[Feature Suggestion] Configurable response status code to invalid CORS request #326
Configurable CORS response code when CORS request is invalid
Thank you for taking a look at this PR!
In summary

`invalid_cors_status_code`: the status code returned when `Access-Control-Allow-Origin` is not in the response header. Default: `200`, same as current behaviour. The default behaviour is SAME as current behaviour.
Details
Background
According to the CORS document from WHATWG, the CORS protocol can take any response code to a CORS request as long as the response header contains CORS headers like `Access-Control-Allow-Origin`. It does not specify the response code and response body.

But there might be some wishes like "not to return a response to an invalid CORS request" for security. From the WHATWG doc,
So I implemented the feature.
Feature
Add an `invalid_cors_status_code` argument for CORS configuration to `flask_cors.CORS` and `flask_cors.cross_origin`.

Note:

Currently, Flask-Cors responds to the CORS request with status `200` and a response body. To maintain backward compatibility, the argument's default value is `200`, and the response body is not changed when `invalid_cors_status_code` is not passed or is passed as `200`.

Personally, I think the response code to an invalid CORS request should be `403`, like Spring Security, or `401` if it should be authenticated. At least a Client Error response code from the Mozilla HTTP response code doc should be returned, which is from `400` to `499`. So, by setting the variables `INVALID_CORS_STATUS_MIN = 400` and `INVALID_CORS_STATUS_MAX = 499` in `flask_cors/core.py`, this feature filters `invalid_cors_status_code`. If another value like `302` is set for `invalid_cors_status_code`, this sets the response status to `200` (set in `INVALID_CORS_DEFAULT_STATUS`) and the response body to `''` (set in `INVALID_CORS_RESPONSE_DATA`).

Checked with `nosetests --with-coverage --cover-package=flask_cors`.

Thank you so much!
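Added example, not code from Flask-Cors or from this PR: a pure-Python model of the behaviour the description proposes, so the status-code filtering and the backward-compatible default can be exercised without Flask. The constant names are the ones the PR mentions and their values are the ones it states; `Response` is a constructed stand-in for `flask.Response`, and `apply_cors` is a hypothetical after-request hook whose allow-list matching is an assumption made for the example. The reading of the description used here is that the body is emptied only when a non-default code is configured; an out-of-range value such as `302` is not honoured and falls back to `200`.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Names taken from the PR description; the values are the ones it states.
INVALID_CORS_STATUS_MIN = 400
INVALID_CORS_STATUS_MAX = 499
INVALID_CORS_DEFAULT_STATUS = 200
INVALID_CORS_RESPONSE_DATA = ""


@dataclass
class Response:
    """Minimal stand-in for flask.Response, constructed so the example runs without Flask."""
    data: str = "ok"
    status_code: int = 200
    headers: Dict[str, str] = field(default_factory=dict)


def resolve_invalid_cors_status(configured: int) -> int:
    """Return the status to use for a rejected CORS request.

    Only client-error codes (400..499) are honoured; anything else, e.g. 302 or
    500, falls back to INVALID_CORS_DEFAULT_STATUS so a misconfiguration cannot
    turn a CORS rejection into a redirect or a server error.
    """
    if INVALID_CORS_STATUS_MIN <= configured <= INVALID_CORS_STATUS_MAX:
        return configured
    return INVALID_CORS_DEFAULT_STATUS


def apply_cors(resp: Response, origin: Optional[str], allowed_origins: Iterable[str],
               invalid_cors_status_code: Optional[int] = None) -> Response:
    """Hypothetical after-request hook (assumption, not Flask-Cors's API).

    - no Origin header: not a CORS request, response left untouched
    - allowed origin: Access-Control-Allow-Origin echoed back, status untouched
    - disallowed origin: ACAO omitted; if invalid_cors_status_code is set and is
      not 200, the status is replaced (after range filtering) and the body
      emptied; otherwise the response stays as today (200 with its body)
    """
    if origin is None:
        return resp
    if origin in set(allowed_origins):  # exact-match allow-list (assumed for the example)
        resp.headers["Access-Control-Allow-Origin"] = origin
        resp.headers["Vary"] = "Origin"  # keep caches from serving one origin's answer to another
        return resp
    resp.headers.pop("Access-Control-Allow-Origin", None)
    if invalid_cors_status_code is None or invalid_cors_status_code == INVALID_CORS_DEFAULT_STATUS:
        return resp  # backward compatible: 200 and the original body
    resp.status_code = resolve_invalid_cors_status(invalid_cors_status_code)
    resp.data = INVALID_CORS_RESPONSE_DATA
    return resp


if __name__ == "__main__":
    allowed = ["https://app.example"]  # constructed allow-list
    cases = [("https://app.example", 403), ("https://evil.example", 403),
             ("https://evil.example", None), ("https://evil.example", 302), (None, 403)]
    for origin, code in cases:
        r = apply_cors(Response(), origin, allowed, code)
        print(f"origin={origin!r} configured={code!r} -> {r.status_code} body={r.data!r} headers={r.headers}")
```

Running the block shows the four situations the description distinguishes: an allowed origin keeps `200` and gains the ACAO header, a rejected origin with `403` configured gets `403` and an empty body, a rejected origin with no code configured keeps today's `200` and body, and a configured `302` is filtered back to `200`.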