For compatibility with browser access to Wasabi as a web server, the Wasabi server will return the cross-origin resource sharing (CORS) headers when the header “Origin” is given in an HTTP request. Additionally, the server supports the HTTP method OPTIONS on either buckets or objects to CORS headers needed for a browser pre-flight test before accessing Wasabi.
Different from AWS, Wasabi returns the settings that will allow the browser full access to Wasabi. Hence, Wasabi does not support the AWS functions that allow a PUT and GET on a bucket with the “cors” parameter in the URL. Note that allowing the browser full access to data does not affect the security of access to any objects, and all access policies will still be enforced.
The following are the HTTP headers returned by default when the header “Origin” is given in an HTTP request:
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, MOVE, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: *
Access-Control-Max-Age: 86400