corydolphin / flask-cors

Cross Origin Resource Sharing ( CORS ) support for Flask
https://flask-cors.corydolphin.com/
MIT License

Random Access-Control-Allow-Origin value being returned if Origin request header is not provided #338

Closed Laugslander closed 7 months ago

Laugslander commented 7 months ago

I want to enable CORS in my Flask application with a predefined set of allowed origins, as documented here:

from flask import Flask
from flask_cors import CORS

app = Flask(__name__)
CORS(app, origins=['http://localhost:3000', 'https://app.my_domain.com'])

The problem is that if I don't specify the Origin header in my request to the server, an arbitrary value for the Access-Control-Allow-Origin response header will be returned.

So for example, if my web application running on https://app.my_domain.com sends a GET request to the backend without specifying the Origin request header, the backend returns the following response header:

Access-Control-Allow-Origin: http://localhost:3000

This doesn't seem correct to me. How is this mechanism intended to be used?

Laugslander commented 7 months ago

The solution is to set the undocumented always_send parameter to False:

CORS(app, origins=['http://localhost:3000', 'https://app.my_domain.com'], always_send=False)

Related:
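To see the two behaviours side by side and to check a deployed app for the symptom described in this issue, here is an added stand-alone example (not flask-cors's own code; it does not import Flask). The `always_send=True` branch is an assumption that models the reported behaviour by returning the first configured origin; `cors_headers` and `audit_no_origin_response` are hypothetical helper names.

```python
"""Model of the Access-Control-Allow-Origin decision discussed in this issue.

Added, stand-alone illustration (not flask-cors's own code). always_send=True
stands in for the reported behaviour: with no Origin request header an allowed
origin is still returned. always_send=False is the fix from the issue.
"""

ALLOWED_ORIGINS = ["http://localhost:3000", "https://app.my_domain.com"]


def cors_headers(request_headers, allowed_origins=ALLOWED_ORIGINS, always_send=False):
    """Return the CORS response headers for one request.

    request_headers: mapping of request header names to values (case-insensitive).
    A matching Origin is echoed back exactly; a non-matching Origin gets nothing.
    With no Origin header, headers are only emitted when always_send is True.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    origin = headers.get("origin")
    if origin is None:
        if not always_send:
            return {}
        # Stand-in for the reported behaviour: the first configured origin is
        # sent even though no browser asked for it (assumption, not flask-cors's
        # exact selection logic; the issue only says the value is arbitrary).
        return {"Access-Control-Allow-Origin": allowed_origins[0], "Vary": "Origin"}
    if origin in allowed_origins:
        # Echo the exact allowed origin and mark the response as origin-dependent
        # so a shared cache never serves one origin's response to another.
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def audit_no_origin_response(response_headers):
    """Flag a response that carries ACAO although the request sent no Origin.

    Feed it the headers of a response to a request made without an Origin
    header (e.g. from curl). Returns a finding string, or None if clean.
    """
    lowered = {k.lower(): v for k, v in response_headers.items()}
    value = lowered.get("access-control-allow-origin")
    if value is None:
        return None
    return ("Access-Control-Allow-Origin: %s returned with no Origin request "
            "header; set always_send=False so it is only sent to matching origins" % value)


if __name__ == "__main__":
    # Constructed sample requests: an allowed origin, a foreign origin, and none.
    for req in ({"Origin": "https://app.my_domain.com"}, {"Origin": "https://evil.example"}, {}):
        print(req, "->", cors_headers(req, always_send=True), "|", cors_headers(req))
```

Running it prints the headers each request would get under both settings; the third line is the case from the issue, empty only when always_send is False.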