OPTIONSObject
Last Updated:2021-12-08
Interface Description
Before sending a cross-origin request, the browser sends a preflight request (OPTIONS) that carries the source domain, HTTP method, and header information, so that BOS can decide whether the real request may be sent. This interface responds to that preflight request.
Permission Description
Authentication is not required for the OPTIONS Object operation.
Request
-
Request syntax
OPTIONS /<ObjectKey> HTTP/1.1
Host: <BucketName>.bj.bcebos.com
Origin: Origin
Access-Control-Request-Method: HTTPMethod
Access-Control-Request-Headers: RequestHeader
-
Request parameters
None
-
Request header field
| Name | Description | Required? |
| --- | --- | --- |
| Origin | Request source field, which is used to identify the cross-origin request and only allows one method. Type: String. Default value: None. | Yes |
| Access-Control-Request-Method | The method used in the actual request; only one method is allowed. Type: String. The value is one of PUT, GET, DELETE, POST, HEAD, and no default value is set. | Yes |
| Access-Control-Request-Headers | The headers used in the actual request, except for the simple headers. Multiple headers are separated with commas. Type: String. Default value: None. | No |
-
Request element
None
Response
-
Response header field
| Name | Description |
| --- | --- |
| Access-Control-Allow-Credentials | Indicates whether the BOS server allows the client to include cookies in the request. It takes effect only when it is allowed by both client and server. BOS returns “Allow” when the request passes, that is, the value is true, which is case-sensitive. |
| Access-Control-Allow-Headers | List of headers allowed in the request. If any header in the request is not allowed, the CORS rule matching fails, and the response contains no headers that start with Access-Control-. Multiple headers are separated by commas. Note: It returns the list of headers for this request only, regardless of whether more allowed headers are configured in the configuration file. |
| Access-Control-Allow-Methods | HTTP methods allowed for the request. If this request is not allowed, the response does not contain this header or any Access-Control-* related headers. Type: String. Note: It returns the list of all allowedMethods, not just the method for this request. |
| Access-Control-Allow-Origin | Origin contained in the request. If it is not allowed, the response does not contain this header or any Access-Control-* related headers. Type: String. |
| Access-Control-Expose-Headers | List of headers that a JavaScript program on the requesting side is allowed to access. It corresponds to exposeHeaders in the configuration file. Type: String. |
| Access-Control-Max-Age | Time for the browser to cache the preflight results, in seconds. Type: integer. |
-
Response element
None
Considerations
- When BOS receives the OPTIONS request, it reads the CORS rules corresponding to the bucket and then checks the corresponding permission. The rules are checked in turn; the first matching rule is used to allow the request, and the corresponding headers are returned. If all rules fail to match, no CORS-related headers are attached.
Three conditions must be met for successful CORS rule matching:
- The origin of the request must match one item of allowedOrigins.
- The method corresponding to the Access-Control-Request-Method header of OPTIONS request must match one item of allowedMethods.
- Each header contained in Access-Control-Request-Headers of the OPTIONS request must match one item of allowedHeaders. If any one of these headers does not match, the rule fails to match as a whole.
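The rule matching described above, modelled as an added example (not BOS code and not part of the original page), useful for checking which rule a given preflight would hit before deploying a bucket configuration. Exact string matching for origins and methods, case-insensitive header matching, and the key name maxAgeSeconds are assumptions; allowedOrigins, allowedMethods, allowedHeaders and exposeHeaders are the names this page uses.

```python
# Model of the documented first-match CORS rule evaluation (assumptions noted below).

def match_rule(rule, origin, method, req_headers):
    """Return True only when all three documented conditions hold for one rule."""
    if origin not in rule["allowedOrigins"]:        # assumption: exact match
        return False
    if method not in rule["allowedMethods"]:        # assumption: exact match
        return False
    allowed = {h.lower() for h in rule.get("allowedHeaders", [])}
    # Every requested header must match; a single miss fails the whole rule.
    return all(h.lower() in allowed for h in req_headers)


def preflight(rules, origin, method, request_headers=""):
    """Check rules in order; the first matching rule decides the response headers."""
    req_headers = [h.strip() for h in request_headers.split(",") if h.strip()]
    for rule in rules:
        if not match_rule(rule, origin, method, req_headers):
            continue
        headers = {
            "Access-Control-Allow-Origin": origin,
            # All allowedMethods of the rule, not just the requested method.
            "Access-Control-Allow-Methods": ", ".join(rule["allowedMethods"]),
            "Access-Control-Allow-Credentials": "true",
        }
        if req_headers:
            # Only the headers of this request are returned.
            headers["Access-Control-Allow-Headers"] = ", ".join(req_headers)
        if rule.get("exposeHeaders"):
            headers["Access-Control-Expose-Headers"] = ", ".join(rule["exposeHeaders"])
        if "maxAgeSeconds" in rule:                 # hypothetical key name
            headers["Access-Control-Max-Age"] = str(rule["maxAgeSeconds"])
        return headers
    return {}  # no rule matched: no Access-Control-* headers are attached


# Constructed sample configuration (not a real bucket).
RULES = [
    {"allowedOrigins": ["http://www.example.com"],
     "allowedMethods": ["GET", "HEAD", "DELETE"],
     "allowedHeaders": ["x-bce-test"],
     "exposeHeaders": ["user-custom-expose-header"],
     "maxAgeSeconds": 3600},
    {"allowedOrigins": ["http://www.example.com"],
     "allowedMethods": ["GET", "PUT"],
     "allowedHeaders": ["x-bce-test", "content-type"]},
]

if __name__ == "__main__":
    print(preflight(RULES, "http://www.example.com", "GET", "x-bce-test"))
    print(preflight(RULES, "http://www.example.com", "GET", "x-bce-test, authorization"))
```

Because the first matching rule wins, rule order determines which methods and cache lifetime a browser sees, so broader rules placed early can mask narrower ones that follow.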
Example
-
Request example
OPTIONS /object HTTP/1.1
Host: BucketName.bj.bcebos.com
Origin: http://www.example.com
Access-Control-Request-Method: GET
Access-Control-Request-Headers: x-bce-test
-
Response example
HTTP/1.1 200 OK
x-bce-request-id: 4db2b34d-654d-4d8a-b49b-3049ca786409
Date: Wed, 06 Apr 2016 06:34:40 GMT
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: GET, HEAD, DELETE
Access-Control-Allow-Headers: x-bce-test
Access-Control-Expose-Headers: user-custom-expose-header
Access-Control-Max-Age: 3600
Access-Control-Allow-Credentials: true
Content-Length: 0
Server: BceBos