Enabling cross-origin resource sharing (CORS)
Why can't I display the raw data of my file on the Platform?
Cloud storage providers may implement additional security measures limiting access to the contents of stored objects. This may prevent you from viewing the content of some aliases, even when the files are otherwise readable and can be used as inputs to computation.
For instance, access to Amazon S3 buckets and objects is managed entirely via Amazon's access policies in most cases. The Volumes API uses this mechanism to authenticate with Amazon when reading from and writing to your buckets.
This mechanism, however, does not always work. For instance, we receive the following error when we try to access and view the contents of an alias on the visual interface of the Platform in a standards-compliant Web browser.
Note that clicking Display raw data differs from other operations involving aliases on the Platform. When you use an alias as an input to computation, view it in the Seven Bridges Genome Browser, or download the alias to a local computer, you authenticate with Amazon Web Services using the credentials you used to configure your S3 bucket.
However, when the Platform visual interface tries to display the content of an alias in a browser window, Amazon S3 requires the Web application be hosted in the same domain as the content that it is trying to show. When this requirement is not met, the queried service (Amazon S3) will reject the incoming request even if it is otherwise valid, as shown below:
This security requirement protects websites and Web services from malicious and potentially insecure access by Web applications written, hosted, and maintained by a third party. In this case, the Amazon S3 Web service does not know or trust the Platform Web application and will not allow it access to your Amazon S3 bucket's contents even if you used the proper credentials to authenticate.
Cross-origin resource sharing
There is, however, a way for two Web services to state that they trust each other: cross-origin resource sharing (CORS).
CORS is a mechanism for Web services to announce that they will listen to certain requests from Web applications not hosted on their own servers. Note that CORS merely allows the outside applications to talk to the service. It does not grant access to content. Access has to be handled through a dedicated authentication mechanism – in our case, Amazon or Google accounts and policies.
Therefore, you will need to enable CORS on your Amazon S3 or Google Cloud Storage buckets if you'd like to view the contents of your aliases on the Platform visual interface.
How to enable CORS on your Amazon S3 buckets
To enable CORS on your Amazon S3 bucket, follow these steps:
- Log into the AWS Management Console.
- Click Services and select S3.
- Select your desired bucket.
- In the right-hand panel, click Permissions.
- Click Edit CORS Configuration.
- In the pop-up dialog, paste the following text:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <ExposeHeader>Content-Range</ExposeHeader>
    <ExposeHeader>Content-Length</ExposeHeader>
    <ExposeHeader>ETag</ExposeHeader>
    <AllowedHeader>Authorization</AllowedHeader>
    <AllowedHeader>Content-Range</AllowedHeader>
    <AllowedHeader>Accept</AllowedHeader>
    <AllowedHeader>Content-Type</AllowedHeader>
    <AllowedHeader>Origin</AllowedHeader>
    <AllowedHeader>Range</AllowedHeader>
  </CORSRule>
</CORSConfiguration>
- Click Save.
That's it! You should now be able to view your S3 files on the Platform.
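The following is an added example, not part of the original page and not AWS or Platform code: a simplified model of how a CORS rule like the one above answers a browser's preflight, showing that the `*` origin answers any site while a pinned origin answers only one. The function names are hypothetical, the rule is shortened from the page's configuration, and `https://platform.example` is a placeholder for the Platform's actual origin.

```python
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# The rule from this page, shortened to the elements the matcher below reads.
PAGE_CONFIG = """<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>Authorization</AllowedHeader>
<AllowedHeader>Range</AllowedHeader>
</CORSRule>
</CORSConfiguration>"""

# Same rule pinned to one origin. The hostname is a placeholder (assumption).
PINNED_CONFIG = PAGE_CONFIG.replace(">*<", ">https://platform.example<")

def glob_match(pattern, value):
    """Match a value against a pattern holding at most one '*' wildcard."""
    head, star, tail = pattern.partition("*")
    if not star:
        return pattern == value
    return len(value) >= len(head) + len(tail) and value.startswith(head) and value.endswith(tail)

def rules(config_xml):
    """Yield (origins, methods, headers, max_age) lists for each CORSRule."""
    for rule in ET.fromstring(config_xml).findall("s3:CORSRule", NS):
        yield tuple([e.text.strip() for e in rule.findall("s3:" + tag, NS)]
                    for tag in ("AllowedOrigin", "AllowedMethod", "AllowedHeader", "MaxAgeSeconds"))

def preflight(config_xml, origin, method, request_headers=()):
    """Return the CORS response headers for a preflight, or None if no rule matches."""
    for origins, methods, headers, max_age in rules(config_xml):
        allowed = [h.lower() for h in headers]  # header names compare case-insensitively
        if (any(glob_match(o, origin) for o in origins) and method in methods
                and all(any(glob_match(a, h.lower()) for a in allowed) for h in request_headers)):
            resp = {"Access-Control-Allow-Origin": "*" if "*" in origins else origin,
                    "Access-Control-Allow-Methods": ", ".join(methods)}
            if max_age:
                resp["Access-Control-Max-Age"] = max_age[0]
            return resp
    return None  # no matching rule: the browser blocks the cross-origin read

def wildcard_rules(config_xml):
    """Return the index of every rule that accepts any origin."""
    return [i for i, (origins, *_) in enumerate(rules(config_xml)) if "*" in origins]
```

Either variant only decides whether the browser may read the response; the request must still authenticate against the bucket's access policy.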
How to enable CORS on your Google Cloud Storage buckets
To enable CORS on your Google Cloud Storage bucket, follow these steps:
- Create a file named sb-cors.json with the content as follows:
[
  {
    "origin": ["*"],
    "method": ["GET"],
    "maxAgeSeconds": 3000,
    "responseHeader": ["Authorization", "Content-Range", "Accept", "Content-Type", "Origin", "Range"]
  }
]
- Run the following command in the command line, replacing BUCKET-NAME with the name of your bucket:
gsutil cors set sb-cors.json gs://BUCKET-NAME/
That's it! You should now be able to view your Google Cloud Storage files on the Platform.
How to enable CORS on your Microsoft Azure storage account
To enable cross-origin resource sharing on the storage account that contains the container you want to connect to the Platform, follow the steps below:
- Open the storage account that holds the container you want to connect, and select Resource sharing (CORS) from the menu on the left.
- Select the Blob service tab and enter the following values in the edit fields:
  - Allowed origins: Enter *
  - Allowed methods: Select GET
  - Allowed headers: Copy and paste the following list: "Authorization", "Content-Range", "Accept", "Content-Type", "Origin", "Range"
  - Exposed headers: Copy and paste the following list: "Content-Range", "Content-Length", "ETag"
  - Max age: Enter 3000