Setting up CORS

When reading tiles from an S3 bucket, it is important that CORS requests from Wherobots Cloud (WBC) are allowed. When using the Wherobots-provided buckets, this is already done. If you are using your own bucket, you will need to ensure that the Wherobots domain is allow-listed in the bucket's CORS policy.

What is CORS?

CORS (Cross-Origin Resource Sharing) is a security feature implemented in web browsers that restricts web pages from making requests to a different domain than the one that served the original page. It prevents malicious websites from making requests to other websites on your behalf. You can learn more from Wikipedia.

Why is this Required?

PMTiles requests are made over HTTP(S) to leverage range requests. Range requests are the basis of the magic that makes reading tiles directly from a PMTiles archive fast without having a dedicated tile server. Since these requests go over HTTP(S) and not directly via the S3 API (i.e. through an AWS SDK), CORS comes into play.

How to allow Cross Origin requests from Wherobots Cloud?

To allow CORS requests from Wherobots Cloud, you will need to add a CORS policy to your S3 bucket. If this is the only use of CORS you have, we recommend the following policy:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "HEAD"
        ],
        "AllowedOrigins": [
            "https://wbc.wherobots.com"
        ],
        "ExposeHeaders": [
            "x-amz-request-id"
        ]
    }
]

If you have other use cases for CORS, you will need to collate those rules with the one above. You can learn more about S3 CORS configuration from the AWS documentation.
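
One way to collate rules and check the result before applying it, as an added example (not Wherobots or AWS code). It uses a simplified model of S3's first-matching-rule evaluation and assumes the browser preflights the Range header; the `https://app.example.com` rule and all function names are constructed for illustration.

```python
import re

WBC_ORIGIN = "https://wbc.wherobots.com"
WBC_RULE = {  # the rule recommended on this page
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["GET", "HEAD"],
    "AllowedOrigins": [WBC_ORIGIN],
    "ExposeHeaders": ["x-amz-request-id"],
}

def _glob(pattern, value, ignore_case=False):
    """Match with '*' as the only wildcard (no '?' or '[...]' as in fnmatch)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def matching_rule(rules, origin, method, request_headers=()):
    """Return the first rule allowing the request, or None.

    Simplified model: S3 applies the first rule whose origin, method and
    requested headers all match. Origins are compared case-sensitively
    here (assumption); header names case-insensitively.
    """
    for rule in rules:
        origin_ok = any(_glob(o, origin) for o in rule.get("AllowedOrigins", []))
        method_ok = method in rule.get("AllowedMethods", [])
        headers_ok = all(
            any(_glob(h, name, True) for h in rule.get("AllowedHeaders", []))
            for name in request_headers
        )
        if origin_ok and method_ok and headers_ok:
            return rule
    return None

def collate(existing_rules):
    """Append the WBC rule unless WBC range reads are already allowed."""
    covered = all(
        matching_rule(existing_rules, WBC_ORIGIN, m, ["range"]) for m in ("GET", "HEAD")
    )
    return list(existing_rules) if covered else list(existing_rules) + [WBC_RULE]

def wildcard_origin_rules(rules):
    """Rules open to every origin, worth reviewing before they are kept."""
    return [r for r in rules if "*" in r.get("AllowedOrigins", [])]

# Constructed sample: a bucket that already has an upload rule for another app.
EXISTING = [{
    "AllowedHeaders": ["content-type"],
    "AllowedMethods": ["PUT", "POST"],
    "AllowedOrigins": ["https://app.example.com"],
}]
MERGED = collate(EXISTING)
```

`MERGED` is the list to store as the bucket's CORS configuration; the WBC origin gains read access only, and the existing upload rule is unchanged.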