Comments (5)
Okay, I’ll put a PR in at some point today when I have time.
from starlette.
Sounds good.
Also, on the subject of the `Vary: Origin` header, it looks like we should be setting that header for specified origins as well.
From https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#The_HTTP_response_headers
If the server specifies a single origin rather than the "*" wildcard, then the server should also include Origin in the Vary response header — to indicate to clients that server responses will differ based on the value of the Origin request header.
from starlette.
Gotcha, yup. Setting the Vary header on standard responses is complicated by the fact that it may already be set, so you need to make sure to add-or-include "Origin" in the header value. I guess we should probably start by only considering the non-credentialed "wildcard" origins part of this.
from starlette.
Here's the current idea I'm playing with..
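```python
async def send(self, message, send=None, request_headers=None):
    ...
    ...
    origin = request_headers.get("origin")
    cookie = request_headers.get("cookie")
    # Vary is a response header, so read any existing value from the
    # outgoing headers (built in the elided part above), not from the request.
    vary = headers.get("vary")
    if cookie and self.allow_all_origins:
        # Credentialed request against a wildcard config: echo the origin.
        headers["Vary"] = f"{vary}, Origin" if vary else "Origin"
        # Set it on this response only; self.simple_headers is shared
        # across requests and must not hold a per-request origin.
        headers["Access-Control-Allow-Origin"] = origin
    elif not self.allow_all_origins and self.is_allowed_origin(origin=origin):
        headers["Access-Control-Allow-Origin"] = origin
```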
from starlette.
Cool. Possibly use `has_cookie = "cookie" in request_headers` just to avoid any Falsey-evaluating edge cases. Also, `vary: origin` ought to get set in any case except "self.allow_all_origins".
from starlette.
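The header logic discussed in this thread, as an added example that is not part of the thread and not Starlette's own code. The names `add_vary` and `cors_headers` are hypothetical, headers are assumed to be plain dicts with lower-case keys, and the sketch adds `Vary: Origin` whenever the emitted headers depend on the request's `Origin` value.

```python
def add_vary(existing, token="Origin"):
    """Return a Vary value that includes `token`, keeping what was already set."""
    if not existing or not existing.strip():
        return token
    values = [v.strip() for v in existing.split(",") if v.strip()]
    # "Vary: *" already covers every request header; a token that is
    # already listed (compared case-insensitively) is not added twice.
    if "*" in values or token.lower() in (v.lower() for v in values):
        return ", ".join(values)
    return ", ".join(values + [token])


def cors_headers(request_headers, response_headers, allow_origins):
    """Compute headers for a simple (non-preflight) response.

    allow_origins is a list of origins, or ["*"] for the wildcard.
    Both header arguments are dicts with lower-case keys (assumption).
    """
    headers = dict(response_headers)
    origin = request_headers.get("origin")
    if origin is None:
        return headers  # not a CORS request, nothing to add

    allow_all = "*" in allow_origins
    # Membership test, not truthiness: an empty Cookie header still
    # makes this a credentialed request.
    has_cookie = "cookie" in request_headers

    if allow_all and not has_cookie:
        # Same answer for every origin, so caches need no Vary entry.
        headers["access-control-allow-origin"] = "*"
        return headers

    # From here on the response depends on the Origin request header.
    headers["vary"] = add_vary(headers.get("vary"))
    if allow_all or origin in allow_origins:
        headers["access-control-allow-origin"] = origin
    return headers
```

Without the `Vary` entry, a shared cache can hand a response carrying one origin's `Access-Control-Allow-Origin` value to a request from a different origin.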