Set up an app with settings similar to:

Then, try a request from one of the allowed origins. You may see the request fail CORS authorization due to the presence of multiple values for the `Access-Control-Allow-Origin` header. Documentation for this header states:

> Specifies an origin. Only a single origin can be specified. If the server supports clients from multiple origins, it must return the origin for the specific client making the request.

Meaning, the server must not set each value provided in the `allow_origins` argument. See `blacksheep/server/cors.py`, where the values are joined together with `", "`.

The correct behavior would be to inspect the value of the `Origin` header sent in the request, and compare it to the values in the `allow_origins` setting. If there is a match, set the `Access-Control-Allow-Origin` response header to the matched value. If there is no match, omit the header.

Relatedly, the port of an origin is significant, but may be omitted, in which case the default port for the scheme is used. For example, `http://example.foo` is implied to be `http://example.foo:80`. The current code for matching the origin doesn't seem to take this into account. If you specify an allowed origin of `http://example.foo:80`, the CORS middleware will not match requests from `http://example.foo`.
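As an added illustration (not BlackSheep's own code), here is the origin matching described above in Python: it normalises the scheme's default port, echoes only the matching `Origin`, omits the header otherwise, and is shown beside the joined-values behaviour the issue reports. The `Vary: Origin` header and the http/https-only handling are my additions, not from the issue.

```python
from typing import Optional
from urllib.parse import urlsplit

# Default ports per scheme, so http://example.foo and http://example.foo:80 compare equal.
# Assumption (not from the issue): only http and https origins are handled.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host:port with the default port filled in, or None if unparsable."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def broken_allow_origin_header(allowed: list[str]) -> str:
    """The behaviour the issue describes: every configured origin joined with ', '.
    Browsers compare the header byte-for-byte with their own origin, so a
    multi-valued header never matches and every allowed client is rejected."""
    return ", ".join(allowed)


def resolve_allow_origin(request_origin: Optional[str], allowed: list[str]) -> Optional[str]:
    """Correct behaviour: return the single origin to echo, or None to omit the header."""
    if request_origin is None:
        return None
    wanted = normalize_origin(request_origin)
    if wanted is None:
        return None
    for candidate in allowed:
        if normalize_origin(candidate) == wanted:
            # Echo the request's own Origin value: the browser compares the header
            # against its serialized origin, which omits a default port.
            return request_origin
    return None


def cors_headers(request_origin: Optional[str], allowed: list[str]) -> dict[str, str]:
    """Build the CORS response headers. Vary: Origin is always present so a shared
    cache never replays one client's Access-Control-Allow-Origin to another client."""
    headers = {"Vary": "Origin"}
    matched = resolve_allow_origin(request_origin, allowed)
    if matched is not None:
        headers["Access-Control-Allow-Origin"] = matched
    return headers
```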