks.

For information about creating and testing a working sample, see Testing the .NET Code Examples.

using System;
using System.Configuration;
using System.Collections.Specialized;
using System.Net;
using Amazon.S3;
using Amazon.S3.Model;
using Amazon.S3.Util;
using System.Diagnostics;
using System.Collections.Generic;

namespace s3.amazon.com.docsamples
{
    class CORS
    {
        static string bucketName = "*** Provide bucket name ***"; 

        static IAmazonS3 client;

        public static void Main(string[] args)
        {
            try
            {
                using (client = new AmazonS3Client(Amazon.RegionEndpoint.USWest2))
                {
                    // Create a new configuration request and add two rules    
                    CORSConfiguration configuration = new CORSConfiguration
                    {
                        Rules = new System.Collections.Generic.List<CORSRule>
                        {
                          new CORSRule
                          {
                            Id = "CORSRule1",
                            AllowedMethods = new List<string> {"PUT", "POST", "DELETE"},
                            AllowedOrigins = new List<string> {"http://*.example.com"}
                          },
                          new CORSRule
                          {
                            Id = "CORSRule2",
                            AllowedMethods = new List<string> {"GET"},
                            AllowedOrigins = new List<string> {"*"},
                            MaxAgeSeconds = 3000,
                            ExposeHeaders = new List<string> {"x-amz-server-side-encryption"}
                          }
                        }
                    };

                    // Add the configuration to the bucket 
                    PutCORSConfiguration(configuration);

                    // Retrieve an existing configuration 
                    configuration = GetCORSConfiguration();

                    // Add a new rule.
                    configuration.Rules.Add(new CORSRule
                    {
                        Id = "CORSRule3",
                        AllowedMethods = new List<string> { "HEAD" },
                        AllowedOrigins = new List<string> { "http://www.example.com" }
                    });

                    // Add the configuration to the bucket 
                    PutCORSConfiguration(configuration);

                    // Verify that there are now three rules
                    configuration = GetCORSConfiguration();
                    Console.WriteLine(); 
                    Console.WriteLine("Expected # of rulest=3; found:{0}", configuration.Rules.Count);
                    Console.WriteLine();
                    Console.WriteLine("Pause before configuration delete. To continue, click Enter...");
                    Console.ReadKey();

                    // Delete the configuration
                    DeleteCORSConfiguration();

                    // Retrieve a nonexistent configuration
                    configuration = GetCORSConfiguration();
                    Debug.Assert(configuration == null);
                }

                Console.WriteLine("Example complete.");
            }
            catch (AmazonS3Exception amazonS3Exception)
            {
                Console.WriteLine("S3 error occurred. Exception: " + amazonS3Exception.ToString());
                Console.ReadKey();
            }
            catch (Exception e)
            {
                Console.WriteLine("Exception: " + e.ToString());
                Console.ReadKey();
            }
            
            Console.WriteLine("Press any key to continue...");
            Console.ReadKey();
        }

        static void PutCORSConfiguration(CORSConfiguration configuration)
        {

            PutCORSConfigurationRequest request = new PutCORSConfigurationRequest
            {
                BucketName = bucketName,
                Configuration = configuration
            };

            var response = client.PutCORSConfiguration(request);
        }

        static CORSConfiguration GetCORSConfiguration()
        {
            GetCORSConfigurationRequest request = new GetCORSConfigurationRequest
            {
                BucketName = bucketName

            };
            var response = client.GetCORSConfiguration(request);
            var configuration = response.Configuration;
            PrintCORSRules(configuration);
            return configuration;
        }

        static void DeleteCORSConfiguration()
        {
            DeleteCORSConfigurationRequest request = new DeleteCORSConfigurationRequest
            {
                BucketName = bucketName
            };
            client.DeleteCORSConfiguration(request);
        }

        static void PrintCORSRules(CORSConfiguration configuration)
        {
            Console.WriteLine();

            if (configuration == null)
            {
                Console.WriteLine("\nConfiguration is null");
                return;
            }

            Console.WriteLine("Configuration has {0} rules:", configuration.Rules.Count);
            foreach (CORSRule rule in configuration.Rules)
            {
                Console.WriteLine("Rule ID: {0}", rule.Id);
                Console.WriteLine("MaxAgeSeconds: {0}", rule.MaxAgeSeconds);
                Console.WriteLine("AllowedMethod: {0}", string.Join(", ", rule.AllowedMethods.ToArray()));
                Console.WriteLine("AllowedOrigins: {0}", string.Join(", ", rule.AllowedOrigins.ToArray()));
                Console.WriteLine("AllowedHeaders: {0}", string.Join(", ", rule.AllowedHeaders.ToArray()));
                Console.WriteLine("ExposeHeader: {0}", string.Join(", ", rule.ExposeHeaders.ToArray()));
            }
        }
    }
}

Enabling Cross-Origin Resource Sharing (CORS) Using the REST API

You can use the AWS Management Console to set CORS configuration on your bucket. If your application requires it, you can also send REST requests directly. The following sections in the Amazon Simple Storage Service API Reference describe the REST API actions related to the CORS configuration:

Troubleshooting CORS Issues

When you are accessing buckets set with the CORS configuration, if you encounter unexpected behavior the following are some troubleshooting actions you can take:

  1. Verify that the CORS configuration is set on the bucket.

    For instructions, go to Editing Bucket Permissions in the Amazon Simple Storage Service Console User Guide. If you have the CORS configuration set, the console displays an Edit CORS Configuration link in the Permissions section of the Properties bucket.

  2. Capture the complete request and response using a tool of your choice. For each request Amazon S3 receives, there must exist one CORS rule matching the data in your request, as follows:

    1. Verify the request has the Origin header.

      If the header is missing, Amazon S3 does not treat the request as a cross-origin request and does not send CORS response headers back in the response.

    2. Verify that the Origin header in your request matches at least one of the AllowedOrigin elements in the specific CORSRule.

      The scheme, the host, and the port values in the Origin request header must match the AllowedOrigin in the CORSRule. For example, if you set the CORSRule to allow the origin http://www.example.com, then both https://www.example.com and http://www.example.com:80 origins in your request do not match the allowed origin in your configuration.

    3. Verify that the Method in your request (or the method specified in the Access-Control-Request-Method in case of a preflight request) is one of the AllowedMethod elements in the same CORSRule.

    4. For a preflight request, if the request includes an Access-Control-Request-Headers header, verify that the CORSRule includes the AllowedHeader entries for each value in the Access-Control-Request-Headers header.