Clarify that widecards and credentials are mutually exclusive #9829
base: master
`allow_*` and allow credentials are mutually exclusive: 7c8c60f to 744014a
`allow_*` and allow credentials are mutually exclusive: 290b84c to aed2eab
📝 Docs preview for commit aed2eab at: https://64a80cf9108c130ff6b58e0a--fastapi.netlify.app
I have updated the text to have the URL link in the same style as the others.
📝 Docs preview for commit 79be865 at: https://64a80efdd265ed09a70724c2--fastapi.netlify.app
📝 Docs preview for commit ac116f6 at: https://64a81057d6e710060b1ac4d9--fastapi.netlify.app
According to the Mozilla documentation, wildcards cannot be used in conjunction with credentials in CORS requests. This is not limited to `allow_origins`; it covers most of the `allow_*` arguments. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#credentialed_requests_and_wildcards
ac116f6 to 89c94f2
📝 Docs preview for commit 89c94f2 at: https://80e66bd9.fastapitiangolo.pages.dev
@wwnbb @iudeen I saw that you guys approved this change, but isn't the current suggested correction still wrong? `allow_credentials`, `allow_origins`, `allow_methods`, and `allow_headers` are independent of each other.

What the original text [1] tried to convey was that `allow_credentials=True` in combination with `allow_origins=['*']` is a security risk, because that would allow any third-party origin to access sensitive information stored in cookies. However, there's no mechanism in FastAPI that prohibits this configuration.

[1] "Also, `allow_origins` cannot be set to `['*']` for credentials to be allowed, origins must be specified."
By the way, can you guys review #9930 , #11263 , #11339 and #11362 ? Those are minor changes.
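To make the point of the review above concrete, here is an added example (not FastAPI's or Starlette's code) that models how a CORS middleware answers a request carrying cookies, and audits the `allow_credentials=True` + `allow_origins=['*']` combination. It follows the MDN rule linked in this thread: a browser rejects a credentialed response whose `Access-Control-Allow-Origin` is the literal `*`, so a wildcard configuration that also wants credentials ends up echoing the requesting origin back, which is exactly why every third-party origin then gets cookie-authenticated access. The branch logic and the origins used are constructed for illustration, not taken from the project.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CorsConfig:
    """Subset of the CORSMiddleware arguments discussed in the thread."""
    allow_origins: list[str] = field(default_factory=list)
    allow_credentials: bool = False


def cors_headers(cfg: CorsConfig, origin: str, has_cookie: bool) -> dict[str, str]:
    """Compute the CORS response headers for a request sent from `origin`.

    Constructed model (assumption about typical middleware behaviour, not
    FastAPI's implementation): with a wildcard config, the literal "*" is
    only usable when neither credentials nor cookies are involved; otherwise
    the origin is reflected so the browser accepts the response.
    """
    headers: dict[str, str] = {}
    allow_all = "*" in cfg.allow_origins

    if allow_all:
        if cfg.allow_credentials or has_cookie:
            # Reflecting the origin is the only way a wildcard config keeps
            # working with cookies, and it means *any* origin gets a match.
            headers["Access-Control-Allow-Origin"] = origin
            headers["Vary"] = "Origin"
        else:
            headers["Access-Control-Allow-Origin"] = "*"
    elif origin in cfg.allow_origins:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
    # Unknown origin with an explicit allow-list: no CORS headers at all.

    if cfg.allow_credentials and "Access-Control-Allow-Origin" in headers:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def credentialed_access(cfg: CorsConfig, origin: str) -> bool:
    """True if a script on `origin` could read a cookie-authenticated response."""
    h = cors_headers(cfg, origin, has_cookie=True)
    return (
        h.get("Access-Control-Allow-Origin") == origin
        and h.get("Access-Control-Allow-Credentials") == "true"
    )


def audit(cfg: CorsConfig) -> list[str]:
    """Flag the combination the review thread warns about."""
    findings: list[str] = []
    if cfg.allow_credentials and "*" in cfg.allow_origins:
        findings.append(
            "allow_credentials=True with allow_origins=['*']: every origin "
            "can make credentialed requests and read the response"
        )
    return findings


if __name__ == "__main__":
    # Constructed origins for the demonstration.
    third_party = "https://third-party.example"
    risky = CorsConfig(allow_origins=["*"], allow_credentials=True)
    safe = CorsConfig(allow_origins=["https://app.example.com"], allow_credentials=True)
    print("audit(risky):", audit(risky))
    print("third party credentialed access, risky config:", credentialed_access(risky, third_party))
    print("third party credentialed access, explicit origins:", credentialed_access(safe, third_party))
```

Running it shows the risky config granting the constructed third-party origin credentialed access while the explicit allow-list does not; `audit()` is the check a deployment review would run over the middleware arguments, since the middleware itself does not refuse the combination.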
@@ -58,7 +58,7 @@ The following arguments are supported: | |||
* `allow_origin_regex` - A regex string to match against origins that should be permitted to make cross-origin requests. e.g. `'https://.*\.example\.org'`. | |||
* `allow_methods` - A list of HTTP methods that should be allowed for cross-origin requests. Defaults to `['GET']`. You can use `['*']` to allow all standard methods. | |||
* `allow_headers` - A list of HTTP request headers that should be supported for cross-origin requests. Defaults to `[]`. You can use `['*']` to allow all headers. The `Accept`, `Accept-Language`, `Content-Language` and `Content-Type` headers are always allowed for <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests" class="external-link" rel="noopener" target="_blank">simple CORS requests</a>. | |||
* `allow_credentials` - Indicate that cookies should be supported for cross-origin requests. Defaults to `False`. Also, `allow_origins` cannot be set to `['*']` for credentials to be allowed, origins must be specified. |
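Review bot: the `allow_credentials` line at the end of this hunk says `allow_origins` "cannot be set to `['*']` for credentials to be allowed", which reads as a constraint the middleware enforces, while the review discussion above notes there is no such check in FastAPI; it also has a comma splice ("allowed, origins must be specified"). Suggest describing the risk instead, along the lines of the wording proposed in this thread: "You should not use `allow_credentials=True` in combination with `allow_origins=['*']`, as this configuration would allow any third-party origin to access sensitive information stored in cookies." Since the author cites the MDN section on credentialed requests and wildcards, link it here in the same `<a ... class="external-link" rel="noopener" target="_blank">` style used for "simple CORS requests" two lines above.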
Change that line to this:

* `allow_credentials` - Indicates whether cookies should be supported for cross-origin requests. Defaults to `False`. You should not use `allow_credentials=True` in combination with `allow_origins=['*']`, as this configuration would allow any third-party origin to access sensitive information stored in cookies, which is a security risk.
According to the Mozilla documentation, wildcards cannot be used in conjunction with credentials in CORS requests. This is not limited to `allow_origins`; it covers most of the `allow_*` arguments. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#credentialed_requests_and_wildcards