Cloudflare Developers•14mo ago

The referrer header can be faked by clients very easily.

maco6517•11/18/24, 6:55 PM

I use this rule and it works for the WordPress website, but for the website with this custom jw player it doesn't work.

Original message was deleted

maco6517•11/18/24, 6:57 PM

yes it's correct, if I remove the rule it works

SSouthpaw The referrer header can be faked by clients very easily.

maco6517•11/18/24, 6:58 PM

So do you have any solution to prevent others from using my link?

SouthpawOP•11/18/24, 6:59 PM

No clue

Original message was deleted

maco6517•11/18/24, 6:59 PM

yes because i am using this rule it will work when i delete this rule

SouthpawOP•11/18/24, 7:00 PM

CORS has to be respected by the client, though.

Original message was deleted

maco6517•11/18/24, 7:03 PM

This is a domain using WordPress theme it works when I add Referer to the rule

Original message was deleted

maco6517•11/18/24, 7:06 PM

So what kind of blocking?

maco6517•11/18/24, 7:06 PM

Not absolute but not everyone can use my link huhu

Original message was deleted

maco6517•11/18/24, 7:08 PM

you mean like this

Original message was deleted

maco6517•11/18/24, 7:11 PM

Like now, right?

Original message was deleted

maco6517•11/18/24, 7:13 PM

Original message was deleted

maco6517•11/18/24, 7:16 PM

https://video.wikidata.top/ab.mp4 it still works with other site

Original message was deleted

maco6517•11/18/24, 7:24 PM

I thought cors meant that only the cosplay.baby site could use that link

maco6517•11/18/24, 7:25 PM

If just to make that link playable, I leave the old cors and delete the firewall rule and it still works

SyntaxJuggler•11/18/24, 11:29 PM

How can I use R2 object storage with public access assigning my domain to it, when trying to get access from domain it writes 401, is there any possibility to bypass it at least partially for some files or folders?

Original message was deleted

SyntaxJuggler•11/18/24, 11:31 PM

I did so, but as far as I understood that this approach requires authorization to receive files, this method does not suit me

SyntaxJuggler•11/18/24, 11:35 PM

I got it, I'll check my use of r2 again in this case

thaiel•11/18/24, 11:40 PM

Hi, I created a R2 object storage but Im seeing that the operations type A and B are incrementing when I wasn't using it.
It incremented over 200 the A type, and 150 the B type. It's not a lot but Im just really curious why this is happening because I didn't use the functions that in docs appears to be the triggers of

thaiel•11/18/24, 11:40 PM

If someone can answer my doubt would be really nice

fritex•11/19/24, 1:38 AM

Can't even open it

sorry :NotLikeThis:

Original message was deleted

thaiel•11/19/24, 4:13 PM

oh really? it has to be that then, thank you man

Manoj•11/19/24, 7:26 PM

why am I getting this again and again. Curl seems to be working fine -

curl 'https://test-bucket.14a1ed97e3dde8ef3b6e6391d4114bce.r2.cloudflarestorage.com/user-2/mushroom_biryani.mp4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=a1ec215a5d56c9d44054874dc2c73e3d%2F20241119%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20241119T192449Z&X-Amz-Expires=6000&X-Amz-Signature=26022bca58f3f7e04a223f19c64cc4946e50a713d0e23ff9f136b604621dc749&X-Amz-SignedHeaders=host&x-id=GetObject' \
-H 'sec-ch-ua-platform: "macOS"' \
-H 'Referer: https://test.fileloom.com:3000/' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36' \
-H 'Accept: application/json, text/plain, /' \
-H 'sec-ch-ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"' \
-H 'Content-Type: application/octet-stream' \
-H 'sec-ch-ua-mobile: ?0'

my bucket cors policy -
[
{
"AllowedOrigins": [
"https://test.fileloom.com:3000",
"https://www.fileloom.com",
"https://fileloom.com",
"https://www.alpha.fileloom.com",
"https://alpha.fileloom.com"
],
"AllowedMethods": [
"GET"
]
}
]

my request page - https://test.fileloom.com:3000/4Fyd

Flare•11/19/24, 7:27 PM

Troubleshooting 403 / CORS issues with R2

So, your assets aren't loading because you are getting a CORS error despite having setup everything correctly?
Let's try troubleshooting.

In your browser console, do you see a 401/403 error right above the CORS error? If yes, then you aren't actually dealing with a CORS issue! If you do have a CORS issue, head to the last section.

If you are using a Custom domain

Go to the Network tab and find the failing request (you may need to reload the page, since only requests after opening the developer tools are logged).
You need to check the response headers for the following two headers:

```
cf-cache-status
```
```
cf-cache-status
```
cf-mitigatedcf-mitigated

### If you have a cf-mitigatedcf-mitigated header

Your request was blocked by one of your WAF rules. Go to Security Events and look for what service blocked your request.

If you don't have a

cf-cache-status

cf-cache-status

header

Your request was blocked by Hotlink Protection.
Go to your dashboard and disable it or write a configuration rule to only disable on your Custom domain

If you are using the S3 API

Your request is very likely incorrectly signed.
Try executing the request via curl to inspect the real response returned by the S3 api and then tackle that issue.
Once your request is correctly signed, you'll receive the proper CORS headers.

If it's actually CORS

Here are some common issues with CORS configurations:

ExposeHeadersExposeHeaders is missing headers like
```
ETag
```
```
ETag
```
AllowedHeadersAllowedHeaders is missing headers like
```
Authorization
```
```
Authorization
```
or Content-TypeContent-Type
AllowedMethodsAllowedMethods is missing methods like
```
POST
```
```
POST
```
/PUTPUT (you do not need to include OPTIONSOPTIONS)

Manoj•11/19/24, 7:33 PM

ExposeHeaders is missing headers like ETag
AllowedHeaders is missing headers like Authorization or Content-Type
AllowedMethods is missing methods like POST/PUT (you do not need to include OPTIONS)

this worked, why do we even need to include these ?, expalin and I can download the files just by visiting urls, not sure if the AllowedOrigins headers is working fine,

[
{
"AllowedOrigins": [
"https://test.fileloom.com:3000",
"https://www.fileloom.com",
"https://fileloom.com",
"https://www.alpha.fileloom.com",
"https://alpha.fileloom.com"
],
"AllowedMethods": [
"GET"
],
"AllowedHeaders": [
"Content-Type",
"Authorization"
],
"ExposeHeaders": [
"ETag"
],
"MaxAgeSeconds": 3600
}
]

Cc - @Flare

Nik•11/19/24, 11:59 PM

Is there a way to enable CORS headers, even on error responses? I'm encountering this on 404 and 416s, which are valid and expected for my usecase.

eli•11/20/24, 1:12 AM

I’m having a lot of users complaining images aren’t loading, I tried disabling caching and purging, as well as getting rid of my rules about external referer headers (although this rule allowed my website) but people are still reporting issues

eli•11/20/24, 1:13 AM

I haven’t encountered any issues, seems they are all in Europe (although this may just be due to demographics), anyone know how I can troubleshoot this?

Fernando Dilland•11/20/24, 6:09 AM

I don't plan to do this, but can copyrighted music be stored on R2 for personal consumption and not for internet broadcast?

praneethpike•11/20/24, 6:46 AM

Hi newbie here! I'm running into an SSL handshake error whenever my github action is trying to upload files to r2 storage. Is this a known issue? Does anyone have a fix for this?

GooningChatter•11/20/24, 7:55 AM

Will there be an Oceania R2 location hint someday to match D1 Oceania location hint?
Or should I just point my D1 Oceania to R2 APAC....

Original message was deleted

GooningChatter•11/20/24, 9:00 AM

figured, thanks

anxidashu•11/20/24, 9:56 AM

These two mp4 file are in the same r2 bucket. The second one support Range Requests, but the first one didn't, why?

anxidashu•11/20/24, 9:57 AM

the first mp4 file can play correctly in my local computer

anxidashu•11/20/24, 10:05 AM

ok, how to do setting?

anxidashu•11/20/24, 10:08 AM

the dashbaord is down now...

anxidashu•11/20/24, 10:09 AM

is it possible to upgrade the limit of 500MB

anxidashu•11/20/24, 10:10 AM

what is the difference if I disable caching

anxidashu•11/20/24, 10:10 AM

and the corrent way is ?

anxidashu•11/20/24, 10:11 AM

can i swich mp4 file to hls using cloudflare

anxidashu•11/20/24, 10:13 AM

if using hls, How to deal if user want to download a mp4 file

anxidashu•11/20/24, 10:15 AM

concat the hls pieces instantly if user request?

anxidashu•11/20/24, 10:16 AM

thank you, very helpful

Ppraneethpike Hi newbie here! I'm running into an SSL handshake error whenever my github actio...

praneethpike•11/20/24, 12:44 PM

anyone has an idea about this?

boldpix•11/20/24, 1:14 PM

Hello everyone
I'm not a developer, but I know a few things about it and I'm setting up a service that will use R2 for storage. Can anyone recommend any resources or videos to help me get started?

Tarky•11/20/24, 2:20 PM

Hello, I have a question, if I want to access an image uploaded to a R2 bucket from a website, lets say in a html <img> tag, do I need to put the whole bucket into a public domain?

Pierre•11/20/24, 3:25 PM

Hi,

It seems like I am barely able to get 2MB/s on some of my objects today. Transfers starts fast and gets heavily throttled after few seconds, to KB/s. Is anyone else experiencing this?

Pierre•11/20/24, 3:26 PM

Looks like this with rclone

object: 27% /229.059Mi, 16.979Ki/s, 2h45m54s
object: 36% /173.697Mi, 16.979Ki/s, 1h50m15s
object:  1% /6.459Gi, 187.285Ki/s, 9h53m12s
object:  1% /4.457Gi, 208.671Ki/s, 6h7m1s

object: 27% /229.059Mi, 16.979Ki/s, 2h45m54s
object: 36% /173.697Mi, 16.979Ki/s, 1h50m15s
object:  1% /6.459Gi, 187.285Ki/s, 9h53m12s
object:  1% /4.457Gi, 208.671Ki/s, 6h7m1s

Tried from multiple locations, home fiber as well as cloud VMs

TTarky Hello, I have a question, if I want to access an image uploaded to a R2 bucket f...

埃

埃菲尔铁塔•11/20/24, 3:27 PM

I have a similar question, how do I access the files in the bucket, other than using the public bucket, I did the development using the s3 sdk and found the pre-signed url to provide the download of the file, but I can't seem to set the url without the time limit

The referrer header can be faked by clients very easily.

Troubleshooting 403 / CORS issues with R2

If you are using a Custom domain

If you don't have a
`cf-cache-status`
`cf-cache-status`
header

If you are using the S3 API

If it's actually CORS

Similar Threads

Similar Threads

Troubleshooting 403 / CORS issues with R2

If you are using a Custom domain

If you don't have a
`cf-cache-status`
`cf-cache-status`
header

If you are using the S3 API

If it's actually CORS

Similar Threads

The referrer header can be faked by clients very easily.

Troubleshooting 403 / CORS issues with R2

If you are using a Custom domain

If you don't have a cf-cache-statuscf-cache-status header

If you are using the S3 API

If it's actually CORS

Similar Threads

Similar Threads

Troubleshooting 403 / CORS issues with R2

If you are using a Custom domain

If you don't have a cf-cache-statuscf-cache-status header

If you are using the S3 API

If it's actually CORS

Similar Threads

If you don't have a
`cf-cache-status`
`cf-cache-status`
header

If you don't have a
`cf-cache-status`
`cf-cache-status`
header