Fix GCP Cloud Storage Bucket Cors Errors
When working with GCP Cloud Storage, you may encounter a configuration error that prevents your deployment from working. This guide explains the most common mistake with bucket cors and shows the exact fix.
A Common Mistake
Configuring CORS on a storage bucket but using incorrect origin or method values, causing browser-based applications to fail with CORS errors.
The incorrect command:
gsutil cors set cors.json gs://my-bucket
# cors.json:
# [{"origin": ["*"], "responseHeader": ["*"], "method": ["GET", "POST"], "maxAgeSeconds": 3600}]
Error output:
Setting CORS configuration on gs://my-bucket...
Browser console shows:
Access to fetch at 'https://storage.googleapis.com/my-bucket/data.json' from origin 'https://app.example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
The wildcard origin '*' does not work with credentials (cookies, authorization headers).
The Correct Approach
The right way to configure bucket cors in GCP Cloud Storage:
gsutil cors set cors.json gs://my-bucket
# cors.json:
# [{"origin": ["https://app.example.com", "https://staging.app.example.com"], "responseHeader": ["Content-Type", "x-goog-meta-custom"], "method": ["GET", "HEAD", "OPTIONS"], "maxAgeSeconds": 86400}]
Successful result:
Setting CORS configuration on gs://my-bucket...
CORS is now configured for the specific application origins. Browser requests from app.example.com are allowed with GET/HEAD/OPTIONS methods.
How to Prevent This
Specify explicit origins instead of wildcards. Include OPTIONS in methods for preflight requests. Set maxAgeSeconds to 86400 to reduce preflight requests. Test CORS with curl -H "Origin: https://app.example.com" -H "Access-Control-Request-Method: GET" -X OPTIONS -v https://storage.googleapis.com/my-bucket/data.json. Use gsutil cors get gs://bucket to verify.
FAQ
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Secure your cloud with DodaTech.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro