CORS configuration examples


This page shows example configurations for Cross-origin resource sharing (CORS). When you set a CORS configuration on a bucket, you allow interactions between resources from different origins, something that is normally prohibited in order to prevent malicious behavior.

Basic CORS configuration

Say you have a dynamic website which users can access at your-example-website.appspot.com. You have an image file hosted in a Cloud Storage bucket named your-example-bucket. You'd like to use the image on your website, so you must apply a CORS configuration on your-example-bucket that enables your users' browsers to request resources from the bucket. Based on the following configuration, preflight requests are valid for 1 hour, and successful browser requests return the Content-Type of the resource in the response.

Command line

Example gcloud command

gcloud storage buckets update gs://example_bucket --cors-file=example_cors_file.json

Example JSON file containing the CORS configuration

[
  {
    "origin": ["https://your-example-website.appspot.com"],
    "method": ["GET"],
    "responseHeader": ["Content-Type"],
    "maxAgeSeconds": 3600
  }
]

For more information on how to set a CORS configuration using Google Cloud CLI, see the gcloud storage buckets update reference documentation.

REST APIs

JSON API

{
  "cors": [
    {
      "origin": ["https://your-example-website.appspot.com"],
      "method": ["GET"],
      "responseHeader": ["Content-Type"],
      "maxAgeSeconds": 3600
    }
  ]
}

For the generalized format of a CORS configuration file, see the bucket resource representation for JSON.

XML API

  
<?xml version="1.0" encoding="UTF-8"?>
<CorsConfig>
  <Cors>
    <Origins>
      <Origin>https://your-example-website.appspot.com</Origin>
    </Origins>
    <Methods>
      <Method>GET</Method>
    </Methods>
    <ResponseHeaders>
      <ResponseHeader>Content-Type</ResponseHeader>
    </ResponseHeaders>
    <MaxAgeSec>3600</MaxAgeSec>
  </Cors>
</CorsConfig>

For the generalized format of a CORS configuration file, see the CORS configuration format for XML.
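
As an added example (not part of the original page or of Google's samples), the following Python sketch lints a CORS configuration before it is applied, accepting both the bare list used with --cors-file and the {"cors": [...]} JSON API body shown above. The read-only method set, the one-day maxAgeSeconds threshold and the LOOSE_CONFIG sample are assumptions chosen for illustration, not Cloud Storage limits.

```python
import json

# Constructed sample inputs: the page's basic configuration (gcloud file form)
# and a deliberately loose configuration in the JSON API form.
PAGE_CONFIG = """[{"origin": ["https://your-example-website.appspot.com"],
  "method": ["GET"], "responseHeader": ["Content-Type"], "maxAgeSeconds": 3600}]"""
LOOSE_CONFIG = """{"cors": [{"origin": ["*", "http://intranet.example"],
  "method": ["GET", "PUT"], "responseHeader": ["Content-Type"],
  "maxAgeSeconds": 604800}]}"""

KNOWN_KEYS = {"origin", "method", "responseHeader", "maxAgeSeconds"}
READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumed review policy
MAX_AGE_LIMIT = 86400  # assumed review threshold (1 day), not a Cloud Storage limit


def lint_cors(text):
    """Return (entry_index, finding) pairs for a CORS configuration document."""
    doc = json.loads(text)
    # The JSON API body wraps the list in {"cors": [...]}; the gcloud file is the bare list.
    entries = doc.get("cors", []) if isinstance(doc, dict) else doc
    if not isinstance(entries, list):
        raise ValueError("CORS configuration must be a list of entries")
    findings = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            findings.append((i, "entry is not a JSON object"))
            continue
        for key in sorted(set(entry) - KNOWN_KEYS):
            findings.append((i, f"unexpected key {key!r}"))
        for origin in entry.get("origin", []):
            if origin == "*":
                findings.append((i, "wildcard origin allows every site"))
            elif not origin.startswith("https://"):
                findings.append((i, f"non-HTTPS origin {origin!r}"))
        for method in entry.get("method", []):
            if method.upper() not in READ_ONLY_METHODS:
                findings.append((i, f"method {method!r} is outside the read-only set"))
        age = entry.get("maxAgeSeconds", 0)
        if age > MAX_AGE_LIMIT:
            findings.append((i, f"maxAgeSeconds {age} exceeds {MAX_AGE_LIMIT}"))
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_CONFIG), ("loose", LOOSE_CONFIG)):
        print(name, lint_cors(text) or "no findings")
```

The page's basic configuration produces no findings; the constructed loose configuration produces four.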

Remove CORS settings from a bucket

To remove CORS settings from a bucket, supply a CORS configuration file that's empty.

Command line

When you use the gcloud storage buckets update command with the --clear-cors flag, you remove the CORS configuration from a bucket:

gcloud storage buckets update gs://BUCKET_NAME --clear-cors

Where BUCKET_NAME is the name of the bucket whose CORS configuration you want to remove.

Client libraries

C++

For more information, see the Cloud Storage C++ API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample removes any existing CORS configuration from a bucket:

namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name) {
  StatusOr<gcs::BucketMetadata> original =
      client.GetBucketMetadata(bucket_name);
  if (!original) throw std::move(original).status();
  StatusOr<gcs::BucketMetadata> patched = client.PatchBucket(
      bucket_name, gcs::BucketMetadataPatchBuilder().ResetCors(),
      gcs::IfMetagenerationMatch(original->metageneration()));
  if (!patched) throw std::move(patched).status();

  std::cout << "Cors configuration successfully removed for bucket "
            << patched->name() << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample removes any existing CORS configuration from a bucket:

using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;

public class BucketRemoveCorsConfigurationSample
{
    public Bucket BucketRemoveCorsConfiguration(string bucketName = "your-bucket-name")
    {
        var storage = StorageClient.Create();
        var bucket = storage.GetBucket(bucketName);

        if (bucket.Cors == null)
        {
            Console.WriteLine("No CORS to remove");
        }
        else
        {
            bucket.Cors = null;
            bucket = storage.UpdateBucket(bucket);
            Console.WriteLine($"Removed CORS configuration from bucket {bucketName}.");
        }

        return bucket;
    }
}

Go

For more information, see the Cloud Storage Go API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample removes any existing CORS configuration from a bucket:

import (
	"context"
	"fmt"
	"io"
	"time"

	"cloud.google.com/go/storage"
)

// removeBucketCORSConfiguration removes the CORS configuration from a bucket.
func removeBucketCORSConfiguration(w io.Writer, bucketName string) error {
	// bucketName := "bucket-name"
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %w", err)
	}
	defer client.Close()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()

	bucket := client.Bucket(bucketName)
	bucketAttrsToUpdate := storage.BucketAttrsToUpdate{
		CORS: []storage.CORS{},
	}
	if _, err := bucket.Update(ctx, bucketAttrsToUpdate); err != nil {
		return fmt.Errorf("Bucket(%q).Update: %w", bucketName, err)
	}
	fmt.Fprintf(w, "Removed CORS configuration from a bucket %v\n", bucketName)
	return nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample removes any existing CORS configuration from a bucket:

import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Cors;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.util.ArrayList;
import java.util.List;

public class RemoveBucketCors {
  public static void removeBucketCors(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
    Bucket bucket =
        storage.get(bucketName, Storage.BucketGetOption.fields(Storage.BucketField.CORS));

    // getCors() returns the List and copying over to an ArrayList so it's mutable.
    List<Cors> cors = new ArrayList<>(bucket.getCors());

    // Clear bucket CORS configuration.
    cors.clear();

    // Update bucket to remove CORS.
    bucket.toBuilder().setCors(cors).build().update();
    System.out.println("Removed CORS configuration from bucket " + bucketName);
  }
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample removes any existing CORS configuration from a bucket:

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function removeBucketCors() {
  await storage.bucket(bucketName).setCorsConfiguration([]);

  console.log(`Removed CORS configuration from bucket ${bucketName}`);
}

removeBucketCors().catch(console.error);

PHP

For more information, see the Cloud Storage PHP API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample removes any existing CORS configuration from a bucket:

use Google\Cloud\Storage\StorageClient;

/**
 * Remove the CORS configuration from the specified bucket.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 */
function remove_cors_configuration(string $bucketName): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $bucket->update([
        'cors' => null,
    ]);

    printf('Removed CORS configuration from bucket %s', $bucketName);
}

Python

For more information, see the Cloud Storage Python API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample removes any existing CORS configuration from a bucket:

from google.cloud import storage


def remove_cors_configuration(bucket_name):
    """Remove a bucket's CORS policies configuration."""
    # bucket_name = "your-bucket-name"

    storage_client = storage.Client()
    bucket = storage_client.get_bucket(bucket_name)
    bucket.cors = []
    bucket.patch()

    print(f"Remove CORS policies for bucket {bucket.name}.")
    return bucket

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample removes any existing CORS configuration from a bucket:

def remove_cors_configuration bucket_name:
  # The ID of your GCS bucket
  # bucket_name = "your-unique-bucket-name"

  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new
  bucket = storage.bucket bucket_name

  bucket.cors do |c|
    c.clear
  end

  puts "Remove CORS policies for bucket #{bucket_name}"
end

REST APIs

JSON API

When set on a bucket, the following configuration removes all CORS settings from a bucket:

{
  "cors": []
}

For the generalized format of a CORS configuration file, see the bucket resource representation for JSON.

XML API

When set on a bucket, the following configuration removes all CORS settings from a bucket:

<CorsConfig></CorsConfig>

For the generalized format of a CORS configuration file, see the CORS configuration format for XML.
