Comments (4)
I have decided to implement the regexp approach and released version v1.8.0 to PyPI with the new feature.
Please give it a try and let me know what you think!
from flask-cors.
@marcoqu at the moment, there is no way to do this.
Currently, Flask-Cors only supports *, null or the exact domain. Can you explain your use case a little bit so I can better understand how to add support for this?
The way I imagine this could work would be to alter the handling of the origins parameter to be either a string, regex, or list of regexes or strings.
This should be straightforward to implement, with the exception of the interaction with the always_send parameter. If there is a regex supplied in the list of origins, always_send must be false, as it is impossible to determine which origin to return.
An alternative is to allow a user to specify a single callable as the 'origin' parameter. Some function which will be invoked within the context of the request and expected to return a string of the origin to set.
I would love your feedback on this potential implementation and your thoughts.
This conversation and thought process has made me realize that the current implementation actually suffers from a potential security flaw:
Because the list of origins to Flask-Cors is serialized before the request's origin is searched for in the serialized version, domains which are not a strict match, but actually a substring of an allowed domain, will be enabled.
Since origins will have an http prefix, I don't believe it can actually occur, but I will patch this nonetheless.
I look forward to hearing back!
CORY
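As an added illustration (not Flask-Cors code, and not part of the original thread) of the substring flaw described above and of the proposed regex-or-string origins handling with its always_send caveat; the function names and the serialized form of the always_send value are assumptions:

```python
import re
from typing import List, Optional, Pattern, Union

OriginSpec = Union[str, Pattern[str]]


def vulnerable_origin_allowed(request_origin: str, allowed: List[str]) -> bool:
    """The flawed check: the allowed list is serialized into one string and the
    request origin is searched for as a substring, so a prefix of an allowed
    origin (or text spanning two entries) is accepted."""
    serialized = ", ".join(allowed)
    return request_origin in serialized


def origin_allowed(request_origin: str, allowed: List[OriginSpec]) -> bool:
    """Strict check: literal entries must match exactly (or be '*'); regex
    entries must match the whole origin, never just a prefix of it."""
    for spec in allowed:
        if isinstance(spec, str):
            if spec == "*" or spec == request_origin:
                return True
        elif spec.fullmatch(request_origin):
            return True
    return False


def acao_header(request_origin: Optional[str], allowed: List[OriginSpec],
                always_send: bool = False) -> Optional[str]:
    """Value for Access-Control-Allow-Origin, or None to omit the header."""
    if request_origin is not None:
        return request_origin if origin_allowed(request_origin, allowed) else None
    # Request carried no Origin header.
    has_regex = any(not isinstance(s, str) for s in allowed)
    if not always_send or has_regex:
        # With a regex in the list there is no way to know which origin to
        # return, so always_send cannot apply (assumed behaviour).
        return None
    # Assumption: with only literal origins, always_send echoes the list.
    return ", ".join(s for s in allowed if isinstance(s, str))


if __name__ == "__main__":
    # Constructed sample: dynamically generated subdomains of example.com
    subdomains = re.compile(r"https://[a-z0-9-]+\.example\.com")
    print(vulnerable_origin_allowed("https://example.com", ["https://example.com:8443"]))  # True
    print(origin_allowed("https://example.com", ["https://example.com:8443"]))  # False
    print(acao_header("https://user1.example.com", [subdomains]))  # echoed back
    print(acao_header(None, [subdomains], always_send=True))  # None
```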
Looks like Django-Cors has this, but does not support an always_send style option.
I think it makes sense to add this and simply document the behavior in combination with always_send.
I really wish there was a way to combine Django-Cors and Flask-Cors with a layer of abstraction to handle the determination of which headers to set, and or settings... I would rustle something up, but I fear it would be more work than benefit.
Hi Cory, thanks for the feedback.
My use case is exactly like the example I provided: I have various subdomains, dynamically generated (i.e. user1.example.com, user2.example.com ... etc.) and all of them should be allowed to access the main api that resides on the main domain (example.com/api).
Right now I have to provide access to any origin "*", but I'd prefer to limit access to my own domain and subdomains.
Allowing a regex or list of regexes in the origins parameter would allow this to work. Providing a function to determine if the current origin should be allowed or not is even more flexible, and it would allow all kinds of solutions (database lookups, ip geolocation...).
I don't have a strong preference: the regexp solution is probably simpler to use, the callable is more complete, but it would probably need some usage examples...
Thanks!
m