corydolphin / flask-cors

Cross Origin Resource Sharing ( CORS ) support for Flask
https://flask-cors.readthedocs.io/en/latest/index.html
MIT License
879 stars, 139 forks

Setting comma-separated `Access-Control-Allow-Origin` values is not supported by Firefox. #143

Closed Taiiwo closed 8 years ago

Taiiwo commented 8 years ago

Using version 2.1.2, initialising using:

```python
from flask.ext.cors import CORS
app = Flask(__name__)
CORS(app)
```

When making an AJAX request from a local machine on a non-standard port to an external server serving the above code (running Flask 0.10.1 on Apache with mod_wsgi), the server responds with `Access-Control-Allow-Origin: "http://localhost:8080, *"`. Such comma-separated lists are not supported by Firefox, and give the following error in the JavaScript debugging console: `Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://hostna.me/app/route. (Reason: CORS header 'Access-Control-Allow-Origin' does not match 'http://localhost:8080, *').`

corydolphin commented 8 years ago

Hey @Taiiwo, sorry for the delay here. Thanks so much for adding an issue, I really appreciate the time it takes.

Can you please share the settings you passed to Flask-Cors? I cannot replicate the behavior you are seeing. If you pass * as one of the allowed origins, I would expect that the request's Origin header will be returned as the Access-Control-Allow-Origin header.

Taiiwo commented 8 years ago

I'm not sure what else I can send you. Here's a picture of the failed AJAX request: [image: failed ajax request]. Here's the Firefox error message:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://phantas.ml/recruitment/cms/login. (Reason: CORS header 'Access-Control-Allow-Origin' does not match 'http://localhost:8080, *').

Here's the contents of the application at phantas.ml/recruitment/cms:

```python
import pymongo
import hashlib
import json
import util
import os
from flask import Flask
from flask import request
from flask.ext.cors import CORS
from bson.objectid import ObjectId

app = Flask(__name__)
CORS(app)

# ... some other functions ...

@app.route('/login', methods=['POST'])
def login():
    # everything below this line is just part of my project, and should be useless to you
    if request.method == "POST":
        user = request.form['user']
        passw = request.form['passw']
    else:
        return "False"
    # get user collection
    users = util.get_collection('users')
    # find the user in the collection
    user_data = users.find_one({"user": user})
    # if the login details match up
    if user_data and user_data['passw'] == util.sha512(user + passw):
        # create a salt so the same session key is only valid once
        session_salt = util.sha512(os.urandom(512))
        # add the salt to the database so we can verify it later
        util.update_user(user_data['_id'], {"session_salt": session_salt})
        # construct a session key from the salt
        session_key = util.sha512(session_salt + user_data['passw'])
        userID = str(user_data['_id'])
        del user_data['_id']  # delete sensitive variables
        del user_data['passw']  # ^^^^^^^^^^^^^^^^^^^^^^^^
        del user_data['session_salt']  # ^^^^^^^^^^^^^^^^^
        # User logged in. Gibbe (session) cookies
        return json.dumps({
            "session": session_key,
            "userID": userID,
            "details": user_data
        })
    else:
        return "False"
```

I didn't do anything else other than install flask and flask-cors from pip. I've played around with a few things, but nothing seems to work. I'm using simplehttpserver for my local client, but that shouldn't affect anything.

corydolphin commented 8 years ago

Hey @Taiiwo,

So, I think there may be a few things going on here.

  1. Can you confirm the version of flask-cors you are using? There should be no case in which comma-separated values are returned as of 2.X.
  2. From a comparison of the Origin and Host headers, it seems that you are making a request from http://localhost:8080 to http://phantas.ml. Is that what you expect?

Taiiwo commented 8 years ago

The server is running flask-cors version 2.1.2. Here's some other info:

```text
taiiwo@taiiwo:~/wwwphantas.ml$ pip show flask-cors
---
Metadata-Version: 1.1
Name: Flask-Cors
Version: 2.1.2
Summary: A Flask extension adding a decorator for CORS support
Home-page: https://github.com/corydolphin/flask-cors
Author: Cory Dolphin
Author-email: corydolphin@gmail.com
License: MIT
Location: /usr/local/lib/python2.7/dist-packages
Requires: Flask, Six
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
You are using pip version 7.1.2, however version 8.0.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
```

Yep. To explain my setup: I have a local PC hosting some HTML files using apache2 for windows (I've also tried using python -m SimpleHTTPServer in Cygwin, same error). The local HTML files are making an AJAX request to the remote server "phantas.ml" running apache2 with mod_wsgi installed and pointing to the python script specified above.

I intend to have the HTML files hosted on the server as well, but was trying to set up a local test environment to design the pages.

Note: If you want to test using my server, I've changed the location from ://phantas.ml/recruitment/cms to //phantas.ml/gpol/cms.

Taiiwo commented 8 years ago

UPDATE: I only get the error when using mod_wsgi. It works fine if I run python FlaskScript.py. Could it be my apache/mod_wsgi implementation?

corydolphin commented 8 years ago

Hmm. It sounds like something else is at play here. My hypothesis is that your Apache config is injecting the Access-Control-Allow-Origin: "*" header, which is corrupting things.

Can you confirm the headers you receive when not using Flask-Cors?

On Mon, Jan 25, 2016 at 8:18 AM Taiiwo notifications@github.com wrote:

> UPDATE: I only get the error when using mod_wsgi. It works fine if I run python FlaskScript.py. Could it be my apache/mod_wsgi implementation?
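The maintainer's hypothesis above (a second `Access-Control-Allow-Origin: *` header added by the web server, folded by the browser into `http://localhost:8080, *`) can be reproduced in-process without Flask, Apache or a browser. The following is an added example, not Flask-Cors code and not the issue author's deployment: a minimal WSGI app reflects the request `Origin` back as `Access-Control-Allow-Origin` (the behaviour the maintainer describes for Flask-Cors when `*` is among the allowed origins), and a middleware stands in for the assumed Apache rule that appends `Access-Control-Allow-Origin: *` to every response. The client side folds repeated headers into one comma-separated value the way a browser does, then applies the CORS match rule (the value must be exactly `*` or exactly the requesting origin). All names, the `/login` path and the `http://localhost:8080` origin are constructed to mirror the thread.

```python
"""Reproduce the 'http://localhost:8080, *' symptom in-process.

Added example for this thread, not Flask-Cors code and not the issue author's
deployment.  cors_echo_app stands in for a '*'-configured Flask-Cors;
add_wildcard_header stands in for the hypothesised Apache header rule.
"""

from typing import Callable, Iterable, List, Optional, Tuple

Headers = List[Tuple[str, str]]
WsgiApp = Callable[..., Iterable[bytes]]
ACAO = "Access-Control-Allow-Origin"


def cors_echo_app(environ, start_response):
    """Application layer: echo the request Origin back as a single ACAO header."""
    headers = [("Content-Type", "text/plain")]
    origin = environ.get("HTTP_ORIGIN")
    if origin:
        headers.append((ACAO, origin))
    start_response("200 OK", headers)
    return [b"ok"]


def add_wildcard_header(app: WsgiApp) -> WsgiApp:
    """Middleware modelling an assumed web-server rule that appends
    'Access-Control-Allow-Origin: *' to every response, regardless of what
    the application already set."""
    def wrapped(environ, start_response):
        def patched(status, headers, exc_info=None):
            return start_response(status, list(headers) + [(ACAO, "*")], exc_info)
        return app(environ, patched)
    return wrapped


def call_wsgi(app: WsgiApp, origin: str, path: str = "/login") -> Headers:
    """Drive a WSGI app without a server and capture its raw response header list."""
    captured: Headers = []

    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_ORIGIN": origin}
    body = app(environ, start_response)
    if hasattr(body, "close"):
        body.close()
    return captured


def fold_header(headers: Headers, name: str) -> Optional[str]:
    """Join repeated fields of one header with ', ' (RFC 7230 section 3.2.2);
    this is the form that appears in the Firefox error message."""
    values = [v for k, v in headers if k.lower() == name.lower()]
    return ", ".join(values) if values else None


def cors_allows(origin: str, acao: Optional[str]) -> bool:
    """Browser-side rule: the folded ACAO value must be exactly '*' or exactly the Origin."""
    return acao is not None and (acao == "*" or acao == origin)


def diagnose(app: WsgiApp, origin: str) -> Tuple[Optional[str], bool]:
    """Return (folded ACAO value as the browser sees it, whether CORS would pass)."""
    acao = fold_header(call_wsgi(app, origin), ACAO)
    return acao, cors_allows(origin, acao)


if __name__ == "__main__":
    origin = "http://localhost:8080"  # constructed, mirrors the thread
    print("app only      :", diagnose(cors_echo_app, origin))
    print("app + injector:", diagnose(add_wildcard_header(cors_echo_app), origin))
```

With the application alone the folded value is `http://localhost:8080` and the check passes; with the injecting layer in front it becomes `http://localhost:8080, *`, which is neither `*` nor the origin, so the browser rejects it with exactly the mismatch the issue reports. The same reasoning gives the check the maintainer asks for against a live deployment: capture the response headers with Flask-Cors removed, and if `Access-Control-Allow-Origin: *` is still present, the server layer in front of the application is the source and the duplicate should be removed there rather than worked around in the application.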