V5: Breaking: Change default to disable private network access (#368)

corydolphin · Aug 30, 2024 · c851476 · c851476
1 parent 561ed26
commit c851476
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 17 deletions.
diff --git a/docs/configuration.rst b/docs/configuration.rst
@@ -54,37 +54,37 @@ CORS_INTERCEPT_EXCEPTIONS (:py:class:`bool`)
    Whether to deal with Flask exception handlers or leave them alone (with respect to CORS headers).
 
 CORS_MAX_AGE (:py:class:`~datetime.timedelta`, :py:class:`int` or :py:class:`str`)
-   The maximum time for which this CORS request may be cached. 
+   The maximum time for which this CORS request may be cached.
    This value is set as the :http:header:`Access-Control-Max-Age` header.
 
 CORS_METHODS (:py:class:`~typing.List` or :py:class:`str`)
    The method(s) which the allowed origins are allowed to access.
    These are included in the :http:header:`Access-Control-Allow-Methods` response headers to the preflight OPTIONS requests.
-   
+
 .. _cors_origins_setting:
 
 CORS_ORIGINS (:py:class:`~typing.List`, :py:class:`str` or :py:class:`re.Pattern`)
    The origin(s) to allow requests from.
    An origin configured here that matches the value of the :http:header:`Origin` header in a preflight OPTIONS request is returned as the value of the :http:header:`Access-Control-Allow-Origin` response header.
 
 CORS_RESOURCES (:py:class:`~typing.Dict`, :py:class:`~typing.List` or :py:class:`str`)
-   The series of regular expression and (optionally) associated CORS options to be applied to the given resource path.                       
-   
+   The series of regular expression and (optionally) associated CORS options to be applied to the given resource path.
+
    If the value is a dictionary, it's keys must be regular expressions matching resources, and the values must be another dictionary of configuration options, as described in this section.
-   
-   If the argument is a list, it is expected to be a list of regular expressions matching resources for which the app-wide configured options are applied.     
-   
-   If the argument is a string, it is expected to be a regular expression matching resources for which the app-wide configured options are applied.        
+
+   If the argument is a list, it is expected to be a list of regular expressions matching resources for which the app-wide configured options are applied.
+
+   If the argument is a string, it is expected to be a regular expression matching resources for which the app-wide configured options are applied.
 
 CORS_SEND_WILDCARD (:py:class:`bool`)
    If :ref:`CORS_ORIGINS <cors_origins_setting>` is ``"*"`` and this is true, then the :http:header:`Access-Control-Allow-Origin` response header's value with be ``"*"`` as well, instead of the value of the :http:header:`Origin` request header.
 
 CORS_SUPPORTS_CREDENTIALS (:py:class:`bool`)
-   Allows users to make authenticated requests. 
-   If true, injects the :http:header:`Access-Control-Allow-Credentials` header in responses. 
-   This allows cookies and credentials to be submitted across domains.                 
-   
-   :note: This option cannot be used in conjunction with a "*" origin  
+   Allows users to make authenticated requests.
+   If true, injects the :http:header:`Access-Control-Allow-Credentials` header in responses.
+   This allows cookies and credentials to be submitted across domains.
+
+   :note: This option cannot be used in conjunction with a "*" origin
 
 CORS_VARY_HEADER: (:py:class:`bool`)
    Enables or disables the injection of the :http:header:`Vary` response header is set to ``Origin``.
@@ -96,7 +96,7 @@ Default values
 ~~~~~~~~~~~~~~
 
 * CORS_ALLOW_HEADERS: "*"
-* CORS_ALLOW_PRIVATE_NETWORK: True
+* CORS_ALLOW_PRIVATE_NETWORK: False
 * CORS_ALWAYS_SEND: True
 * CORS_AUTOMATIC_OPTIONS: True
 * CORS_EXPOSE_HEADERS: None

diff --git a/flask_cors/core.py b/flask_cors/core.py
@@ -57,7 +57,7 @@
                        resources=r'/*',
                        intercept_exceptions=True,
                        always_send=True,
-                       allow_private_network=True)
+                       allow_private_network=False)
 
 
 def parse_resources(resources):

diff --git a/flask_cors/version.py b/flask_cors/version.py
@@ -1 +1 @@
-__version__ = '4.0.2'
+__version__ = '5.0.0'
diff --git a/tests/decorator/test_private_network_headers.py b/tests/decorator/test_private_network_headers.py
@@ -37,7 +37,7 @@ def test_default(self):
         """ The default behavior should be to allow private network access.
         """
         resp = self.get('/test_default', origin='www.example.com', headers={ACL_REQUEST_HEADER_PRIVATE_NETWORK:'true'})
-        self.assertTrue(ACL_RESPONSE_PRIVATE_NETWORK in resp.headers)
+        self.assertFalse(resp.headers.get('ACL_RESPONSE_PRIVATE_NETWORK'))
 
         resp = self.get('/test_default')
         self.assertFalse(ACL_RESPONSE_PRIVATE_NETWORK in resp.headers)