Comments (6)
Hey @Taiiwo, sorry for the delay here. Thanks so much for adding an issue, I really appreciate the time it takes.
Can you please share the settings you passed to Flask-Cors? I cannot replicate the behavior you are seeing. If you pass `*` as one of the allowed origins, I would expect that the request's `Origin` header will be returned as the `Access-Control-Allow-Origin` header.
from flask-cors.
I'm not sure what else I can send you. Here's a picture of the failed ajax request:
Here's the Firefox error message:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://phantas.ml/recruitment/cms/login. (Reason: CORS header 'Access-Control-Allow-Origin' does not match 'http://localhost:8080, *').
Here's the contents of the application at phantas.ml/recruitment/cms:
```python
import pymongo
import hashlib
import json
import util
import os
from flask import Flask
from flask import request
from flask_cors import CORS
from bson.objectid import ObjectId

app = Flask(__name__)
CORS(app)

# ... some other functions ...

@app.route('/login', methods=['POST'])
def login():
    # everything below this line is just part of my project, and should be useless to you
    if request.method == "POST":
        user = request.form['user']
        passw = request.form['passw']
    else:
        return "False"
    # get user collection
    users = util.get_collection('users')
    # find the user in the collection
    user_data = users.find_one({"user": user})
    # if the login details match up
    if user_data and user_data['passw'] == util.sha512(user + passw):
        # create a salt so the same session key is only valid once
        session_salt = util.sha512(os.urandom(512))
        # add the salt to the database so we can verify it later
        util.update_user(user_data['_id'], {"session_salt": session_salt})
        # construct a session key from the salt
        session_key = util.sha512(session_salt + user_data['passw'])
        userID = str(user_data['_id'])
        del user_data['_id']  # delete sensitive variables
        del user_data['passw']  # ^^^^^^^^^^^^^^^^^^^^^^^^
        del user_data['session_salt']  # ^^^^^^^^^^^^^^^^^
        # User logged in. Gibbe (session) cookies
        return json.dumps({
            "session": session_key,
            "userID": userID,
            "details": user_data
        })
    else:
        return "False"
```
I didn't do anything else other than install flask and flask-cors from pip. I've played around with a few things, but nothing seems to work. I'm using simplehttpserver for my local client, but that shouldn't affect anything.
from flask-cors.
Hey @Taiiwo,
So, I think there may be a few things going on here.
- Can you confirm the version of flask-cors you are using? There should be no case in which comma-separated values are returned as of 2.X.
- From a comparison of the Origin and Host headers, it seems that you are making a request from `http://localhost:8080` to `http://phantas.ml`. Is that what you expect?
from flask-cors.
The server is running `flask-cors` version 2.1.2. Here's some other info:
```
taiiwo@taiiwo:~/wwwphantas.ml$ pip show flask-cors
---
Metadata-Version: 1.1
Name: Flask-Cors
Version: 2.1.2
Summary: A Flask extension adding a decorator for CORS support
Home-page: https://github.com/corydolphin/flask-cors
Author: Cory Dolphin
Author-email: [email protected]
License: MIT
Location: /usr/local/lib/python2.7/dist-packages
Requires: Flask, Six
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
You are using pip version 7.1.2, however version 8.0.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
```
Yep. To explain my setup: I have a local PC hosting some HTML files using apache2 for windows (I've also tried using `python -m SimpleHTTPServer` in Cygwin, same error). The local HTML files are making an AJAX request to the remote server "phantas.ml" running apache2 with mod_wsgi installed and pointing to the python script specified above.
I intend to have the HTML files hosted on the server as well, but was trying to set up a local test environment to design the pages.
Note: If you want to test using my server, I've changed the location from `://phantas.ml/recruitment/cms` to `//phantas.ml/gpol/cms`.
from flask-cors.
UPDATE: I only get the error when using mod_wsgi. It works fine if I run `python FlaskScript.py`. Could it be my apache/mod_wsgi implementation?
from flask-cors.
Hmm. It sounds like something else is at play here. My hypothesis is that your Apache config is injecting the `Access-Control-Allow-Origin: "*"` header, which is corrupting things.
Can you confirm the headers you receive when not using Flask-Cors?
On Mon, Jan 25, 2016 at 8:18 AM Taiiwo [email protected] wrote:
> UPDATE: I only get the error when using mod_wsgi. It works fine if I run python FlaskScript.py. Could it be my apache/mod_wsgi implementation?
from flask-cors.
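Added example, not code from the thread or from Flask-Cors: a stdlib-only WSGI reproduction of the hypothesis in the last comment, in which the application echoes the request `Origin` and a front-end layer appends its own `Access-Control-Allow-Origin: *`, together with a check that flags the combined value quoted in the Firefox error. The names `cors_app`, `front_end_adds_wildcard`, `fetch_headers` and `check_acao` are illustrative, and the front-end wrapper is an assumed stand-in for the Apache configuration, which the page does not show.

```python
from wsgiref.util import setup_testing_defaults

ACAO = "Access-Control-Allow-Origin"


def cors_app(environ, start_response):
    # Stand-in for the CORS-enabled application: echoes the request Origin,
    # the behaviour the maintainer describes for a wildcard configuration.
    origin = environ.get("HTTP_ORIGIN")
    headers = [("Content-Type", "text/plain")]
    if origin:
        headers.append((ACAO, origin))
    start_response("200 OK", headers)
    return [b"ok"]


def front_end_adds_wildcard(app):
    # Assumed stand-in for a front-end server that appends its own header
    # without removing the one the application already set.
    def wrapped(environ, start_response):
        def add_header(status, headers, exc_info=None):
            return start_response(status, headers + [(ACAO, "*")], exc_info)
        return app(environ, add_header)
    return wrapped


def fetch_headers(app, origin):
    # Call the WSGI app directly with a constructed request; no network needed.
    environ = {}
    setup_testing_defaults(environ)
    environ["HTTP_ORIGIN"] = origin
    captured = []
    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
    b"".join(app(environ, start_response))
    return captured


def check_acao(headers, origin):
    """Return (ok, combined): ok only if exactly one ACAO value matches."""
    values = [v for k, v in headers if k.lower() == ACAO.lower()]
    combined = ", ".join(values)  # browsers combine repeated headers this way
    ok = len(values) == 1 and values[0] in ("*", origin)
    return ok, combined


if __name__ == "__main__":
    for app in (cors_app, front_end_adds_wildcard(cors_app)):
        print(check_acao(fetch_headers(app, "http://localhost:8080"), "http://localhost:8080"))
```

A response that fails this check is fixed where the second header is added: either the front end or the application sets `Access-Control-Allow-Origin`, not both.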