Closed gsakkis closed 7 years ago
@gsakkis,
There is no way to set `origins` to `*` and `supports_credentials` to `true`.
So, to handle this condition we need the code to be like this. Let me know if I understood the problem the wrong way. If this is correct, the docs need to be updated.
@ganeshparsads what do you mean there is no way? I just gave an example that demonstrates the issue (actually bug) along with a fix.
I think you are both right. It is currently possible for Flask-CORS to return these headers in the situation, as @gsakkis has shown.
@ganeshparsads you are correct in that it is not valid for browsers to receive these headers.
I will create an update per @gsakkis's diff to fix this issue.
This should be fixed. @gsakkis thank you very much for the bug report (and fix :D)
`CORS(app, supports_credentials=True)` causes the server to return `Access-Control-Allow-Credentials: true` and `Access-Control-Allow-Origin: *`, which afaict is invalid. The cause is the `always_send=True` default option; making it `False` doesn't trigger the bug.

Probable fix:
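
Added example, not the reporter's diff and not Flask-CORS's own code: a simplified model of the header decision described in this thread, plus a check that flags the wildcard-with-credentials pair in any response. The function names, the `guard` switch and the echo-the-origin behaviour are assumptions made for illustration.

```python
ACAO = "Access-Control-Allow-Origin"
ACAC = "Access-Control-Allow-Credentials"


def cors_headers(request_origin, origins, supports_credentials,
                 always_send=True, guard=True):
    """Simplified model of the header decision (assumption, not library source).

    origins is a list of allowed origins, possibly containing "*".
    guard=False reproduces the behaviour reported in this issue;
    guard=True never pairs the wildcard with credentials.
    """
    wildcard = "*" in origins
    if request_origin is not None:
        # Assumption: a configured wildcard is answered by echoing the origin.
        allowed = wildcard or request_origin in origins
        allow = request_origin if allowed else None
    elif always_send:
        # Request without an Origin header: the path always_send=True opens.
        allow = "*" if wildcard else None
        if guard and wildcard and supports_credentials:
            allow = None  # withhold the headers instead of sending the pair
    else:
        allow = None
    if allow is None:
        return {}
    headers = {ACAO: allow}
    if supports_credentials:
        headers[ACAC] = "true"
    return headers


def is_invalid_pair(headers):
    """True when a response carries the wildcard origin with credentials."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return (lowered.get(ACAO.lower()) == "*"
            and lowered.get(ACAC.lower(), "").lower() == "true")


if __name__ == "__main__":
    # Constructed inputs: a request with no Origin header, wildcard config.
    for guard in (False, True):
        h = cors_headers(None, ["*"], True, always_send=True, guard=guard)
        print("guard=%s headers=%s invalid=%s" % (guard, h, is_invalid_pair(h)))
```

`is_invalid_pair` can be pointed at the headers of a real response in a test suite to catch the regression regardless of how the headers were produced.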