Skip to content

Configuring a flask application more than once should overwrite previous configuration #301

Description

@bernd-stahl

When (by mistake), CORS for a flask application is configured more than once, like so:

from connexion import FlaskApp
from flask_cors import CORS
application = FlaskApp(import_name, specification_dir=specification_dir)
CORS(application.app, origins='*')
CORS(application.app, origins=r'https://.*\.mydomain.com')

this results in multiple cors_after_request functions added to the flask application, which are all called sequentially for each request.

So effectively, the most permissive options for any matched resource are applied:

2021-12-10 09:48:27,042 MainThread no-request [DEBUG] flask_cors.extension.extension.init_app: Configuring CORS with resources: {'/*': {'origins': ['.*'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}}
2021-12-10 09:48:27,042 MainThread no-request [DEBUG] flask_cors.extension.extension.init_app: Configuring CORS with resources: {'/*': {'origins': ['https://.*\\.mydomain.com'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}}
...
2021-12-10 09:48:35,335 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.extension.extension.cors_after_request: Request to '/my-service/api/ui/' matches CORS resource '/*'. Using options: {'origins': ['https://.*\\.mydomain.com'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}
2021-12-10 09:48:35,335 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.core.core.set_cors_headers: Settings CORS headers: MultiDict([])
2021-12-10 09:48:35,335 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.extension.extension.cors_after_request: Request to '/my-service/api/ui/' matches CORS resource '/*'. Using options: {'origins': ['.*'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}
2021-12-10 09:48:35,336 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.core.core.set_cors_headers: Settings CORS headers: MultiDict([('Access-Control-Allow-Origin', '*')])

This behavior is quite surprising and most probably not what is intended.

I would say that, according to the principle of least surprise, configuring CORS more than once for the same application should either (preferably) overwrite the previous configuration, or alternatively raise an error.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions