Spoold is a free, privacy-first developer toolbox. Paste into the Magic Box and it detects JSON, HTML, JWT, curl, OpenAPI, CSV, timestamps, and more—then suggests the best tool. You can also browse the full catalog by category. No sign-up is required.

Is Spoold free to use?

Yes. Core tools are free. Heavy work runs in your browser so your payloads are not processed on Spoold servers for formatting, decoding, and similar utilities.

Is my data safe with Spoold?

Tool processing for supported client-side utilities happens in your browser. Encrypted share links are designed so only people with the link can read the payload. Review the Privacy Policy for details on cookies, optional ads, and third-party services.

What tools are available?

Spoold ships 65+ tools including JSON formatter and diff, JSON Schema validation, YAML and TOML converters, HTML and Markdown preview, JWT decode and sign, OpenAPI/Swagger viewer with curl, GraphQL formatter, curl to code and curl compare, certificate viewer, CSV preview, regex tester, Mermaid, code editor, LLM token utilities, QR codes, and many encoding and text utilities.

Does Spoold show ads?

The site may display advertisements or sponsored placements to help keep the service free. House promotions highlight other Spoold tools. Ads do not change the fact that supported tools process your pasted content locally in the browser. You can read how to manage ad cookies and opt-outs in the Privacy Policy.

Can I use keyboard shortcuts?

Yes. Press Cmd or Ctrl+K to open tool search, use / from the homepage, and use per-tool shortcuts (shown in the UI) such as jj for JSON and hh for HTML where configured.

R2 Presigned URL CORS: Fix Browser Upload and Download Errors | Spoold Blog

A valid R2 presigned URL can still fail in the browser

Presigned URLs handle permission, but CORS handles browser access. If your React, Next.js, Vue, or plain JavaScript app uploads directly to Cloudflare R2, the bucket still needs a CORS policy that matches the request origin, method, and headers. Use Spoold's S3/R2 CORS Generator & Debugger to test the exact request shape.

Why presigned URLs need CORS

A presigned URL proves that the request is authorized. It does not bypass the browser's same-origin rules. When JavaScript sends a PUT, POST, or GET to an R2 custom domain or public bucket URL, the browser checks whether R2 allows that frontend origin. If the CORS policy is missing or incomplete, the browser blocks the response.

Common R2 presigned URL CORS failures

Browser symptom	Likely cause	Fix
No Access-Control-Allow-Origin header	Origin not listed	Add the exact app origin
Preflight request does not pass	PUT or POST missing	Add the upload method
Content-Type is not allowed	Header missing	Add Content-Type to AllowedHeaders
x-amz-meta-* blocked	Metadata header missing	Add exact metadata header or x-amz-*
ETag is undefined in JS	Header not exposed	Add ETag to ExposeHeaders

Recommended CORS policy for R2 presigned PUT uploads

Start with a narrow origin list. Include localhost only for development. Add only the methods and headers your upload code sends.

[
  {
    "AllowedOrigins": [
      "https://app.example.com",
      "http://localhost:3000"
    ],
    "AllowedMethods": ["PUT", "POST", "HEAD"],
    "AllowedHeaders": [
      "Content-Type",
      "x-amz-acl",
      "x-amz-meta-*"
    ],
    "ExposeHeaders": ["ETag"],
    "MaxAgeSeconds": 3600
  }
]

What to inspect in DevTools

Open the Network tab and find the failed OPTIONS request.
Copy the Origin request header exactly.
Copy Access-Control-Request-Method. It should match an allowed method.
Copy Access-Control-Request-Headers. Every listed header must be allowed.
Paste those values into the R2 CORS debugger and compare the generated fixed config.

Headers that often surprise upload code

Upload libraries and fetch wrappers can add headers you did not type manually. Watch for Content-Type, Content-MD5, x-amz-checksum-*, x-amz-acl, and custom metadata headers. If the browser sends a header during preflight, the R2 CORS policy needs to allow it.

Why curl succeeds while the browser fails

curl does not enforce browser CORS. It can upload to a valid presigned URL even when the bucket policy would block JavaScript. To simulate browser behavior with curl, send an Origin header and, for preflight checks, an OPTIONS request with Access-Control-Request-Method.

curl -i -X OPTIONS 'https://files.example.com/upload/object.jpg' \
  -H 'Origin: https://app.example.com' \
  -H 'Access-Control-Request-Method: PUT' \
  -H 'Access-Control-Request-Headers: Content-Type,x-amz-acl'

Use the debugger before changing backend code

If the presigned URL works outside the browser, start with CORS. Paste your current policy into the S3/R2 CORS debugger, enter the exact browser request details, and apply the smallest fixed policy that passes.

R2 Presigned URL CORS: Fix Browser Upload and Download Errors

Why presigned URLs need CORS

Common R2 presigned URL CORS failures

Recommended CORS policy for R2 presigned PUT uploads

What to inspect in DevTools

Headers that often surprise upload code

Why curl succeeds while the browser fails

Use the debugger before changing backend code

Related Tools

URL Parser

JSON Formatter

Related Articles

Cloudflare R2 CORS Generator: Create Bucket CORS JSON for Browser Apps

S3 CORS Policy Generator: Create AWS Bucket CORS JSON for Browser Uploads

Fix Cloudflare R2 CORS Error: Preflight, Origin, Headers, and ETag

Try It Now