CORS headers not injected when specifying root origins and per-resource origins #248

Description

@afiorillo

Hi!
I noticed when using the CORS(app, origins=[...], resources={...}) constructor that the origins in the root level are ignored. A simple example application would be:

from flask import Flask
from flask_cors import CORS

app = Flask(__name__)
CORS(
    app,
    origins=["http://localhost:5000"],
    resources={"/a": {"origins": "*"}}
)

@app.route("/a")
def helloWorld():
  return "Hello, cross-origin-world!"

@app.route("/b")
def helloYou():
  return "Hello, localhost!"

app.run(host='localhost', port=5000)

Running this and then using curl, you can see:

If commenting out the resources={...} line then both endpoints have the CORS header, but specific to the localhost origin. Is this intended behavior?

In my particular use case, this came up with an authenticated API (so the origin must not be *) that also contained a swagger.json endpoint that should be public. The idea was that we could make the swagger.json resource served with a * origin, and all other resources served with the listed origins.
