Hi!
I noticed when using the `CORS(app, origins=[...], resources={...})` constructor that the origins in the root level are ignored. A simple example application would be:
```python
from flask import Flask
from flask_cors import CORS

app = Flask(__name__)

# Root-level origins plus a per-resource override for /a only.
CORS(
    app,
    origins=["http://localhost:5000"],
    resources={"/a": {"origins": "*"}}
)


@app.route("/a")
def helloWorld():
    return "Hello, cross-origin-world!"


@app.route("/b")
def helloYou():
    return "Hello, localhost!"


app.run(host='localhost', port=5000)
```
Running this and then using curl, you can see:
- `Access-Control-Allow-Origin: *` as expected
- `Access-Control-Allow-Origin` header
If commenting out the resources={...} line then both endpoints have the CORS header, but specific to the localhost origin. Is this intended behavior?
In my particular use case, this came up with an authenticated API (so the origin must not be *) that also contained a swagger.json endpoint that should be public. The idea was that we could make the swagger.json resource served with a * origin, and all other resources served with the listed origins.