Search code examples
google-cloud-platformcorsgoogle-cloud-storagesame-origin-policy

How to set Access-Control-Allow-Origin to the http_origin in Google Cloud Storage to fix the "response must not be the wildcard '*'" CORS error


I know if Access-Control-Allow-Origin is a wildcard *, script X cannot be accessed from an origin Y when the request's credentials mode is 'include'. Fair enough!

Normally, when we have Nginx, we solve this by something like:

    add_header 'Access-Control-Allow-Origin' $http_origin;

From what I understood, seems like there is no $http_origin equivalent in Google Cloud storage (or is there?).

So, if the resource is in Google Cloud storage, I don't know how can I adjust the CORS setting to do the same.

I currently do the following:

$ printf '[{"origin": ["*"],"responseHeader": ["*"],"method":
    ["GET","POST","HEAD"],"maxAgeSeconds": 900}]' > cors.json
$ gsutil cors set cors.json gs://mybucket
$ gsutil -m rsync -a public-read ./myfolder/ gs://mybucket/myfolder/ 

The error I received, as I said, is this:

Access to script at 'https://storage.googleapis.com/mybucket/myfolder/myfile.js' from origin 'https://www.whatever.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

My question is specifically about Google Cloud storage settings: how can I fix this issue for static files I'm uploading to Google Cloud storage?

Update 1: This resource is a public url and can be called from any HTTPS website, even the ones that we don't explicitly know about.

Here is the screenshot of the error: enter image description here

Update 2:

Here is the request cURL I copy pasted from network tab in Chrome:

curl 'https://storage.googleapis.com/whatever/whatever/file.js' \
  -H 'authority: storage.googleapis.com' \
  -H 'accept: */*' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'cache-control: no-cache' \
  -H 'origin: https://www.example.com' \
  -H 'pragma: no-cache' \
  -H 'referer: https://www.example.com/' \
  -H 'sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: script' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: cross-site' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36' \
  --compressed

Solution

  • The problem was the crossorigin settings of the generated tag. The problem was resolved after setting it to anynomous.