I want to enable CORS in my Flask application with a predefined set of allowed origins, as documented here:
from flask import Flask
from flask_cors import CORS
app = Flask(__name__)
CORS(app, origins=['http://localhost:3000', 'https://app.my_domain.com'])
The problem is that if I don't specify the Origin header in my request to the server, an arbitrary value for the Access-Control-Allow-Origin response header will be returned.
So for example, if my web application running on https://app.my_domain.com sends a GET request to the backend without specifying the Origin request header, the backend returns the following response header:
Access-Control-Allow-Origin: http://localhost:3000
This seems not correct to me. How is this mechanism intended to be used?
It seems Flask-Cors has an undocumented option called always_send which defaults to True (see GitHub code and a relevant issue). What this option does is that it returns the origins even if the "Origin" header is not present. To fix the issue you simply need to set the option to False:
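As an added illustration (not code from the question, the answer, or Flask-CORS itself), the function below models how an allow-list CORS policy should decide the Access-Control-Allow-Origin header, with an always_send flag that reproduces the behaviour described above. Exact string matching and "first configured origin" are simplifying assumptions of this model; Flask-CORS's own matching is richer (regex patterns, wildcards).

```python
# Added example: a minimal model of an origin allow-list and the effect of
# an always_send-style option. This is NOT Flask-CORS's own implementation.
from typing import Optional

# Same allow-list as in the question.
ALLOWED_ORIGINS = ["http://localhost:3000", "https://app.my_domain.com"]


def cors_response_headers(request_origin: Optional[str],
                          allowed_origins: list[str],
                          always_send: bool = True) -> dict[str, str]:
    """Return the CORS response headers a server should add for one request.

    request_origin:  value of the request's Origin header, or None if absent.
    allowed_origins: configured allow-list (exact string match here; assumption).
    always_send:     emulates the option discussed in the answer.
    """
    # The response depends on Origin, so shared caches must key on it.
    headers = {"Vary": "Origin"}

    if request_origin is None:
        # No Origin header: this is not a browser cross-origin request, so a
        # correct policy sends no ACAO header at all ...
        if always_send:
            # ... but with always_send the first configured origin is emitted
            # anyway, which is the surprising header seen in the question.
            headers["Access-Control-Allow-Origin"] = allowed_origins[0]
        return headers

    if request_origin in allowed_origins:
        # Echo back exactly the origin that asked, never the whole list and
        # never a different entry from it.
        headers["Access-Control-Allow-Origin"] = request_origin
    # Origin not on the list: omit ACAO so the browser refuses the read.
    return headers
```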