V5: Breaking: Change default to disable private network access
corydolphin committed Aug 30, 2024
1 parent 561ed26 commit d8808aa
Showing 4 changed files with 18 additions and 19 deletions.
28 changes: 14 additions & 14 deletions docs/configuration.rst
@@ -54,37 +54,37 @@ CORS_INTERCEPT_EXCEPTIONS (:py:class:`bool`)
Whether to deal with Flask exception handlers or leave them alone (with respect to CORS headers).

CORS_MAX_AGE (:py:class:`~datetime.timedelta`, :py:class:`int` or :py:class:`str`)
The maximum time for which this CORS request may be cached.
The maximum time for which this CORS request may be cached.
This value is set as the :http:header:`Access-Control-Max-Age` header.

CORS_METHODS (:py:class:`~typing.List` or :py:class:`str`)
The method(s) which the allowed origins are allowed to access.
These are included in the :http:header:`Access-Control-Allow-Methods` response headers to the preflight OPTIONS requests.

.. _cors_origins_setting:

CORS_ORIGINS (:py:class:`~typing.List`, :py:class:`str` or :py:class:`re.Pattern`)
The origin(s) to allow requests from.
An origin configured here that matches the value of the :http:header:`Origin` header in a preflight OPTIONS request is returned as the value of the :http:header:`Access-Control-Allow-Origin` response header.

CORS_RESOURCES (:py:class:`~typing.Dict`, :py:class:`~typing.List` or :py:class:`str`)
The series of regular expression and (optionally) associated CORS options to be applied to the given resource path.
The series of regular expression and (optionally) associated CORS options to be applied to the given resource path.

If the value is a dictionary, it's keys must be regular expressions matching resources, and the values must be another dictionary of configuration options, as described in this section.
If the argument is a list, it is expected to be a list of regular expressions matching resources for which the app-wide configured options are applied.
If the argument is a string, it is expected to be a regular expression matching resources for which the app-wide configured options are applied.

If the argument is a list, it is expected to be a list of regular expressions matching resources for which the app-wide configured options are applied.

If the argument is a string, it is expected to be a regular expression matching resources for which the app-wide configured options are applied.

CORS_SEND_WILDCARD (:py:class:`bool`)
If :ref:`CORS_ORIGINS <cors_origins_setting>` is ``"*"`` and this is true, then the :http:header:`Access-Control-Allow-Origin` response header's value with be ``"*"`` as well, instead of the value of the :http:header:`Origin` request header.

CORS_SUPPORTS_CREDENTIALS (:py:class:`bool`)
Allows users to make authenticated requests.
If true, injects the :http:header:`Access-Control-Allow-Credentials` header in responses.
This allows cookies and credentials to be submitted across domains.
:note: This option cannot be used in conjunction with a "*" origin
Allows users to make authenticated requests.
If true, injects the :http:header:`Access-Control-Allow-Credentials` header in responses.
This allows cookies and credentials to be submitted across domains.

:note: This option cannot be used in conjunction with a "*" origin

CORS_VARY_HEADER: (:py:class:`bool`)
Enables or disables the injection of the :http:header:`Vary` response header is set to ``Origin``.
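Review bot: The hunk reflows the option descriptions but does not document the option whose default this commit changes; a `CORS_ALLOW_PRIVATE_NETWORK (:py:class:`bool`)` entry belongs in this list, stating that it controls the `Access-Control-Allow-Private-Network` response header sent in reply to a preflight carrying `Access-Control-Request-Private-Network: true`, and that it now defaults to False so a service is not opted into being reachable from public-origin pages unless explicitly configured. While touching these lines, fix the two typos that survive the reflow: "it's keys must be regular expressions" should read "its keys", and "response header's value with be ``"*"``" should read "will be". The unchanged `CORS_VARY_HEADER: (:py:class:`bool`)` entry has a stray colon after the option name and the sentence "Enables or disables the injection of the :http:header:`Vary` response header is set to ``Origin``" is ungrammatical; "Enables or disables injection of the :http:header:`Vary` response header, set to ``Origin``" would read correctly.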
@@ -96,7 +96,7 @@ Default values
~~~~~~~~~~~~~~

* CORS_ALLOW_HEADERS: "*"
* CORS_ALLOW_PRIVATE_NETWORK: True
* CORS_ALLOW_PRIVATE_NETWORK: False
* CORS_ALWAYS_SEND: True
* CORS_AUTOMATIC_OPTIONS: True
* CORS_EXPOSE_HEADERS: None
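Review bot: Flipping the documented default to `CORS_ALLOW_PRIVATE_NETWORK: False` is the right direction, but a one-line default change is easy to miss for anyone upgrading; since the commit message itself labels this as breaking, add a short note in the docs (or a changelog entry for 5.0.0) saying that Private Network Access is now denied unless `allow_private_network=True` is set, so deployments that relied on the old permissive default know to opt in deliberately rather than discovering it as a broken preflight.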
5 changes: 2 additions & 3 deletions flask_cors/core.py
@@ -57,7 +57,7 @@
resources=r'/*',
intercept_exceptions=True,
always_send=True,
allow_private_network=True)
allow_private_network=False)


def parse_resources(resources):
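Review bot: Changing `allow_private_network=False` in the default options keeps the code in step with the documented default, which is the correct secure-by-default choice: a Flask app should not announce itself as reachable from public web origins on a private network unless the operator asks for it. No further change needed in this hunk; just make sure the default is also reflected anywhere the decorator-level defaults are derived from these options so the two entry points cannot disagree.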
@@ -185,8 +185,7 @@ def get_cors_headers(options, request_headers, request_method):
if options.get('supports_credentials'):
headers[ACL_CREDENTIALS] = 'true' # case sensitive

if ACL_REQUEST_HEADER_PRIVATE_NETWORK in request_headers \
and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true':
if request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true':
allow_private_network = 'true' if options.get('allow_private_network') else 'false'
headers[ACL_RESPONSE_PRIVATE_NETWORK] = allow_private_network

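Review bot: The simplified condition `if request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true':` is equivalent to the removed two-clause form, since `.get()` returns None when the header is absent, so this is a safe cleanup. Note the resulting behaviour under the new default: a preflight that carries `Access-Control-Request-Private-Network: true` now receives an explicit `Access-Control-Allow-Private-Network: false` rather than `true`, which browsers treat as a denial, while requests without the request header get no response header at all. The exact-match comparison against the string `'true'` is deliberate and should stay exact; any looser or case-insensitive match would widen what counts as an opt-in.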
2 changes: 1 addition & 1 deletion flask_cors/version.py
@@ -1 +1 @@
__version__ = '4.0.2'
__version__ = '5.0.0'
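Review bot: A major bump from '4.0.2' to '5.0.0' is the appropriate signal for a changed security default, so downstream pin ranges such as `<5` will not pick it up silently; pair it with a release note that names the changed default.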
2 changes: 1 addition & 1 deletion tests/decorator/test_private_network_headers.py
@@ -37,7 +37,7 @@ def test_default(self):
""" The default behavior should be to allow private network access.
"""
resp = self.get('/test_default', origin='www.example.com', headers={ACL_REQUEST_HEADER_PRIVATE_NETWORK:'true'})
self.assertTrue(ACL_RESPONSE_PRIVATE_NETWORK in resp.headers)
self.assertFalse(resp.headers.get('ACL_RESPONSE_PRIVATE_NETWORK'))

resp = self.get('/test_default')
self.assertFalse(ACL_RESPONSE_PRIVATE_NETWORK in resp.headers)
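Review bot: The new assertion `self.assertFalse(resp.headers.get('ACL_RESPONSE_PRIVATE_NETWORK'))` passes the constant's name as a string literal, so it looks up a header literally called "ACL_RESPONSE_PRIVATE_NETWORK", which never exists; the assertion therefore passes vacuously and would not catch a regression back to the permissive default. Since core.py now sets the header to the string 'false' rather than omitting it, the check should use the constant and the exact expected value, e.g. `self.assertEqual(resp.headers.get(ACL_RESPONSE_PRIVATE_NETWORK), 'false')`. The docstring on the unchanged context line, "The default behavior should be to allow private network access.", also now states the opposite of what the test asserts and should be updated to say the default denies it.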

0 comments on commit d8808aa