Using regex still requires two origins for Vary about flask-cors HOT 5 CLOSED

Good call, that is a great point.

The current implementation makes it a little bit tricky to differentiate between a regex and a string, but we should be able to come up with something to achieve this.

As for the 'always_send' option, I initially had this option, but removed it due to the complexity of determining what to do if a regex is passed as the origin. It is probably better to just add smarter validation to catch such an issue earlier.

Can you describe the browser bugs you were running into? They would be great test cases to have.

Thanks for the great suggestions and detailed issue. I am happy to take a look at implementing some of these changes later this week, but would be honored if you have any time to take a crack at it, and would be happy to review and continue your work.

Thanks,
Cory

from flask-cors.

I appreciate the need for contributions but unfortunately I'll be bogged down for a while :( If you don't get to it very quickly I could be able to get to it some time next week or so, in which case we should have a chat about what the preferred way of doing so is.

When it comes to always sending the Vary header, I've run across some bugs – especially with Chrome – such as this one. I believe we run across a similar thing this morning, although I can't be entirely sure, when moving from our app using * to using specific origins. Searching around, it seems like several people have solved it by just always issuing the header, and it doesn't seem to do any harm.

Thanks for the library in any case, it has replaced our homegrown utility in production as of today.

from flask-cors.

Understandable :-) I figured I'd make the pitch regardless.

That bug is similar to one I have struggled with in the past. Definitely a
good motivation for an 'always_send' option.

I'll take a look and see if I can get something together :-).

On Tue, Apr 12, 2016 at 1:41 PM Christoffer Torris Olsen <
[email protected]> wrote:

I appreciate the need for contributions but unfortunately I'll be bogged
down for a while :( If you don't get to it very quickly I could be able to
get to it some time next week or so, in which case we should have a chat
about what the preferred way of doing so is.

When it comes to always sending the Vary header, I've run across some
bugs – especially with Chrome – such as this one
https://bugs.chromium.org/p/chromium/issues/detail?id=409090. I believe
we run across a similar thing this morning, although I can't be entirely
sure, when moving from our app using * to using specific origins.
Searching around, it seems like several people have solved it by just
always issuing the header, and it doesn't seem to do any harm.

—
You are receiving this because you commented.

Reply to this email directly or view it on GitHub
#148 (comment)

from flask-cors.

This also impacted the default configuration to allow '*'. That means the default behavior was pretty broken for caching.

Great find, thanks for the report!

from flask-cors.

This should be fixed in 2.1.3 https://github.com/corydolphin/flask-cors/releases/tag/2.1.3.

Please let me know if this is still biting you.

Thanks so much for the detailed report!
Cory

from flask-cors.