earlymorning.dev / Firebase / Setting the bucket CORS header

Setting the bucket CORS header

Some read operations require the client's domain to be whitelisted by a CORS header. We list the authorized domains in a cors.json file and send it to Google through the CLI, with gcloud storage.

cors.json

[
    {
        "origin": ["https://imagetales.io", "http://localhost:5173"],
        "method": ["GET"],
        "maxAgeSeconds": 3600
    }
]

Send the json file:

gcloud storage buckets update gs://imagetales.firebasestorage.app --cors-file=cors.json

Describe the existing bucket CORS config

gcloud storage buckets describe gs://imagetales.firebasestorage.app --format="default(cors_config)"

read operations that require a CORS whitelist

Generally, those are browser reads relying on asynchronous (background) fetches rather than navigating to the URL through an anchor tag:

  • getBlob(fileRef) to get a Blob, which uses fetch() under the hood.
  • getBytes(fileRef) to get an ArrayBuffer, which uses fetch() under the hood.
  • using fetch() manually with a bearer URL we got with getDownloadURL() or that we stored somewhere before.
earlymorning logo

© Antoine Weber 2026 - All rights reserved

earlymorning.dev / Firebase / Setting the bucket CORS header

Setting the bucket CORS header

Some read operations require the client's domain to be whitelisted by a CORS header. We list the authorized domains in a cors.json file and send it to Google through the CLI, with gcloud storage.

cors.json

[
    {
        "origin": ["https://imagetales.io", "http://localhost:5173"],
        "method": ["GET"],
        "maxAgeSeconds": 3600
    }
]

Send the json file:

gcloud storage buckets update gs://imagetales.firebasestorage.app --cors-file=cors.json

Describe the existing bucket CORS config

gcloud storage buckets describe gs://imagetales.firebasestorage.app --format="default(cors_config)"

read operations that require a CORS whitelist

Generally, those are browser reads relying on asynchronous (background) fetches rather than navigating to the URL through an anchor tag:

  • getBlob(fileRef) to get a Blob, which uses fetch() under the hood.
  • getBytes(fileRef) to get an ArrayBuffer, which uses fetch() under the hood.
  • using fetch() manually with a bearer URL we got with getDownloadURL() or that we stored somewhere before.