For those who came here for 403 at the OPTIONS request of cross-access to s3 and did not find what they were looking for, maybe my experience in this can help.
tldr; browsers are designed to set the source to zero in 302 redirects from another source
I also ran into the CORS problem when pre-querying a resource from the recycle bin, a resource that was otherwise available when browsing directly.
I tuned CORS to a bucket with properly accepted headers and origins. Something like the following.
<?xml version="1.0" encoding="UTF-8"?> <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <CORSRule> <AllowedOrigin>http://localhost:8080</AllowedOrigin> <AllowedMethod>GET</AllowedMethod> <AllowedMethod>HEAD</AllowedMethod> <MaxAgeSeconds>3000</MaxAgeSeconds> <AllowedHeader>authorization</AllowedHeader> </CORSRule> </CORSConfiguration>
Then i got an error
Access to XMLHttpRequest at 'https://[REDACTED].s3.amazonaws.com/[REDACTED]?AWSAccessKeyId=[REDACTED]' (redirected from '[REDACTED]') from origin 'null' has been blocked by CORS policy: Response to preflight request does not pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
After checking the request headers, it became clear that the only suspicious thing was Origin, which had the value "null".
Access-Control-Request-Headers: authorization Access-Control-Request-Method: GET Origin: null Referer: [REDACTED] User-Agent: [REDACTED]
As it turns out, browsers are designed to set the source to zero in 302 redirects from another source due to security issues. More details here .
There is no solution to this problem, except to not redirect. I had to redesign the server resource that was redirecting to provide a link for direct access to s3 bbject instead.