Falcon CORS middleware does not work properly


I'm using Falcon CORS to allow access to my web service only from several domains. But it does not work properly.

Let me explain, if we take a look at my implementation:

ALLOWED_ORIGINS = ['*']
crossdomain_origin = CORS(allow_origins_list=[ALLOWED_ORIGINS], log_level='DEBUG')

app = falcon.API(middleware=[RequireJSON(), JSONTranslator(), cors.middleware])

When I make any post request to my API service, I get this warning:

Aborting response due to origin not allowed

But, then I get the correct response from my API.
Here are the official docs for this module: https://github.com/lwcolton/falcon-cors

4


7
On BEST ANSWER

Your code does not match the falcon-cors documentation's example:

import falcon
from falcon_cors import CORS    
cors = CORS(allow_origins_list=['http://test.com:8080'])    
api = falcon.API(middleware=[cors.middleware])
#                            ^^^^^^^^^^^^^^^

Note the cors.middleware variable is being passed into the api call. In your code you are creating crossdomain_origin but not passing it into the API setup.

If this does not solve it, please provide a working code example, including the Falcon resource classes, that is easy to test and reproduce, and I'm happy to try to assist.

edit:

From the comments below, it sounds like falcon-cors is working properly; rather, the problem may be that the Origin header was being omitted from the request.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

The Origin header indicates the origin of the cross-site access request or preflight request.

1
On

Side note:

ORIGIN '*' does not work on some browsers, notably IE. In the past I've had to dynamically set the ORIGIN header to the 'host' name requested in the HTTP headers in order to support a wildcard domain host for a site I set up.

0
On

There is another way to implement this without using falcon-cors.

You might want to look at this on the official documentation - how-do-i-implement-cors-with-falcon

class CORSComponent:

    def process_response(self, req, resp, resource, req_succeeded):
        resp.set_header('Access-Control-Allow-Origin', '*')

        if (req_succeeded
            and req.method == 'OPTIONS'
            and req.get_header('Access-Control-Request-Method')
        ):
            # NOTE: This is a CORS preflight request. Patch the
            #   response accordingly.

            allow = resp.get_header('Allow')
            resp.delete_header('Allow')

            allow_headers = req.get_header(
                'Access-Control-Request-Headers',
                default='*'
            )

            resp.set_headers((
                ('Access-Control-Allow-Methods', allow),
                ('Access-Control-Allow-Headers', allow_headers),
                ('Access-Control-Max-Age', '86400'),  # 24 hours
            ))

When using the above approach, OPTIONS requests must also be special-cased in any other middleware or hooks you use for auth, content-negotiation, etc. For example, you will typically skip auth for preflight requests because it is simply unnecessary; note that such requests do not include the Authorization header in any case.

You can now put this in middleware

api = falcon.API(middleware=[
    CORSComponent()
])
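
An allowlist variant of the CORSComponent above, as an added example that is not part of the answer or of Falcon's documentation: it echoes the request's Origin only on an exact match against a configured set and sets Vary: Origin, which is what the question's goal of allowing only several domains needs. The origins in ALLOWED_ORIGINS, the _Msg stand-in for Falcon's request/response objects and the cors_headers helper are assumptions, constructed so the block runs without Falcon installed.

```python
# Added example, not Falcon's or falcon-cors' code. Origins are assumed placeholders.
ALLOWED_ORIGINS = {'https://app.example.com', 'https://admin.example.com'}

class AllowlistCORSComponent:
    def __init__(self, allowed_origins):
        self.allowed = frozenset(allowed_origins)

    def process_response(self, req, resp, resource, req_succeeded):
        # The response differs per Origin, so shared caches must key on it.
        resp.set_header('Vary', 'Origin')
        origin = req.get_header('Origin')
        # Missing Origin (non-browser client) or unlisted origin: no CORS headers.
        if origin is None or origin not in self.allowed:
            return
        resp.set_header('Access-Control-Allow-Origin', origin)  # exact match only
        if (req_succeeded and req.method == 'OPTIONS'
                and req.get_header('Access-Control-Request-Method')):
            allow = resp.get_header('Allow')  # set by Falcon's OPTIONS responder
            resp.delete_header('Allow')
            resp.set_headers((
                ('Access-Control-Allow-Methods', allow),
                ('Access-Control-Allow-Headers',
                 req.get_header('Access-Control-Request-Headers', default='*')),
                ('Access-Control-Max-Age', '86400'),  # 24 hours
            ))


class _Msg:
    """Constructed stand-in for Falcon's Request/Response (offline demo only)."""
    def __init__(self, method='GET', headers=None):
        self.method, self.headers = method, dict(headers or {})
    def get_header(self, name, default=None):
        return self.headers.get(name, default)
    def set_header(self, name, value):
        self.headers[name] = value
    def set_headers(self, pairs):
        self.headers.update(dict(pairs))
    def delete_header(self, name):
        self.headers.pop(name, None)


def cors_headers(origin, method='GET', extra=None):
    """Run the component on one constructed request; return response headers."""
    headers = dict(extra or {})
    if origin is not None:
        headers['Origin'] = origin
    req = _Msg(method, headers)
    resp = _Msg(headers={'Allow': 'GET, POST, OPTIONS'})
    AllowlistCORSComponent(ALLOWED_ORIGINS).process_response(req, resp, None, True)
    return resp.headers
```

With Falcon installed, the component is registered the same way as the one in the answer, passing AllowlistCORSComponent(ALLOWED_ORIGINS) in the middleware list.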

2
On

I tried as guided by lwcolton on GitHub here

And also set allow_all_headers=True, allow_all_methods=True

i.e. same as @Ryan's comment

import falcon
from falcon_cors import CORS

cors = CORS(
    allow_all_origins=True,
    allow_all_headers=True,
    allow_all_methods=True,
)

api = falcon.API(middleware=[cors.middleware])