search

corydolphin / flask-cors

Cross Origin Resource Sharing ( CORS ) support for Flask
https://flask-cors.readthedocs.io/en/latest/index.html
MIT License
884 stars 139 forks source link

Configuring a flask application more than once should overwrite previous configuration #301

Open bernd-stahl opened 2 years ago

bernd-stahl commented 2 years ago

When (by mistake), CORS for a flask application is configured more than once, like so:

from connexion import FlaskApp
from flask_cors import CORS
application = FlaskApp(import_name, specification_dir=specification_dir)
CORS(application.app, origins='*')
CORS(application.app, origins=r'https://.*\.mydomain.com')

this results in multiple cors_after_request functions added to the flask application, which are all called sequentially for each request.

So effectively, the most permissive options for any matched resource are applied:

2021-12-10 09:48:27,042 MainThread no-request [DEBUG] flask_cors.extension.extension.init_app: Configuring CORS with resources: {'/*': {'origins': ['.*'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}}
2021-12-10 09:48:27,042 MainThread no-request [DEBUG] flask_cors.extension.extension.init_app: Configuring CORS with resources: {'/*': {'origins': ['https://.*\\.mydomain.com'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}}
...
2021-12-10 09:48:35,335 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.extension.extension.cors_after_request: Request to '/my-service/api/ui/' matches CORS resource '/*'. Using options: {'origins': ['https://.*\\.mydomain.com'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}
2021-12-10 09:48:35,335 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.core.core.set_cors_headers: Settings CORS headers: MultiDict([])
2021-12-10 09:48:35,335 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.extension.extension.cors_after_request: Request to '/my-service/api/ui/' matches CORS resource '/*'. Using options: {'origins': ['.*'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}
2021-12-10 09:48:35,336 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.core.core.set_cors_headers: Settings CORS headers: MultiDict([('Access-Control-Allow-Origin', '*')])

This behavior is quite surprising and most probably not what is intended.

I would say that, according to the principle of least surprise, configuring CORS more than once for the same application should either (preferably) overwrite the previous configuration, or alternatively raise an error.