R2 is always public despite CORS

I was testing R2, uploading jpegs, connecting the bucket to a subdomain so that it can be accessed publicly. Everything was fine and I can access the images with bucket.mydomain.com/myimage.jpg in the browser.

However, when I tried adding a CORS policy through the dashboard like below, I can still view my images attached to a localhost:3000 website. Shouldn’t it be blocked according to the doc? I’m pretty new to Cloudflare and web serving in general. My goal is to use R2 to serve images to only my website, preventing hotlinking/spamming.

[
  {
    "AllowedOrigins": [
      "https://mydomain.com"
    ],
    "AllowedMethods": [
      "GET"
    ]
  }
]

Side question, why does the amount of operations go up even when I’m not accessing R2? Like class B operation counts went up by 50 overnight. My R2 files aren’t being used anywhere.

I’ve resolved my main question.

I misunderstood what CORS policies do. I think it will only add a header which tells the browser to prevent JS from accessing the response body. This doesn’t apply to hotlinking or viewing the image through a browser URL.

What I need in my case is a firewall (domain > Security > WAF > custom rules), with a rule to filter requests by the referer.

Side question, why does the amount of operations go up even when I’m not accessing R2? Like class B operation counts went up by 50 overnight. My R2 files aren’t being used anywhere.

Also found out what happened here. After introducing firewall, I caught a lot of unknown requests from different countries, probably crawlers or bots.
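The difference the self-reply describes, as an added example that is not from the original thread or from Cloudflare: a small model in which the bucket's CORS policy and the edge's behaviour are simulated in one script. The CORS policy is the one posted above; the Referer allowlist and the exact shape of the WAF custom rule are assumptions.

```javascript
// Added example, not from the original thread: a small model of the two
// mechanisms. The CORS policy is the one in the post; the Referer allowlist
// and the WAF rule shape are assumptions.
const CORS_POLICY = [{ AllowedOrigins: ["https://mydomain.com"], AllowedMethods: ["GET"] }];
const REFERER_ALLOW = ["mydomain.com", "www.mydomain.com"]; // assumed WAF allowlist

// Stand-in for the R2 edge. With refererRule on, it mimics a WAF custom rule
// that blocks a request whose Referer host is not on the allowlist.
function edgeResponse(req, refererRule) {
  const referer = req.headers.referer;
  if (refererRule && referer !== undefined) {
    if (!REFERER_ALLOW.includes(new URL(referer).hostname)) {
      return { status: 403, headers: {}, body: "" };
    }
  }
  // CORS only adds a response header; it never withholds the object itself.
  const headers = {};
  const origin = req.headers.origin;
  const allowed = CORS_POLICY.some(r =>
    r.AllowedOrigins.includes(origin) && r.AllowedMethods.includes(req.method));
  if (origin !== undefined && allowed) headers["access-control-allow-origin"] = origin;
  return { status: 200, headers, body: "<constructed jpeg bytes>" };
}

// Browser side of CORS: a script on pageOrigin may read a cross-origin
// fetch() response only if the header names its origin (or "*").
function scriptCanReadBody(pageOrigin, res) {
  const acao = res.headers["access-control-allow-origin"];
  return res.status === 200 && (acao === "*" || acao === pageOrigin);
}

// Simulate one image load. via: "navigate" (URL bar, no Referer), "img"
// (<img> tag on a page at pageOrigin) or "fetch" (script on that page
// reading the bytes). Returns whether the edge served the object and
// whether the requester ends up with the pixels.
function simulate(pageOrigin, via, refererRule) {
  const headers = {};
  if (via !== "navigate") {
    headers.referer = pageOrigin + "/";              // browsers send the page as Referer
    if (via === "fetch") headers.origin = pageOrigin; // Origin is sent on script requests
  }
  const res = edgeResponse({ method: "GET", headers }, refererRule);
  // <img> and navigation are not gated by CORS; only script reads are.
  const shown = via === "fetch" ? scriptCanReadBody(pageOrigin, res) : res.status === 200;
  return { status: res.status, shown };
}
```

With refererRule off, the `<img>` from localhost:3000 still renders (CORS only withholds the body from script), while with it on the edge answers 403; a request carrying no Referer (URL bar, many non-browser clients, a strict Referrer-Policy) still passes, so the rule deters casual hotlinking rather than enforcing access control.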
