I noticed when setting `allow_credentials` to true, the server always responds with the header `access-control-allow-credentials: true`:
e.g. config:
```python
from starlette.applications import Starlette
from starlette.middleware.cors import CORSMiddleware

app = Starlette()
app.add_middleware(
    CORSMiddleware,
    allow_origins=["localhost:9999"],  # Allows only specified origins
    allow_credentials=True,  # Allows sending cookies or auth headers with cross-origin requests
    allow_methods=["GET", "POST"],  # Restrict methods
    allow_headers=[],  # Restrict headers
    max_age=3600,  # Sets how long the results of a preflight request can be cached
)
```
Then when executing the following request:
```http
GET / HTTP/1.1
Host: localhost:9999
Origin: localhost:9999
```
The server would respond with both HTTP headers as expected:
```http
HTTP/1.1 404 Not Found
access-control-allow-credentials: true
access-control-allow-origin: localhost:9999
vary: Origin

{"detail":"Not Found"}
```
And when a wrong origin is provided:
```http
GET / HTTP/1.1
Host: localhost:9999
Origin: localhost:1111
```
The server still responds with the credentials header but not the origin header:
```http
HTTP/1.1 404 Not Found
access-control-allow-credentials: true

{"detail":"Not Found"}
```
Now according to the browser specifications, as long as there is no `access-control-allow-origin` header, it will also not process that credentials header. So that's really good and makes sure this is not a security issue.
However, I think it's misleading and would prefer that the CORSMiddleware only return that credentials header when the Origin is valid. Unless there is some obscure reason why you would still want to send that credentials header.
This discussion was converted from issue #2560 on April 02, 2024 09:02.
Relevant code:
https://github.com/encode/starlette/blob/master/starlette/middleware/cors.py#L41:L42
Which should probably be moved to a location where it validates the origin.
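As an added illustration (not Starlette's own code and not part of the original post), the stdlib-only model below contrasts the response-header logic observed above with the behaviour the post proposes, and adds a small response check for the "credentials header without origin header" pattern. The function names, and the `allow_origins` / `allow_credentials` parameters mirroring the config above, are this example's own assumptions.

```python
# Added example, not Starlette's implementation: a minimal model of the
# non-preflight CORS response-header logic described in the discussion.
# Function names and argument shapes are this example's own.
from typing import Dict, List, Optional


def _origin_allowed(origin: str, allow_origins: List[str]) -> bool:
    """Exact-match allow-list check, with '*' as a wildcard."""
    return "*" in allow_origins or origin in allow_origins


def observed_headers(origin: Optional[str], allow_origins: List[str],
                     allow_credentials: bool) -> Dict[str, str]:
    """Behaviour reported above: the credentials header is emitted
    unconditionally, the origin header only after validation."""
    headers: Dict[str, str] = {}
    if allow_credentials:
        headers["access-control-allow-credentials"] = "true"
    if origin is not None and _origin_allowed(origin, allow_origins):
        # Echo the specific Origin: browsers reject '*' together with credentials.
        headers["access-control-allow-origin"] = origin
        headers["vary"] = "Origin"
    return headers


def proposed_headers(origin: Optional[str], allow_origins: List[str],
                     allow_credentials: bool) -> Dict[str, str]:
    """Proposal from the post: no validated origin means no CORS headers at all."""
    headers: Dict[str, str] = {}
    if origin is None or not _origin_allowed(origin, allow_origins):
        return headers
    headers["access-control-allow-origin"] = origin
    headers["vary"] = "Origin"
    if allow_credentials:
        headers["access-control-allow-credentials"] = "true"
    return headers


def credentials_without_origin(headers: Dict[str, str]) -> bool:
    """Response check for the misleading pattern: credentials header present
    while the origin header is absent. The browser ignores the stray header,
    so this is a hygiene finding rather than a vulnerability."""
    lower = {k.lower(): v for k, v in headers.items()}
    return (lower.get("access-control-allow-credentials") == "true"
            and "access-control-allow-origin" not in lower)
```

Running `observed_headers("localhost:1111", ["localhost:9999"], True)` reproduces the second response above (credentials header only), while `proposed_headers` returns no CORS headers for that request.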