Sudden CORS issue on R2 presigned PUT URL — any recent changes in Workers or R2?
I’ve been using Cloudflare R2 with presigned PUT URLs generated through a Cloudflare Worker for a long time without issues. The frontend directly uploads to R2 using the signed URL, and everything worked perfectly — until recently.
Now, I’m suddenly getting this browser error:
Access to XMLHttpRequest at 'https://<bucket>.<account>.r2.cloudflarestorage.com/...'
from origin 'http://localhost:5173' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
The strange part is that nothing changed in my code or CORS settings. My R2 CORS config still allows the correct origins, methods (PUT, GET, etc.), and custom headers like:
x-amz-meta-client_id
x-amz-meta-file_id
If I remove these metadata headers from the PUT request, the upload succeeds — but with them, it fails. Using curl with the same presigned URL still works fine, so the signature is valid. It only breaks in the browser.
This makes me think Cloudflare may have recently adjusted CORS behavior or header validation for R2 presigned URLs.
I just want to ask:
Has anyone else started seeing this same CORS issue recently?
Were there any updates or internal changes in Cloudflare R2 or Workers that could explain this behavior?
Is there a new best practice for uploading directly from the browser with metadata — or should I switch to presigned POST or proxy uploads through a Worker instead?0 Replies