On ajax cross domain request flask respond after a long time . For example 10 seconds. If I call url from browser it respond fastly, but with cors and on ajax request flask wait a long time. I'm working on localhost.

I am using the middleware in my blueprinted flask app:

from flask_cors import CORS
CORS(app)

The correct CORS headers are not set on the error pages, which results in a CORS error on the front-end every time the server throws an error. Am I doing something wrong?

I was having this issue with my own simple CORS handling, and found flask-cors, only to find it has the same problem.

The docs for after_request point out that the function may not be called if there is an unhandled exception: http://flask.pocoo.org/docs/0.10/api/#flask.Flask.after_request

The result is that the client ends up getting a no-cors header error instead of a 500 server error

Attempting to pass a blueprint object to the flask.ext.cors.CORS results in the following traceback

  File "/usr/lib/python3.4/site-packages/flask_cors/extension.py", line 59, in __init__
    self.init_app(app, **kwargs)
  File "/usr/lib/python3.4/site-packages/flask_cors/extension.py", line 64, in init_app
    options = get_cors_options(app, self._options, kwargs)
  File "/usr/lib/python3.4/site-packages/flask_cors/core.py", line 263, in get_cors_options
    options.update(get_app_kwarg_dict(appInstance))
  File "/usr/lib/python3.4/site-packages/flask_cors/core.py", line 278, in get_app_kwarg_dict
    for k in CONFIG_OPTIONS
  File "/usr/lib/python3.4/site-packages/flask_cors/core.py", line 279, in <genexpr>
    if app.config.get(k) is not None
AttributeError: 'Blueprint' object has no attribute 'config'

I was using flask-cors for my flask application which failed to enable CORS for blueprints where blueprints were registered along with url_prefix as their property. However, when I removed url_prefix and manually added prefix in blueprints, CORS seemed to be working fine.

Example

This code works properly

from flask import Flask, make_response
from flask_cors import CORS

from tracer.blueprints.auth import app as auth_blueprint
from tracer.blueprints.url import app as url_blueprint

app = Flask(__name__)
CORS(app)

app.register_blueprint(auth_blueprint)
app.register_blueprint(url_blueprint)

if __name__ == '__main__':
    app.run(host='0.0.0.0')

This code doesn't allow CORS

.
.
app.register_blueprint(auth_blueprint, url_prefix='/auth')
app.register_blueprint(url_blueprint, url_prefix='/url')
.
.

I'm trying to use flask-cors for the development configuration for a flask-restful api, simplified below:

import config

from flask import Flask, request
from flask_restful import Api, Resource
from flask_cors import CORS

app = Flask(__name__)
app.config.from_object('config.DevelopmentConfig')
api = Api(app)
if app.config['CORS_ENABLED'] is True:
    CORS(app, origins="http://127.0.0.1:8080", allow_headers=[
        "Content-Type", "Authorization", "Access-Control-Allow-Credentials"],
        supports_credentials=True)


@app.before_request
def authorize_token():
    if request.endpoint != 'token':
        try:
            authorize_jwt(request)
        except Exception as e:
            return "401 Unauthorized\n{}\n\n".format(e), 401


class GetToken(Resource):
    def post(self):
        token = generate_jwt()
        return token       # token sent to client to return in subsequent requests in Authorization header


# requires authentication through before_request decorator
class Test(Resource):
    def get(self):
        return {"test": "testing"}


api.add_resource(GetToken, '/token', endpoint='token')
api.add_resource(Test, '/test', endpoint='test')

if __name__ == '__main__':
    app.run()

But whatever I try I always get the error 'Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.'

Without the JWT auth piece, everything else works fine. (And the JWT auth works fine without flask-cors.) Seems like the hangup is something with using flask-cors with the before_request decorator (?).

Any suggestions?

Not sure why I'm getting this error when trying to allow CORS on my flask app. Here's my server:

#library imports
from flask import Flask
from flask_cors import CORS, cross_origin

app = Flask(__name__)
CORS(app, resources={r"/*": {"origins": "*"}})
app.config['CORS_HEADERS'] = 'Content-Type'

@app.route('/img', methods=['POST'])
def image_upload():
    if not request.json:
        abort(400)
    print(request.json)
    return jsonify('working')

if __name__ == "__main__":
    app.run(host= "0.0.0.0", debug=True, port = 5000, threaded=True)
    print("Running dev server on port 5000")

Now on my frontend, when I attempt to make a POST request to /img, I get the error in the title. The full error is:

XMLHttpRequest cannot load http://0.0.0.0:5000/img. Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. Origin 'http://localhost:8080' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Right now, there is only a py2 wheel being released. This PR will cause bdist_wheel to build a universal py2.py3 wheel instead. It also tells the Travis release task to upload the wheel to PyPI in addition to the sdist which is the only one uploaded by default

Hey y'all, I've setup version 2.1.2 of the Flask-Cors extension, with version 0.11.1 of Flask and version of 0.9.2 of Flask-OAuthlib, like so:

from flask import Flask
from flask_cors import CORS
from flask_oauthlib.provider import OAuth2Provider

app = Flask(__name__)

oauth = OAuth2Provider(app)
oauth.init_app(app)

CORS(app, supports_credentials=True)

And it supports pre-flight OPTIONS requests just fine, but for some reason, it is hitting some hangups when it attempts to setup CORS headers on actual requests:

127.0.0.1 - - [16/Aug/2016 13:44:45] "OPTIONS /api/oauth/token HTTP/1.1" 200 -
127.0.0.1 - - [16/Aug/2016 13:44:47] "POST /api/oauth/token HTTP/1.1" 500 -
Traceback (most recent call last):
  File "/Applications/MAMP/htdocs/truesouth/lib/python3.4/site-packages/flask/app.py", line 2000, in __call__
    return self.wsgi_app(environ, start_response)
  File "/Applications/MAMP/htdocs/truesouth/lib/python3.4/site-packages/flask/app.py", line 1991, in wsgi_app
    response = self.make_response(self.handle_exception(e))
  File "/Applications/MAMP/htdocs/truesouth/lib/python3.4/site-packages/flask_cors/extension.py", line 188, in wrapped_function
    return cors_after_request(app.make_response(f(*args, **kwargs)))
  File "/Applications/MAMP/htdocs/truesouth/lib/python3.4/site-packages/flask/app.py", line 1567, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/Applications/MAMP/htdocs/truesouth/lib/python3.4/site-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/Applications/MAMP/htdocs/truesouth/lib/python3.4/site-packages/flask/app.py", line 1988, in wsgi_app
    response = self.full_dispatch_request()
  File "/Applications/MAMP/htdocs/truesouth/lib/python3.4/site-packages/flask/app.py", line 1643, in full_dispatch_request
    response = self.process_response(response)
  File "/Applications/MAMP/htdocs/truesouth/lib/python3.4/site-packages/flask/app.py", line 1862, in process_response
    response = handler(response)
  File "/Applications/MAMP/htdocs/truesouth/lib/python3.4/site-packages/flask_cors/extension.py", line 175, in cors_after_request
    set_cors_headers(resp, res_options)
  File "/Applications/MAMP/htdocs/truesouth/lib/python3.4/site-packages/flask_cors/core.py", line 217, in set_cors_headers
    resp.headers.add(k, v)
AttributeError: 'dict' object has no attribute 'add'

Here is the actual resp.headers object referenced in the last line of the stack trace:

{'Cache-Control': 'no-store', 'Content-Type': 'application/json', 'Pragma': 'no-cache'}

Any idea what could be causing this? It seems like maybe Flask-OAuthlib is using a dict for the headers object and Flask-Cors is expecting a set.

See how ACL_REQUEST_HEADERS is never used.

Something like this seems missing: https://github.com/cancan101/flask-cors/commit/4f9364414772be7df1a1de5dfc12f1ae79725d76

Hi,

I'm trying to get this work so that when I login I issue an 'Access-Control-Allow-Credentials', 'true' header. So that I can have authenticated cross-domain ajax calls. I've got a simple prototype working, but now I'm trying to get this all to work in a larger flask application using the flask-security extension.

Here's what I've tried for setting up CORS. I've also tried using @cross_origin(supports_credentials=True) on a view that also requires a login.

cors = CORS(app, resources={r"/api/*": {"origins": "*"}, r"/login": {"supports_credentials": True}})

I don't get any of the CORS headers. Here's what I see in the debug output.

DEBUG:flask.ext.cors:Enabling <function home at 0x1039e2b70> for cross_origin using options:{'supports_credentials': True}
DEBUG:runestone.cors:Request to '/login' matches CORS resource '/login'. Using options: {'origins': ['.*'], 'supports_credentials': True, 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'intercept_exceptions': True, 'automatic_options': True, 'send_wildcard': False, 'vary_header': True, 'allow_headers': ['.*'], 'resources': {'/api/*': {'origins': '*'}, '/login': {'supports_credentials': True}}}
DEBUG:runestone.cors:'Origin' header was not set, which means CORS was not requested, skipping
DEBUG:runestone.cors:Settings CORS headers: MultiDict([])
INFO:werkzeug:127.0.0.1 - - [22/May/2015 14:44:59] "GET /login HTTP/1.1" 302 -
DEBUG:runestone.cors:No CORS rule matches

I don't know if it matters but I have the auth stuff in a blueprint of its own.

Any ideas on where I might be going wrong? The debug output is confusing to me because it seems to recognize that I want CORS on the login, request, but then later says that CORS was not requested.

Thanks,

Brad

The latest version of flask-cors is Jan 6, 2021. When will the next version be released? I've been using this version for over 2 years. So, I'd like to know when the next version is updated. Thank you.

When passing additional, or misspelled, keyword arguments to CORS, and probably elsewhere, they are silently ignored.

This means that a CORS(app, rigins=["mydomain.com"], send_wildcard=True) would produce false positive * wildcards for any domain.

Is there a design reason that leftover unknown keyword arguments can't be raised as an error?

There are small typos in:

• docs/configuration.rst
• tests/decorator/test_exception_interception.py

Fixes:

• Should read enabled rather than enbaled.
• Should read matching rather than maching.

Semi-automated pull request generated by https://github.com/timgates42/meticulous/blob/master/docs/NOTE.md

My web app includes flask-cors as a dependency. In the log file, there are frequent messages like:

DEBUG .../venv/lib/python3.10/site-packages/flask_cors/core.py:247 Settings CORS headers: MultiDict([])

The default log level in my app in logging.INFO and I do not see it overridden anywhere. How did this logger get enabled in core.py?

I'm trying to pass in a cookie to a Flask API POST Endpoint

export async function login(username, password, csrfToken, sessionCookie) {
  console.log(sessionCookie);
  const res = await fetch(buildLink("api/login/"), {
    method: "POST",
    credentials: "include",
    headers: {
      "Content-Type": "application/json",
      "X-CSRFToken": csrfToken,
    },
    body: {
      username: username,
      password: password,
      cookie: sessionCookie,
    },
  });
  const user = await res.json();
  console.log(user);
  return user;
}

However, the error I get when making this request in the browser is

Access to fetch at 'http://127.0.0.1:2476/api/login/' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.

My set-up using flask-cors is

login_manager = LoginManager()
login_manager.init_app(app)
login_manager.session_protection = "strong"
csrf = CSRFProtect(app)
cors = CORS(
    app,
    resources={
        r"*": {
            "origins": [
                "http://localhost:8080",
                "http://localhost:3000",
                "http://127.0.0.1:3000",
                "http://127.0.0.1:8080",
            ]
        }
    },
    expose_headers=["Content-Type", "X-CSRFToken"],
    supports_credentials=True,
)

While this library is used to enable cors, is there an option to disable the default wildcard value in CORS_ORIGIN without explictly defining trusted domains in a string/list so it defaults back to same origin policy?