Asked

What’s the correct CORS configuration for allowing direct uploads in S3 ?

Any website should be able to show the images (GET), but files should only be uploadable from https://wip.chat.

Here's what I'm thinking:

https://gist.github.com/marckohlbrugge/b493e74ca764f99ea3f94bd6e112d4ac

CORS security is implemented in browsers. And not something on the origin. If you setup your S3 bucket to allow public uploads, even if that's from WIP.chat using CORS, anybody can upload anything to your S3 bucket outside of a browser, by issuing direct POST/PUT calls.

Thanks, that's a fair point. That said, it still seems wise to specify the origin within the CORS configuration so unknowing users (using regular browsers) can't be tricked into uploading to my S3 bucket. I guess that's the point of the origin being configurable by S3?

I am not sure what use cases are there that require public uploads to be honest except running an image hosting site.

Also pretty sure nobody would try to trick uploading the user to upload something to your s3 bucket. But instead upload something themselves and then distribute it.

What you need to do is create a single-use policy, something like explained here - https://stackoverflow.com/a/18901867/551713

Ah yes, I already generate a policy so only signed in users can upload files to our S3 buckets. And files that aren't attached to a saved database entry (e.g. a comment) are automatically pruned.

So I think things are pretty safe as is. Just wondering if there are any best practices otherwise.

Sign in to answer 😃