tencent cloud

Cloud Object Storage

PUT Bucket cors

Last updated: 2026-05-19 15:53:12

Feature Description

The PUT Bucket cors request is used to configure Cross-Origin Resource Sharing (CORS) access control for a bucket. You can perform this configuration by submitting an XML configuration file, which has a size limit of 64 KB.


Authorization Description

When you use an authorization policy, set the action to cos:PutBucketCORS. An example is provided below.
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "name/cos:PutBucketCORS"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/*"
      ]
    }
  ]
}
For more COS actions, see CAM-supported Business APIs.

Request

Request Example

PUT /?cors HTTP/1.1
Host: <BucketName-APPID>.cos.<Region>.myqcloud.com
Date: GMT Date
Content-Type: application/xml
Content-Length: Content Length
Content-MD5: MD5
Authorization: Auth String

[Request Body]
Note:
Host: <BucketName-APPID>.cos.<Region>.myqcloud.com. Here, <BucketName-APPID> is the bucket name with the APPID suffix, for example, examplebucket-1250000000. For details, see the Bucket Overview > Basic Information and Bucket Overview > Bucket Naming Conventions documents. <Region> is the available region of COS. For details, see the Regions and Access Domains document.
Authorization: Auth String (For details, see Request Signature).

Request Parameter

This API has no request parameters.

Request Header

This API only uses common request headers. For details, see Common Request Headers.

Request Body

Submit the request data in application/xml format. The data must contain complete Cross-Origin Resource Sharing (CORS) configuration information for the bucket.
<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>string</AllowedOrigin>
    <AllowedMethod>enum</AllowedMethod>
    <AllowedMethod>enum</AllowedMethod>
    <AllowedHeader>string</AllowedHeader>
    <AllowedHeader>string</AllowedHeader>
    <ExposeHeader>string</ExposeHeader>
    <ExposeHeader>string</ExposeHeader>
    <MaxAgeSeconds>integer</MaxAgeSeconds>
  </CORSRule>
  <CORSRule>
    <ID>string</ID>
    <AllowedOrigin>string</AllowedOrigin>
    <AllowedOrigin>string</AllowedOrigin>
    <AllowedMethod>enum</AllowedMethod>
    <AllowedMethod>enum</AllowedMethod>
    <AllowedHeader>string</AllowedHeader>
    <ExposeHeader>string</ExposeHeader>
    <ExposeHeader>string</ExposeHeader>
    <MaxAgeSeconds>integer</MaxAgeSeconds>
  </CORSRule>
  <ResponseVary>false</ResponseVary>
</CORSConfiguration>
The detailed node descriptions are as follows:
| Node Name (Keyword) | Parent Node | Description | Type | Required |
| --- | --- | --- | --- | --- |
| CORSConfiguration | None | Contains all request information for the PUT Bucket cors operation. | Container | Yes |
Content of the CORSConfiguration Container Node:
| Node Name (Keyword) | Parent Node | Description | Type | Required |
| --- | --- | --- | --- | --- |
| CORSRule | CORSConfiguration | Describes all information for a single Cross-Origin Resource Sharing (CORS) rule. A configuration can contain up to 100 CORSRules. | Container | Yes |
| ResponseVary | CORSConfiguration | Indicates whether responses to cross-origin requests include the Vary: Origin header. Accepts the Boolean value true or false, where true means the header is returned and false means it is not. If this field is omitted, the default value is false. | Boolean | No |
Content of the CORSRule Container Node:
| Node Name (Keyword) | Parent Node | Description | Type | Required |
| --- | --- | --- | --- | --- |
| AllowedOrigin | CORSConfiguration.CORSRule | Specifies the allowed origins. A single CORSRule can be configured with multiple AllowedOrigins. The value * is supported and allows all domains, but this is not recommended. A single, specific domain is supported, for example, http://www.example.com. The * wildcard can appear in any position, including the protocol, domain, and port, and matches zero or more characters, but only one * wildcard is allowed. Use wildcards with caution, as they may inadvertently match unintended origins. Include the protocol name, either http or https. If the port is not the default (80 for http or 443 for https), you must also specify the port, for example, https://example.com:8443. | string | Yes |
| AllowedMethod | CORSConfiguration.CORSRule | Allowed HTTP methods. Corresponds to the Access-Control-Allow-Methods header in the CORS response. A single CORSRule can be configured with multiple AllowedMethod values. Enumerated values: PUT, GET, POST, DELETE, HEAD. | enum | Yes |
| AllowedHeader | CORSConfiguration.CORSRule | When sending a preflight (OPTIONS) request, the browser informs the server of the custom HTTP request headers that will be used in the subsequent actual request. This node specifies the custom HTTP request headers that the browser is allowed to carry when sending CORS requests. Matching is case-insensitive. A single CORSRule can be configured with multiple AllowedHeaders. You can configure *, which indicates that all headers are allowed. To avoid omissions, it is recommended to configure it as *. If you do not configure it as *, each header that appears in the Access-Control-Request-Headers header of a preflight (OPTIONS) request must have a corresponding entry in AllowedHeader. | string | No |
| ExposeHeader | CORSConfiguration.CORSRule | Specifies the headers in the CORS response that the browser is allowed to obtain. Matching is case-insensitive. A single CORSRule can be configured with multiple ExposeHeaders. By default, browsers can only access simple response headers: Cache-Control, Content-Type, Expires, and Last-Modified. To access other response headers, you must add an ExposeHeader configuration. Configuring * is not supported; you must explicitly configure specific headers. Choose the headers based on your actual requirements. By default, ETag is recommended. You can refer to the response header sections of the relevant API documentation and the Common Response Headers document. | string | No |
| MaxAgeSeconds | CORSConfiguration.CORSRule | The validity period, in seconds, of the result of a preflight (OPTIONS) request. During this period, the browser does not need to initiate a preflight (OPTIONS) request again for the same request. Corresponds to the Access-Control-Max-Age header in the CORS response. Only one MaxAgeSeconds can be configured for a single CORSRule. | integer | No |
| ID | CORSConfiguration.CORSRule | The ID configured for a single CORSRule. It is used to locate a specific CORSRule when a GET Bucket cors request is performed. This field is optional. A single CORSRule can be configured with at most one ID. | string | No |
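
The AllowedOrigin wildcard semantics and the node constraints described above can be checked before a configuration is submitted. The following Python check is an added example, not part of the original page and not Tencent Cloud code. The function names, the sample XML, and the "leading subdomain label" rule are assumptions of this example; the remaining checks use limits stated on this page.

```python
import re
import xml.etree.ElementTree as ET

METHODS = {"PUT", "GET", "POST", "DELETE", "HEAD"}  # enum values listed above

def origin_matches(pattern, origin):
    """One * matches zero or more characters, at any position (per the page)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, origin) is not None

def lint_cors(xml_text):
    """Return findings for a CORSConfiguration body (hypothetical helper)."""
    out = []
    if len(xml_text.encode()) > 64 * 1024:
        out.append("body larger than 64 KB")
    rules = ET.fromstring(xml_text).findall("CORSRule")
    if not 1 <= len(rules) <= 100:
        out.append("need 1 to 100 CORSRule nodes")
    for n, rule in enumerate(rules, 1):
        name = rule.findtext("ID") or f"rule {n}"
        origins = [(e.text or "").strip() for e in rule.findall("AllowedOrigin")]
        methods = [(e.text or "").strip() for e in rule.findall("AllowedMethod")]
        out += [f"{name}: unknown method {m}" for m in methods if m not in METHODS]
        for o in origins:
            if o == "*":
                out.append(f"{name}: * allows all origins")
            elif o.count("*") > 1:
                out.append(f"{name}: more than one * in {o}")
            elif not re.match(r"(https?|[a-z]*\*[a-z]*)://", o):
                out.append(f"{name}: {o} lacks http:// or https://")
            elif "*" in o and not re.fullmatch(r"https?://\*\.[^*]+", o):  # example's own rule
                out.append(f"{name}: wildcard in {o} is not a leading subdomain label")
        if any((e.text or "").strip() == "*" for e in rule.findall("ExposeHeader")):
            out.append(f"{name}: ExposeHeader does not support *")
    return out

# Constructed sample configuration (not from the page).
SAMPLE = """<CORSConfiguration>
<CORSRule><ID>loose</ID><AllowedOrigin>https://example.com*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod><ExposeHeader>*</ExposeHeader></CORSRule>
<CORSRule><ID>tight</ID><AllowedOrigin>https://*.example.com</AllowedOrigin>
<AllowedMethod>PUT</AllowedMethod><ExposeHeader>ETag</ExposeHeader></CORSRule>
</CORSConfiguration>"""

if __name__ == "__main__":
    print("\n".join(lint_cors(SAMPLE)))
    # A trailing * also matches a longer, unrelated host name:
    print(origin_matches("https://example.com*", "https://example.com.other.test"))
```

The first rule in the sample is reported twice (wildcard placement and ExposeHeader), while the second rule passes.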

Response

Response Headers

This API only returns common response headers. For details, see Common Response Headers.

Response Body

The response body of this API is empty.

Error Codes

This API follows unified error responses and error codes. For details, see Error Codes.

Practical Case

Request

PUT /?cors HTTP/1.1
Host: examplebucket-1250000000.cos.ap-beijing.myqcloud.com
Date: Thu, 09 Jul 2020 11:15:01 GMT
Content-Type: application/xml
Content-Length: 1185
Content-MD5: ZNkhBxyjkaZcs1j7/cIE2A==
Authorization: q-sign-algorithm=sha1&q-ak=************************************&q-sign-time=1594293301;1594300501&q-key-time=1594293301;1594300501&q-header-list=content-length;content-md5;content-type;date;host&q-url-param-list=cors&q-signature=****************************************
Connection: close

<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedHeader>Range</AllowedHeader>
    <AllowedHeader>x-cos-server-side-encryption-customer-algorithm</AllowedHeader>
    <AllowedHeader>x-cos-server-side-encryption-customer-key</AllowedHeader>
    <AllowedHeader>x-cos-server-side-encryption-customer-key-MD5</AllowedHeader>
    <ExposeHeader>Content-Length</ExposeHeader>
    <ExposeHeader>ETag</ExposeHeader>
    <ExposeHeader>x-cos-meta-author</ExposeHeader>
    <MaxAgeSeconds>600</MaxAgeSeconds>
  </CORSRule>
  <CORSRule>
    <ID>example-id</ID>
    <AllowedOrigin>https://example.com</AllowedOrigin>
    <AllowedOrigin>https://example.net</AllowedOrigin>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>GET</AllowedMethod>
    ...
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
    <ExposeHeader>Content-Length</ExposeHeader>
    <ExposeHeader>ETag</ExposeHeader>
    <ExposeHeader>x-cos-meta-author</ExposeHeader>
    <MaxAgeSeconds>600</MaxAgeSeconds>
  </CORSRule>
  <ResponseVary>true</ResponseVary>
</CORSConfiguration>

Response

HTTP/1.1 200 OK
Content-Length: 0
Connection: close
Date: Thu, 09 Jul 2020 11:15:01 GMT
Server: tencent-cos
x-cos-request-id: NWYwNmZjMzVfMzFiYjBiMDlfZjgzYV8xZDky****

