A Flask extension adding a decorator for CORS support

Project description


|Build Status| |Latest Version| |Downloads| |Supported Python versions|

A Flask extension for handling Cross Origin Resource Sharing (CORS),
making cross-origin AJAX possible.


Install the extension using pip or easy\_install.

.. code:: bash

    $ pip install -U flask-cors


This extension enables CORS support either via a decorator, or a Flask
extension. There are three examples shown in the
`examples <>`__
directory, showing the major use cases. The suggested configuration is
`simple\ <>`__,
or the
`app\ <>`__.

Simple Usage

In the simplest case, initialize the Flask-Cors extension with default
arguments in order to allow CORS on all routes.

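.. code:: python

    from flask import Flask
    from flask_cors import CORS

    app = Flask(__name__)
    cors = CORS(app)  # default arguments: CORS on every route

    @app.route("/")
    def helloWorld():
        return "Hello, cross-origin-world!"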

Resource specific CORS

Alternatively, a list of resources and associated settings for CORS can
be supplied, selectively enables CORS support on a set of paths on your

Note: this resources parameter can also be set in your application's

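.. code:: python

    from flask import Flask
    from flask_cors import CORS

    app = Flask(__name__)
    # Only paths matching /api/* receive CORS headers.
    cors = CORS(app, resources={r"/api/*": {"origins": "*"}})

    @app.route("/api/v1/users")
    def list_users():
        return "user example"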

Route specific CORS via decorator

This extension also exposes a simple decorator to decorate Flask routes
with. Simply add ``@cross_origin()`` below a call to Flask's
``@app.route(..)`` incantation to accept the default options and allow
CORS on a given route.

.. code:: python

    from flask_cors import cross_origin

    @app.route("/")
    @cross_origin() # allow all origins all methods.
    def helloWorld():
        return "Hello, cross-origin-world!"



Default : '\*'

The origin, or list of origins to allow requests from. The origin(s) may
be regular expressions, exact origins, or else an asterisk.



The method or list of methods which the allowed origins are allowed to


Default : None

The header or list of header field names which can be used when this
resource is accessed by allowed origins.


Default : None

The header or list of headers which are safe to expose to browsers.


Default : False

Allows users to make authenticated requests. If true, injects the
``Access-Control-Allow-Credentials`` header in responses.


Default : None

The maximum time for which this CORS request may be cached. This value is
set as the ``Access-Control-Max-Age`` header.


Default : True

If True, and the origins parameter is ``*``, a wildcard
``Access-Control-Allow-Origin`` header is sent, rather than the
request's ``Origin`` header.


Default : True

If True, CORS headers are sent even if there is no ``Origin`` in the
request's headers.


Default : True

| If True, CORS headers will be returned for OPTIONS requests. For use
  with cross domain POST requests which preflight OPTIONS requests, you
  will need to specifically allow the Content-Type header.
| **Only applicable for use in the decorator**


Default : True

If True, the header ``Vary: Origin`` will be returned as per suggestion by
the W3 implementation guidelines. Setting this header when the
``Access-Control-Allow-Origin`` is dynamically generated (e.g. when
there is more than one allowed origin, and an Origin other than '\*' is
returned) informs CDNs and other caches that the CORS headers are
dynamic, and cannot be re-used. If False, the Vary header will never be
injected or altered.
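A simplified model of the header decisions the option descriptions above imply, added here as an example; it is not Flask-Cors's own code. Keyword names follow the ``cross_origin`` arguments; the assumptions are that plain strings are compared exactly, regular expressions are passed pre-compiled and must match the whole ``Origin``, and the origins in ``STRICT`` and ``RISKY`` are constructed.

```python
import re

def origin_allowed(request_origin, origins):
    """Asterisk, exact string, or compiled regex (model assumption: plain
    strings are compared exactly and regexes must match the whole Origin)."""
    if origins == "*":
        return True
    candidates = origins if isinstance(origins, (list, tuple)) else [origins]
    return any(c.fullmatch(request_origin) if isinstance(c, re.Pattern)
               else c == request_origin for c in candidates)

def cors_headers(request_origin, origins="*", supports_credentials=False,
                 send_wildcard=True, vary_header=True, max_age=None):
    """Response headers for a request that carries an Origin header."""
    if not origin_allowed(request_origin, origins):
        return {}
    headers = {}
    if origins == "*" and send_wildcard:
        headers["Access-Control-Allow-Origin"] = "*"
    else:
        # Dynamic value: echo the Origin and tell caches it varies.
        headers["Access-Control-Allow-Origin"] = request_origin
        if vary_header:
            headers["Vary"] = "Origin"
    if supports_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if max_age is not None:
        headers["Access-Control-Max-Age"] = str(max_age)
    return headers

def audit(origins="*", supports_credentials=False, send_wildcard=True,
          vary_header=True, **_):
    """Codes for option combinations a reviewer should question."""
    static_wildcard = origins == "*" and send_wildcard
    findings = []
    if static_wildcard and supports_credentials:
        findings.append("wildcard-with-credentials")   # browsers refuse '*' on credentialed requests
    if origins == "*" and not send_wildcard and supports_credentials:
        findings.append("any-origin-with-credentials")  # every site can read authenticated responses
    if not static_wildcard and not vary_header:
        findings.append("dynamic-origin-without-vary")  # caches may reuse another origin's headers
    return findings

# Constructed sample configurations (hypothetical origins).
STRICT = dict(origins=["https://app.example.com",
                       re.compile(r"https://[a-z0-9-]+\.example\.org")],
              supports_credentials=True, max_age=600)
RISKY = dict(origins="*", supports_credentials=True, send_wildcard=False, vary_header=False)
```

Running ``audit`` over the keyword arguments you pass to ``CORS`` or ``cross_origin`` in review catches the credentialed-wildcard and missing-``Vary`` combinations before they reach a browser or a shared cache.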

Application-wide options

Alternatively, you can set all parameters **except automatic\_options**
in an app's config object. Setting these at the application level
effectively changes the default value for your application, while still
allowing you to override it on a per-resource basis, either via the CORS
Flask-Extension and regular expressions, or via the ``@cross_origin()``

The application-wide configuration options are identical to the keyword
arguments to ``cross_origin``, creatively prefixed with ``CORS_``


Using JSON with CORS

When using JSON cross origin, browsers will issue a pre-flight OPTIONS
request for POST requests. In order for browsers to allow POST requests
with a JSON content type, you must allow the Content-Type header. The
simplest way to do this is to set the CORS\_HEADERS configuration
value on your application, e.g.:

.. code:: python

    app.config['CORS_HEADERS'] = 'Content-Type'


For a full list of options, please see the full
`documentation <>`__


A simple set of tests is included in ``test/``. To run, install nose,
and simply invoke ``nosetests`` or ``python test`` to exercise
the tests.


Questions, comments or improvements? Please create an issue on
`Github <>`__, tweet at
`@wcdolphin <>`__ or send me an email.


This Flask extension is based upon the `Decorator for the HTTP Access
Control <>`__ written by Armin

.. |Build Status| image::
.. |Latest Version| image::
.. |Downloads| image::
.. |Supported Python versions| image::
.. |License| image::

Download files

Source Distribution

Flask-Cors-1.7.4.tar.gz (15.3 kB)

Built Distributions

Flask_Cors-1.7.4-py3-none-any.whl (10.0 kB)

Flask_Cors-1.7.4-py2-none-any.whl (10.0 kB)