X-CSRFToken not send in Access-Control-Allow-Headers about flask-cors HOT 4 CLOSED

I believe that should work, though flask-CORS expects that multiple headers
will be provided as a list.

I will test this tonight and confirm.

Thanks for the report!
On Tue, Oct 28, 2014 at 12:07 PM Oleg Marshev [email protected]
wrote:

X-CSRFToken not sent in Access-Control-Allow-Headers when added as
following:
cors = CORS(app, headers="X-CSRFToken, Content-Type")

The solution was to add resp.headers[ACL_HEADERS] = options.get('headers')
here https://github.com/wcdolphin/flask-cors/blob/master/flask_
cors.py#L251

The question is this a bug or CORS is somehow not properly configured?

—
Reply to this email directly or view it on GitHub
#78.

from flask-cors.

Hi Oleg, I attempted to reproduce your issue but was unable to.

Access-Control-Allow-Headers is only applicable for preflight requests, but in version 1.9.0 (currently released) they are sent for all methods if specified.

Can you confirm that you are not using the decorator in addition to the Appwide middleware/extension? If the decorator is used, it will take precedence over the middleware.

If not, could you help to post a larger code snippet, and or explain how you are verifying that the headers are not being sent as expected?

Random note -- I see that you work at edX? I work in the Twitter Boston office in the same building as one of your offices.

The script:

from flask.ext.cors import CORS
from flask import Flask


app = Flask(__name__)
cors = CORS(app, headers="X-CSRFToken, Content-Type")

@app.route("/")
def example():
    return "Hello World!"

if __name__ == '__main__':
    with app.test_client() as c:
        for verb in ('get','options'):
            print "Headers for %s /:\n%s" % (
                verb.upper(),
                getattr(c, verb)().headers
            )

Output:

Headers for GET /:
Content-Type: text/html; charset=utf-8
Content-Length: 12
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-CSRFToken, Content-Type


Headers for OPTIONS /:
Content-Type: text/html; charset=utf-8
Allow: HEAD, OPTIONS, GET
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-CSRFToken, Content-Type
Access-Control-Allow-Methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT
Content-Length: 0

from flask-cors.

Thank you @wcdolphin ! You are right. The issue was on our side. annotator-store(we are using) app after_request re-wrote the headers.

Random note -- I see that you work at edX? I work in the Twitter Boston office in the same building as one of your offices.

I am from Kyiv, Ukraine working as a part of a remote team. Nice to meet you :-)

from flask-cors.

Please feel free to close this issue.

from flask-cors.