Enabling cross-origin resource sharing (CORS)

Why can't I display the raw data of my file on the CGC?

Cloud storage providers may implement additional security measures limiting access to the contents of stored objects. This may prevent you from viewing the content of some aliases, even when the files are otherwise readable and can be used as inputs to computation.

For instance, in most cases access to Amazon S3 buckets and objects is managed entirely via Amazon's access policies. The Volumes API uses this mechanism to authenticate with Amazon when reading from and writing to your buckets.

This mechanism, however, does not always work. For instance, we receive an error when we try to access and view the contents of an alias on the visual interface of the CGC in a standards-compliant Web browser.

Note that clicking Display raw data differs from other operations involving aliases on the CGC. When you use an alias as an input to computation, view it in the Seven Bridges Genome Browser, or download the alias to a local computer, you authenticate with Amazon Web Services using the credentials you used to configure your S3 bucket.

However, when the CGC visual interface tries to display the content of an alias in a browser window, Amazon S3 requires that the Web application be hosted in the same domain as the content it is trying to show. When this requirement is not met, the queried service (Amazon S3) will reject the incoming request even if it is otherwise valid.

This security requirement protects websites and Web services from malicious and potentially insecure access by Web applications written, hosted, and maintained by a third party. In this case, the Amazon S3 Web service does not know or trust the CGC Web application and will not allow it access to your Amazon S3 bucket's contents even if you used the proper credentials to authenticate.

Cross-origin resource sharing

There is, however, a way for two Web services to state that they trust each other: cross-origin resource sharing (CORS).

CORS is a mechanism for Web services to announce that they will listen to certain requests from Web applications not hosted on their own servers. Note that CORS merely allows the outside applications to talk to the service. It does not grant access to content. Access has to be handled through a dedicated authentication mechanism – in our case, Amazon or Google accounts and policies.

Therefore, you will need to enable CORS on your Amazon S3, Google Cloud Storage or Microsoft Azure buckets if you'd like to view the contents of your attached storage on the Cancer Genomics Cloud.

How to enable CORS on your Amazon S3 buckets

To enable CORS on your Amazon S3 bucket, follow these steps:

  1. Log into the AWS Management Console.
  2. Click Services and select S3.
  3. Select your desired bucket.
  4. In the right-hand panel, click Permissions.
  5. Click Edit CORS Configuration.
  6. In the pop-up dialog, paste the following text:
[
    {
        "AllowedOrigins": [
            "*"
        ],
        "AllowedMethods": [
            "GET"
        ],
        "MaxAgeSeconds": 3000,
        "ExposeHeaders": [
            "Content-Range",
            "Content-Length",
            "ETag"
        ],
        "AllowedHeaders": [
            "Authorization",
            "Content-Range",
            "Accept",
            "Content-Type",
            "Origin",
            "Range"
        ]
    }
]
  7. Click Save.

That's it! You should now be able to view your S3 files on the CGC.
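
How S3 decides whether a browser request is covered by the rule pasted above, as an added example that is not part of the original page or the platform's own code: it applies S3's three matching conditions (origin, method, requested headers) to that rule. The two origins, the `X-Example-Header` name and the `pinned` variant are constructed placeholders.

```python
import json
import re

# CORS rule from the steps above. ExposeHeaders and MaxAgeSeconds are left
# out: they shape the response, not whether a request matches the rule.
PAGE_RULES = json.loads("""
[{"AllowedOrigins": ["*"],
  "AllowedMethods": ["GET"],
  "AllowedHeaders": ["Authorization", "Content-Range", "Accept",
                     "Content-Type", "Origin", "Range"]}]
""")


def glob_match(pattern, value):
    """Literal match in which "*" is the only wildcard, as in S3 CORS rules."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def rule_matches(rule, origin, method, requested_headers=()):
    """S3's three conditions: origin, method and every requested header.
    For a preflight, method is the Access-Control-Request-Method value."""
    origin_ok = any(glob_match(p, origin) for p in rule["AllowedOrigins"])
    method_ok = method in rule["AllowedMethods"]
    allowed = [h.lower() for h in rule.get("AllowedHeaders", [])]
    headers_ok = all(
        any(glob_match(p, h.lower()) for p in allowed) for h in requested_headers
    )
    return origin_ok and method_ok and headers_ok


def cors_allows(rules, origin, method, requested_headers=()):
    """True if any rule matches. A match only lets the browser read the
    response; S3 still authorizes the request itself separately."""
    return any(rule_matches(r, origin, method, requested_headers) for r in rules)


if __name__ == "__main__":
    viewer = "https://viewer.example"  # constructed placeholder origin
    other = "https://other.example"    # constructed placeholder origin
    pinned = [dict(PAGE_RULES[0], AllowedOrigins=[viewer])]  # constructed variant
    print(cors_allows(PAGE_RULES, viewer, "GET", ["Range", "Authorization"]))
    print(cors_allows(PAGE_RULES, viewer, "PUT"))
    print(cors_allows(PAGE_RULES, viewer, "GET", ["X-Example-Header"]))
    print(cors_allows(PAGE_RULES, other, "GET"))
    print(cors_allows(pinned, other, "GET"))
```

With `"*"` in `AllowedOrigins` the rule matches a GET from any origin; listing a specific origin instead narrows it, as the last call shows.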

How to enable CORS on your Google Cloud Storage buckets

To enable CORS on your Google Cloud Storage bucket, follow these steps:

  1. Create a file named sb-cors.json with the content as follows:
[
    {
        "origin": ["*"],
        "method": ["GET"],
        "maxAgeSeconds": 3000,
        "responseHeader": ["Authorization", "Content-Range", "Accept", "Content-Type", "Origin", "Range"]
    }
]
  2. Run the following command in the command line, replacing BUCKET-NAME with the name of your bucket:
gsutil cors set sb-cors.json gs://BUCKET-NAME/

That's it! You should now be able to view your Google Cloud Storage files on the CGC.

How to enable CORS on your Microsoft Azure storage account

To enable Cross-Origin Resource Sharing on the storage account that contains the container you want to connect to the CGC, follow the steps below:

  1. Open the storage account that holds the container you want to connect, and select Resource sharing (CORS) from the menu on the left.
  2. Select the Blob service tab and enter the following values in the edit fields:
    • Allowed origins: Enter *
    • Allowed methods: Select GET
    • Allowed headers: Copy and paste the following list: "Authorization", "Content-Range", "Accept", "Content-Type", "Origin", "Range"
    • Exposed headers: Copy and paste the following list: "Content-Range", "Content-Length", "ETag"
    • Max age: Enter 3000