Skip to main content

ASGI middleware for applying CORS headers to an ASGI application

Project description

asgi-cors

PyPI CircleCI License

ASGI middleware for applying CORS headers to an ASGI application.

Installation

pip install asgi-cors

Some background on CORS

CORS stands for Cross-Origin Resource Sharing. It is a web standard that allows applications to opt-in to allowing JavaScript running on other domains to make fetch() calls that can retrieve data from the application.

See MDN's CORS article for more background.

The easiest way to allow scripts running on other domains to access data from an application is to add the following HTTP header:

Access-Control-Allow-Origin: *

This will allow scripts running on ANY domain to make fetch() calls against the application. For public data this is often fine, but there are situations where this may not be what you want to do: one example might be code that runs behind a VPN and needs to allow specific, trusted hosts to load data without opening itself up to every site on the internet.

For these cases, the server needs to inspect the Origin header from the client and return that Origin in the above header. For example, an incoming request from http://localhost:8000 might be judged as trusted - in which case the application server needs to reply like so:

Access-Control-Allow-Origin: http://localhost:8000

Note that the Access-Control-Allow-Origin header can only return a single value. This means that if you want to allow requests from multiple origins you need to dynamically whitelist those origins and return a different header value depending on the incoming request.

How to use this middleware

We will assume you have an existing ASGI app, in a variable called app.

First, import the asgi_cors function:

from asgi_cors import asgi_cors

To enable CORS headers for everywhere (by adding the Access-Control-Allow-Origin: * header to every request), do this:

app = asgi_cors(app, allow_all=True)

If you wish to only allow it from a specific host, use the following:

app = asgi_cors(app, hosts=[
    "https://www.example.com"
])

Now JavaScript executing on https://www.example.com will be able to call your API. You can test this out by opening up example.com in your browser, opening your browser's devtools console and pasting in the following JavaScript:

fetch("https://your-api.com/").then(r => r.json()).then(d => console.log(d))

You can include multiple hosts in the list.

Finally, if you want to open your application up to requests from a wildcard-defined selection of hosts, use the following:

app = asgi_cors(app, host_wildcards=[
    "http://localhost:800*",
    "http://*.example.com"
])

This will enable access from any JavaScript running on a local host server on ports 8000 through 8009 - or from any subdomain of example.com.

Using the middleware as a decorator

If you are defining your ASGI application directly as a function, you can use the asgi_cors_decorator function decorator like so:

from asgi_cors import asgi_cors_decorator


@asgi_cors_decorator(allow_all=True)
async def my_asgi_app(scope, recieve, send):
    # Your app goes here

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

asgi_cors-0.2-py3-none-any.whl (3.4 kB view details)

Uploaded Python 3

File details

Details for the file asgi_cors-0.2-py3-none-any.whl.

File metadata

  • Download URL: asgi_cors-0.2-py3-none-any.whl
  • Upload date:
  • Size: 3.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.21.0 setuptools/40.6.2 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.6.8

File hashes

Hashes for asgi_cors-0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 d1379842866bb7c48ec558094b59707e4ae717158ad279ca23daa5e22420d566
MD5 e72e1d25cddac443816da46914f01994
BLAKE2b-256 a233925b88e68aeab74130b1771fd802887caee587d0361865855023052ea862

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page