[英]Flask, add Access-Control-Allow-Private-Network true to CORS preflight
Chrome 警告:
站点从 a.network 请求资源,由于其用户的 privileged.network position,它只能访问该资源。这些请求将设备和服务器暴露给 inte.net,增加了跨站点请求伪造 (CSRF) 攻击的风险和/或信息泄露。 为了减轻这些风险,Chrome 将要求非公共子资源选择通过预检请求访问,并将在 Chrome 101(2022 年 4 月)中开始阻止它们。 要解决此问题,请确保对 private.network 资源的预检请求的响应将 Access-Control-Allow-Private-Network header 设置为 true。
我正在使用 flask,但不确定如何将此 header 添加到预检检查中。 我可以手动将 header 添加到响应中,但是如何将 header 添加到预检检查中?
我正在使用Flask-Cors ,这是代码:
app = Flask(__name__)
cors = CORS(app)
app.config['CORS_HEADERS'] = 'Content-Type'
我放弃了Flask-Cors package,并做了我自己的实现:
""" Note:
We need to use functools wraps, or else @route thinks all functions
are named the same, and errors out that a route is overriding another
Test Preflight with:
curl -i -X OPTIONS http://127.0.0.1:5000/foo/
Then test reponse with:
curl -i http://127.0.0.1:5000/api/foo/
"""
from functools import wraps
from flask import Response, request
def add_cors_preflight_headers(response):
allow_request = 'foo' in request.origin
if allow_request:
response.headers['Access-Control-Allow-Origin'] = request.origin
if request.method == 'OPTIONS':
response.headers['Access-Control-Allow-Methods'] = 'GET, OPTIONS'
response.headers['Access-Control-Allow-Headers'] = 'Content-Type'
# Allow chrome to access private network ajax requests
response.headers['Access-Control-Allow-Private-Network'] = 'true'
return response
def handle_cors(func):
@wraps(func)
def decorator(*args, **kwargs):
if request.method == 'OPTIONS':
response = Response()
else:
response = func(*args, **kwargs)
response = add_cors_preflight_headers(response)
return response
return decorator
然后使用如下(注意我们是如何为允许的方法添加选项的):
@app.route("/api/foo/", methods=['GET', 'OPTIONS'])
@handle_cors
def get_foo():
return Response({'foo': 'hello world!'})
飞行前响应FLASK CORS中Access-Control-Allow-Methods不允许使用方法PUT
[英]Method PUT is not allowed by Access-Control-Allow-Methods in preflight response FLASK CORS
“请求 header 字段 Access-Control-Allow-Origin 在预检响应中被 Access-Control-Allow-Headers 不允许”尽管 CORS 配置有效
[英]“Request header field Access-Control-Allow-Origin is not allowed by Access-Control-Allow-Headers in preflight response” despite valid CORS config
Flask CORS - 重定向上没有Access-control-allow-origin标头()
[英]Flask CORS - no Access-control-allow-origin header present on a redirect()
被 CORS 策略阻止:No"Access-Control-Allow-Origin" Using Flask
[英]Blocked by CORS policy: No"Access-Control-Allow-Origin" Using Flask
Flask / Flask-CORS:缺少CORS标头“ Access-Control-Allow-Origin”
[英]Flask/Flask-CORS: CORS header ‘Access-Control-Allow-Origin’ missing
Python Flask CORS - 没有“访问控制允许来源”Z099FB995346F31C95EZF6 上存在请求的资源
[英]Python Flask CORS - No 'Access-Control-Allow-Origin' header is present on the requested resource
如何允许 CORS 与 Flask 获得对预检请求的响应没有 http 正常状态
[英]How to allow CORS with Flask getting Response to preflight request does not have http ok status
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.