corydolphin / flask-cors

Cross Origin Resource Sharing ( CORS ) support for Flask
https://flask-cors.readthedocs.io/en/latest/index.html
MIT License
889 stars 140 forks

Certain error codes not having all header information #192

Closed suederade closed 7 years ago

suederade commented 7 years ago

The error responses that are being received on the front end are missing Access-Control-Allow-Credentials header on 400, 401, and 403.

The status codes also come back as 0 in the XHR response.

corydolphin commented 7 years ago

Hey Steven, where are the errors being generated in the case of 400?

If you are using the app extension (vs. the decorator), it should automatically wrap exceptions, unless you are in development mode (due to a Flask peculiarity).

suederade commented 7 years ago

This is how it's set up and we are not developing in debug or in development mode:

from flask import Blueprint
from flask_cors import CORS

api = Blueprint('api_v1', __name__)
CORS(api, supports_credentials=True)

This is how we are generating them:

raise RequestException("Message", status_code=4xx)

from flask import jsonify

class RequestException(Exception):
    # Class-level default so the handler below can always read
    # error.status_code, even when the constructor is given none.
    status_code = 400

    def __init__(self, message, status_code=None, payload=None):
        Exception.__init__(self)
        self.message = message
        if status_code is not None:
            self.status_code = status_code
        self.payload = payload

    def to_dict(self):
        # Extra payload fields plus the error message, as the JSON body
        rv = dict(self.payload or ())
        rv['errorMessage'] = self.message
        return rv

# app is the Flask application instance, created elsewhere
@app.errorhandler(RequestException)
def handle_request_error(error):
    response = jsonify(error.to_dict())
    response.status_code = error.status_code
    return response

corydolphin commented 7 years ago

Hmm. In your snippet, is the "@app.errorhandler" call referencing the Flask App instance, or the api blueprint instance? Flask-CORS is only attached to the blueprint you referenced, so it will not know about the app instance.

suederade commented 7 years ago

We also have the entire app wrapped: CORS(app).

LrsK commented 7 years ago

I have a related question. Is it possible to disable the CORS headers on 401, 404, etc. responses? I am thinking that in the case where an API is password protected, the system should leak as little as possible about the CORS details, e.g. the Access-Control-Allow-Origin header. This header could contain further endpoint information.

However, if the headers need to be there to adhere to the spec, then disregard this.

corydolphin commented 7 years ago

Good callout.

Cookies are not allowed to be submitted across origins by default by Flask-CORS, due to the security risk.

In other cases, browsers use pre-flight requests to ascertain CORS information. This information is not private, and should not be treated as such, since it may always be accessed outside of the browser.