Skip to content

Wildcard origin sent despite supports_credentials=True #202

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gsakkis opened this issue Jun 22, 2017 · 4 comments
Closed

Wildcard origin sent despite supports_credentials=True #202

gsakkis opened this issue Jun 22, 2017 · 4 comments

Comments

@gsakkis
Copy link

gsakkis commented Jun 22, 2017
edited
Loading

CORS(app, supports_credentials=True) causes the server to return Access-Control-Allow-Credentials: true and Access-Control-Allow-Origin: *, which afaict is invalid. The cause is the always_send=True default option; making it False doesn't trigger the bug.

Probable fix:

diff --git a/flask_cors/core.py b/flask_cors/core.py
index 0ef2b1e..f30fd33 100644
--- a/flask_cors/core.py
+++ b/flask_cors/core.py
@@ -134,15 +134,15 @@ def get_cors_origins(options, request_origin):
     elif options.get('always_send'):
         if wildcard:
             # If wildcard is in the origins, even if 'send_wildcard' is False,
             # simply send the wildcard. It is the most-likely to be correct
             # thing to do (the only other option is to return nothing, which)
             # pretty is probably not whawt you want if you specify origins as
             # '*'
-            return ['*']
+            return ['*'] if not options['supports_credentials'] else None
         else:
             # Return all origins that are not regexes.
             return sorted([o for o in origins if not probably_regex(o)])
 
     # Terminate these steps, return the original request untouched.
     else:
         LOG.debug("The request did not contain an 'Origin' header. This means the browser or client did not request CORS, ensure the Origin Header is set.")
@ganeshparsads
Copy link

ganeshparsads commented Jun 27, 2017
edited
Loading

@gsakkis,
There is no way to set origins to * and supports_credentials to true.
So, to handle this condition we need code to be like this. Let me know if I understood the problem wrong way. If this is correct docs need to be updated.

@gsakkis
Copy link
Author

gsakkis commented Jun 27, 2017

@ganeshparsads what do you mean there is no way? I just gave an example that demonstrates the issue (actually bug) along with a fix.

@corydolphin
Copy link
Owner

I think you are both right. It is currently possible for Flask-CORS to return these headers in the situation, as @gsakkis has shown.

@ganeshparsads you are correct in that it is not valid for browsers to receive these headers.

I will create an update per @gsakkis's diff to fix this issue.

@corydolphin corydolphin mentioned this issue Jun 27, 2017
Merged
@corydolphin
Copy link
Owner

This should be fixed. @gsakkis thank you very much for the bug report (and fix :D)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gsakkis @corydolphin @ganeshparsads