CORS Headers bug?

[Clement-O]

Hi!
I'm currently using Falcon as my back-end on a side project.
I have my API on one subdomain and all my mini front-end on other subdomain (sharing the same domain).
I read your test files and did some test on my side, but it seems that I came across some bugs.

1. if resp.get_header('Access-Control-Allow-Origin') is None: l.92 falcon.middleware.CORSMiddleware seems to be always False and equals to "*".
   Wrote a custom CORSMiddleware without this line (and some modifications to use regex with origin) and it worked fine (meaning, adding the correct Origin / Credentials headers)
   Having this line block the Credentials header to be added..

2. allow = resp.get_header('Allow') l.102 falcon.middleware.CORSMiddleware seems to be always "None"
   Wrote a custom router doing nothing more than the default one except some logging.
   From what I understood, .add_route() create the mapping HTTP-Request / Handler (POST -> on_post). It automatically add a function to this mapping for HTTP OPTIONS Request if it does not exist in the resource. This function is supposed to add the 'Allow' & 'Content-Length' Headers, which in turn is used by the CORSMiddleware to add the "Access-Control-Allow-Methods" Header.
   My log inside this function never appear. My guess is that this function is never called, which explain the "Allow=None" Header. I'm not sure though, I might misunderstanding things or missing part of the big picture.
   Weirdly enough, both Chrome and Firefox does not seems to care and allow the POST request to fire..

Below is a very simple test file I made with a bare falcon and nothing else (should work as is, granted falcon 3.0 is installed)

from falcon import asgi
from falcon import testing
from falcon.middleware import CORSMiddleware


class DummyResource():
    async def on_post(self, req, resp):
        resp.media = {"msg": "test"}
    
    async def on_get(self, req, resp):
        resp.media = {"msg": "test"}


class BaseFalconTest(testing.TestCase):
    def setUp(self):
        super(BaseFalconTest, self).setUp()
        self.middlewares = [CORSMiddleware(allow_origins="localhost", allow_credentials="localhost")]
        self.app = asgi.App(cors_enable=True, middleware=self.middlewares)
        self.app.add_route("/test", DummyResource())


class TestCORS(BaseFalconTest):
    def test_origin_header(self):
        response = self.simulate_get(path="/test", headers={"Origin": "localhost"})

        self.assertEqual(response.status_code, 200)
        self.assertEqual(response.json, {"msg": "test"})

        self.assertEqual(response.headers["Access-Control-Allow-Origin".lower()], "*")
        self.assertNotIn("Access-Control-Allow-Credentials".lower(), response.headers)

    def test_method_options(self):
        response = self.simulate_options(
            path="/test",
            headers={
                "Origin": "localhost",
                "Access-Control-Request-Method": "POST",
            },
        )

        self.assertEqual(response.status_code, 200)

        # False, assertion fails. Access-Control-Allow-Methods is None
        self.assertEqual(response.headers["Access-Control-Allow-Methods".lower()], "GET, POST")

Would like to hear more about it 😁

[vytas7]

Hi @Clement-O!
I believe the framework is functioning as expected, at least from what I can see.
It is not a bug per se, but a usability bug, which is already tracked as #1977. I have rescheduled it for the upcoming 4.0 release since you're not the first one to get hit by this. (You are also welcome to contribute by tackling this one 🙂 )

Having tweaked your test slightly, it seems to pass as expected:

from falcon import asgi
from falcon import testing
from falcon.middleware import CORSMiddleware


class DummyResource:
    async def on_post(self, req, resp):
        resp.media = {'msg': 'test'}

    async def on_get(self, req, resp):
        resp.media = {'msg': 'test'}


class BaseFalconTest(testing.TestCase):
    def setUp(self):
        super(BaseFalconTest, self).setUp()
        self.middlewares = [
            CORSMiddleware(
                allow_origins='localhost', allow_credentials='localhost'
            )
        ]
        self.app = asgi.App(middleware=self.middlewares)
        self.app.add_route('/test', DummyResource())


class TestCORS(BaseFalconTest):
    def test_origin_header(self):
        response = self.simulate_get(
            path='/test', headers={'Origin': 'localhost'}
        )

        self.assertEqual(response.status_code, 200)
        self.assertEqual(response.json, {'msg': 'test'})

        self.assertEqual(
            response.headers['Access-Control-Allow-Origin'], 'localhost'
        )
        self.assertEqual(
            response.headers['Access-Control-Allow-Credentials'], 'true'
        )

    def test_method_options(self):
        response = self.simulate_options(
            path='/test',
            headers={
                'Origin': 'localhost',
                'Access-Control-Request-Method': 'POST',
            },
        )

        self.assertEqual(response.status_code, 200)

        # False, assertion fails. Access-Control-Allow-Methods is None
        self.assertEqual(
            response.headers['Access-Control-Allow-Methods'.lower()],
            'GET, POST',
        )

The main change I made here is not passing cors_enable + an instance of CORSMiddleware together.

[Clement-O]

Hi @vytas7 !
Thanks for the quick and clear response!
Indeed is works perfectly fine without the cors_enable!
Should've read the issues before hand, it was clearly explained...
To be fair, even the documentation concerning CORS is clear. Should've take my time to read everything 😂 .

I don't think you should change something to your code and handling of cors_enable + CORSMiddleware, it's perfectly stated in the doc, issues and now here. That's more an "end user" problem rather than yours, you did your job correctly, documented, I was just the one not respecting that.

Thanks again for your time! 😄