diff --git a/docs/configuration.rst b/docs/configuration.rst index 91282d3..c750cf4 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -23,6 +23,19 @@ CORS_ALLOW_HEADERS (:py:class:`~typing.List` or :py:class:`str`) Headers to accept from the client. Headers in the :http:header:`Access-Control-Request-Headers` request header (usually part of the preflight OPTIONS request) matching headers in this list will be included in the :http:header:`Access-Control-Allow-Headers` response header. +CORS_ALLOW_PRIVATE_NETWORK (:py:class:`bool`) + If True, the response header :http:header:`Access-Control-Allow-Private-Network` + will be set with the value 'true' whenever the request header + :http:header:`Access-Control-Request-Private-Network` has a value 'true'. + + If False, the reponse header :http:header:`Access-Control-Allow-Private-Network` + will be set with the value 'false' whenever the request header + :http:header:`Access-Control-Request-Private-Network` has a value of 'true'. + + If the request header :http:header:`Access-Control-Request-Private-Network` is + not present or has a value other than 'true', the response header + :http:header:`Access-Control-Allow-Private-Network` will not be set. + CORS_ALWAYS_SEND (:py:class:`bool`) Usually, if a request doesn't include an :http:header:`Origin` header, the client did not request CORS. This means we can ignore this request. @@ -83,6 +96,7 @@ Default values ~~~~~~~~~~~~~~ * CORS_ALLOW_HEADERS: "*" +* CORS_ALLOW_PRIVATE_NETWORK: True * CORS_ALWAYS_SEND: True * CORS_AUTOMATIC_OPTIONS: True * CORS_EXPOSE_HEADERS: None diff --git a/flask_cors/core.py b/flask_cors/core.py index 5358036..bd011f4 100644 --- a/flask_cors/core.py +++ b/flask_cors/core.py 
@@ -36,7 +36,7 @@ 'CORS_MAX_AGE', 'CORS_SEND_WILDCARD', 'CORS_AUTOMATIC_OPTIONS', 'CORS_VARY_HEADER', 'CORS_RESOURCES', 'CORS_INTERCEPT_EXCEPTIONS', - 'CORS_ALWAYS_SEND'] + 'CORS_ALWAYS_SEND', 'CORS_ALLOW_PRIVATE_NETWORK'] # Attribute added to request object by decorator to indicate that CORS # was evaluated, in case the decorator and extension are both applied # to a view. @@ -56,7 +56,8 @@ vary_header=True, resources=r'/*', intercept_exceptions=True, - always_send=True) + always_send=True, + allow_private_network=True) def parse_resources(resources): @@ -186,7 +187,8 @@ def get_cors_headers(options, request_headers, request_method): if ACL_REQUEST_HEADER_PRIVATE_NETWORK in request_headers \ and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true': - headers[ACL_RESPONSE_PRIVATE_NETWORK] = 'true' + allow_private_network = 'true' if options.get('allow_private_network') else 'false' + headers[ACL_RESPONSE_PRIVATE_NETWORK] = allow_private_network # This is a preflight request # http://www.w3.org/TR/cors/#resource-preflight-requests diff --git a/flask_cors/extension.py b/flask_cors/extension.py index 6361dcc..abf5caf 100644 --- a/flask_cors/extension.py +++ b/flask_cors/extension.py 
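Review bot: `allow_private_network=True` in the DEFAULT_OPTIONS hunk keeps the permissive behaviour as the default. Any app that never sets the option will still answer a Private Network Access preflight with `Access-Control-Allow-Private-Network: true`. For a service on an internal or loopback address, that lets pages from a less-private network reach it from the browser, limited only by whatever origin policy is configured elsewhere (not visible in this hunk). A fail-closed default would be `allow_private_network=False`, with the "Default values" list in docs/configuration.rst changed to match. If True has to stay for compatibility, the docs should say so explicitly so operators know to turn it off. DEFAULT_OPTIONS begins outside the hunk.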
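Review bot: The new expression in get_cors_headers decides by truthiness, so any non-empty value produces `Access-Control-Allow-Private-Network: true`; that includes a string such as 'false' or '0' arriving from an environment-driven config. Comparing against the boolean keeps the grant explicit: `headers[ACL_RESPONSE_PRIVATE_NETWORK] = 'true' if options.get('allow_private_network') is True else 'false'`. That form also removes the local `allow_private_network`, which holds a header string while sharing the name of the boolean option. No test for the False path is visible in this part of the diff; one asserting the header value 'false' would pin the behaviour. The function starts and ends outside the hunk.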
@@ -138,6 +138,22 @@ class CORS(object): Default : True :type vary_header: bool + + :param allow_private_network: + If True, the response header `Access-Control-Allow-Private-Network` + will be set with the value 'true' whenever the request header + `Access-Control-Request-Private-Network` has a value 'true'. + + If False, the reponse header `Access-Control-Allow-Private-Network` + will be set with the value 'false' whenever the request header + `Access-Control-Request-Private-Network` has a value of 'true'. + + If the request header `Access-Control-Request-Private-Network` is + not present or has a value other than 'true', the response header + `Access-Control-Allow-Private-Network` will not be set. + + Default : True + :type allow_private_network: bool """ def __init__(self, app=None, **kwargs): diff --git a/flask_cors/version.py b/flask_cors/version.py index 1a3bef5..4391764 100644 --- a/flask_cors/version.py +++ b/flask_cors/version.py @@ -1 +1 @@ -__version__ = '4.0.1' +__version__ = '4.0.2'
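Review bot: The added `allow_private_network` docstring explains the header mechanics but not what granting the permission means for whoever deploys the app. Its second paragraph also misspells 'response' as 'reponse'; the same text and typo appear in the docs/configuration.rst hunk. I would add one sentence such as `Set this to False unless browsers on other networks are meant to reach this app on a private or loopback address.` so that the default is a conscious choice. The CORS class docstring begins outside the hunk.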