This behavior is quite surprising and most probably not what is intended.
I would say that, according to the principle of least surprise, configuring CORS more than once for the same application should either (preferably) overwrite the previous configuration, or alternatively raise an error.
When (by mistake), CORS for a flask application is configured more than once, like so:
this results in multiple
cors_after_request
functions added to the flask application, which are all called sequentially for each request.So effectively, the most permissive options for any matched resource are applied:
This behavior is quite surprising and most probably not what is intended.
I would say that, according to the principle of least surprise, configuring CORS more than once for the same application should either (preferably) overwrite the previous configuration, or alternatively raise an error.