corydolphin / flask-cors

Cross Origin Resource Sharing (CORS) support for Flask
https://flask-cors.corydolphin.com/
MIT License

Access-Control-Allow-Origin returns incorrect value #237

Closed Tonkonozhenko closed 5 years ago

Tonkonozhenko commented 5 years ago

Hi

We have a high-load service with like ~50rps on each container. In the app I have the following endpoint:

empty_response = Response(response=content, content_type=content_type, headers={
        'Cache-Control': 'no-cache, no-store, must-revalidate',
        'Pragma': 'no-cache',
        'Expires': '0',
    })

@app.route("/hello", strict_slashes=False, methods=['GET', 'POST'])
@cross_origin()
def hello():
    ...
    return empty_response

I run the app in env with GUNICORN_CMD_ARGS="-b 0.0.0.0:80 --workers 2 --threads 10".

It looks like the result of Access-Control-Allow-Origin is incorrect and it relates to the previous or other concurrent request.

While writing the issue I realized that probably it's because of building Response outside of the action. WDYT about this?

Thanks, Alex

corydolphin commented 5 years ago

Ahh, yes. You are entirely correct. We depend on mutating the response object to know whether or not CORS has been evaluated to ensure the decorator and the app-level middleware do not "fight". There may be a better way to handle this, but currently that is what we do, sadly.

Similarly, we mutate the headers dictionary, so reuse at that layer would cause problems as well. We could defensively copy, but that doesn't seem like a common pattern in Python.
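
The failure mode discussed in this thread, as an added stdlib-only model (not flask-cors source and not code from either commenter): a response built once at module level keeps the `Access-Control-Allow-Origin` value from the first request, while a response built inside the view gets the right value each time. The `Response` stand-in, the `cors_evaluated` marker name, the reflect-the-Origin behaviour and the sample origins are assumptions made for the illustration.

```python
# Simplified model of the behaviour described in this thread (not flask-cors source).
ACAO = "Access-Control-Allow-Origin"
NO_CACHE = {"Cache-Control": "no-cache, no-store, must-revalidate",
            "Pragma": "no-cache", "Expires": "0"}


class Response:
    """Minimal stand-in for a framework response with mutable headers."""
    def __init__(self, body="", headers=None):
        self.body = body
        self.headers = dict(headers or {})  # defensive copy of the caller's dict


def cross_origin(view):
    """Model decorator: reflect the request's Origin, once per response object."""
    def wrapper(origin):
        resp = view()
        # Hypothetical marker attribute: lets a second CORS layer skip a
        # response that has already been processed.
        if getattr(resp, "cors_evaluated", False):
            return resp
        resp.headers[ACAO] = origin
        resp.cors_evaluated = True
        return resp
    return wrapper


shared_response = Response(headers=NO_CACHE)  # built once, at import time


@cross_origin
def hello_shared():
    return shared_response  # same object for every request and thread


@cross_origin
def hello_fresh():
    return Response(headers=NO_CACHE)  # new object per request


def served_origins(view, origins):
    """Return the Access-Control-Allow-Origin value each request received."""
    return [view(origin).headers[ACAO] for origin in origins]


if __name__ == "__main__":
    # Constructed sample origins.
    origins = ["https://a.example", "https://b.example"]
    print("shared:", served_origins(hello_shared, origins))
    print("fresh: ", served_origins(hello_fresh, origins))
```

With several threads per worker, the stale value on the shared object can come from any earlier or concurrent request, which matches the symptom reported above.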