Sudden CORS issue on R2 presigned PUT URL — any recent changes in Workers or R2?
I’ve been using Cloudflare R2 with presigned PUT URLs generated through a Cloudflare Worker for a long time without issues. The frontend directly uploads to R2 using the signed URL, and everything worked perfectly — until recently.
Now, I’m suddenly getting this browser error:
The strange part is that nothing changed in my code or CORS settings. My R2 CORS config still allows the correct origins, methods (PUT, GET, etc.), and custom headers like:
If I remove these metadata headers from the PUT request, the upload succeeds — but with them, it fails. Using curl with the same presigned URL still works fine, so the signature is valid. It only breaks in the browser.
This makes me think Cloudflare may have recently adjusted CORS behavior or header validation for R2 presigned URLs.
I just want to ask:
Has anyone else started seeing this same CORS issue recently?
Were there any updates or internal changes in Cloudflare R2 or Workers that could explain this behavior?
Is there a new best practice for uploading directly from the browser with metadata — or should I switch to presigned POST or proxy uploads through a Worker instead?
Now, I’m suddenly getting this browser error:
Access to XMLHttpRequest at 'https://<bucket>.<account>.r2.cloudflarestorage.com/...'
from origin 'http://localhost:5173' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.The strange part is that nothing changed in my code or CORS settings. My R2 CORS config still allows the correct origins, methods (PUT, GET, etc.), and custom headers like:
x-amz-meta-client_idx-amz-meta-file_idIf I remove these metadata headers from the PUT request, the upload succeeds — but with them, it fails. Using curl with the same presigned URL still works fine, so the signature is valid. It only breaks in the browser.
This makes me think Cloudflare may have recently adjusted CORS behavior or header validation for R2 presigned URLs.
I just want to ask:
Has anyone else started seeing this same CORS issue recently?
Were there any updates or internal changes in Cloudflare R2 or Workers that could explain this behavior?
Is there a new best practice for uploading directly from the browser with metadata — or should I switch to presigned POST or proxy uploads through a Worker instead?
Welcome to the official Cloudflare Developers server. Here you can ask for help and stay updated with the latest news
85,042Members
Resources
Similar Threads
Was this page helpful?
