Cross-origin resource sharing (CORS)
Cross-Origin Resource Sharing (CORS) enables client-side web applications to access resources from different origins. Cloud Storage supports the CORS specification, letting you configure your buckets to share resources securely with scripts from other origins. For example, you can use CORS to enable your web application https://example-app.appspot.com to access a resource at the origin https://example-data.storage.googleapis.com.
For more information about CORS configuration components, see Set Bucket CORS.
How CORS works
Use CORS when you want your website to fetch files, images, or scripts directly from a Cloud Storage bucket using a browser-based request.
Allowing access across domains
By default, web browsers enforce a security measure called the same-origin policy. The same-origin policy prevents a script on one website from interacting with resources on a different domain. Although this protects users from malicious sites, it also blocks legitimate requests. For example, if your web application https://example-app.appspot.com attempts to access a resource at the origin https://example-data.storage.googleapis.com, the browser will block the request by default because the domains don't match.
The CORS specification provides a way for servers to tell the browser, "I trust this specific domain, so go ahead and allow the request."
Cloud Storage lets you set a CORS configuration on your bucket. When configured, Cloud Storage sends specific HTTP headers back to the browser (such as `Access-Control-Allow-Origin`) that authorize the browser to share the bucket's resources with your web application.
Request types
CORS requests operate in two ways: simple and preflighted. A simple request proceeds directly, while a preflighted request first sends a preliminary request to obtain permission.
Simple requests
The following process occurs when a browser makes a simple request to Cloud Storage:
1. The browser adds the `Origin` header to the request. The `Origin` header contains the origin of the resource seeking to share the Cloud Storage bucket's resources, for example, `Origin: https://www.example-app.appspot.com`.
2. Cloud Storage compares the HTTP method of the request and the value of the `Origin` header to the Methods and Origins information in the target bucket's CORS configuration to see if there are matches. If there are, Cloud Storage includes the `Access-Control-Allow-Origin` header in its response. The `Access-Control-Allow-Origin` header contains the value of the `Origin` header from the initial request.
3. The browser receives the response and checks whether the `Access-Control-Allow-Origin` value matches the domain specified in the original request. If they match, the request succeeds. If they don't match, or if the `Access-Control-Allow-Origin` header is not present in the response, the request fails.
Preflighted requests
A request is preflighted if any of the following circumstances are true:
- It uses methods other than `GET`, `HEAD`, or `POST`.
- It uses the `POST` method with a `Content-Type` other than `text/plain`, `application/x-www-form-urlencoded`, or `multipart/form-data`.
- It sets custom headers. For example, `X-PINGOTHER`.
A preflighted request performs the following steps first. If it is successful, it then follows the same process as a simple request:
1. The browser sends an `OPTIONS` request containing the Requested Method and Requested Headers of the primary request.
2. Cloud Storage responds with the values of the HTTP methods and headers allowed by the targeted resource. If any of the method or header values in the preflight request aren't in the set of methods and headers allowed by the targeted resource, the request fails, and the primary request isn't sent.
For a more complete description of CORS requests, read the Fetch spec.
Cloud Storage CORS support
Cloud Storage lets you set CORS configurations at the bucket level. The JSON API and XML API endpoints handle CORS requests and return response headers differently. Understand these behaviors to configure your buckets effectively:
- JSON API endpoints always allow CORS requests and return default values in the CORS response headers, regardless of the configuration set on the bucket.
- XML API endpoints only allow CORS requests based on the configuration on the bucket and return specific CORS header values in response to that configuration.
- The authenticated browser download endpoint `storage.cloud.google.com` does not allow CORS requests. Note that the Google Cloud console provides this endpoint for each object's public URL link.
You can use either of the following XML API request URLs to obtain a response from Cloud Storage that contains the CORS headers:
- `storage.googleapis.com/BUCKET_NAME`
- `BUCKET_NAME.storage.googleapis.com`
For information about XML API request URLs, see Request Endpoints.
Components of a CORS configuration
When using the XML API, the values you set on your bucket's CORS configuration determine the CORS headers Cloud Storage returns in an HTTP response. When using the JSON API, Cloud Storage does not evaluate your bucket's configuration and instead returns default header values.
The following table describes the fields in a CORS configuration and the response behavior of the XML and JSON APIs. To learn how these fields are used, see CORS configuration examples.
| Field¹ | Description | XML API response behavior | JSON API response behavior |
|---|---|---|---|
| origin | Specify origins that you want to allow for cross-origin resource sharing with this Cloud Storage bucket. For example, `https://origin1.example.com`. | If the origin in a browser's request matches an origin in your CORS configuration, Cloud Storage returns `Access-Control-Allow-Origin` to the browser. If there is no match, Cloud Storage does not include `Access-Control-Allow-Origin` in the response. You can supply a wildcard value that grants access to all origins: `<Origin>*</Origin>`. | Cloud Storage returns the `Access-Control-Allow-Origin` header set to the origin of the request. |
| method | Specify HTTP methods that you want to allow for cross-origin resource sharing with this Cloud Storage bucket. The value is returned in the `Access-Control-Allow-Methods` header in response to successful preflight requests. | Cloud Storage supports the following methods: Cloud Storage checks the method sent from the browser (the request method, or the `Access-Control-Request-Method` header of a preflight request) against the bucket's CORS configuration. If there is no match, Cloud Storage doesn't return CORS response headers. | Cloud Storage returns the `Access-Control-Allow-Methods` header set to the following methods: `DELETE`, `GET`, `HEAD`, `PATCH`, `POST`, `PUT`. |
| responseHeader | Specify which headers you want to allow for cross-origin resource sharing with this Cloud Storage bucket. The value is returned in the `Access-Control-Allow-Headers` header in response to successful preflight requests. | For preflight requests, Cloud Storage checks the headers sent from the browser in the `Access-Control-Request-Headers` header against the bucket's CORS configuration. If there is no match, Cloud Storage doesn't return CORS response headers. | Cloud Storage returns the `Access-Control-Allow-Headers` header set equal to the values specified by the `Access-Control-Request-Headers` header. |
| maxAgeSeconds (optional) | Specify the number of seconds the browser is allowed to make requests before it must repeat the preflight request. This is also known as the cache expiry time. This value is returned in the `Access-Control-Max-Age` header in responses to preflight requests. For example, `3600` sets the cache expiry time to 1 hour. | Cloud Storage returns the `Access-Control-Max-Age` header with the specified cache expiry time. If you omit this field, Cloud Storage returns the default value of `3600`. | Cloud Storage returns the `Access-Control-Max-Age` header with the default value of `3600`. |
¹ Names documented in the Field column are specific to the JSON API. When using the XML API to set a CORS configuration, use the XML-specific format.
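The following model is an added illustration (not Google's code) that ties the preflight triggers from "Preflighted requests" to the XML API matching rules in the table above: `is_preflighted` decides whether a browser would send an `OPTIONS` request, and `xml_api_cors_headers` returns the headers a bucket's configuration would yield, or nothing when the origin, method or requested headers don't match. The `CorsRule` class and both function names are assumptions made for the example; the bucket configuration and request values are constructed.

```python
from dataclasses import dataclass, field

# Browser-side rules from "Preflighted requests" (Fetch spec): methods,
# Content-Type values and request headers that do NOT trigger a preflight.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {"text/plain", "application/x-www-form-urlencoded",
                        "multipart/form-data"}
SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}


def is_preflighted(method, script_headers):
    """Would the browser send an OPTIONS preflight before this request?
    script_headers: headers the page's script sets (Origin is added by the browser)."""
    hdrs = {k.lower(): v for k, v in script_headers.items()}
    if method not in SIMPLE_METHODS:
        return True                                   # e.g. PUT, DELETE
    ctype = hdrs.get("content-type", "text/plain").split(";")[0].strip()
    if ctype not in SIMPLE_CONTENT_TYPES:
        return True                                   # e.g. POST with application/json
    return any(h not in SAFELISTED for h in hdrs)     # custom header, e.g. X-PINGOTHER


@dataclass
class CorsRule:                  # one entry of a bucket's CORS configuration (hypothetical model)
    origin: list
    method: list
    response_header: list = field(default_factory=list)
    max_age_seconds: int = 3600  # XML API default when the field is omitted


def xml_api_cors_headers(rules, origin, method, requested_headers=(), preflight=False):
    """CORS headers the XML API behaviour adds, or {} when no rule matches
    (the browser then blocks the response). For a preflight, `method` and
    `requested_headers` are the Requested Method / Requested Headers."""
    for rule in rules:
        if origin not in rule.origin and "*" not in rule.origin:
            continue                                  # origin not allowed by this rule
        if method not in rule.method:
            continue                                  # method not allowed by this rule
        allowed = {h.lower() for h in rule.response_header}
        if any(h.lower() not in allowed for h in requested_headers):
            continue                                  # preflight asks for a header not allowed
        hdrs = {"Access-Control-Allow-Origin": origin}  # echoes the request's Origin value
        if preflight:
            hdrs["Access-Control-Allow-Methods"] = ",".join(rule.method)
            hdrs["Access-Control-Allow-Headers"] = ",".join(rule.response_header)
            hdrs["Access-Control-Max-Age"] = str(rule.max_age_seconds)
        else:
            hdrs["Access-Control-Expose-Headers"] = ",".join(rule.response_header)
        return hdrs
    return {}
```

Running a planned configuration through this model before deploying it shows which origins and methods it would silently block, and confirms that a wildcard origin really does admit every origin.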
Specifying multiple origins, methods, or headers
To learn how to set multiple origins, methods, or headers in a CORS configuration, see the following list:
- When using the JSON API, you can specify multiple origins, methods, or headers by using a comma-separated array. For example, `"method": ["GET", "PUT"]`.
  Caution: When you set a CORS configuration using the JSON API, requests from all origins are accepted regardless of the `origin` field value in the CORS configuration.
- When using the XML API, you can specify multiple origins, methods, or headers by using separate elements. For example: `<Methods><Method>PUT</Method><Method>GET</Method></Methods>`
- To allow requests to be made from any origin, set the origin to the wildcard `*`. For example, `"origin": ["*"]` in the JSON API or `<Origin>*</Origin>` in the XML API. While this origin is helpful for testing configurations, in most cases you'll want to restrict request origins to prevent unwanted usage of your resources.
Additional considerations
The following table describes considerations when making requests using credentials or access control headers:
| Property or header | Description | XML API response behavior | JSON API response behavior |
|---|---|---|---|
| Credentials | Cookies, authorization headers, or TLS client certificates. | Cloud Storage never returns the `Access-Control-Allow-Credentials` header. CORS credentials are not supported by the XML API. | For simple requests, if the CORS request is approved, the For preflight requests, if |
| Exposed headers | For preflight requests, the `Access-Control-Request-Headers` request header indicates which headers a future CORS request might include. The `Access-Control-Expose-Headers` response header is included in the server's response and indicates to the client which headers can be exposed. | For simple requests, `Access-Control-Expose-Headers` lists the values of the response headers in your CORS configuration. | For simple requests, `Access-Control-Expose-Headers` returns the values specified in `Access-Control-Request-Headers` if they are part of a list of common HTTP headers. |
Allowing buckets to access external resources
Sometimes, you might want to allow scripts hosted in Cloud Storage to access static resources that are hosted on a website external to Cloud Storage. In this scenario, the website serves CORS headers so that content on `storage.googleapis.com` is allowed access.
As a best practice, you should dedicate a specific bucket for this data access. This approach prevents your site from inadvertently over-exposing static resources to all of `storage.googleapis.com`. For example, if you want to dedicate a bucket named `mybucket` for data access, you should have the website serve the CORS header `Access-Control-Allow-Origin: https://mybucket.storage.googleapis.com` instead of `Access-Control-Allow-Origin: https://storage.googleapis.com`.
Client-side CORS support
Most browsers use the `XMLHttpRequest` object to make a cross-domain request. `XMLHttpRequest` takes care of all the work of inserting the right headers and handling the CORS interaction with the server. You don't have to add any new code to take advantage of CORS support on Cloud Storage buckets.
What's next
- Learn how to enable CORS for your bucket.
- Explore CORS configuration examples, including an example that removes the CORS configuration on a bucket.
- Learn how to troubleshoot CORS requests.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.