corydolphin / flask-cors

Cross Origin Resource Sharing (CORS) support for Flask
https://flask-cors.corydolphin.com/
MIT License

decorator `allow_headers` kwarg doesn't seem to have effect (`is not allowed by Access-Control-Allow-Headers` error) #279

Closed jshhrrsn closed 3 years ago

jshhrrsn commented 3 years ago

I'm using the decorator to set the CORS headers, and I keep getting back an error:

```
... has been blocked by CORS policy: Request header field x-requested-with is not allowed by Access-Control-Allow-Headers in preflight response.
```

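```python
from flask import Blueprint
from flask_cors import cross_origin

# The blueprint definition was not shown in the post; this name is assumed.
my_blueprint = Blueprint("my_blueprint", __name__)

# Options passed to flask-cors' cross_origin decorator.
CORS_HEADERS = dict(
    supports_credentials=True,
    always_send=True,
    automatic_options=True,
    vary_header=True,
    allow_headers=["Content-Type", "X-Requested-With", "x-requested-with"],
    origins=[
        'x.y.z.com'
    ])


@my_blueprint.route('/some_route', methods=["POST", "PUT"])
@cross_origin(**CORS_HEADERS)
def some_route():
    ...
```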

Here are the headers (note the absence of x-requested-with):

image

Please can you advise if I'm missing something in my setup or if this is an issue?

Many thanks!

jshhrrsn commented 3 years ago

I added a set_trace to core.get_cors_options locally to inspect the serialized options and that does include the correct allow_headers:

```
{'origins': 'x.y.z.com', 'allow_headers': ['Content-Type', 'X-Requested-With', 'x-requested-with']...}
```

Not sure what I'm missing here - any help greatly appreciated!

doandzhiFt commented 3 years ago

Hello, I have the same problem. I would really appreciate some help.

jshhrrsn commented 3 years ago

@doandzhiFt It was a while ago that we had this issue, but I think, in the end, it wasn't an issue with the library but rather that our CloudFormation wasn't configured with the matching specification. I.e. the app was set up to accept those headers but the server running the application hadn't been configured to do so.
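An added example, not part of the thread or of flask-cors: a standard-library check that applies the browser's preflight rules to a captured OPTIONS exchange, so the response seen at the public URL can be compared with the one the app returns directly and the layer dropping `Access-Control-Allow-Headers` identified. The function name `preflight_problems` and all header values below are constructed for illustration; only response headers are checked, not the status code.

```python
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}

def _tokens(value, fold=str.lower):
    """Split a comma-separated header value into a set of tokens."""
    return {fold(t.strip()) for t in (value or "").split(",") if t.strip()}

def preflight_problems(request, response, credentials=True):
    """Return the reasons a browser would reject this preflight response."""
    req = {k.lower(): v for k, v in request.items()}
    res = {k.lower(): v for k, v in response.items()}
    problems = []
    allow_origin = res.get("access-control-allow-origin")
    if allow_origin != req.get("origin", "") and (credentials or allow_origin != "*"):
        problems.append("origin not allowed by Access-Control-Allow-Origin")
    if credentials and res.get("access-control-allow-credentials") != "true":
        problems.append("Access-Control-Allow-Credentials is not 'true'")
    wildcard_ok = not credentials  # "*" is literal when credentials are sent
    method = req.get("access-control-request-method", "")
    methods = _tokens(res.get("access-control-allow-methods"), fold=str)
    if (method not in SAFELISTED_METHODS and method not in methods
            and not (wildcard_ok and "*" in methods)):
        problems.append(f"method {method} not allowed by Access-Control-Allow-Methods")
    allowed = _tokens(res.get("access-control-allow-headers"))
    for name in sorted(_tokens(req.get("access-control-request-headers"))):
        # The wildcard never covers Authorization; it must be listed by name.
        star = wildcard_ok and "*" in allowed and name != "authorization"
        if name not in allowed and not star:
            problems.append(f"header {name} not allowed by Access-Control-Allow-Headers")
    return problems

# Constructed sample: the preflight a browser sends for the request in this issue.
PREFLIGHT = {
    "Origin": "https://x.y.z.com",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "content-type,x-requested-with",
}
# Constructed responses: one listing both headers, one as seen behind the
# fronting infrastructure, where X-Requested-With is missing.
FROM_APP = {
    "Access-Control-Allow-Origin": "https://x.y.z.com",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "Content-Type, X-Requested-With",
    "Access-Control-Allow-Methods": "POST, PUT",
}
FROM_EDGE = {**FROM_APP, "Access-Control-Allow-Headers": "Content-Type"}

if __name__ == "__main__":
    for label, resp in (("app", FROM_APP), ("edge", FROM_EDGE)):
        print(label, preflight_problems(PREFLIGHT, resp) or "preflight passes")
```

If the direct response passes and the public one does not, the CORS configuration to fix is in the layer in front of the application.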