The AllowedOrigins are omitted, but correct. The exact value of the request's Origin header is provi

The AllowedOrigins are omitted, but correct. The exact value of the request's Origin header is provided here.

Can someone help me to turn on https. I tried turned on always use https, http rewrites and pages rules , configuration added and ssl labs given grade T. But still page is not secure

Original message was deleted

shun•11/16/24, 2:48 PM

This. Thanks!
https://developers.cloudflare.com/api/operations/zone-purge?schema_url=https%3A%2F%2Fraw.githubusercontent.com%2Fcloudflare%2Fapi-schemas%2Fmain%2Fopenapi.yaml

Cloudflare API Documentation

Interact with Cloudflare's products and services via the Cloudflare API

Zzimmed The AllowedOrigins are omitted, but correct. The exact value of the request's Or...

zimmedOP•11/16/24, 2:51 PM

Original message was deleted

zimmedOP•11/16/24, 2:52 PM

No, the list has just grown as I try to debug and add anything I can find in the forums that might fix it.

zimmedOP•11/16/24, 2:55 PM

I'm not sure if there's a delay in the config being applied, but after saving it to match yours and trying again, nothing has changed.

Original message was deleted

zimmedOP•11/16/24, 3:02 PM

Same thing. But I do still see that the Cache-Control is set to max-age=14400, which I would expect to be 3600 based on my provided config, no?

Original message was deleted

zimmedOP•11/16/24, 3:08 PM

If that's the case, then which repsonse header is supposed to indicate the browser can cache the preflight response for up to the time specified?

Original message was deleted

zimmedOP•11/16/24, 3:10 PM

Yes, but the cache is browser-side. So how does the browser know to cache it for an hour? Typically caching is achieved through the Cache-Control response header.

Original message was deleted

zimmedOP•11/16/24, 3:11 PM

Which the browser receives via... ?

Original message was deleted

zimmedOP•11/16/24, 3:14 PM

Is it possible the browser is still receiving a cached preflight response since that header isn't present in the response (was added only about 30 minutes ago to the config)?

Original message was deleted

zimmedOP•11/16/24, 3:16 PM

Do the responses cache server-side at all? Because it wouldn't make sense that I'd still be getting a cached response from another browser, or even the same browser with caching disabled.

maco6517•11/16/24, 3:56 PM

Why can I still access my direct link when I set the rule like this? What did I do wrong?

maco6517•11/16/24, 3:56 PM

https://video.wikidata.top/ab.mp4

Original message was deleted

maco6517•11/16/24, 4:05 PM

let me add mp4 link to cosplay website it can play,

Original message was deleted

maco6517•11/16/24, 4:07 PM

is there any way to block others from getting my direct mp4 link to play?

Fernando Dilland•11/16/24, 4:10 PM

I’m sharing this library I made for a video player with HLS, supporting multiple qualities and deferred loading with Cloudflare R2. Suggestions and support are welcome! :MeowHeartCloudflare:

Includes CORS configuration recommendations, video thumbnails, etc.!

https://github.com/fernandodilland/r2-player.js

GitHub

GitHub - fernandodilland/r2-player.js: Cloudflare R2 and HLS embedd...

Cloudflare R2 and HLS embedded video player JavaScript library featuring thumbnails, lazy loading, and multiple quality options. - fernandodilland/r2-player.js

Original message was deleted

maco6517•11/16/24, 4:15 PM

how can i get my cosplay.baby site to play mp4 links, which other sites can't play

Original message was deleted

maco6517•11/16/24, 4:20 PM

I have enabled hot link and I don't know what to do next :((

maco6517•11/16/24, 4:27 PM

my mp4 direct link still works :((

Original message was deleted

maco6517•11/16/24, 4:32 PM

https://video.wikidata.top/ab.mp4 yes sir it still works no block

Original message was deleted

maco6517•11/16/24, 4:49 PM

https://cosplay.baby/video/juqcyxp3mbZwnTW but it doesn't work with my site :((

maco6517•11/16/24, 5:28 PM

:((

maco6517•11/16/24, 6:10 PM

https://cosplay.baby/video/juqcyxp3mbZwnTW
Can anyone help me the rule is working "block
Hostname" but does not work with Referer

flayks•11/16/24, 7:42 PM

Hey! I have a grid of looped video previews using R2 and only 9 of out 12 play, is there a limit on the amount of simultaneous requests or something?
Most videos load and some just failed as "canceled"

I was using Mux and no such issue so it's not coming from my code or browser either, feels specific to Cloudflare and/or R2!

Original message was deleted

flayks•11/16/24, 8:19 PM

The code has not changed from Mux to R2 so what can explain this?

Original message was deleted

flayks•11/16/24, 8:20 PM

It's not my portfolio

working locally

flayks•11/16/24, 8:21 PM

It's just auto played 4sc videos from 300 to 700kb.. Nothing crazy.

flayks•11/16/24, 8:22 PM

There is no detail in the network tab

Mmaco6517 https://cosplay.baby/video/juqcyxp3mbZwnTW Can anyone help me the rule is workin...

maco6517•11/17/24, 2:46 AM

helpme

maco6517•11/17/24, 6:43 AM

it seems no one cares, other people can take your r2 link and post it on their website without spending any resources

Original message was deleted

flayks•11/17/24, 10:40 AM

ok, so apparently it was special characters in the video filename that was causing issues

(coming from the client so could not investigate easily)

maco6517•11/17/24, 2:46 PM

How to allow access to video.wikidata from one domain only?
i have set the rule as in the image, it only works in wordpress page but this player is not working

Is there any way to get it to work in these players?
https://cosplay.baby/video/juqcyxp3mbZwnTW

Is there a problem with my custom player page?

zimmedOP•11/17/24, 3:15 PM

I am utterly perplexed by R2's CORS configuration. With valid configuration, I am unable to fetch most resources with proper CORS headers, but anonymous access to all resources works just fine. Additionally, CORS requests work for SOME resource types (such as images), but not others (css stylesheets). Comparing the request headers between the CORS requests that fail and succeed (i.e., response has CORS headers) are practically identical, other than the 'Accept' and 'Sec-Fetch-Dest', for obvious reasons.

What on earth am I missing here?

Also, is there no ability to restrict bucket access from a custom domain to only allow CORS requests?

fry69•11/17/24, 3:16 PM

?r2-4xx-cors

Flare•11/17/24, 3:16 PM

Troubleshooting 403 / CORS issues with R2

So, your assets aren't loading because you are getting a CORS error despite having setup everything correctly?
Let's try troubleshooting.

In your browser console, do you see a 401/403 error right above the CORS error? If yes, then you aren't actually dealing with a CORS issue! If you do have a CORS issue, head to the last section.

If you are using a Custom domain

Go to the Network tab and find the failing request (you may need to reload the page, since only requests after opening the developer tools are logged).
You need to check the response headers for the following two headers:

cf-cache-statuscf-cache-status
cf-mitigatedcf-mitigated

### If you have a cf-mitigatedcf-mitigated header

Your request was blocked by one of your WAF rules. Go to Security Events and look for what service blocked your request.

If you don't have a `cf-cache-statuscf-cache-status` header

Your request was blocked by Hotlink Protection.
Go to your dashboard and disable it or write a configuration rule to only disable on your Custom domain

If you are using the S3 API

Your request is very likely incorrectly signed.
Try executing the request via curl to inspect the real response returned by the S3 api and then tackle that issue.
Once your request is correctly signed, you'll receive the proper CORS headers.

If it's actually CORS

Here are some common issues with CORS configurations:

ExposeHeadersExposeHeaders is missing headers like
```
ETag
```
```
ETag
```
AllowedHeadersAllowedHeaders is missing headers like AuthorizationAuthorization or Content-TypeContent-Type
AllowedMethodsAllowedMethods is missing methods like
```
POST
```
```
POST
```
/PUTPUT (you do not need to include OPTIONSOPTIONS)

Ffry69 ?r2-4xx-cors

zimmedOP•11/17/24, 3:17 PM

Been there done that. :/

zimmedOP•11/17/24, 3:19 PM

I am also curious why most "fixes" I've seen mention that PUT needs to be in the allowed methods at the bare minimum. Why does PUT need to be allowed if you're only sending GET/OPTIONS requests?

Zzimmed I am utterly perplexed by R2's CORS configuration. With valid configuration, I a...

zimmedOP•11/17/24, 3:41 PM

With further testing, it appears that it's ONLY CSS files that fail to fetch. All other file types (text,json,audio,video,image,custom) are fine. Anyone ever run into this? What could possibly cause this?

Tyler•11/17/24, 3:49 PM

how do i fix a cors issue with r2? I set the allowed methods to use options but the site says it's not an allowed method. I get a 401 error. I'm using presigned urls

[
{
"AllowedOrigins": [
""
],
"AllowedMethods": [
"HEAD",
"GET",
"POST",
"PUT"
],
"AllowedHeaders": [
"Content-Type",
"Content-Disposition",
"Content-Length",
"x-amz-meta-organizationid",
"x-amz-date",
"authorization",
"x-amz-algorithm",
"x-amz-credential",
"x-amz-signature",
"x-amz-security-token",
"x-amz-content-sha256"
],
"ExposeHeaders": [
"ETag",
"x-amz-meta-",
"x-amz-server-side-encryption",
"x-amz-request-id",
"x-amz-id-2"
]
}
]

boldpix•11/17/24, 4:24 PM

Hi erveryone
In a free plan, what is the specific meaning of "Operation", and what is the difference between Class A and Class B that results in a different price?

Erisa•11/17/24, 4:47 PM

1 operation = 1 request from r2

class a is writes and deletes
clsss b is reads

Erisa•11/17/24, 4:48 PM

full details here https://developers.cloudflare.com/r2/pricing/#class-a-operations

Cloudflare Docs

Pricing | Cloudflare R2 docs

R2 charges based on the total volume of data stored, along with two classes of operations on that data:

EErisa 1 operation = 1 request from r2 class a is writes and deletes clsss b is reads

boldpix•11/17/24, 5:52 PM

Thank you so much
I read the link on the difference between both classes, but because it is specialized, I didn't understand it well, that's why I have a question:
Does "reading" mean just showing the file to the user? Is it possible to download the small file in Class B?

Original message was deleted

boldpix•11/17/24, 5:59 PM

Thanks, very nice

ryantg•11/17/24, 6:28 PM

Is there a way to see the bandwidth used by our buckets? I would like to compare our current usage to the pricing of other services (like DO Spaces). I know that R2 doesn't charge for bandwidth, but I would still like to see it.

Rryantg Is there a way to see the bandwidth used by our buckets? I would like to compare...

Hello, I’m Allie!•11/17/24, 6:36 PM

You can see bandwidth used if you are using a custom domain, by going to HTTP Traffic | Analytics, then applying a HostHost filter that covers your Custom Domain

ryantg•11/17/24, 6:37 PM

I agree that it's hard to beat free. However, we have some users experience strange issues - it seems like their work networks are sometimes resolving our CF-managed domain in very strange ways. I can't yet tell if it's their vpn rules being wack, or if CF is blocking their vpn in some way.

ryantg•11/17/24, 6:38 PM

Seems like the former. Our domain is resolving to other IPs

ryantg•11/17/24, 6:38 PM

This is a fresh domain that we've only ever used with CF, so it's odd.

ryantg•11/17/24, 6:43 PM

Like, one person pinged my domain and received an Akamai ip address in return

The AllowedOrigins are omitted, but correct. The exact value of the request's Origin header is provi

Troubleshooting 403 / CORS issues with R2

If you are using a Custom domain

If you don't have a `cf-cache-statuscf-cache-status` header

If you are using the S3 API

If it's actually CORS

Similar Threads

Similar Threads

Troubleshooting 403 / CORS issues with R2

If you are using a Custom domain

If you don't have a
`cf-cache-status`
`cf-cache-status`
`cf-cache-status`
`cf-cache-status` header

If you are using the S3 API

If it's actually CORS

Similar Threads

The AllowedOrigins are omitted, but correct. The exact value of the request's Origin header is provi

Troubleshooting 403 / CORS issues with R2

If you are using a Custom domain

If you don't have a cf-cache-statuscf-cache-status header

If you are using the S3 API

If it's actually CORS

Similar Threads

Similar Threads

Troubleshooting 403 / CORS issues with R2

If you are using a Custom domain

If you don't have a cf-cache-statuscf-cache-statuscf-cache-statuscf-cache-status header

If you are using the S3 API

If it's actually CORS

Similar Threads

If you don't have a `cf-cache-statuscf-cache-status` header

If you don't have a
`cf-cache-status`
`cf-cache-status`
`cf-cache-status`
`cf-cache-status` header