

Amazon S3 - Cross Origin Resource Sharing Support - jeffbarr
http://aws.typepad.com/aws/2012/08/amazon-s3-cross-origin-resource-sharing.html

======
theli0nheart
Hah, about time.

About 6 months ago I rewrote the Let's Crate (<https://letscrate.com>) backend
to work exclusively with Amazon S3 Direct POST uploads. Getting upload
progress to work with that was a royal PITA, but in the end I got it working.
If you're interested in how, perhaps that's a good subject for a far more
lengthy post on how to write extremely convoluted Javascript. I gave myself a
pat on the back (no flash, yay!) and vowed to never do anything like that
again.

As requested: Basically, the gist is that you accept the upload via a local JS
file that acts as a conduit. You then turn the dropped / selected file object
into a blob object and transfer that blob to a JS file that lives on S3 (using
postMessage and a hidden iframe). That JS file on S3 is what actually performs
the upload and tracks the upload progress. On progress events, I send back
postMessage payloads to the local JS file to show updates to the user.

Convoluted, but it works. :)
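
The relay described in the comment above, written out as an added example (this is not Let's Crate code and not anything from the linked AWS post). It assumes a hypothetical app origin and bucket origin, and treats the policy/signature fields an S3 direct POST needs as opaque values the app's backend produced. The point worth keeping from this workaround is the origin check on both ends of the postMessage channel: the app page only accepts progress from the bucket origin, and the bucket-hosted frame only starts uploads on behalf of the app origin; otherwise any page that can frame the bucket page can use it, and any frame can spoof progress.

```javascript
// Added example, not Let's Crate code: the two halves of the postMessage relay.
// The app page (APP_ORIGIN, hypothetical) hands the File to a hidden iframe that
// loads a small page from the bucket's own origin (S3_ORIGIN, hypothetical);
// inside that frame the upload is same-origin, so no CORS header is needed, and
// progress is relayed back to the app with postMessage.
const APP_ORIGIN = 'https://app.example.com';                  // hypothetical
const S3_ORIGIN = 'https://uploads-example.s3.amazonaws.com';  // hypothetical

// Message the app sends into the frame. `fields` are the S3 POST form fields
// (key, policy, signature, ...) generated by the app's backend; opaque here.
function buildUploadMessage(blob, fields) {
  return { type: 'upload', fields, blob };
}

// Validate one message arriving at the app page from the frame. Anything not
// from S3_ORIGIN, or malformed, is dropped, so no other frame can spoof progress.
function parseRelayMessage(event) {
  if (event.origin !== S3_ORIGIN) return null;
  const d = event.data;
  if (!d || typeof d !== 'object') return null;
  if (d.type === 'progress') {
    if (typeof d.loaded !== 'number' || typeof d.total !== 'number' || d.total <= 0) return null;
    return { type: 'progress', percent: Math.min(100, Math.round((100 * d.loaded) / d.total)) };
  }
  if (d.type === 'done' && typeof d.status === 'number') {
    return { type: 'done', status: d.status };
  }
  return null;
}

// Validate one message arriving at the bucket-hosted frame. Only the app origin
// may trigger an upload; otherwise any page able to frame this page could use it.
function parseUploadMessage(event) {
  if (event.origin !== APP_ORIGIN) return null;
  const d = event.data;
  if (!d || d.type !== 'upload' || !d.blob || typeof d.fields !== 'object' || d.fields === null) return null;
  return d;
}

// --- App page side (runs on APP_ORIGIN) ---
function startUpload(iframe, blob, fields, onEvent) {
  window.addEventListener('message', function handler(event) {
    const msg = parseRelayMessage(event);
    if (!msg) return;
    onEvent(msg);
    if (msg.type === 'done') window.removeEventListener('message', handler);
  });
  // targetOrigin pins the recipient: if the frame has been navigated elsewhere,
  // the Blob is simply not delivered.
  iframe.contentWindow.postMessage(buildUploadMessage(blob, fields), S3_ORIGIN);
}

// --- Conduit side (the JS served from S3_ORIGIN inside the hidden iframe) ---
function conduitOnMessage(event) {
  const msg = parseUploadMessage(event);
  if (!msg) return;
  const form = new FormData();
  for (const [name, value] of Object.entries(msg.fields)) form.append(name, value);
  form.append('file', msg.blob);             // S3 ignores fields after 'file', so it goes last
  const xhr = new XMLHttpRequest();
  xhr.open('POST', '/');                     // same-origin: the bucket endpoint the frame came from
  xhr.upload.onprogress = (e) => {
    if (e.lengthComputable) {
      event.source.postMessage({ type: 'progress', loaded: e.loaded, total: e.total }, APP_ORIGIN);
    }
  };
  xhr.onloadend = () => event.source.postMessage({ type: 'done', status: xhr.status }, APP_ORIGIN);
  xhr.send(form);
}

// Only the bucket-hosted page should act as the conduit.
if (typeof window !== 'undefined' && window.location.origin === S3_ORIGIN) {
  window.addEventListener('message', conduitOnMessage);
}
```

With S3 sending CORS headers itself, the frame is no longer needed: the app page can POST or PUT to the bucket directly with XMLHttpRequest and read `upload.onprogress` in its own window. The origin checks stay relevant for any postMessage bridge that survives the migration.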

~~~
tectonic
I'd really like to hear about how you did this. Any chance of open sourcing
it?

~~~
theli0nheart
Sure! Although now that this is supported natively it seems like more of an
academic exercise than anything else.

If any others have interest (reply to this comment if you do), I can turn it
into a library and put it on Github.

~~~
mattyb
+1!

------
nathancahill
Yes! Fonts in Firefox will work now!

------
akoumjian
It's been 3.5 long years since first feature request, but thank you!

------
RoboTeddy
Finally, I won't have to proxy s3 requests through my own nginxes.

I've pled for this feature in the AWS forum, over their commercial support
(which I bought just to bug them about this), and to Werner Vogels directly.

Thanks jeffbarr!

~~~
jeffbarr
You are very welcome!

~~~
EthanEtienne
Thank you so much man, you saved me and my team a bunch of development next
week. ABSOLUTELY PERFECT TIMING!! We used the iframe trick, but it sucked.
This is MUCH, MUCH, MUCH better, thank you!!!!

------
ceejayoz
OK, now how about CloudFront?

~~~
jeffbarr
I am researching that with the team as we speak. Need to make sure that the
right headers are passed back from CloudFront to the S3 origin.

~~~
grandalf
it works

~~~
logical42
rather beautifully, might I add.

~~~
kateray
How did you get it to work? I've been wracking my brain over this but can't
configure it correctly
http://stackoverflow.com/questions/12358173/correct-s3-cloudfront-cors-configuration

------
chao-
As excited as I am about this finally happening, I was so pissed about having
to deal with this issue over and over (e.g. JS files describing WebGL models),
that I was on the verge of starting a service to provide the layer of
redirection with CORS support, à la what Heroku does for EC2. I was actually
getting a bit psyched for it, because I was convinced Amazon didn't care about
ever implementing this.

At least now I won't launch something only to have Amazon eat my lunch when
they finally come around to providing this much-needed feature.

~~~
petervandijck
Adding a feature people want to AWS isn't a business, they'll always launch it
eventually :)

------
TazeTSchnitzel
Great.

Could somebody explain CORS to me? How is making the server you're contacting
specify it wants to receive requests, in the response header, secure? The
request has already been made!

~~~
muriithi
If the request is made by a web page from a different server it would
ordinarily be rejected because of the same origin policy.

Using CORS allows you to specify which servers you can accept requests from,
unless of course you are using Access-Control-Allow-Origin: *

More info: <https://developer.mozilla.org/en-US/docs/HTTP_access_control>
<http://en.wikipedia.org/wiki/Cross-origin_resource_sharing>

~~~
TazeTSchnitzel
Doesn't it keep a risk of XSS attacks though, since the CORS policy is only
discovered AFTER the request is made?

~~~
charliesome
The request is still made regardless, your JavaScript just won't be able to
access the response without a CORS header set.

~~~
MatthewPhillips
The request isn't actually made (at least not your request). The browser sends
an OPTIONS request to get the CORS policy and then will block your request if
it's not allowed.

Edit: My above comment is slightly incorrect. If the request is "simple" it
will be made and then you'll be blocked if it doesn't fit the CORS policy. If
the request is not deemed "simple" (according to some rules you can look up in
the spec) then the OPTIONS flow occurs.
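
The two paths muriithi, charliesome and MatthewPhillips describe above, modelled as an added example (not S3 code, and not from the AWS post): a browser side that decides whether a request is "simple" or needs an OPTIONS preflight, and a server side that answers with CORS headers only for an allowlist of origins. The allowlist, origins and the "private-data" body are hypothetical. The result objects carry an `executed` flag so you can see the difference charliesome points at: a simple request from an unwelcome origin still runs on the server, and only the script is kept from reading the response; a non-simple one is stopped at the preflight and never runs.

```javascript
// Added example, not S3 code: a small model of the browser and server halves of
// CORS. Origins, the allowlist and the response body are hypothetical.

// Origins the server is willing to share responses with (an allowlist, not "*").
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT'];

// "Simple request" rules: no preflight if method and headers stay inside these sets.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Browser side: decide whether a cross-origin request must be preflighted.
function needsPreflight(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(req.headers || {})) {
    const n = name.toLowerCase();
    if (n === 'origin') continue;                // the browser adds this one itself
    if (!SIMPLE_HEADERS.has(n)) return true;     // e.g. X-Requested-With, Authorization
    if (n === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true;   // e.g. application/json
    }
  }
  return false;
}

// Server side: CORS headers for a given Origin. Unknown origins get none, which
// is what makes the browser withhold the response from the page's script.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',                            // caches must not reuse this across origins
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers': 'Content-Type',
    'Access-Control-Max-Age': '3000',
  };
}

// Server side: handle one request. `executed` records whether the handler with
// side effects ran; a preflight OPTIONS never reaches it.
function server(req) {
  const headers = corsHeadersFor(req.headers.origin);
  if (req.method === 'OPTIONS') {
    return { status: 204, headers, body: '', executed: false };
  }
  return { status: 200, headers, body: 'private-data', executed: true };
}

// Browser side: what a page at `pageOrigin` observes when its script sends `req`.
// Simple requests are sent and then filtered; others are preflighted first.
function browserFetch(pageOrigin, req) {
  const full = { ...req, headers: { ...(req.headers || {}), origin: pageOrigin } };
  if (needsPreflight(full)) {
    const pre = server({ method: 'OPTIONS', headers: { origin: pageOrigin } });
    const allowedMethods = (pre.headers['Access-Control-Allow-Methods'] || '')
      .split(',').map((m) => m.trim());
    if (pre.headers['Access-Control-Allow-Origin'] !== pageOrigin ||
        !allowedMethods.includes(full.method.toUpperCase())) {
      return { ok: false, reason: 'preflight failed', executed: false };
    }
  }
  const res = server(full);
  if (res.headers['Access-Control-Allow-Origin'] !== pageOrigin) {
    // The request already ran on the server; only the script is kept from reading it.
    return { ok: false, reason: 'response withheld', executed: res.executed };
  }
  return { ok: true, body: res.body, executed: res.executed };
}
```

Two things this makes visible. First, CORS controls who may read a response; it is not a request filter, so a form-shaped POST from any origin still reaches the server, which is why state-changing endpoints still need CSRF protection independent of CORS. Second, the allowlist is the safe shape: echoing whatever Origin arrives, or using `*`, hands every site the same read access, and `*` cannot be combined with credentialed requests at all.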

~~~
TazeTSchnitzel
Ah I see. I wondered if it did some such thing. That's good to know.

------
rhmontv
Can anybody show me a working example of an HTML/JavaScript script which
uploads to S3 directly over HTML? I've never worked with HTML5 upload before.
Where can I get more information on how this will work? Is it a normal form send
with additional fields for authentication? I really have no clue and would be
very happy to be pointed in the right direction.

Thanks in advance

------
jeromeparadis
Great timing. I recently began working on a project where I ran into the
problem of cross-domain fonts in Firefox trying to serve static assets from S3
to CloudFront. Had to resort to using my own nginx proxy through CloudFront for
fonts and add an additional request to the page. Finally, problem solved!

------
purephase
This must have been difficult to work out. My thanks (or condolences?) to
Amazon for this. It will make my life a bit easier!

------
logical42
oh my god it is about friggin' time.

------
46Bit
Awesome. Will this allow us to load images into canvas without security
errors?

------
throw_away
somewhat shocked they pushed Friday before the weekend.

~~~
notatoad
pretty good strategy if you ask me. Amazon has to have engineers working seven
days a week anyways, if they push new stuff on a Friday afternoon then it gets
a couple days of low usage before all their customers get back to work on
Monday and try to implement it.

~~~
nickm12
Sure, critical systems have round-the-clock coverage, but pushing big changes
before the weekend is still not optimal. If there is an emergency, you'd
rather have most of your workforce available, awake, and at work.

