JavaScript How to restrict AWS S3 access using CORS? restrict access using permission set,restrict access using xhost,restrict

How do I set up CORS on Amazon S3 to allow only approved domains to access a JS script in my S3 bucket? Currently, I have CORS set as follows on my S3 bucket:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>www.someapproveddomain.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>Authorization</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

Yet any domain can access and run script hello.js (which resides in the S3 bucket) as demonstrated at JSFiddle. Does anyone what I'm doing wrong? Or, maybe I'm just misunderstanding what CORS is supposed to do?

Answer:1

Instead of trying to solve this with CORS, you need to solve it using an S3 Bucket Policy that restricts access to a specific HTTP referrer. This is documented here.

This is the example bucket policy given by AWS:

{
  "Version":"2012-10-17",
  "Id":"http referer policy example",
  "Statement":[
    {
      "Sid":"Allow get requests originating from www.example.com and example.com.",
      "Effect":"Allow",
      "Principal":"*",
      "Action":"s3:GetObject",
      "Resource":"arn:aws:s3:::examplebucket/*",
      "Condition":{
        "StringLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}
      }
    }
  ]
}

Note that the HTTP referrer is fairly easy for an attacker to spoof.

Answer:2

So basically I am using a jquery plug-in called blueprint split layout. The code for it can be found at: http://tympanus.net/Blueprints/SplitLayout/index.html. I modified the code to fit with my ...

So basically I am using a jquery plug-in called blueprint split layout. The code for it can be found at: http://tympanus.net/Blueprints/SplitLayout/index.html. I modified the code to fit with my ...

I would like to use JavaScript to read the entire content of a txt file on Google Drive or Dropbox into a string variable. I've seen similar questions, but I would like to have it done purely with ...

I would like to use JavaScript to read the entire content of a txt file on Google Drive or Dropbox into a string variable. I've seen similar questions, but I would like to have it done purely with ...

  1. javascript read text file
  2. javascript read text file into array
  3. javascript read text file from url
  4. javascript read text file from server
  5. javascript read text file into variable
  6. javascript read text file line by line
  7. javascript read text from webpage
  8. javascript read text from image
  9. javascript read text from pdf
  10. javascript read text file example
  11. javascript read text from clipboard
  12. javascript read text file line by line example
  13. javascript read text input value
  14. javascript read text file from local
  15. javascript read text box
  16. javascript read text file from disk
  17. javascript read text file as string
  18. javascript read text input
  19. javascript read text from textarea
  20. javascript read text file into table

I'm using jointjs to draw graphs. I'm wondering how to listen to the mouse click event on an element? I found on http://www.jointjs.com/api#joint.dia.Element, there is only change:position option but ...

I'm using jointjs to draw graphs. I'm wondering how to listen to the mouse click event on an element? I found on http://www.jointjs.com/api#joint.dia.Element, there is only change:position option but ...

I have 100 tables on this page and each has a checkbox. My goal is to download the contents of each table that has the corresponding checkbox checked to one cvs file. Here is the code for the table. ...

I have 100 tables on this page and each has a checkbox. My goal is to download the contents of each table that has the corresponding checkbox checked to one cvs file. Here is the code for the table. ...