R2 Cloudflare - Get object, ID account visible in the link (security)

kaimi · September 15, 2022, 7:18am

Hello,

I have some questions about R2 Cloudflare

I have images, videos and others in the R2 bucket and when I retrieve them I have a link of this type:

“ID_CLOUDFARE.r2.cloudflarestorage.com/BUCKET_NAME/…”

I would like to know if I can directly display an image / video and others directly via this link on my site or it poses a real security problem that we can see my cloudfare ID and the name of the bucket.

I tried to create a blob link with the Cloudflare link received but it’s impossible, I have this error:

“Access to XMLHttpRequest at ‘ID_CLOUDFARE.r2.cloudflarestorage.com/BUCKET_NAME/…’ from origin ‘mywebsite.net’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.”

is it impossible to create a blob with a cloudfare r2 link ?

Thank you

Bye

Judge · September 15, 2022, 2:35pm

For now, the only way would be a worker. See this which details a simple worker to get started, but you’d need to extend it to have proper access control and CORS headers: Get started guide · Cloudflare R2 docs

Otherwise, please read:

KianNH · September 15, 2022, 2:41pm

FYI public buckets that are available via a CNAME on your domain are coming very, very soon - and will solve both points.

kaimi · September 15, 2022, 3:00pm

Thank you for the answer.

But is making my CloudFare ID public really a big security issue?

KianNH · September 15, 2022, 3:00pm

I wouldn’t go posting it everywhere for the sake of it but it isn’t really sensitive, no.

No-one can do anything with it unless they had an API token/key of yours.

system · September 18, 2022, 3:00pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.