Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Setting up CORS for multiple domains #46

Open
smlbiobot opened this issue May 24, 2020 · 4 comments
Open

Setting up CORS for multiple domains #46

smlbiobot opened this issue May 24, 2020 · 4 comments

Comments

@smlbiobot
Copy link

Per Mozilla docs there can only be one Access-Control-Allow-Origin header present.

To limit access to specific domains, nginx allows you to regex test the incoming host and to match it in the header:

f ($http_origin ~* "^https?://dev\.example\.com$" ) {
    add_header Access-Control-Allow-Origin $http_origin;
}

How would I go about doing this with this library? I’ve tried putting a list of domains in the origins keyword, as suggested in the Flask-CORS docs but it simply uses the first value in the list.

@ashleysommer
Copy link
Owner

ashleysommer commented May 25, 2020

Hi @smlbiobot
Sorry I'm having trouble following your question. Seems like you have three different points?

Per Mozilla docs there can only be one Access-Control-Allow-Origin header present.

Correct. If Sanic-CORS is adding more than one, that is a bug. Please file an issue about that.

To limit access to specific domains, nginx allows you to regex test the incoming host and to match it in the header.

Can you rephrase that in a different way? Do you mean nginx checks the HTTP Host header in the Request, and adds it to the Access-Control-Allow-Origin header in the response? Generally a HTTP 'Host' is a different concept than a CORS 'Origin', careful not to confuse them.

How would I go about doing this with this library? I’ve tried putting a list of domains in the origins keyword, as suggested in the Flask-CORS docs

Sanic-CORS is a direct port from Flask-CORS, so most of the documentation from Flask-CORS should still apply to Sanic-CORS, including that for the list of valid origins. The test suite still passes for that feature, so should still work as per the documentation.

it simply uses the first value in the list

That might be a bug, one which may not be picked up by the test suite. I can try to reproduce it and let you know.

@smlbiobot
Copy link
Author

smlbiobot commented May 30, 2020

Hi @ashleysommer let me explain what I needed. The way I understand how the Access-Control-Allow-Origin header works is that you can’t specific multiple domains to it, but that it is suggested the server adding the header could simply respond to the request by allowing the specific domain depending on where the request is coming from.

Sample code:

cors = CORS(
    app,
    resources={
        r"/static/*": {
            "origins": [
                "https://example.com",
                "https://subdomain.example.com",
                "https://subdomain2.example.com",
            ]
        }
    },
    methods=['GET'],
)

Expected behavior: Depending on which domain is requesting the resource, it should add these headers:

example.com is requesting:

Access-Control-Allow-Origin: https://example.com

subdomain.example.com is requesting:

Access-Control-Allow-Origin: https://subdomain.example.com

random.com is request:
No header is added.

When I am using this library right now, it always returns the first domain. So e.g. when I request from subdomain.example.com, I get this header:

Access-Control-Allow-Origin: https://example.com

Needless to say, that resulted in me not being able to use the resource.

Also if it’s important, I am testing this on localhost only, but setting up multiple localhost hostname e.g.:

dev.local
localhost

and I can see even if I had added both to the origins, that only the first item in the list ever gets return.

@rhazz
Copy link

rhazz commented Jul 3, 2020

same need.

@ashleysommer
Copy link
Owner

Ok, this might be caused by something in the porting process between Flask-CORS and Sanic-CORS. Just surprising that the test-suite doesn't pick this up.
I don't have any time to investigate it or make a fix, but certainly can review and accept pull-requests.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants