I am utterly perplexed by R2's CORS configuration. With valid configuration, I am unable to fetch mo

I am utterly perplexed by R2's CORS configuration. With valid configuration, I am unable to fetch most resources with proper CORS headers, but anonymous access to all resources works just fine. Additionally, CORS requests work for SOME resource types (such as images), but not others (css stylesheets). Comparing the request headers between the CORS requests that fail and succeed (i.e., response has CORS headers) are practically identical, other than the 'Accept' and 'Sec-Fetch-Dest', for obvious reasons.

What on earth am I missing here?

Also, is there no ability to restrict bucket access from a custom domain to only allow CORS requests?

fry69•11/17/24, 3:16 PM

?r2-4xx-cors

Flare•11/17/24, 3:16 PM

Troubleshooting 403 / CORS issues with R2

So, your assets aren't loading because you are getting a CORS error despite having setup everything correctly?
Let's try troubleshooting.

In your browser console, do you see a 401/403 error right above the CORS error? If yes, then you aren't actually dealing with a CORS issue! If you do have a CORS issue, head to the last section.

If you are using a Custom domain

Go to the Network tab and find the failing request (you may need to reload the page, since only requests after opening the developer tools are logged).
You need to check the response headers for the following two headers:

cf-cache-statuscf-cache-status
cf-mitigatedcf-mitigated

### If you have a cf-mitigatedcf-mitigated header

Your request was blocked by one of your WAF rules. Go to Security Events and look for what service blocked your request.

If you don't have a `cf-cache-statuscf-cache-status` header

Your request was blocked by Hotlink Protection.
Go to your dashboard and disable it or write a configuration rule to only disable on your Custom domain

If you are using the S3 API

Your request is very likely incorrectly signed.
Try executing the request via curl to inspect the real response returned by the S3 api and then tackle that issue.
Once your request is correctly signed, you'll receive the proper CORS headers.

If it's actually CORS

Here are some common issues with CORS configurations:

ExposeHeadersExposeHeaders is missing headers like ETagETag
AllowedHeadersAllowedHeaders is missing headers like
```
Authorization
```
```
Authorization
```
or Content-TypeContent-Type
AllowedMethodsAllowedMethods is missing methods like POSTPOST/PUTPUT (you do not need to include OPTIONSOPTIONS)

Ffry69 ?r2-4xx-cors

zimmedOP•11/17/24, 3:17 PM

Been there done that. :/

zimmedOP•11/17/24, 3:19 PM

I am also curious why most "fixes" I've seen mention that PUT needs to be in the allowed methods at the bare minimum. Why does PUT need to be allowed if you're only sending GET/OPTIONS requests?

Zzimmed I am utterly perplexed by R2's CORS configuration. With valid configuration, I a...

zimmedOP•11/17/24, 3:41 PM

With further testing, it appears that it's ONLY CSS files that fail to fetch. All other file types (text,json,audio,video,image,custom) are fine. Anyone ever run into this? What could possibly cause this?

Tyler•11/17/24, 3:49 PM

how do i fix a cors issue with r2? I set the allowed methods to use options but the site says it's not an allowed method. I get a 401 error. I'm using presigned urls

[
{
"AllowedOrigins": [
""
],
"AllowedMethods": [
"HEAD",
"GET",
"POST",
"PUT"
],
"AllowedHeaders": [
"Content-Type",
"Content-Disposition",
"Content-Length",
"x-amz-meta-organizationid",
"x-amz-date",
"authorization",
"x-amz-algorithm",
"x-amz-credential",
"x-amz-signature",
"x-amz-security-token",
"x-amz-content-sha256"
],
"ExposeHeaders": [
"ETag",
"x-amz-meta-",
"x-amz-server-side-encryption",
"x-amz-request-id",
"x-amz-id-2"
]
}
]

boldpix•11/17/24, 4:24 PM

Hi erveryone
In a free plan, what is the specific meaning of "Operation", and what is the difference between Class A and Class B that results in a different price?

Erisa•11/17/24, 4:47 PM

1 operation = 1 request from r2

class a is writes and deletes
clsss b is reads

Erisa•11/17/24, 4:48 PM

full details here https://developers.cloudflare.com/r2/pricing/#class-a-operations

Cloudflare Docs

Pricing | Cloudflare R2 docs

R2 charges based on the total volume of data stored, along with two classes of operations on that data:

EErisa 1 operation = 1 request from r2 class a is writes and deletes clsss b is reads

boldpix•11/17/24, 5:52 PM

Thank you so much
I read the link on the difference between both classes, but because it is specialized, I didn't understand it well, that's why I have a question:
Does "reading" mean just showing the file to the user? Is it possible to download the small file in Class B?

Original message was deleted

boldpix•11/17/24, 5:59 PM

Thanks, very nice

ryantg•11/17/24, 6:28 PM

Is there a way to see the bandwidth used by our buckets? I would like to compare our current usage to the pricing of other services (like DO Spaces). I know that R2 doesn't charge for bandwidth, but I would still like to see it.

Rryantg Is there a way to see the bandwidth used by our buckets? I would like to compare...

Hello, I’m Allie!•11/17/24, 6:36 PM

You can see bandwidth used if you are using a custom domain, by going to HTTP Traffic | Analytics, then applying a

Host

Host

filter that covers your Custom Domain

ryantg•11/17/24, 6:37 PM

I agree that it's hard to beat free. However, we have some users experience strange issues - it seems like their work networks are sometimes resolving our CF-managed domain in very strange ways. I can't yet tell if it's their vpn rules being wack, or if CF is blocking their vpn in some way.

ryantg•11/17/24, 6:38 PM

Seems like the former. Our domain is resolving to other IPs

ryantg•11/17/24, 6:38 PM

This is a fresh domain that we've only ever used with CF, so it's odd.

ryantg•11/17/24, 6:43 PM

Like, one person pinged my domain and received an Akamai ip address in return

SyntaxJuggler•11/18/24, 12:13 AM

How can I use R2 object storage with public access assigning my domain to it, when trying to get access from domain it writes 401, is there any possibility to bypass it at least partially for some files or folders?

red2green•11/18/24, 1:00 AM

Any very large customers using r2?

xiechao•11/18/24, 2:58 AM

May I ask where there is a Steam communication group

Mmaco6517 How to allow access to video.wikidata from one domain only? i have set the rule ...

maco6517•11/18/24, 3:01 AM

help

xiechao•11/18/24, 3:12 AM

May I ask where there is a Steam communication group

xiechao•11/18/24, 3:12 AM

hellow

Xxiechao May I ask where there is a Steam communication group

Hello, I’m Allie!•11/18/24, 5:20 AM

Do you mean #stream ?

HHello, I’m Allie!Do you mean #stream ?

xiechao•11/18/24, 7:34 AM

yes

Catfish•11/18/24, 10:49 AM

May I ask for help here?

Catfish•11/18/24, 10:50 AM

fine

Catfish•11/18/24, 10:50 AM

I'm having problems for being charged for R2 Infrequent Access bucket

Catfish•11/18/24, 10:51 AM

yeah i know

Catfish•11/18/24, 10:51 AM

the problem is I don't have a Infrequent Access bucket

Catfish•11/18/24, 10:52 AM

no, all standard buckets do not have this kind of rules

Catfish•11/18/24, 10:53 AM

going to ask for help with tickets

Catfish•11/18/24, 10:53 AM

thanks for your help

Catfish•11/18/24, 10:53 AM

no but I did created it before

Catfish•11/18/24, 10:54 AM

then deleted it after one sec

Catfish•11/18/24, 10:54 AM

I know

Catfish•11/18/24, 10:54 AM

-_-

Catfish•11/18/24, 10:54 AM

craps

Catfish•11/18/24, 10:55 AM

hope you have nice day thanks

Catfish•11/18/24, 10:55 AM

it's more than one month

Catfish•11/18/24, 10:56 AM

I did read the manual

Catfish•11/18/24, 10:57 AM

I know, even more than 2 months

Catfish•11/18/24, 10:57 AM

even not storing anything

Catfish•11/18/24, 10:58 AM

I have a ticket opened for this, just being here to see if I have any luck to get the answer

Catfish•11/18/24, 10:58 AM

:cloudflare:

Original message was deleted

Catfish•11/18/24, 11:02 AM

I'll check for that thanks

Catfish•11/18/24, 11:03 AM

you are right, it does...

Catfish•11/18/24, 11:04 AM

dc > support ticket

Catfish•11/18/24, 11:13 AM

looks like I will have to create a new bucket and move all data from old bucket

I am utterly perplexed by R2's CORS configuration. With valid configuration, I am unable to fetch mo

Troubleshooting 403 / CORS issues with R2

If you are using a Custom domain

If you don't have a `cf-cache-statuscf-cache-status` header

If you are using the S3 API

If it's actually CORS

Similar Threads

Similar Threads

Troubleshooting 403 / CORS issues with R2

If you are using a Custom domain

If you don't have a
`cf-cache-status`
`cf-cache-status`
`cf-cache-status`
`cf-cache-status` header

If you are using the S3 API

If it's actually CORS

Similar Threads

I am utterly perplexed by R2's CORS configuration. With valid configuration, I am unable to fetch mo

Troubleshooting 403 / CORS issues with R2

If you are using a Custom domain

If you don't have a cf-cache-statuscf-cache-status header

If you are using the S3 API

If it's actually CORS

Similar Threads

Similar Threads

Troubleshooting 403 / CORS issues with R2

If you are using a Custom domain

If you don't have a cf-cache-statuscf-cache-statuscf-cache-statuscf-cache-status header

If you are using the S3 API

If it's actually CORS

Similar Threads

If you don't have a `cf-cache-statuscf-cache-status` header

If you don't have a
`cf-cache-status`
`cf-cache-status`
`cf-cache-status`
`cf-cache-status` header