tencent cloud

Tencent Cloud EdgeOne

Release Notes and Announcements
Release Notes
Security Announcement
Announcements
Product Introduction
Overview
Strengths
Use Cases
Comparison Between EdgeOne and CDN Products
Use Limits
Purchase Guide
Description of Trial Plan Experience Benefits
Free Plan Guide
Billing Overview
Billing Items
Subscriptions
Renewals
Instructions for overdue and refunds
Comparison of EdgeOne Plans
About "clean traffic" billing instructions
DDoS Protection Capacity Description
Getting Started
Choose business scenario
Quick access to website security acceleration
Quick deploying a website with Pages
Domain Service&Origin Configuration
Domain Service
HTTPS Certificate
Origin Configuration
Site Acceleration
Overview
Access Control
Smart Acceleration
Cache Configuration
File Optimization
Network Optimization
URL Rewrite
Modifying Header
Modify the response content
Rule Engine
Image&Video Processing
Speed limit for single connection download
DDoS & Web Protection
Overview
DDoS Protection
Web Protection
Bot Management
API Discovery(Beta)
Edge Functions
Overview
Getting Started
Operation Guide
Runtime APIs
Sample Functions
Best Practices
Pages
L4 Proxy
Overview
Creating an L4 Proxy Instance
Modifying an L4 Proxy Instance
Disabling or Deleting an L4 Proxy Instance
Batch Configuring Forwarding Rules
Obtaining Real Client IPs
Data Analysis&Log Service
Log Service
Data Analysis
Alarm Service
Site and Billing Management
Billing Management
Site Management
Version Management
General Policy
General Reference
Configuration Syntax
Request and Response Actions
Country/region and Corresponding Codes
Terraform
Overview
Installing and Configuring Terraform
Practical Tutorial
EdgeOne Skill User Guide
Automatic Warm-up/Cache Purge
Resource Abuse/hotlinking Protection Practical
HTTPS Related Practices
Acceleration Optimization
Scheduling Traffic
Data Analysis and Alerting
Log Platform Integration Practices
Configuring Origin Servers for Cloud Object Storage (Such As COS)
CORS Response Configuration
API Documentation
History
Introduction
API Category
Making API Requests
Site APIs
Acceleration Domain Management APIs
Site Acceleration Configuration APIs
Edge Function APIs
Alias Domain APIs
Security Configuration APIs
Layer 4 Application Proxy APIs
Content Management APIs
Data Analysis APIs
Log Service APIs
Billing APIs
Certificate APIs
Origin Protection APIs
Load Balancing APIs
Diagnostic Tool APIs
Custom Response Page APIs
API Security APIs
DNS Record APIs
Content Identifier APIs
Legacy APIs
Ownership APIs
Image and Video Processing APIs
Multi-Channel Security Gateway APIs
Version Management APIs
Data Types
Error Codes
FAQs
Product Features FAQs
DNS Record FAQs
Domain Configuration FAQs
Site Acceleration FAQs
Data and Log FAQs
Security Protection-related Queries
Origin Configuration FAQs
Troubleshooting
Reference for Abnormal Status Codes
Troubleshooting Guide for EdgeOne 4XX/5XX Status Codes
520/524 Status Code Troubleshooting Guide
521/522 Status Code Troubleshooting Guide
Tool Guide
Agreements
Service Level Agreement
Origin Protection Enablement Conditions of Use
TEO Policy
Privacy Policy
Data Processing And Security Agreement
Contact Us
Glossary
DocumentationTencent Cloud EdgeOnePractical TutorialCORS Response Configuration

CORS Response Configuration

PDF
Focus Mode
Font Size
Last updated: 2025-12-24 15:05:55

Overview

Cross-Origin Resource Sharing (CORS) is an HTTP header-based mechanism that allows a server to indicate origins (domains, protocols, or ports) other than its own, enabling browsers to permit these origins to access and load their own resources. Currently, many HTML pages load resources such as CSS stylesheets, images, and scripts from different domains. Therefore, addressing cross-domain issues is particularly important.
The CORS standard makes the server declare which sources can use browser to access resources on the server by adding new HTTP response headers.

Cross-Origin Response Headers

Header Field
Description
Access-Control-Allow-Origin
Values support constants and variables. Among them:
Constant: support input *, multiple domain names, IPs, or a mix of domain names and IPs (must contain http:// or https://, such as http://test.com,http://1.1.1.1. Multi-values can be separated by English commas, and up to 1000 characters can be entered.
Variable: Match the required cross-origin originating domain via the Origin request header, using the header value ${http.request.headers["Origin"]}.
Access-Control-Allow-Methods
Used to set the allowed HTTP request methods for cross-origin, you can simultaneously set multiple methods, such as POST, GET, OPTIONS. Multi-values can be separated by English commas, and up to 1000 characters can be entered.
Access-Control-Max-Age
Used to specify the valid time of preflight request, unit: Seconds, support input 0 ~ 2147483647 integer values.
For non-simple cross-origin requests, an additional HTTP query request, called a "pre-request," is required before formal communication to determine whether the cross-origin request is safe and acceptable. The following requests are deemed non-simple cross-origin requests: - Requests initiated via methods other than GET, HEAD, or POST - POST requests with data types other than application/x-www-form-urlencoded, multipart/form-data, or text/plain, such as application/xml or text/xml - Requests using custom request headers, such as Access-Control-Max-Age: 1728000, indicating that no additional pre-request is needed for cross-origin access to the resource within 1728000 seconds.
Note:
If you set cross-origin response headers on EdgeOne, the response Access-Control-Allow-Origin header requires that the client request carries the Origin header and this header exactly matches any value set in Access-Control-Allow-Origin.
If the origin server has set a cross-origin response header and EdgeOne adds a cross-origin response header simultaneously, two response headers will appear, which will cause a cross-origin error. Additionally, if cross-origin responses are handled by the origin server, the origin response must include the Vary: Origin header, and the vary feature must be enabled on EdgeOne.

Configuration Example

Scenario One: CORS Header Response Only Allows Access to Specified Domain Page Resources

If your business scenario involves cross-domain access, currently the resources of the business domain www.example.com only allow page access acceleration domains from example.com, site.com. See the steps below.
1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. On the site details page, click Site Acceleration > Rule Engine to open the Rule Engine page.
3. On the rule engine page, click Create Rule and select Add Blank Rule.
4. On the Rule Editing Page, set the match type to HOST equal www.example.com.
Set both the match type and the HTTP request header Origin Header Value equal to *.example.com, *.site.com.
5. Click Operation > Selection Box, and in the pop-up operation list, select the operation as Modify HTTP Node Response Header.
6. Select type as Set, header name as Access-Control-Allow-Origin, and header value set to ${http.request.headers["Origin"]}.

7. Click Save and Publish to complete the configuration.
8. Behavior description takes effect.
When the client request carries Origin: http://www.example.com, EdgeOne will respond with Access-Control-Allow-Origin: http://www.example.com.
When the client request carries Origin: http://www.site.com, EdgeOne will respond with Access-Control-Allow-Origin: http://www.site.com.
When the client request carries Origin: http://www.abc.com, EdgeOne will not respond with the cross-origin response header Access-Control-Allow-Origin.
When the client request does not carry Origin, EdgeOne will not respond with the cross-origin response header Access-Control-Allow-Origin.

Scenario Two: CORS Header Response Supports All Domain Name Access to Page Resources

If your business scenario involves cross-domain access, currently the resources of the business domain www.example.com allow all page access acceleration domains. See the steps below.
1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. On the site details page, click Site Acceleration > Rule Engine to open the Rule Engine page.
3. On the rule engine page, click Create Rule and select Add Blank Rule.
4. On the Rule Editing Page, set the match type to HOST equal www.example.com.
5. Click Operation > Selection Box, and in the pop-up operation list, select the operation as Modify HTTP Node Response Header.
6. Select type as Set, header name as Access-Control-Allow-Origin, and header value set to *.

7. Click Save and Publish to complete the configuration.
8. Behavior description takes effect.
When the client request carries Origin, EdgeOne will respond with Access-Control-Allow-Origin: *.
When the client request does not carry Origin, EdgeOne will not respond with the cross-origin response header Access-Control-Allow-Origin.
Previous Topic: Configuring Origin Servers for Cloud Object Storage (Such As COS)Next Topic: History

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback