A Flask extension adding a decorator for CORS support
Project description
A Flask extension for handling Cross Origin Resource Sharing (CORS), making cross-origin AJAX possible.
Installation
Install the extension using pip or easy_install.
$ pip install -U flask-cors
Usage
This extension enables CORS support either via a decorator, or a Flask extension. There are three examples shown in the examples directory, showing the major use cases. The suggested configuration is the simple_example.py, or the app_example.py.
Simple Usage
In the simplest case, initialize the Flask-Cors extension with default arguments in order to allow CORS on all routes.
from flask import Flask
from flask_cors import CORS

app = Flask(__name__)
cors = CORS(app)

@app.route("/")
def helloWorld():
    return "Hello, cross-origin-world!"
Resource specific CORS
Alternatively, a list of resources and associated CORS settings can be supplied to selectively enable CORS support on a set of paths in your app.
Note: this resources parameter can also be set in your application’s config.
from flask import Flask
from flask_cors import CORS

app = Flask(__name__)
cors = CORS(app, resources={r"/api/*": {"origins": "*"}})

@app.route("/api/v1/users")
def list_users():
    return "user example"
Route specific CORS via decorator
This extension also exposes a simple decorator for Flask routes. Add @cross_origin() below a call to Flask’s @app.route(..) incantation to accept the default options and allow CORS on a given route.
from flask_cors import cross_origin

@app.route("/")
@cross_origin()  # allow all origins, all methods
def helloWorld():
    return "Hello, cross-origin-world!"
Options
origins
Default : ‘*’
The origin, or list of origins to allow requests from. The origin(s) may be regular expressions, exact origins, or else an asterisk.
methods
Default : [GET, HEAD, POST, OPTIONS, PUT, PATCH, DELETE]
The method or list of methods which the allowed origins are allowed to access.
headers
Default : None
The header or list of header field names which can be used when this resource is accessed by allowed origins.
expose_headers
Default : None
The header or list of headers which are safe to expose to browsers.
supports_credentials
Default : False
Allows users to make authenticated requests. If true, injects the Access-Control-Allow-Credentials header in responses.
max_age
Default : None
The maximum time for which this CORS request may be cached. This value is set as the Access-Control-Max-Age header.
send_wildcard
Default : True
If True, and the origins parameter is *, a wildcard Access-Control-Allow-Origin header is sent, rather than the request’s Origin header.
always_send
Default : True
If True, CORS headers are sent even if there is no Origin in the request’s headers.
automatic_options
Default : True
If True, CORS headers will be returned for OPTIONS requests. For use with cross domain POST requests which preflight OPTIONS requests, you will need to specifically allow the Content-Type header. Only applicable for use in the decorator.
vary_header
Default : True
If True, the header Vary: Origin will be returned, as suggested by the W3 implementation guidelines. Setting this header when the Access-Control-Allow-Origin is dynamically generated (e.g. when there is more than one allowed origin, and an Origin other than '*' is returned) informs CDNs and other caches that the CORS headers are dynamic and cannot be re-used. If False, the Vary header will never be injected or altered.
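The options above interact, and some combinations are worth catching before deployment. The following check is an added example, not part of Flask-Cors: audit_cors_options, REGEX_HINT and the sample values are hypothetical, and it assumes regex origins are matched from the start of the Origin value as Python's re.match does, which this page does not state.

```python
import re

# Heuristic assumed by this example: an entry containing one of these
# characters is a regular expression; anything else is an exact origin.
REGEX_HINT = re.compile(r"[\\^$*+?()\[\]{}|]")

def audit_cors_options(origins="*", supports_credentials=False,
                       send_wildcard=True, vary_header=True):
    """Return findings for one set of options (defaults as documented above)."""
    entries = [origins] if isinstance(origins, str) else list(origins)
    patterns = [e for e in entries if e != "*" and REGEX_HINT.search(e)]
    findings = []
    if "*" in entries and supports_credentials:
        if send_wildcard:
            findings.append("wildcard-credentials: browsers refuse a "
                            "credentialed response that carries '*'")
        else:
            findings.append("reflected-credentials: the Origin is echoed, so "
                            "any site can make authenticated requests")
    # The header varies per request when several origins can be answered.
    dynamic = len(entries) > 1 or patterns or ("*" in entries and not send_wildcard)
    if dynamic and not vary_header:
        findings.append("no-vary: caches may replay a response generated "
                        "for a different origin")
    for pat in patterns:
        # Assumption: patterns are matched from the start only (re.match).
        if not pat.endswith("$") or pat.endswith(r"\$"):
            findings.append("unanchored: %r accepts trailing text" % pat)
        if re.search(r"(?<!\\)\.(?![*+?])", pat):
            findings.append("loose-dot: %r has an unescaped '.'" % pat)
    return findings

# Constructed option sets; example.com hosts are placeholders.
SAMPLES = {
    "defaults": {},
    "echo+creds": {"supports_credentials": True, "send_wildcard": False},
    "regex": {"origins": [r"https://.*\.example\.com"], "vary_header": False},
    "dots": {"origins": [r"^https://app.example.com$"]},
}

if __name__ == "__main__":
    for name, options in SAMPLES.items():
        print(name, audit_cors_options(**options))
```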
Application-wide options
Alternatively, you can set all parameters except automatic_options in an app’s config object. Setting these at the application level effectively changes the default value for your application, while still allowing you to override it on a per-resource basis, either via the CORS Flask-Extension and regular expressions, or via the @cross_origin() decorator.
The application-wide configuration options are identical to the keyword arguments to cross_origin, creatively prefixed with CORS_:
CORS_ORIGINS
CORS_METHODS
CORS_HEADERS
CORS_EXPOSE_HEADERS
CORS_ALWAYS_SEND
CORS_MAX_AGE
CORS_SEND_WILDCARD
Using JSON with CORS
When using JSON cross origin, browsers will issue a pre-flight OPTIONS request for POST requests. In order for browsers to allow POST requests with a JSON content type, you must allow the Content-Type header. The simplest way to do this is to set the CORS_HEADERS configuration value on your application, e.g.:
app.config['CORS_HEADERS'] = 'Content-Type'
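To see why the Content-Type header must be allowed, the following added example (not code from Flask-Cors) models how a browser evaluates a preflight response before sending a JSON POST. The function name, the origin and the response headers are constructed for illustration.

```python
# Added example: models the browser's preflight decision; not flask-cors code.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language"}
# Content-Type values a browser sends without a preflight.
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}

def _tokens(value):
    """Split a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def preflight_allows(resp, origin, method, req_headers, credentials=False):
    """Return (allowed, reason) for the request that follows the preflight."""
    h = {k.lower(): v for k, v in resp.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin"
    if credentials and acao == "*":
        return False, "wildcard origin with credentials"
    if acao not in ("*", origin):
        return False, "origin mismatch"
    if credentials and h.get("access-control-allow-credentials") != "true":
        return False, "credentials not allowed"
    methods = _tokens(h.get("access-control-allow-methods"))
    if method.upper() not in SAFELISTED_METHODS and method.lower() not in methods:
        return False, "method not allowed"
    allowed = _tokens(h.get("access-control-allow-headers"))
    wildcard = "*" in allowed and not credentials
    for name, value in req_headers.items():
        key = name.lower()
        simple = key in SAFELISTED_HEADERS or (
            key == "content-type"
            and value.split(";")[0].strip().lower() in SIMPLE_CONTENT_TYPES)
        if not (simple or wildcard or key in allowed):
            return False, "header %s not allowed" % name
    return True, "ok"

# Constructed preflight responses; the origin is a placeholder.
ORIGIN = "https://app.example"
JSON_POST = {"Content-Type": "application/json"}
NO_HEADERS = {"Access-Control-Allow-Origin": "*",
              "Access-Control-Allow-Methods": "GET, HEAD, POST, OPTIONS, PUT"}
WITH_CONTENT_TYPE = dict(NO_HEADERS, **{"Access-Control-Allow-Headers": "Content-Type"})

if __name__ == "__main__":
    for resp in (NO_HEADERS, WITH_CONTENT_TYPE):
        print(preflight_allows(resp, ORIGIN, "POST", JSON_POST))
    print(preflight_allows(WITH_CONTENT_TYPE, ORIGIN, "POST", JSON_POST, credentials=True))
```

The third call shows the interaction with supports_credentials: a wildcard Access-Control-Allow-Origin is rejected as soon as the request carries credentials.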
Documentation
For a full list of options, please see the full documentation
Tests
A simple set of tests is included in test/. To run, install nose, and simply invoke nosetests or python setup.py test to exercise the tests.
Contributing
Questions, comments or improvements? Please create an issue on Github, tweet at @wcdolphin or send me an email.
Credits
This Flask extension is based upon the Decorator for the HTTP Access Control written by Armin Ronacher.
Hashes for Flask_Cors-1.10.1-py3-none-any.whl
Hashes for Flask_Cors-1.10.1-py2-none-any.whl