#R2 CORS

i use "*"

?r2-4xx-cors

Troubleshooting 403 / CORS issues with R2

So, your assets aren't loading because you are getting a CORS error despite having setup everything correctly?
Let's try troubleshooting.

In your browser console, do you see a 401/403 error right above the CORS error? If yes, then you aren't actually dealing with a CORS issue! If you do have a CORS issue, head to the last section.

If you are using a Custom domain

Go to the Network tab and find the failing request (you may need to reload the page, since only requests after opening the developer tools are logged).
You need to check the response headers for the following two headers:

• cf-cache-status
• cf-mitigated

If you have a cf-mitigated header

Your request was blocked by one of your WAF rules. Go to Security Events and look for what service blocked your request.

If you don't have a cf-cache-status header

Your request was blocked by Hotlink Protection.
Go to your dashboard and disable it or write a configuration rule to only disable on your Custom domain

If you are using the S3 API

Your request is very likely incorrectly signed.
Try executing the request via curl to inspect the real response returned by the S3 api and then tackle that issue.
Once your request is correctly signed, you'll receive the proper CORS headers.

If it's actually CORS

Here are some common issues with CORS configurations:

• ExposeHeaders is missing headers like ETag
• AllowedHeaders is missing headers like Authorization or Content-Type
• AllowedMethods is missing methods like POST/PUT (you do not need to include OPTIONS)