Using CORS in private buckets
Because browsers are specifically mandated to strip user-headers from CORS requests, it is not possible to use the AUTHORIZATION header in download requests from private buckets when those requests come from a browser.
Use the alternative authentication method of appending the authentication string to the download URL. For example, to download the file helloworld.html from a public bucket publichello the url might be:
To download a similar file from a bucket privatehello might be:
Please note: Although web standards are to ignore case in the headers, URLS are case sensitive. Authorization must have the first letter capitalized, and the remainder in lower case.