Flask，添加 Access-Control-Allow-Private-Network true 到 CORS preflight

Question

Chrome warns: Chrome 警告：

A site requested a resource from a.network that it could only access because of its users' privileged.network position. These requests expose devices and servers to the inte.net, increasing the risk of a cross-site request forgery (CSRF) attack, and/or information leakage.站点从 a.network 请求资源，由于其用户的 privileged.network position，它只能访问该资源。这些请求将设备和服务器暴露给 inte.net，增加了跨站点请求伪造 (CSRF) 攻击的风险和/或信息泄露。 To mitigate these risks, Chrome will require non-public subresources to opt-into being accessed with a preflight request and will start blocking them in Chrome 101 (April 2022).为了减轻这些风险，Chrome 将要求非公共子资源选择通过预检请求访问，并将在 Chrome 101（2022 年 4 月）中开始阻止它们。 To fix this issue, ensure that response to the preflight request for the private.network resource has the Access-Control-Allow-Private-Network header set to true.要解决此问题，请确保对 private.network 资源的预检请求的响应将 Access-Control-Allow-Private-Network header 设置为 true。

I am using flask, but unsure how to add this header to the preflight check.我正在使用 flask，但不确定如何将此 header 添加到预检检查中。 I can add a header to the responses manually, but how to add a header to the preflight check?我可以手动将 header 添加到响应中，但是如何将 header 添加到预检检查中？

I am using Flask-Cors and this is the code:我正在使用Flask-Cors ，这是代码：

app = Flask(__name__)
cors = CORS(app)
app.config['CORS_HEADERS'] = 'Content-Type'

Answer 1

I dropped the Flask-Cors package, and made my own implementation:我放弃了Flask-Cors package，并做了我自己的实现：

""" Note:
    We need to use functools wraps, or else @route thinks all functions
    are named the same, and errors out that a route is overriding another

Test Preflight with:
    curl -i -X OPTIONS http://127.0.0.1:5000/foo/
Then test reponse with:
    curl -i http://127.0.0.1:5000/api/foo/
"""

from functools import wraps

from flask import Response, request


def add_cors_preflight_headers(response):
    allow_request = 'foo' in request.origin
    if allow_request:
        response.headers['Access-Control-Allow-Origin'] = request.origin

    if request.method == 'OPTIONS':
        response.headers['Access-Control-Allow-Methods'] = 'GET, OPTIONS'
        response.headers['Access-Control-Allow-Headers'] = 'Content-Type'
        # Allow chrome to access private network ajax requests
        response.headers['Access-Control-Allow-Private-Network'] = 'true'
    return response


def handle_cors(func):
    @wraps(func)
    def decorator(*args, **kwargs):
        if request.method == 'OPTIONS':
            response = Response()
        else:
            response = func(*args, **kwargs)
        response = add_cors_preflight_headers(response)
        return response

    return decorator

Then used as follows (note how we add options to the allowed methods):然后使用如下（注意我们是如何为允许的方法添加选项的）：

@app.route("/api/foo/", methods=['GET', 'OPTIONS'])
@handle_cors
def get_foo():
    return Response({'foo': 'hello world!'})

Flask，添加 Access-Control-Allow-Private-Network true 到 CORS preflight

问题描述

1 个解决方案

解决方案1
2 2022-03-26 14:46:44

Flask，添加 Access-Control-Allow-Private-Network true 到 CORS preflight

问题描述

1 个解决方案

解决方案1 2 2022-03-26 14:46:44

解决方案1
2 2022-03-26 14:46:44