Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add option to force CORS headers in responses #562

Merged
merged 2 commits into from
Sep 29, 2021
Merged

Add option to force CORS headers in responses #562

merged 2 commits into from
Sep 29, 2021

Conversation

leplatrem
Copy link
Contributor

No description provided.

jwhitlock
jwhitlock reviewed Sep 23, 2021
View reviewed changes
cornice/cors.py Outdated
Comment on lines 116 to 117
if any([o == "*" for o in service.cors_origins_for(method)]):
response.headers['Access-Control-Allow-Origin'] = '*'
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm considering if this test branch needs to be higher. It seems to me that you shouldn't allow both * and a hostname origin, but if you do, the * should be preferred to the value of the Origin: request.

I'm installing the project to better understand the settings.

Copy link

@jwhitlock jwhitlock Sep 23, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated the test locally to check the value of the Access-Control-Allow-Origin, and added a second test that set the request header Origin: notmyidea.org. I then tried some variants for cors_origins on the bacon Service. Here are the values of the Access-Control-Allow-Origin header:

cors_origins No Origin Origin: notmyidea.org
('*',) * *
('*', 'notmyidea.org') * *
('notmyidea.org',) No header, but response notmyidea.org

So, my proposed corner case is not valid, and the docs appear to be correct.

However, it seems always_cors allows the Origin check to be skipped, which seems like it could be a problem for some configurations. Maybe when always_cors is set but * is not in cors_origins, the code should fall back to checking the origin?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! I added some tests and changed the shape of the patch, which also makes the code paths clearer IMO :)

Thanks for being so thorough!

jwhitlock
jwhitlock approved these changes Sep 28, 2021
View reviewed changes
Copy link

@jwhitlock jwhitlock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm getting the same results as before:

cors_origins No Origin Origin: notmyidea.org
('*',) * *
('*', 'notmyidea.org') * *
('notmyidea.org',) No header, but response notmyidea.org

However, with the newly refactored code, it is clearer that the the case of cors_origins=('notmyidea.org',) and no Origin header is the same in the original code, and this fix is now targeted at the desired case (returning Access-Control-Allow-Origin: * when there is no Origin).

Thanks @leplatrem!

@leplatrem leplatrem merged commit 271e27b into master Sep 29, 2021
@leplatrem leplatrem deleted the add-option-force-cors branch September 29, 2021 12:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jwhitlock jwhitlock jwhitlock approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@leplatrem @jwhitlock