corydolphin / flask-cors

Cross Origin Resource Sharing ( CORS ) support for Flask
https://flask-cors.readthedocs.io/en/latest/index.html
MIT License
879 stars 139 forks

Wildcard origin sent despite supports_credentials=True #202

Closed gsakkis closed 7 years ago

gsakkis commented 7 years ago

CORS(app, supports_credentials=True) causes the server to return Access-Control-Allow-Credentials: true and Access-Control-Allow-Origin: *, which afaict is invalid. The cause is the always_send=True default option; making it False doesn't trigger the bug.

Probable fix:

diff --git a/flask_cors/core.py b/flask_cors/core.py
index 0ef2b1e..f30fd33 100644
--- a/flask_cors/core.py
+++ b/flask_cors/core.py
@@ -134,15 +134,15 @@ def get_cors_origins(options, request_origin):
     elif options.get('always_send'):
         if wildcard:
             # If wildcard is in the origins, even if 'send_wildcard' is False,
             # simply send the wildcard. It is the most-likely to be correct
             # thing to do (the only other option is to return nothing, which)
             # pretty is probably not whawt you want if you specify origins as
             # '*'
-            return ['*']
+            return ['*'] if not options['supports_credentials'] else None
         else:
             # Return all origins that are not regexes.
             return sorted([o for o in origins if not probably_regex(o)])

     # Terminate these steps, return the original request untouched.
     else:
         LOG.debug("The request did not contain an 'Origin' header. This means the browser or client did not request CORS, ensure the Origin Header is set.")
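Review bot: the added line returns None where the sibling else branch returns a list (sorted([...]) of the non-regex origins), so get_cors_origins() now has two result types in the always_send path; unless every caller already treats None as "no origins", return [] instead, which also reads as "send nothing" without a special case. On the same line, options['supports_credentials'] is indexed directly while the enclosing elif uses options.get('always_send'), so a missing key would raise KeyError; prefer options.get('supports_credentials'). The comment block directly above is now stale: it still says the wildcard is "simply" sent and calls returning nothing the alternative, whereas with credentials enabled returning nothing is the chosen behaviour; rewrite it to state that '*' is suppressed when credentials are enabled because the pair Access-Control-Allow-Origin: * plus Access-Control-Allow-Credentials: true is rejected, and fix "whawt" and the misplaced closing parenthesis in "which) pretty is" while there.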
ganeshparsads commented 7 years ago

@gsakkis, There is no way to set origins to * and supports_credentials to true. So, to handle this condition we need the code to be like this. Let me know if I understood the problem the wrong way. If this is correct, the docs need to be updated.

gsakkis commented 7 years ago

@ganeshparsads what do you mean there is no way? I just gave an example that demonstrates the issue (actually a bug) along with a fix.

corydolphin commented 7 years ago

I think you are both right. It is currently possible for Flask-CORS to return these headers in this situation, as @gsakkis has shown.

@ganeshparsads you are correct in that it is not valid for browsers to receive these headers.

I will create an update per @gsakkis's diff to fix this issue.
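The rule the thread settles on, as an added Python example (not flask-cors code, and not the project's API): a response may carry Access-Control-Allow-Origin: * or Access-Control-Allow-Credentials: true, but never both, because the Fetch CORS check rejects the wildcard whenever credentials are included. The function names and the origin-resolution policy below are this example's own, loosely modelled on the get_cors_origins() branch in the diff; the browser-side check is a simplified version of the Fetch "CORS check". Origins such as https://app.example are constructed test data.

```python
"""Resolve the Access-Control-Allow-Origin value a server should send, then
check the result the way a browser would.  Added example; names and policy
are assumptions for illustration, not flask-cors code."""
from typing import Dict, Optional, Sequence, Tuple


def resolve_allow_origin(origins: Sequence[str], request_origin: Optional[str],
                         supports_credentials: bool, always_send: bool = True) -> Optional[str]:
    """Return the Access-Control-Allow-Origin value, or None for "send no CORS headers".

    Policy assumed for this example:
      * Origin header present, '*' configured: echo the request origin when
        credentials are enabled (a literal '*' would be rejected), else send '*'.
      * Origin header present, explicit list: echo it only on an exact match.
      * No Origin header (the always_send path from the issue): a configured
        '*' is sent only when credentials are off; with credentials there is
        no safe single value, so nothing is sent.  That is the fix in the diff.
    """
    wildcard = "*" in origins
    if request_origin is not None:
        if wildcard:
            return request_origin if supports_credentials else "*"
        return request_origin if request_origin in origins else None
    if not always_send:
        return None
    if wildcard:
        # The reported bug was returning '*' here regardless of credentials.
        return None if supports_credentials else "*"
    # Explicit list, no Origin header: advertise the configured origins, as the
    # diff's else branch does.  Only non-browser clients ever see this value.
    return ", ".join(sorted(origins))


def cors_headers(origins: Sequence[str], request_origin: Optional[str],
                 supports_credentials: bool, always_send: bool = True) -> Dict[str, str]:
    """Build the CORS response headers; empty dict means no CORS headers at all."""
    allow_origin = resolve_allow_origin(origins, request_origin, supports_credentials, always_send)
    headers: Dict[str, str] = {}
    if allow_origin is None:
        return headers
    headers["Access-Control-Allow-Origin"] = allow_origin
    if supports_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if allow_origin != "*":
        # The response now depends on the request Origin; tell caches so.
        headers["Vary"] = "Origin"
    return headers


def browser_accepts(headers: Dict[str, str], request_origin: str,
                    with_credentials: bool) -> Tuple[bool, str]:
    """Simplified Fetch CORS check on a response as the browser would apply it.

    Allow-Origin must be '*' or byte-equal to the request origin.  When the
    request includes credentials, '*' is rejected even though it matches
    everything, and Allow-Credentials must be exactly the string 'true'.
    """
    allow_origin = headers.get("Access-Control-Allow-Origin")
    if allow_origin is None:
        return False, "no Access-Control-Allow-Origin header"
    if allow_origin == "*":
        if with_credentials:
            return False, "'*' is not allowed when credentials are included"
        return True, "ok: wildcard without credentials"
    if allow_origin != request_origin:
        return False, f"origin mismatch: {allow_origin!r} != {request_origin!r}"
    if with_credentials and headers.get("Access-Control-Allow-Credentials") != "true":
        return False, "credentials included but Allow-Credentials is not exactly 'true'"
    return True, "ok"


if __name__ == "__main__":
    # The configuration from the issue: default origins '*', supports_credentials=True.
    buggy = {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true"}
    print("buggy response:", browser_accepts(buggy, "https://app.example", with_credentials=True))
    fixed = cors_headers(["*"], "https://app.example", supports_credentials=True)
    print("fixed response:", fixed, browser_accepts(fixed, "https://app.example", with_credentials=True))
    print("no Origin header, credentials on:", cors_headers(["*"], None, supports_credentials=True))
```

Echoing the request Origin is what makes a wildcard configuration usable with credentials, which is why the Vary: Origin header matters: without it a shared cache can serve one origin's Allow-Origin value to another.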

corydolphin commented 7 years ago

This should be fixed. @gsakkis thank you very much for the bug report (and fix :D)