1

If you curl my image

curl -i https://local-spaces.fra1.digitaloceanspaces.com/test.jpg

you will see that there is no Access-Control-Allow-Origin header in the response.

If you curl like this, the header is set:

curl -H "Origin: http://example.com/" -i https://local-spaces.fra1.digitaloceanspaces.com/test.jpg

Now I wonder, because all big CDN pages always set the Access-Control-Allow-Origin: *, even when Sec-Fetch-Mode: no-cors.

To test it, do this:

curl -i https://scontent.cdninstagram.com/vp/02a788f9e7f55880601ed240a0e3142a/5E29CBDE/t51.2885-15/sh0.08/e35/s640x640/72271766_155986088835033_6677460235579468035_n.jpg\?_nc_ht\=scontent.cdninstagram.com

or

curl -i https://loremflickr.com/480/640/girl,boy,man,men,woman\?lock\=4446
Philipp Mochine

2 Answers

1

The support reached out to me:

At the moment, there isn't any way to force this. Without an Origin set, the header will not be served. It is possible to use a proxy service, however that may not be the best fit for most use cases.

Philipp Mochine
0

It looks like Digital Ocean Spaces don't allow * CORS headers in their UI. I ended up having to use Just CORS (https://justcors.com) which is a proxy that adds CORS headers to responses, to circumvent this.

Herman
  • Welcome to Server Fault! Can you please declare your affiliation with `justcors.com`? – Paul Nov 24 '21 at 18:51
  • 1
    Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Nov 30 '21 at 18:25
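
Both answers point to a proxy that adds the CORS header. As an added example (not part of either answer, and not DigitalOcean's or Just CORS's code), here is a minimal Python proxy pinned to a single upstream that sends Access-Control-Allow-Origin: * whether or not the request carries an Origin header. The UPSTREAM placeholder, port 8080 and the RELAY header list are assumptions.

```python
import http.client
import http.server
import urllib.error
import urllib.request

UPSTREAM = "https://BUCKET.REGION.example.invalid"  # placeholder origin (assumption)
RELAY = ("Content-Type", "ETag", "Last-Modified", "Cache-Control")  # assumed list
# Direct connections only: ignore proxy settings from the environment.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def make_handler(upstream):
    """Return a handler that relays GETs to one pinned upstream and adds CORS."""

    class CorsProxy(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            # The client supplies only a path; the host is fixed, so the
            # service cannot be used to fetch arbitrary URLs.
            if not self.path.startswith("/"):
                return self.send_error(400)
            try:
                # No client headers (Origin, Cookie, Authorization) go upstream.
                resp = OPENER.open(upstream + self.path, timeout=10)
            except urllib.error.HTTPError as err:
                resp = err  # relay the upstream 4xx/5xx status unchanged
            except (OSError, ValueError, http.client.HTTPException):
                return self.send_error(502)
            body = resp.read()
            self.send_response(resp.code)
            for name in RELAY:
                if resp.headers.get(name):
                    self.send_header(name, resp.headers[name])
            self.send_header("Content-Length", str(len(body)))
            # Sent whether or not the request had an Origin header. "*" suits
            # public, credential-free assets only.
            self.send_header("Access-Control-Allow-Origin", "*")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass

    return CorsProxy


if __name__ == "__main__":
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 8080), make_handler(UPSTREAM))
    server.serve_forever()
```
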