HTML5 CORS implementation

  • Hi

    I've upgraded to the latest version of krpano from the version ... imagine my shock when nothing was loading in HTML5 because all the files i use (tiles and images) are on Amazon.
    Ok so after a few hours of cursing and trial and error my conclusion is HTML5 cors option only works with OFF

    As you might already know the buckets on amazon have the option to set up "CORS Configuration" as they call it ... it uses an xml that defines the response headers .... here are my settings:

    <?xml version="1.0" encoding="UTF-8"?>
    <CORSConfiguration xmlns="">

    as you might expected it does not work. so how should the krpano security tag look like to only allow GET requests to my bucket?


  • some updates ....

    the xml for that url is here =>
    this is the link build be me ... the pb is i get an error only on HTML5 on Desktop browsers and on the default browser on Android 4.1.2
    what works is IOS and Chrome for Android
    so the error i get is this

    Viewport target-densitydpi is not supported. 
    Uncaught Error: SecurityError: DOM Exception 18


  • Hi,

    the problem in your example is that there is NO 'Access-Control-Allow-Origin: *' http header at your tiles!

    Check the headers either with the Chrome/Firefox browser developers tools, so use sites like this:…/l2_r_02_02.jpg

    Here as comparions a tile from the Tokyo example: (hosted on Amazons Cloudfrount CDN servers)…/4/l6_r_4_1.jpg

    The 'Access-Control-Allow-Origin' header is very important for loading files from other servers in HTML5.

    Some browser still allow loading images without that header, but then they require not setting the CORS flag on image on the client-side - this can be done in krpano with the cros="off" setting. Normally (=according to the CORS specification) the 'autonomy' CORS setting should also allow loading images without Access-Control-Allow-Origin header, but many browsers seems to ignore that.

    So as conclusion - ALWAYS set the Access-Control-Allow-Origin on the server when loading images from other domain - then it should work without problems anywhere.

    About the server setup itself - this depends on the server software and provider itself - please see also here:

    And when using CDN servers keep in mind that they typically would cache the headers too, so that the cached files need to invalidated when changing the headers!

    Best regards,

  • Amazon CORS works only when in the request, the header "Origin" is present. Simple example in curl:

    curl -v -H "Origin: https://localhost" ""

    < HTTP/1.1 200 OK

    < Access-Control-Allow-Origin: *
    < Access-Control-Allow-Methods: GET
    < Access-Control-Expose-Headers: x-amz-server-side-encryption, x-amz-request-id, x-amz-id-2
    < Access-Control-Max-Age: 3000
    < Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
    < Last-Modified: Mon, 24 Nov 2014 11:06:13 GMT
    < ETag: "16b05db1fc883a053cc5b60274ddca73"
    < Accept-Ranges: bytes
    < Content-Type: application/octet-stream
    < Content-Length: 578256
    < Server: AmazonS3

    When this header is not present, Amazon bucket does not return the needed Access-Control-Allow-Origin. My question is then, how krpano has to be configured to send this header within the image fetch request? <security cors=""></security> is not helping...

  • i wrote up a tutorial for configuring AWS S3 for krpano and other panoramas here, CORS config info included -…eb-services-s3/

    just configure your bucket as shown in the tutorial and upload your panos, all permissions and cors etc will be set properly for all files automatically, no need to make any changes to krpanotools output files or set file permissions manually etc


  • The answer from Sam worked. You need both, to add CORS configuration and to add Policy bucket through the amazon S3 panel. Nothing else is required from the xml side.

    Thanks !

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!