From e3cd47d0e297a7a5a73cd4921eec865920d2cccd Mon Sep 17 00:00:00 2001
From: Rodrigo Chacon
Date: Thu, 31 Jan 2013 02:43:42 -0200
Subject: [PATCH] Use header Origin in response headers when available

Since the RFC [1] doesn't allow wildcards for credentialed requests, add the requested Origin into the response headers.

[1] https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS#Requests_with_credentials
---
 httpbin/core.py | 3 ++-
 test_httpbin.py | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/httpbin/core.py b/httpbin/core.py
index 4bbad50..14a2df2 100644
--- a/httpbin/core.py
+++ b/httpbin/core.py
@@ -43,7 +43,8 @@ sentry = Sentry(app)
 # -----------
 @app.after_request
 def set_cors_headers(response):
-    response.headers['Access-Control-Allow-Origin'] = '*'
+    response.headers['Access-Control-Allow-Origin'] = request.headers.get('Origin', '*')
+
     if request.method == 'OPTIONS':
         response.headers['Access-Control-Allow-Credentials'] = 'true'
         response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, PATCH, OPTIONS'
diff --git a/test_httpbin.py b/test_httpbin.py
index 1924179..4287270 100755
--- a/test_httpbin.py
+++ b/test_httpbin.py
@@ -45,6 +45,10 @@ class HttpbinTestCase(unittest.TestCase):
         response = self.app.get('/get')
         self.assertEquals(response.headers.get('Access-Control-Allow-Origin'), '*')
 
+    def test_set_cors_headers_after_request_with_request_origin(self):
+        response = self.app.get('/get', headers={'Origin': 'origin'})
+        self.assertEquals(response.headers.get('Access-Control-Allow-Origin'), 'origin')
+
     def test_set_cors_headers_with_options_verb(self):
         response = self.app.open('/get', method='OPTIONS')
         self.assertEquals(response.headers.get('Access-Control-Allow-Origin'), '*')
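Review bot: Echoing the request's Origin header verbatim on the first added line of the core.py hunk, together with the `Access-Control-Allow-Credentials: true` context line just below it, gives every origin credentialed cross-origin access to the response, which is exactly the outcome the cited rule against `*` with credentials exists to prevent. If that is intended because httpbin is a public test service, record the decision next to the assignment, e.g. `# Deliberately reflects any Origin: httpbin is a test service with no protected user state`; otherwise compare the Origin against an allowlist before echoing it. Because the response now depends on a request header, also add `response.headers.add('Vary', 'Origin')` after the assignment so a shared cache does not serve one origin's header to another. The Allow-Credentials header is only emitted in the OPTIONS branch, so a credentialed non-preflight request still gets no such header; that is pre-existing behaviour, but the commit message suggests it was meant to be covered. set_cors_headers continues past the end of the hunk.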
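Review bot: The new test in the test_httpbin.py hunk sends `'origin'`, which is not an origin-shaped value, and it only exercises a plain GET, whereas the commit message motivates the change with credentialed (preflighted) requests. A second case such as `response = self.app.open('/get', method='OPTIONS', headers={'Origin': 'http://example.com'})` followed by `self.assertEquals(response.headers.get('Access-Control-Allow-Origin'), 'http://example.com')` and `self.assertEquals(response.headers.get('Access-Control-Allow-Credentials'), 'true')` would pin the behaviour the commit actually describes. Using a scheme-plus-host value in the existing test as well would make it read as a real Origin. The enclosing HttpbinTestCase class starts and ends outside the hunk.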