You can perform this operation to obtain CORS configuration information about a specified bucket.

Only users granted the s3:GetBucketCORS permission can perform this operation. By default, only the bucket owner can perform this operation. The bucket owner can allow other users to perform this operation by granting them the permission.

Request Syntax

GET /?cors HTTP/1.1
Date: date
Authorization: authorization

Request Parameters

This request contains no parameter.

Request Headers

This request uses common headers. For details, see Common Request Headers.

Request Elements

This request contains no element.

Response Syntax

HTTP/1.1 status_code
Content-Type:  application/xml
Date: date
Content-Length: length

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CORSConfiguration xmlns="">

Response Headers

This response uses common headers. For details, see Common Response Headers.

Response Elements

This response contains elements to detail the CORS configuration. Table 1 describes the elements.

Table 1 CORS configuration elements




Indicates the root element of CORSRules. The maximum size is 64 KB.

Type: container

Ancestor: none


Indicates a CORS rule. CORSConfiguration can contain a maximum of 100 rules.

Type: container

Ancestor: CORSConfiguration


Indicates the unique identifier of a rule. The value can contain a maximum of 255 characters.

Type: string

Ancestor: Rule


Indicates a method that is allowed by a CORS rule.

Type: string

Valid values: GET, PUT, HEAD, POST, and DELETE

Ancestor: Rule


Indicates an origin (character string indicating a domain name) that is allowed by a CORS rule. Each AllowedOrigin can contain at most one wildcard (*).

Type: string

Ancestor: Rule


Indicates which headers are allowed in a PUT Bucket CORS request via the Access-Control-Request-Headers header. If a request contains Access-Control-Request-Headers, only a CORS request that matches the configuration of AllowedHeader is considered as a valid request. Each AllowedHeader can contain at most one wildcard (*) and cannot contain spaces.

Type: string

Ancestor: Rule


Indicates the response time of CORS that can be cached by a client. It is expressed in seconds.

Each CORSRule can contain at most one MaxAgeSeconds. MaxAgeSeconds can be set to a negative value.

Type: integer

Ancestor: Rule


Indicates a supplemented header in CORS responses. The header provides additional information for clients. It cannot contain spaces.

Type: string

Ancestor: Rule

Error Responses

This response may contain one special error, as described in Table 2.

Table 2 Special error

Error Code


HTTP Status Code


Indicates that the CORS configuration of buckets does not exist.

404 Not Found

For other errors, see Table 1.