aaaidan

Reputation: 315

Why does S3 CORS allow methods that I have not specified in the CORS configuration?

Why does S3 allow me to PUT objects to the bucket using a PUT HTTP request despite only specifying a GET in allowed method?

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

Upvotes: 0

Views: 70

Answers (1)

roryhewitt

Reputation: 4507

The <AllowedMethod>GET</AllowedMethod> CORSRule node simply indicates what value should be returned in the Access-Control-Allow-Methods response header for a CORS preflight OPTIONS request. That will then be checked (in the browser) against the method which is about to be used for the real request.

It does not have anything to do with which methods are actually allowed for requests.

However, if your request is a 'simple' CORS request which doesn't need preflighting, then there's no checking in the browser - it just makes the request.

That being said, a PUT request shouldn't be a simple request, so can you post your full request/response headers here?

Upvotes: 1
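The behaviour described in the answer above, as an added example that is not part of the original posts: a simplified JavaScript model of where the CORS method check runs. The function names, the `rule` object form and the origin `https://app.example` are assumptions made for illustration; "sent" means the request reaches the server, where the bucket's access controls, not CORS, decide whether it succeeds.

```javascript
// Simplified model of the CORS method check; not S3 or browser source code.
// Methods that the Fetch standard lets a browser send without a preflight.
// (POST is only "simple" with a safelisted Content-Type; headers are omitted here.)
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// The question's CORSRule, written as a constructed object for this example.
const rule = { allowedOrigins: ["*"], allowedMethods: ["GET"] };

// Browser side: decide whether an OPTIONS preflight must precede the request.
function needsPreflight(method) {
  return !SIMPLE_METHODS.has(method.toUpperCase());
}

// Server side of the preflight: the rule only controls what is advertised.
function preflightResponse(rule, origin) {
  const originOk =
    rule.allowedOrigins.includes("*") || rule.allowedOrigins.includes(origin);
  if (!originOk) return {};
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-methods": rule.allowedMethods.join(", "),
  };
}

// Returns "sent" or "blocked-by-browser" for a given client and method.
function corsOutcome(client, method, origin, rule) {
  // Non-browser clients (curl, SDKs, server code) never perform a CORS check.
  if (client !== "browser") return "sent";
  // Simple requests skip the preflight, so no method check happens up front.
  if (!needsPreflight(method)) return "sent";
  const headers = preflightResponse(rule, origin);
  const advertised = (headers["access-control-allow-methods"] || "")
    .split(",")
    .map((m) => m.trim().toUpperCase())
    .filter(Boolean);
  // The browser, not the server, refuses to send the real request.
  return advertised.includes(method.toUpperCase())
    ? "sent"
    : "blocked-by-browser";
}

for (const [client, method] of [["browser", "GET"], ["browser", "PUT"], ["curl", "PUT"]]) {
  console.log(client, method, "->", corsOutcome(client, method, "https://app.example", rule));
}
```

To stop unwanted writes, restrict `s3:PutObject` in the bucket policy or IAM rather than relying on `AllowedMethod`.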
