corydolphin / flask-cors

Cross Origin Resource Sharing ( CORS ) support for Flask
https://flask-cors.readthedocs.io/en/latest/index.html
MIT License

Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight response. in Google-Chrome #199

Closed b3g00d closed 7 years ago

b3g00d commented 7 years ago

Hi, I'm using the latest version of flask-CORS. This is my example code:

endpoints = Blueprint('api', __name__)
api = Api(endpoints)
CORS(endpoints, resources='/login', allow_headers='*',
     origins='*', methods='*', expose_headers='Authorization')
api.add_resource(Login, '/login')

Of course I already read your latest docs and knew the allow_headers default is '*'. But when I send an OPTIONS request like this:

http OPTIONS :5000/login Access-Control-Request-Headers:Content-Type

HTTP/1.0 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Authorization
Allow: POST, OPTIONS
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Wed, 22 Mar 2017 10:14:56 GMT
Server: Werkzeug/0.12.1 Python/2.7.12

I don't have Access-Control-Allow-Headers in the response, and Google-Chrome returns an error: Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight response. I already changed it to a list and to a string, but it is not working at all. NOTE: I already read issue #145.

cuonglm commented 7 years ago

Remove methods='*' and it will work. You must read the document more carefully:

methods (list or string) –
The method or list of methods which the allowed origins are allowed to access for non-simple requests.

Default : [GET, HEAD, POST, OPTIONS, PUT, PATCH, DELETE]

corydolphin commented 7 years ago

Thanks @Gnouc!

Hmm, this seems like something we should make Flask-CORS catch. It would be great to validate the list of methods passed, and verify that they are valid.
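
The check suggested in the last comment, sketched as an added example that is not part of the thread and is not flask-cors code. `validate_cors_methods` and `preflight_allows` are hypothetical helpers; the allowlist is the documented default quoted above, and the literal-match model of the preflight is an assumption consistent with the fix reported in the thread.

```python
# Added example, not flask-cors code. validate_cors_methods and
# preflight_allows are hypothetical helpers written for illustration.

# Methods from the documented flask-cors default, quoted in the thread.
KNOWN_METHODS = frozenset(
    ["GET", "HEAD", "POST", "OPTIONS", "PUT", "PATCH", "DELETE"]
)


def validate_cors_methods(methods):
    """Normalize a string or list of methods; reject non-method values."""
    if isinstance(methods, str):
        # Accept "GET, POST" as well as a single method name.
        candidates = [m.strip() for m in methods.split(",")]
    else:
        candidates = [str(m).strip() for m in methods]

    normalized = []
    for method in candidates:
        upper = method.upper()
        if upper == "*":
            # The misconfiguration from this issue: a wildcard is not a method.
            raise ValueError(
                "'*' is not an HTTP method; list the methods explicitly "
                "or omit the argument to use the default"
            )
        if upper not in KNOWN_METHODS:
            raise ValueError("unknown HTTP method: %r" % method)
        if upper not in normalized:
            normalized.append(upper)
    if not normalized:
        raise ValueError("at least one method is required")
    return normalized


def preflight_allows(requested_method, allowed_methods):
    """Assumed model: the requested method must appear literally in the list."""
    return requested_method.upper() in [m.upper() for m in allowed_methods]
```

Calling `validate_cors_methods` on the value before passing it as `methods=` turns the silent missing-header symptom into an error at application start-up.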