Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Configuring a flask application more than once should overwrite previous configuration #301

Open
bernd-stahl opened this issue Dec 10, 2021 · 0 comments

Comments

@bernd-stahl
Copy link

When (by mistake), CORS for a flask application is configured more than once, like so:

from connexion import FlaskApp
from flask_cors import CORS
application = FlaskApp(import_name, specification_dir=specification_dir)
CORS(application.app, origins='*')
CORS(application.app, origins=r'https://.*\.mydomain.com')

this results in multiple cors_after_request functions added to the flask application, which are all called sequentially for each request.

So effectively, the most permissive options for any matched resource are applied:

2021-12-10 09:48:27,042 MainThread no-request [DEBUG] flask_cors.extension.extension.init_app: Configuring CORS with resources: {'/*': {'origins': ['.*'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}}
2021-12-10 09:48:27,042 MainThread no-request [DEBUG] flask_cors.extension.extension.init_app: Configuring CORS with resources: {'/*': {'origins': ['https://.*\\.mydomain.com'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}}
...
2021-12-10 09:48:35,335 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.extension.extension.cors_after_request: Request to '/my-service/api/ui/' matches CORS resource '/*'. Using options: {'origins': ['https://.*\\.mydomain.com'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}
2021-12-10 09:48:35,335 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.core.core.set_cors_headers: Settings CORS headers: MultiDict([])
2021-12-10 09:48:35,335 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.extension.extension.cors_after_request: Request to '/my-service/api/ui/' matches CORS resource '/*'. Using options: {'origins': ['.*'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}
2021-12-10 09:48:35,336 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.core.core.set_cors_headers: Settings CORS headers: MultiDict([('Access-Control-Allow-Origin', '*')])

This behavior is quite surprising and most probably not what is intended.

I would say that, according to the principle of least surprise, configuring CORS more than once for the same application should either (preferably) overwrite the previous configuration, or alternatively raise an error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant