Questions about CORS and R2 usage
Hello,
I've started using Cloudflare with R2 today. I've added my site to be able to add it as a custom domain for my bucket. However, there are two points I'm worried about:
- I don't want my bucket to be accessed from anywhere and would prefer to allow only some origins to access it. I've tried to set a CORS policy, but it doesn't seem to get applied. Any idea why?
- I'm also worried about the analytics part, both global and R2-related. It seems I've already had 670 requests overall, and 169 + 209 operations of class A and B respectively. Which seems a bit weird to me since I'm the only one accessing the data right now, and there are only a few dozen files uploaded... Hence I'm not sure how I could've reached those numbers.
Any hint is appreciated
6 Replies
#r2 would probably be better for those questions (hence why there isn't a tag in this channel for r2)
For 1, you'd have to share the CORS policy and such.
For 2, actions in the dashboard count as well. Anytime you view your buckets, look at bucket details, list buckets, etc.
Class As: lists all the buckets, lists all of the objects/files, you likely created a bucket, if you upload a file via the dashboard. Class Bs would be getting file information, bucket information, bucket location, lifecycle config, etc
Oh right maybe was it too specific to be asked there..
For 1 I've just set something "simple" I guess :
(note: I've never written a CORS policy before)
For 2, I've only uploaded once, but maybe each time I click R2 it does list the buckets and/or when I select mine to go check the settings and update them, it would count? 🤔
If so, that would be good enough as an explanation; however, I still don't get how the analytics point to so many requests in Germany and the USA (among others), where I'm not.
CORS policies aren't about defining restrictions, they're about allowing things. Simple resources like images/links are CORP, not CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy
Of course, that all trusts the browser is properly forwarding the Origin header and such. Anyone can reverse proxy your assets directly and there isn't a magical restriction you can do to stop that, other than small things like blocking IPs/mitigation/etc.
> For 2, I've only uploaded once, but maybe each time I click R2 it does list the buckets and/or when I select mine to go check the settings and update them, it would count? 🤔

Yes, all your dashboard actions count.
What do you mean "Germany and USA"? Those sound like Website Analytics and not R2 Analytics. R2 Analytics don't show countries.
If CORS does not restrict anything, then I wonder what's its point 🤔
I'll have to dig a bit further. My goal was just to prevent massive requesting from anywhere that wouldn't be my own application.
Yes, my issue regarding usage was for both R2 and website, since bucket is new and website isn't shared with anyone. But if R2 usage comes from myself, I'm less worried about web analytics. I was just afraid that I was getting my bucket requests spammed already
(With the sentence "Build rich client-side web applications and selectively allow cross-origin access to your bucket by setting up a CORS policy", I've understood that it was about controlling access)
CORS is a security mechanism mainly aimed at dynamic content/actions (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#what_requests_use_cors), and not resources embedded in a page. The most practical example is you don't want a random website like hacker.com to be able to send an HTTP request to google.com/change_password and force changing of the password. For R2, actions like uploading files it matters for. Embedded images/scripts fall under CORP.
Because of the importance of protecting those actions, CORS is enforced by default, and you set up a CORS configuration to poke holes in it and allow more cross-domain/origin actions (generally). CORS can also allow you to expose some more headers and such.
So CORS is indeed controlling access, right?
I don't understand why it can be used there to poke holes and not "prevent" some stuff. Just because unauthorized requests won't count towards request count is a reason to deny access.
My app basically embeds a game, and resources are loaded from there. No reason to make them accessible from somewhere else