
Comments (6)

corydolphin commented on August 16, 2024

Hey @Taiiwo, sorry for the delay here. Thanks so much for adding an issue, I really appreciate the time it takes.

Can you please share the settings you passed to Flask-Cors? I cannot replicate the behavior you are seeing. If you pass * as one of the allowed origins, I would expect that the request's Origin header will be returned as the Access-Control-Allow-Origin header.


Taiiwo commented on August 16, 2024

I'm not sure what else I can send you. Here's a picture of the failed ajax request:
[image: failed ajax request]
Here's the Firefox error message:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://phantas.ml/recruitment/cms/login. (Reason: CORS header 'Access-Control-Allow-Origin' does not match 'http://localhost:8080, *').

Here's the contents of the application at phantas.ml/recruitment/cms:

import pymongo
import hashlib
import json
import util
import os
from flask import Flask
from flask import request
from flask_cors import CORS
from bson.objectid import ObjectId

app = Flask(__name__)
CORS(app)

# ... some other functions ...

@app.route('/login', methods=['POST'])
def login():
    # everything below this line is just part of my project, and should be useless to you
    if request.method == "POST":
        user = request.form['user']
        passw = request.form['passw']
    else:
        return "False"
    # get user collection
    users = util.get_collection('users')
    # find the user in the collection
    user_data = users.find_one({"user": user})
    # if the login details match up
    if user_data and user_data['passw'] == util.sha512(user + passw):
        # create a salt so the same session key is only valid once
        session_salt = util.sha512(os.urandom(512))
        # add the salt to the database so we can verify it later
        util.update_user(user_data['_id'], {"session_salt": session_salt})
        # construct a session key from the salt
        session_key = util.sha512(session_salt + user_data['passw'])
        userID = str(user_data['_id'])
        del user_data['_id']# delete sensitive variables
        del user_data['passw']# ^^^^^^^^^^^^^^^^^^^^^^^^
        del user_data['session_salt']# ^^^^^^^^^^^^^^^^^
        # User logged in. Gibbe (session) cookies
        return json.dumps({
            "session": session_key,
            "userID": userID,
            "details": user_data
        })
    else:
        return "False"

I didn't do anything else other than install flask and flask-cors from pip. I've played around with a few things, but nothing seems to work. I'm using simplehttpserver for my local client, but that shouldn't affect anything.


corydolphin commented on August 16, 2024

Hey @Taiiwo,

So, I think there may be a few things going on here.

  1. Can you confirm the version of flask-cors you are using? There should be no case in which comma-separated values are returned as of 2.X.
  2. From a comparison of the Origin and Host headers, it seems that you are making a request from http://localhost:8080 to http://phantas.ml. Is that what you expect?


Taiiwo commented on August 16, 2024

The server is running flask-cors version 2.1.2. Here's some other info:

taiiwo@taiiwo:~/wwwphantas.ml$ pip show flask-cors
---
Metadata-Version: 1.1
Name: Flask-Cors
Version: 2.1.2
Summary: A Flask extension adding a decorator for CORS support
Home-page: https://github.com/corydolphin/flask-cors
Author: Cory Dolphin
Author-email: [email protected]
License: MIT
Location: /usr/local/lib/python2.7/dist-packages
Requires: Flask, Six
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
You are using pip version 7.1.2, however version 8.0.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

Yep. To explain my setup: I have a local PC hosting some HTML files using apache2 for windows (I've also tried using python -m SimpleHTTPServer in Cygwin, same error). The local HTML files are making an AJAX request to the remote server "phantas.ml" running apache2 with mod_wsgi installed and pointing to the python script specified above.

I intend to have the HTML files hosted on the server as well, but was trying to set up a local test environment to design the pages.

Note: If you want to test using my server, I've changed the location from ://phantas.ml/recruitment/cms to //phantas.ml/gpol/cms.


Taiiwo commented on August 16, 2024

UPDATE: I only get the error when using mod_wsgi. It works fine if I run python FlaskScript.py. Could it be my apache/mod_wsgi implementation?


corydolphin commented on August 16, 2024

Hmm. It sounds like something else is at play here. My hypothesis is that
your Apache config is injecting the Access-Control-Allow-Origin: "*"
header, which is corrupting things.

Can you confirm the headers you receive when not using Flask-Cors?

On Mon, Jan 25, 2016 at 8:18 AM Taiiwo [email protected] wrote:

UPDATE: I only get the error when using mod_wsgi. It works fine if I run python
FlaskScript.py. Could it be my apache/mod_wsgi implementation?


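Added example (not from the thread and not Flask-Cors code): a small checker for the hypothesis in the last comment, that a second layer such as the web server adds its own Access-Control-Allow-Origin on top of the one the application sets. It joins all such fields the way a browser does and reports why the combined value is rejected; the header lists and function names are constructed for illustration.

```python
# Reproduces the browser-side Access-Control-Allow-Origin check on a
# response's header list. Sample data below is constructed, not captured.

def combined_acao(header_list):
    """Collect every Access-Control-Allow-Origin field and join them
    with ', ' as a browser does before comparing against the origin."""
    values = [v.strip() for k, v in header_list
              if k.lower() == "access-control-allow-origin"]
    return values, (", ".join(values) if values else None)


def check_acao(header_list, request_origin, with_credentials=False):
    """Return (allowed, reason) for a cross-origin read of this response."""
    values, combined = combined_acao(header_list)
    if combined is None:
        return False, "header missing"
    # A comma-joined value can never equal a single origin or '*'.
    if len(values) > 1 or "," in combined:
        return False, ("multiple values %r from %d header field(s); "
                       "more than one layer is setting the header"
                       % (combined, len(values)))
    if combined == "*":
        if with_credentials:
            return False, "wildcard is not accepted with credentials"
        return True, "wildcard"
    if combined == request_origin:
        return True, "exact origin match"
    return False, "value %r does not match origin %r" % (combined, request_origin)


# Constructed sample: what the application alone returns (Origin echoed back).
APP_ONLY = [
    ("Content-Type", "application/json"),
    ("Access-Control-Allow-Origin", "http://localhost:8080"),
]
# Constructed sample: same response after a front end appends its own header.
BEHIND_FRONT_END = APP_ONLY + [("Access-Control-Allow-Origin", "*")]

if __name__ == "__main__":
    for name, headers in (("app only", APP_ONLY),
                          ("behind front end", BEHIND_FRONT_END)):
        print(name, "->", check_acao(headers, "http://localhost:8080"))
```

Feeding it the header list captured with Flask-Cors disabled shows whether the extra value comes from outside the application.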
