S3 not returning Access-Control-Allow-Origin headers?

Question

I am having trouble forcing S3 to set CORS headers on all of the objects it returns from a bucket, though CORS is enabled, as client-side S3 uploads are working, the returned objects do not have CORS headers!

The policy I have enabled is :

<?xml version="1.0" encoding="UTF-8"?>

<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">

    <CORSRule>

        <AllowedOrigin>*</AllowedOrigin>

        <AllowedMethod>GET</AllowedMethod>

        <AllowedMethod>POST</AllowedMethod>

        <AllowedMethod>PUT</AllowedMethod>

        <AllowedHeader>*</AllowedHeader>

    </CORSRule>

</CORSConfiguration>

Does anyone know what is wrong?

Answer 1

Make sure that you use an Origin header with every request. S3 will not send access-control headers if there is no Origin header is sent because S3 will consider them irrelevant. 

While loading images with the img tag, add crossorigin=”anonymous” attribute. 

In case of loading images with img, you need to add crossorigin="anonymous" attribute. See MDN Documentation on the cross-origin attribute. This will cause the browser to send an Origin request header as it does with XMLHTTPRequest.

You will have to change this

 <AllowedOrigin>http://*</AllowedOrigin>

to

 <AllowedOrigin>http://*</AllowedOrigin>

 <AllowedOrigin>https://*</AllowedOrigin>