falconry / falcon

The no-magic web data plane API and microservices framework for Python developers, with a focus on reliability, correctness, and performance at scale.
https://falcon.readthedocs.io/en/stable/
Apache License 2.0

Clarify mutual exclusivity of `cors_enable=True` and `falcon.CORSMiddleware` #1930

Closed forana closed 3 years ago

forana commented 3 years ago

A tired/frustrated reader (such as myself) might see https://falcon.readthedocs.io/en/stable/api/cors.html#usage and incorrectly interpret the example code comments to mean that a "correct" solution requires both setting `cors_enable=True` in the `App` constructor, and passing a `falcon.CORSMiddleware` object to it. This is incorrect, but in a very subtle way - because the `CORSMiddleware` header effectively consumes the `Allow` header from the response (https://github.com/falconry/falcon/blob/7efb46f4068428eb62b422b4b3c2e40129e5a914/falcon/middleware.py#L112-L113), a request including the `Access-Control-Request-Method` header will receive a response with `access-control-allow-methods: None`.
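A simplified model of the interaction described in the issue above, added as an example and not part of the original post or Falcon's own code. It assumes `cors_enable=True` installs a CORS layer of its own, so also passing `falcon.CORSMiddleware` runs the preflight step twice; the `Response` class, helper names and sample headers are constructed for illustration.

```python
"""Simplified model (not Falcon's source) of the behaviour reported in the issue."""


class Response:
    """Minimal stand-in for a response object with case-insensitive headers."""

    def __init__(self, **headers):
        self._headers = {k.lower(): v for k, v in headers.items()}

    def get_header(self, name):
        return self._headers.get(name.lower())

    def delete_header(self, name):
        self._headers.pop(name.lower(), None)

    def set_header(self, name, value):
        # Assumption: header values are stored as text, so None becomes "None".
        self._headers[name.lower()] = str(value)


def cors_process_response(req_headers, resp):
    """Model of the preflight step: move Allow into Access-Control-Allow-Methods."""
    if not req_headers.get('Access-Control-Request-Method'):
        return  # not a CORS preflight request
    allow = resp.get_header('Allow')   # None if an earlier layer consumed it
    resp.delete_header('Allow')        # the Allow header is consumed here
    resp.set_header('Access-Control-Allow-Methods', allow)


def preflight(cors_layers):
    """Run a constructed OPTIONS preflight through N CORS layers."""
    req_headers = {'Origin': 'https://app.example',
                   'Access-Control-Request-Method': 'POST'}
    resp = Response(Allow='GET, POST')  # constructed default OPTIONS response
    for _ in range(cors_layers):
        cors_process_response(req_headers, resp)
    return resp.get_header('Access-Control-Allow-Methods')


def looks_double_applied(allow_methods):
    """Flag the symptom from the issue: a missing or literal 'None' method list."""
    return allow_methods is None or allow_methods.strip().lower() in ('', 'none')


if __name__ == '__main__':
    for layers in (1, 2):
        value = preflight(layers)
        print(layers, repr(value), looks_double_applied(value))
```

A check like `looks_double_applied` can be run against the `Access-Control-Allow-Methods` value of a real preflight response in an integration test to catch this configuration mistake before deployment.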

CaselIT commented 3 years ago

Hi,

I agree that that section may benefit from a clarification. It would be great if you could suggest a change!

forana commented 3 years ago

> Hi,
>
> I agree that that section may benefit from a clarification. It would be great if you could suggest a change!

Made a PR: https://github.com/falconry/falcon/pull/1933 - happy to update that however maintainers would like.