search

corydolphin / flask-cors

Cross Origin Resource Sharing ( CORS ) support for Flask
https://flask-cors.corydolphin.com/
MIT License
877 stars 137 forks source link

Only CORS on OPTIONS? #247

Open mbrucher opened 5 years ago

mbrucher commented 5 years ago

I'm trying to fix a problem with CORS on my web app. I have the following CORS call:

CORS(app, resources=[r'/api/*', r'/auth/*'], origins=[r'^https://.*xxxx\.org$'], supports_credentials=True, vary_header=True)

I see the OPTIONS call in Chrome's debug as expected:

access-control-allow-credentials: true
access-control-allow-headers: content-type
access-control-allow-methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT
access-control-allow-origin: https://xxxx.xxxx.org
allow: POST, OPTIONS

But then the POST call fails and I don't see the call on the backend:

'Access to XMLHttpRequest at 'https://api.xxxx.xxxx.org/search' from origin 'https://xxxx.xxxx.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.'

Is there something I missed that I should check? The headers are lower case, maybe that's the problem?

mbrucher commented 5 years ago

I thought it was a JWT issue as well, as it happens only on flask-JWT-extended protected entry points, but it looks like if I remove the protection and put it in the code (so instead of being JWT->CORS->code, it's CORS->code->JWT), I still hav the same problems and no calls to the API.

corydolphin commented 5 years ago

Hey @mbrucher sorry for the delay.

If you enable debug logging, there should be more verbose information on the Python side about what is happening, and why. Offhand, that configuration looks good to me.

Set logging.getLogger('flask_cors').level = logging.DEBUG to enable verbose logging.

Cheers, Cory