Open lavenderses opened 1 year ago
@corydolphin Here are some examples!
```python
from flask import Flask, jsonify
from flask_cors import CORS

app = Flask('FlaskCorsAppBasedExample')
CORS(app, origins=['https://valid.com'])


@app.route("/api/v1/users/")
def list_users():
    return jsonify(user="joe")


if __name__ == "__main__":
    app.run()
```
```console
# Returns 'Access-Control-Allow-Origin' header
$ curl -v -H 'Origin: https://valid.com' http://localhost:5000/api/v1/users/
> GET /api/v1/users/ HTTP/1.1
> Host: localhost:5000
> Origin: https://valid.com
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< Access-Control-Allow-Origin: https://valid.com
<
{
  "user": "joe"
}

# DOES NOT return 'Access-Control-Allow-Origin' header
$ curl -v -H 'Origin: https://INVALID.com' http://localhost:5000/api/v1/users/
> GET /api/v1/users/ HTTP/1.1
> Host: localhost:5000
> Origin: https://INVALID.com
< HTTP/1.1 200 OK
< Content-Type: application/json
<
{
  "user": "joe"
}
```
```python
from flask import Flask, jsonify
from flask_cors import CORS

app = Flask('FlaskCorsAppBasedExample')
# Add 'invalid_cors_status_code' argument
CORS(app, origins=['https://valid.com'], invalid_cors_status_code=403)


@app.route("/api/v1/users/")
def list_users():
    return jsonify(user="joe")


if __name__ == "__main__":
    app.run()
```
```console
# Returns 'Access-Control-Allow-Origin' header
$ curl -v -H 'Origin: https://valid.com' http://localhost:5000/api/v1/users/
> GET /api/v1/users/ HTTP/1.1
> Host: localhost:5000
> Origin: https://valid.com
< HTTP/1.1 200 OK
< Content-Type: application/json
< Access-Control-Allow-Origin: https://valid.com
{
  "user": "joe"
}

# RETURNS 403(FORBIDDEN) and empty content
$ curl -v -H 'Origin: https://INVALID.com' http://localhost:5000/api/v1/users/
> GET /api/v1/users/ HTTP/1.1
> Host: localhost:5000
> Origin: https://INVALID.com
< HTTP/1.1 403 FORBIDDEN
< Content-Type: application/json
```
Configurable CORS response code when CORS request is invalid
Thank you for taking a look at this PR!
In summary

| `invalid_cors_status_code` | Response when `Access-Control-Allow-Origin` is not in response header |
| --- | --- |
| (default) | 200, same as current behaviour |

The default behaviour is SAME as current behaviour.
Details

Background

According to the CORS document from WHATWG, the CORS protocol can take any response code to a CORS request as long as the response header contains CORS headers like `Access-Control-Allow-Origin`. It does not specify the response code and response body. But there might be some wishes like 'Not to return a response to an invalid CORS request' for security. From the WHATWG doc,

So I implemented the feature.
Feature

Add an `invalid_cors_status_code` argument for CORS configuration to `flask_cors.CORS` and `flask_cors.cross_origin`.

Note: Now, Flask-Cors responds to the CORS request with status 200 and a response body. To maintain backward compatibility, the argument default value is 200, and it does not change the response body when `invalid_cors_status_code` is not passed or 200 is passed.

Personally, the response code to an invalid CORS request should be 403 like Spring Security, or 401 if it should be authenticated. At least a Client Error Response Code from the Mozilla HTTP response code doc should be returned, which is from 400 to 499. So, by setting the variables `INVALID_CORS_STATUS_MIN = 400` and `INVALID_CORS_STATUS_MAX = 499` in `flask_cors/core.py`, this feature filters `invalid_cors_status_code`. If another value like 302 is set to `invalid_cors_status_code`, this sets the response status to 200 (set in `INVALID_CORS_DEFAULT_STATUS`) and the response body to `''` (set in `INVALID_CORS_RESPONSE_DATA`).

Checked with `nosetests --with-coverage --cover-package=flask_cors`.

Thank you so much!
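The status-code handling described in this PR, modelled in plain Python as an added example (not flask-cors' own code): the `INVALID_CORS_*` names come from the PR text, while `Response`, `effective_invalid_status` and `cors_response` are constructed here to show how the 400-499 filter, the 200 fallback and the exact-match origin check interact.

```python
"""Illustrative model of the invalid-CORS response behaviour described in
the PR. Not flask-cors' implementation; the helpers are constructed here."""
from typing import Dict, Iterable, NamedTuple

# Constants named in the PR description (values as stated there).
INVALID_CORS_STATUS_MIN = 400      # lowest accepted client-error code
INVALID_CORS_STATUS_MAX = 499      # highest accepted client-error code
INVALID_CORS_DEFAULT_STATUS = 200  # fallback; identical to pre-PR behaviour
INVALID_CORS_RESPONSE_DATA = ""    # body sent when the request is rejected


class Response(NamedTuple):
    """Constructed stand-in for a Flask response (status, headers, body)."""
    status: int
    headers: Dict[str, str]
    body: str


def effective_invalid_status(configured: int) -> int:
    """Range filter from the PR: only 4xx codes are honoured; anything
    else (e.g. 302) falls back to INVALID_CORS_DEFAULT_STATUS."""
    if INVALID_CORS_STATUS_MIN <= configured <= INVALID_CORS_STATUS_MAX:
        return configured
    return INVALID_CORS_DEFAULT_STATUS


def cors_response(origin: str, allowed: Iterable[str], body: str,
                  invalid_cors_status_code: int = INVALID_CORS_DEFAULT_STATUS
                  ) -> Response:
    """Decide what the view returns for a request carrying `origin`.

    Matching is exact on the full origin string, so a look-alike such as
    https://valid.com.example does not match https://valid.com, and the
    Access-Control-Allow-Origin header is never emitted for it.
    """
    headers = {"Content-Type": "application/json"}
    if origin in set(allowed):
        headers["Access-Control-Allow-Origin"] = origin
        return Response(200, headers, body)
    if invalid_cors_status_code == INVALID_CORS_DEFAULT_STATUS:
        # Argument not passed or passed 200: body unchanged, as before the PR.
        return Response(INVALID_CORS_DEFAULT_STATUS, headers, body)
    # Any other configured code: filtered to 4xx (or 200 fallback), empty body.
    return Response(effective_invalid_status(invalid_cors_status_code),
                    headers, INVALID_CORS_RESPONSE_DATA)
```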