I want to enable CORS in my Flask application with a predefined set of allowed origins, as documented here:
from flask import Flask
from flask_cors import CORS
app = Flask(__name__)
CORS(app, origins=['http://localhost:3000', 'https://app.my_domain.com'])
The problem is that if I don't specify the Origin header in my request to the server, an arbitrary value for the Access-Control-Allow-Origin response header will be returned.
So for example, if my web application running on https://app.my_domain.com sends a GET request to the backend without specifying the Origin request header, the backend returns the following response header:
Access-Control-Allow-Origin: http://localhost:3000
This seems not correct to me. How is this mechanism intended to be used?
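The intended mechanism, as an added illustration that is neither the asker's code nor flask-cors: the server reads the request's Origin header, compares it against the fixed allowlist with an exact string match, and echoes back only a matching origin (together with Vary: Origin). A request with no Origin header is not a cross-origin browser request, so no Access-Control-Allow-Origin header is emitted at all; an origin outside the allowlist also gets nothing, and the browser then blocks the cross-origin read on its own. The allowlist and the sample request headers below are constructed from the values in the question; the function names are my own.

```python
"""Allowlist-based CORS response headers, framework-agnostic.

Added example (not the asker's code and not flask-cors). It shows the
intended behaviour: compare the request's Origin against a fixed
allowlist and echo back only an exact match; emit nothing when the
request carries no Origin header or an origin that is not allowed.
"""
from typing import Mapping, Optional

# Constructed allowlist, same two origins as in the question.
ALLOWED_ORIGINS = frozenset({
    "http://localhost:3000",
    "https://app.my_domain.com",
})


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def cors_headers(request_headers: Mapping[str, str],
                 allowed_origins=ALLOWED_ORIGINS) -> dict:
    """Return the CORS response headers to add for this request.

    - No Origin header: same-origin or non-browser request; add nothing.
    - Origin not in the allowlist: add nothing; the browser blocks the
      cross-origin read by itself.
    - Origin in the allowlist: echo exactly that origin back. Exact string
      comparison only, never prefix or substring matching, so that e.g.
      "https://app.my_domain.com.attacker.example" (constructed) is rejected.
    "Vary: Origin" accompanies every per-origin value so a shared cache
    does not hand one origin's response to a different origin.
    """
    origin = _get_header(request_headers, "Origin")
    if origin is None or origin not in allowed_origins:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample requests: the question's own scenario (no Origin),
    # an allowed origin, and an origin that merely contains an allowed one.
    samples = [
        {},                                                # no Origin header
        {"Origin": "https://app.my_domain.com"},           # allowed
        {"origin": "http://localhost:3000"},               # allowed, lowercase name
        {"Origin": "https://app.my_domain.com.attacker.example"},  # not allowed
    ]
    for req in samples:
        print(req, "->", cors_headers(req))
    # In Flask this would be wired in with an @app.after_request hook that
    # calls cors_headers(request.headers) and updates response.headers.
```

With this logic the request in the question (no Origin header) receives no Access-Control-Allow-Origin header at all, which is the behaviour the CORS specification describes. flask-cors has an `always_send` option, defaulting to True, that instead emits the first configured origin when the request has none; passing `always_send=False` to `CORS(...)` turns that fallback off.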