Comments (5)
Good call, that is a great point.
The current implementation makes it a little bit tricky to differentiate between a regex and a string, but we should be able to come up with something to achieve this.
As for the 'always_send' option, I initially had this option, but removed it due to the complexity of determining what to do if a regex is passed as the origin. It is probably better to just add smarter validation to catch such an issue earlier.
Can you describe the browser bugs you were running into? They would be great test cases to have.
Thanks for the great suggestions and detailed issue. I am happy to take a look at implementing some of these changes later this week, but would be honored if you have any time to take a crack at it, and would be happy to review and continue your work.
Thanks,
Cory
from flask-cors.
I appreciate the need for contributions but unfortunately I'll be bogged down for a while :( If you don't get to it very quickly I could be able to get to it some time next week or so, in which case we should have a chat about what the preferred way of doing so is.
When it comes to always sending the Vary header, I've run across some bugs – especially with Chrome – such as this one. I believe we ran across a similar thing this morning, although I can't be entirely sure, when moving from our app using * to using specific origins. Searching around, it seems like several people have solved it by just always issuing the header, and it doesn't seem to do any harm.
Thanks for the library in any case, it has replaced our homegrown utility in production as of today.
Understandable :-) I figured I'd make the pitch regardless.
That bug is similar to one I have struggled with in the past. Definitely a good motivation for an 'always_send' option.
I'll take a look and see if I can get something together :-).
On Tue, Apr 12, 2016 at 1:41 PM Christoffer Torris Olsen wrote:
> I appreciate the need for contributions but unfortunately I'll be bogged down for a while :( If you don't get to it very quickly I could be able to get to it some time next week or so, in which case we should have a chat about what the preferred way of doing so is.
>
> When it comes to always sending the Vary header, I've run across some bugs – especially with Chrome – such as this one https://bugs.chromium.org/p/chromium/issues/detail?id=409090. I believe we ran across a similar thing this morning, although I can't be entirely sure, when moving from our app using * to using specific origins. Searching around, it seems like several people have solved it by just always issuing the header, and it doesn't seem to do any harm.
This also impacted the default configuration to allow '*'. That means the default behavior was pretty broken for caching.
Great find, thanks for the report!
This should be fixed in 2.1.3 https://github.com/corydolphin/flask-cors/releases/tag/2.1.3.
Please let me know if this is still biting you.
Thanks so much for the detailed report!
Cory
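The effect of always issuing `Vary: Origin`, discussed in the comments above, shown as an added example that is not part of the original thread and is not flask-cors code. It models a shared cache that honours `Vary`; every function name and the sample origins are hypothetical.

```python
# Added illustration; not flask-cors code. All names are hypothetical.

def cors_headers(origin, allowed, vary_always=True):
    """Build CORS response headers for a request Origin (None if absent)."""
    headers = {}
    if origin in allowed:
        headers["Access-Control-Allow-Origin"] = origin
    # The response depends on the request's Origin, so caches must key on it.
    # Sending Vary on every response also covers requests without an Origin.
    if vary_always or origin in allowed:
        headers["Vary"] = "Origin"
    return headers


class SharedCache:
    """Minimal HTTP cache keyed on URL plus the request headers named in Vary."""

    def __init__(self):
        self.vary_for = {}  # url -> header names taken from the last Vary seen
        self.store = {}

    def fetch(self, url, req, backend):
        names = self.vary_for.get(url, ())
        key = (url, tuple(req.get(n) for n in names))
        if key in self.store:
            return self.store[key]
        resp = backend(req)
        names = tuple(v.strip() for v in resp.get("Vary", "").split(",") if v.strip())
        self.vary_for[url] = names
        self.store[(url, tuple(req.get(n) for n in names))] = resp
        return resp


def browser_accepts(origin, resp):
    """A browser only exposes the response if ACAO is '*' or echoes its origin."""
    return resp.get("Access-Control-Allow-Origin") in ("*", origin)


def simulate(vary_always, first_origin, second_origin):
    """Warm the cache with one request, then report if the second one passes CORS."""
    allowed = {"https://a.example", "https://b.example"}  # constructed sample origins
    cache = SharedCache()

    def backend(req):
        return cors_headers(req.get("Origin"), allowed, vary_always)

    cache.fetch("/api", {"Origin": first_origin} if first_origin else {}, backend)
    resp = cache.fetch("/api", {"Origin": second_origin}, backend)
    return browser_accepts(second_origin, resp)
```

With `vary_always=False`, a first request that carries no `Origin` header is cached without `Vary`, so the cache replays that header-less response to a later cross-origin request and the browser blocks it.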