Still no 'Access-Control-Allow-Origin' header with resumable upload

Question

In this question, I am partially referring to this one.

I am generating an upload URI with an authenticated request on my server, using the gcloud-package for Node. This is done with the createResumableUpload-method of a file. The actual upload will be done in a browser, which will not have the same origin.

Currently, my PUT-requests are cancelled because this header is missing, while OPTIONS-requests work fine.

I found three solutions of which none work.

1. On number 8 of the troubleshooting list of the documentation about CORS on Google Cloud Storage, it is recommended to set the origin to * (wildcard), using the XML CORS API. While this is outdated, as the API has switched to JSON, it still won't set the header afterwards. I also dislike having to set this to a wildcard, pretty insecure.
2. Set CORS-option when generating the upload URI to * and the actual origin, these are both ignored
3. Set CORS as a query string parameter, this is also ignored.

Am I missing something here, or is this still not fixed after two years?

Answer 1

Thanks to Brandon Yarbrough's answer, I could fix my situation.

Turns out, there's a pretty easy solution around this. Set the origin-header using a request-interceptor, and supply it as an option to the createResumableUpload-method of a file in a bucket.

You can now finish your uploads from a browser.

Answer 2

This is still not supported, unfortunately. Resumable uploads are logically considered to be a single operation, which is assumed to involve one remote entity. As I understand it, only the first Origin header will be respected.

You could workaround this in a couple of ways. The best way would probably be to have your server sign a URL and allow the client to start the upload themselves. Alternately, when starting the upload, you could try having your server provide the Origin header that the clients will use, keeping it consistent through the entire operation.