V5: Breaking: Change default to disable private network access #368

Merged
merged 1 commit into from
Aug 30, 2024
28 changes: 14 additions & 14 deletions docs/configuration.rst
Expand Up @@ -54,37 +54,37 @@ CORS_INTERCEPT_EXCEPTIONS (:py:class:`bool`)
Whether to deal with Flask exception handlers or leave them alone (with respect to CORS headers).

CORS_MAX_AGE (:py:class:`~datetime.timedelta`, :py:class:`int` or :py:class:`str`)
The maximum time for which this CORS request may be cached.
The maximum time for which this CORS request may be cached.
This value is set as the :http:header:`Access-Control-Max-Age` header.

CORS_METHODS (:py:class:`~typing.List` or :py:class:`str`)
The method(s) which the allowed origins are allowed to access.
These are included in the :http:header:`Access-Control-Allow-Methods` response headers to the preflight OPTIONS requests.

.. _cors_origins_setting:

CORS_ORIGINS (:py:class:`~typing.List`, :py:class:`str` or :py:class:`re.Pattern`)
The origin(s) to allow requests from.
An origin configured here that matches the value of the :http:header:`Origin` header in a preflight OPTIONS request is returned as the value of the :http:header:`Access-Control-Allow-Origin` response header.

CORS_RESOURCES (:py:class:`~typing.Dict`, :py:class:`~typing.List` or :py:class:`str`)
The series of regular expression and (optionally) associated CORS options to be applied to the given resource path.
The series of regular expression and (optionally) associated CORS options to be applied to the given resource path.

If the value is a dictionary, it's keys must be regular expressions matching resources, and the values must be another dictionary of configuration options, as described in this section.
If the argument is a list, it is expected to be a list of regular expressions matching resources for which the app-wide configured options are applied.
If the argument is a string, it is expected to be a regular expression matching resources for which the app-wide configured options are applied.

If the argument is a list, it is expected to be a list of regular expressions matching resources for which the app-wide configured options are applied.

If the argument is a string, it is expected to be a regular expression matching resources for which the app-wide configured options are applied.

CORS_SEND_WILDCARD (:py:class:`bool`)
If :ref:`CORS_ORIGINS <cors_origins_setting>` is ``"*"`` and this is true, then the :http:header:`Access-Control-Allow-Origin` response header's value with be ``"*"`` as well, instead of the value of the :http:header:`Origin` request header.

CORS_SUPPORTS_CREDENTIALS (:py:class:`bool`)
Allows users to make authenticated requests.
If true, injects the :http:header:`Access-Control-Allow-Credentials` header in responses.
This allows cookies and credentials to be submitted across domains.
:note: This option cannot be used in conjunction with a "*" origin
Allows users to make authenticated requests.
If true, injects the :http:header:`Access-Control-Allow-Credentials` header in responses.
This allows cookies and credentials to be submitted across domains.

:note: This option cannot be used in conjunction with a "*" origin

CORS_VARY_HEADER: (:py:class:`bool`)
Enables or disables the injection of the :http:header:`Vary` response header is set to ``Origin``.
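Review bot: since this hunk is already touching these documentation lines, fix the long-standing typos in them rather than carrying them over: "it's keys must be regular expressions" should read "its keys must be regular expressions", "response header's value with be" should read "will be", and the CORS_VARY_HEADER description ("Enables or disables the injection of the Vary response header is set to Origin") does not parse; something like "Enables or disables injection of the Vary: Origin response header" is clearer. The CORS_ALLOW_PRIVATE_NETWORK entry itself is not in this hunk, so please confirm its description no longer says the header is sent by default.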
Expand All @@ -96,7 +96,7 @@ Default values
~~~~~~~~~~~~~~

* CORS_ALLOW_HEADERS: "*"
* CORS_ALLOW_PRIVATE_NETWORK: True
* CORS_ALLOW_PRIVATE_NETWORK: False
* CORS_ALWAYS_SEND: True
* CORS_AUTOMATIC_OPTIONS: True
* CORS_EXPOSE_HEADERS: None
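Review bot: flipping CORS_ALLOW_PRIVATE_NETWORK to False is the right default (Access-Control-Allow-Private-Network should be an explicit opt-in, because it permits public-origin pages to reach private-address resources), but a one-line default-value change is easy to miss in a major release. Add a short migration note next to this list or in the changelog stating that deployments relying on the previous True default must now set CORS_ALLOW_PRIVATE_NETWORK = True (or allow_private_network=True) explicitly, and that preflights will otherwise no longer receive the header.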
2 changes: 1 addition & 1 deletion flask_cors/core.py
Expand Up @@ -57,7 +57,7 @@
resources=r'/*',
intercept_exceptions=True,
always_send=True,
allow_private_network=True)
allow_private_network=False)


def parse_resources(resources):
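Review bot: the default dict is updated, but the docstrings for the `allow_private_network` parameter on the `CORS` extension and the `cross_origin` decorator are not part of this diff; if either still states that it defaults to True, that text is now wrong and should be changed in the same PR so the API reference agrees with `allow_private_network=False` here.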
2 changes: 1 addition & 1 deletion flask_cors/version.py
@@ -1 +1 @@
__version__ = '4.0.2'
__version__ = '5.0.0'
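Review bot: the jump from 4.0.2 to 5.0.0 is appropriate for a default that changes response behaviour, and it should be paired with a 5.0.0 changelog entry naming this one breaking change so users pinning `Flask-Cors<5` understand what the major bump protects them from.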
2 changes: 1 addition & 1 deletion tests/decorator/test_private_network_headers.py
Expand Up @@ -37,7 +37,7 @@ def test_default(self):
""" The default behavior should be to allow private network access.
"""
resp = self.get('/test_default', origin='www.example.com', headers={ACL_REQUEST_HEADER_PRIVATE_NETWORK:'true'})
self.assertTrue(ACL_RESPONSE_PRIVATE_NETWORK in resp.headers)
self.assertFalse(resp.headers.get('ACL_RESPONSE_PRIVATE_NETWORK'))

resp = self.get('/test_default')
self.assertFalse(ACL_RESPONSE_PRIVATE_NETWORK in resp.headers)
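Review bot: the new assertion `self.assertFalse(resp.headers.get('ACL_RESPONSE_PRIVATE_NETWORK'))` looks up a header literally named "ACL_RESPONSE_PRIVATE_NETWORK" (the quoted string), not the value of the `ACL_RESPONSE_PRIVATE_NETWORK` constant used on the surrounding lines, so it passes no matter what the app sends and would not catch a regression back to the old default. Use the same form as the assertion that follows it: `self.assertFalse(ACL_RESPONSE_PRIVATE_NETWORK in resp.headers)`. The docstring of `test_default` also still says "The default behavior should be to allow private network access", which is now the opposite of what the test checks; update it to say the header must not be sent unless explicitly enabled.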