docs(installation): expand and reorganize S3 CORS documentation #12161

poikilotherm · poikilotherm · commit bac4fbe8035f · 2026-02-13T17:39:14.000+01:00
- Clarify CORS requirements for direct uploads and downloads
- Add cross-references to Dataverse CORS settings
- Provide step-by-step instructions and examples for AWS CLI and Minio
- Refactor guidance on ensuring origin compatibility between Dataverse and S3
diff --git a/doc/sphinx-guides/source/_static/installation/cors/cors.json b/doc/sphinx-guides/source/_static/installation/cors/cors.json
@@ -0,0 +1,10 @@
+{
+    "CORSRules": [
+        {
+            "AllowedOrigins": ["*"],
+            "AllowedHeaders": ["*"],
+            "AllowedMethods": ["PUT", "GET"],
+            "ExposeHeaders": ["ETag", "Accept-Ranges", "Content-Encoding", "Content-Range"]
+        }
+    ]
+}
diff --git a/doc/sphinx-guides/source/_static/installation/cors/cors.xml b/doc/sphinx-guides/source/_static/installation/cors/cors.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
+    <CORSRule>
+        <AllowedOrigin>*</AllowedOrigin>
+        <AllowedHeader>*</AllowedHeader>
+        <AllowedMethod>PUT</AllowedMethod>
+        <AllowedMethod>GET</AllowedMethod>
+        <ExposeHeader>ETag</ExposeHeader>
+        <ExposeHeader>Accept-Ranges</ExposeHeader>
+        <ExposeHeader>Content-Encoding</ExposeHeader>
+        <ExposeHeader>Content-Range</ExposeHeader>
+    </CORSRule>
+</CORSConfiguration>
diff --git a/doc/sphinx-guides/source/installation/big-data-support.rst b/doc/sphinx-guides/source/installation/big-data-support.rst
@@ -49,47 +49,74 @@ The following features are disabled when S3 direct upload is enabled.
 - Creation of NcML auxiliary files (See :ref:`netcdf-and-hdf5`.)
 - Extraction of a geospatial bounding box from NetCDF and HDF5 files (see :ref:`netcdf-and-hdf5`) unless :ref:`dataverse.netcdf.geo-extract-s3-direct-upload` is set to true.
 
+
 .. _cors-s3-bucket:
 
 Allow CORS for S3 Buckets
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
-**IMPORTANT:** One additional step that is required to enable direct uploads via a Dataverse installation and for direct download to work with previewers and direct upload to work with dvwebloader (:ref:`folder-upload`) is to allow cross site (CORS) requests on your S3 store.
-The example below shows how to enable CORS rules (to support upload and download) on a bucket using the AWS CLI command line tool. Note that you may want to limit the AllowedOrigins and/or AllowedHeaders further.  https://github.com/gdcc/dataverse-previewers/wiki/Using-Previewers-with-download-redirects-from-S3 has some additional information about doing this.
+**IMPORTANT:** This additional step of allowing cross-site request to your S3 buckets is required to enable direct uploads via a Dataverse installation, direct download to work with previewers, or direct upload to work with *dvwebloader* (:ref:`folder-upload`).
+
+To successfully enable direct uploads (e.g. :ref:`folder-upload`) or direct downloads (e. g. consumed by previewers), you must both:
+* Enable CORS in Dataverse (see :ref:`dataverse.cors`).
+* Configure a matching/compatible CORS policy on each S3 bucket (and any CDN/proxy in front of it) that will be used.
 
-Dataverse itself will only emit the necessary ``Access-Control-*`` headers to browsers when CORS has been explicitly enabled via the JVM/MicroProfile setting :ref:`dataverse.cors.origin <dataverse.cors.origin>`. You must both:
+**NOTE:** Make sure the bucket's CORS configuration ``AllowedOrigins`` is at least as permissive as the origins you configure in :ref:`dataverse.cors.origin`.
+If the bucket allows the wildcard ``*`` but the Dataverse application only allows a subset, the browser will still enforce the more restrictive application response!
 
-* Configure an appropriate ``dataverse.cors.origin`` value (single origin, comma-separated list, or ``*``) on the Dataverse application server; and
-* Configure a matching/compatible CORS policy on each S3 bucket (and any CDN/proxy in front of it) that will be used for direct upload or for redirect (download-redirect) operations consumed by previewers.
+Detailed information for the most common S3 admin tools around CORS:
 
-If you specify multiple origins in ``dataverse.cors.origin`` Dataverse will echo back the requesting origin (when it matches) and will include ``Vary: Origin`` so that shared caches do not serve one origin's response to another. If you configure ``*`` Dataverse will respond with ``Access-Control-Allow-Origin: *`` (note that browsers will not allow credentialed requests with a wildcard).
+- `AWS <https://docs.aws.amazon.com/AmazonS3/latest/userguide/enabling-cors-examples.html>`_
+- `Minio mc <https://docs.min.io/enterprise/aistor-object-store/reference/cli/mc-cors>`_
+- `s3cmd <https://servicedesk.surf.nl/wiki/spaces/WIKI/pages/215253125/Object+Store+S3+CORS+Policies>`_
 
-Make sure the bucket CORS configuration ``AllowedOrigins`` is at least as permissive as the origins you configure in ``dataverse.cors.origin``. If the bucket allows ``*`` but the Dataverse application only allows a subset, the browser will still enforce the more restrictive application response.
+Get Current CORS Policy on Bucket
++++++++++++++++++++++++++++++++++
 
 If you'd like to check the CORS configuration on your bucket before making changes:
 
-``aws s3api get-bucket-cors --bucket <BUCKET_NAME>``
+.. tabs::
+   .. group-tab:: AWS CLI
+      :code:`aws s3api get-bucket-cors --bucket <BUCKET_NAME>`
+
+   .. group-tab:: Minio Client (mc)
+      :code:`mc cors get <STORE_NAME>/<BUCKET_NAME>`
+
+Set CORS Policy on Bucket
++++++++++++++++++++++++++
+
+The examples below shows how to enable CORS rules (to support upload and download) on a bucket.
+
+**Note:** You may want to limit the ``AllowedOrigins`` and/or ``AllowedHeaders`` further.
+`GDCC/dataverse-previewers <https://github.com/gdcc/dataverse-previewers/wiki/Using-Previewers-with-download-redirects-from-S3>`_ has some additional information about doing this.
+
+Both JSON and XML format are explained in detail in `AWS Docs <https://docs.aws.amazon.com/AmazonS3/latest/userguide/ManageCorsUsing.html#cors-example-1>`_.
+
+.. tabs::
+  .. group-tab:: AWS CLI
+    Create a file :download:`cors.json </_static/installation/cors/cors.json>` as follows:
+
+    .. literalinclude:: /_static/installation/cors/cors.json
+        :name: aws-cors
+        :language: json
+
+    Proceed with making the changes:
+
+    :code:`aws s3api put-bucket-cors --bucket <BUCKET_NAME> --cors-configuration file://cors.json`
 
-To proceed with making changes:
+    Alternatively, you can enable CORS using the AWS S3 web interface, using json-encoded rules as in the example above.
 
-``aws s3api put-bucket-cors --bucket <BUCKET_NAME> --cors-configuration file://cors.json``
+  .. group-tab:: Minio Client (mc)
+    Create a file :download:`cors.xml </_static/installation/cors/cors.xml>` as follows:
 
-with the contents of the file cors.json as follows:
+    .. literalinclude:: /_static/installation/cors/cors.xml
+        :name: xml-cors
+        :language: xml
 
-.. code-block:: json
+    Proceed with making the changes:
 
-        {
-          "CORSRules": [
-             {
-                "AllowedOrigins": ["*"],
-                "AllowedHeaders": ["*"],
-                "AllowedMethods": ["PUT", "GET"],
-                "ExposeHeaders": ["ETag", "Accept-Ranges", "Content-Encoding", "Content-Range"]
-             }
-          ]
-        }
+    :code:`mc cors set <STORE_NAME>/<BUCKET_NAME> ./cors.xml`
 
-Alternatively, you can enable CORS using the AWS S3 web interface, using json-encoded rules as in the example above. 
 
 .. _s3-tags-and-direct-upload:
 
