corydolphin / flask-cors

Cross Origin Resource Sharing ( CORS ) support for Flask
https://flask-cors.readthedocs.io/en/latest/index.html
MIT License
889 stars 140 forks

Why is "allow_headers" now a case-sensitive match? #187

Closed satterly closed 8 years ago

satterly commented 8 years ago

With version 3.x the list of headers returned by Access-Control-Allow-Headers is now a case-sensitive match against the list of headers defined in the CORS_ALLOW_HEADERS setting.

For example, with version 2.1.3 if the setting for "allow_headers" was ...

CORS_ALLOW_HEADERS = ['Content-Type', 'Authorization']

... then the following works ...

$ http OPTIONS :5000 Origin:http://localhost:5001 Access-Control-Request-Headers:'authorization, Content-type' Access-Control-Request-Method:GET
OPTIONS / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Access-Control-Request-Headers: authorization, Content-type
Access-Control-Request-Method: GET
Connection: keep-alive
Content-Length: 0
Host: localhost:5000
Origin: http://localhost:5001
User-Agent: HTTPie/0.9.3

HTTP/1.0 200 OK
Access-Control-Allow-Headers: Content-type, authorization
Access-Control-Allow-Methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT
Access-Control-Allow-Origin: http://localhost:5001
Allow: HEAD, GET, POST, OPTIONS
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Tue, 06 Sep 2016 13:36:22 GMT
Server: Werkzeug/0.11.11 Python/2.7.9

However, with version 3.x it does not return the Access-Control-Allow-Headers header because there was no case-sensitive match.

$ http OPTIONS :5000 Origin:http://localhost:5001 Access-Control-Request-Headers:'authorization, Content-type' Access-Control-Request-Method:GET
OPTIONS / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Access-Control-Request-Headers: authorization, Content-type
Access-Control-Request-Method: GET
Connection: keep-alive
Content-Length: 0
Host: localhost:5000
Origin: http://localhost:5001
User-Agent: HTTPie/0.9.3

HTTP/1.0 200 OK
Access-Control-Allow-Methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT
Access-Control-Allow-Origin: http://localhost:5001
Allow: HEAD, GET, POST, OPTIONS
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Tue, 06 Sep 2016 13:39:34 GMT
Server: Werkzeug/0.11.11 Python/2.7.9

This breaks CORS on most browsers including Chrome and Firefox. However, not on IE apparently.
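The header matching described in the report, as an added example that is not flask-cors's own code: it models the preflight check with a case-sensitive comparison (the 3.x behaviour reported above) beside the case-insensitive one, using the CORS_ALLOW_HEADERS value and the HTTPie request from the report; the helper names and the simplified browser-side check are assumptions for illustration.

```python
# Added example (not flask-cors's own code): reproduces the matching the issue
# describes so the two behaviours can be compared without running a server.
from typing import Optional, Sequence

# Configuration value taken from the issue text.
CORS_ALLOW_HEADERS = ["Content-Type", "Authorization"]


def parse_header_list(value: str) -> list:
    """Split an Access-Control-Request-Headers value into individual names."""
    return [h.strip() for h in value.split(",") if h.strip()]


def allow_headers_value(requested: str,
                        allowed: Sequence[str],
                        case_sensitive: bool = False) -> Optional[str]:
    """Compute the Access-Control-Allow-Headers value for a preflight.

    Each requested header is echoed back only if it is in the allowed list.
    HTTP header names are case-insensitive (RFC 7230, section 3.2), so the
    comparison must fold case; case_sensitive=True reproduces the regression
    reported for 3.x. Returns None when nothing matches, which means the
    response header is omitted, as in the second HTTPie transcript above.
    """
    names = parse_header_list(requested)
    if case_sensitive:
        matched = [h for h in names if h in set(allowed)]
    else:
        folded = {h.lower() for h in allowed}
        matched = [h for h in names if h.lower() in folded]
    return ", ".join(sorted(matched)) if matched else None


def preflight_passes(requested: str, allow_headers: Optional[str]) -> bool:
    """Simplified browser-side check: every requested header name must be
    listed in Access-Control-Allow-Headers (compared case-insensitively)."""
    wanted = parse_header_list(requested)
    if allow_headers is None:
        return not wanted
    granted = {h.lower() for h in parse_header_list(allow_headers)}
    return all(h.lower() in granted for h in wanted)


if __name__ == "__main__":
    req = "authorization, Content-type"  # constructed from the HTTPie request
    for sensitive in (True, False):
        value = allow_headers_value(req, CORS_ALLOW_HEADERS, sensitive)
        print(f"case_sensitive={sensitive}: {value!r}, "
              f"preflight ok={preflight_passes(req, value)}")
```

The case-insensitive branch yields exactly the "Content-type, authorization" value shown in the 2.1.3 transcript, while the case-sensitive branch yields no header at all and the browser-side check fails.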

corydolphin commented 8 years ago

Headers should be case-insensitive; this is a bad bug. Good catch. I will fix this tonight.

satterly commented 8 years ago

Thanks for the quick fix. I can confirm this works for me.

corydolphin commented 8 years ago

@satterly glad to hear it!

Thanks a lot for taking the time to make such a detailed report, it made it much easier to fix :-)

Let me know if you have any other feedback around this package :-)

satterly commented 8 years ago

You're welcome. I know what it's like trying to bugfix based on other people's GitHub issues.

As for feedback, some more debug logging would have helped me with this. But now that it's fixed I'm not sure it's worth spending much more time on.