Allow Browser Uploads by Setting a CORS Policy

r2

// what it does

Applies a CORS ruleset from a JSON file (an array of rules with `AllowedOrigins`, `AllowedMethods`, `AllowedHeaders`). You need this whenever a browser talks to R2 directly — presigned-URL uploads or fetches from your frontend origin against a public/custom domain.

// shell

$ wrangler r2 bucket cors set my-bucket --file=./cors.json
$ wrangler r2 bucket cors list my-bucket

// gotcha

If the request's origin isn't in `AllowedOrigins`, the browser blocks the PUT/GET with a CORS error even though R2 itself is fine. Policy changes can take a short time to propagate.