HHK1
commented
4 years ago Actually this has been implemented in #268 ! Would love to have this merged @corydolphin 🙏
Open HHK1 opened 4 years ago
HHK1
commented
4 years ago Actually this has been implemented in #268 ! Would love to have this merged @corydolphin 🙏
Current behaviour
Right now, the origins that are allowed are passed during the wrapping of the app. They are static and cannot be injected dynamically.
Desired behaviour
My use case is the following: I'm exchanging an http-only session cookie against a JWT on a centralized auth server. The front client is a SPA hosted on a lot of different domains. I need to set allow-credentials to True, and need an actual whitelist. I can't inject the full list of domains during the app creation: it's too large, and I want to be able to add some in a database without having to reload the flask app.
I'd like to have a hook where I have access to the request headers, and return what should be injected in the Allow-Origin response header. That way I can compare the origin against my dynamic whitelist, and return the origin only if it's a match.