Clarify that widecards and credentials are mutually exclusive #9829
Conversation
dfioravanti
changed the title
allow_* and allow credentials are mutually exclusive
dfioravanti
force-pushed
the
patch-1
branch
2 times, most recently
from
7c8c60f
to
744014a
Compare
dfioravanti
changed the title
allow_* and allow credentials are mutually exclusive
dfioravanti
changed the title
dfioravanti
force-pushed
the
patch-1
branch
2 times, most recently
from
290b84c
to
aed2eab
Compare
|
📝 Docs preview for commit aed2eab at: https://64a80cf9108c130ff6b58e0a--fastapi.netlify.app |
|
I have updated the text to have the URL link in the same style of the others |
|
📝 Docs preview for commit 79be865 at: https://64a80efdd265ed09a70724c2--fastapi.netlify.app |
|
📝 Docs preview for commit ac116f6 at: https://64a81057d6e710060b1ac4d9--fastapi.netlify.app |
According to the Mozilla documentation, wildcards cannot be used in conjunction with credentials in CORS requests. This is not limited to `allow_origins` but it covers most of the `allow_*` See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#credentialed_requests_and_wildcards
dfioravanti
force-pushed
the
patch-1
branch
from
ac116f6
to
89c94f2
Compare
|
📝 Docs preview for commit 89c94f2 at: https://80e66bd9.fastapitiangolo.pages.dev |
There was a problem hiding this comment.
@wwnbb @iudeen I saw that you guys approved this change, but isn't the current suggested correction still wrong?
allow_credentials, allow_origins, allow_methods, and allow_headers are independent of each other.
What the original text [1] tried to convey was that allow_credentials=True in combination with allow_origins=['*'] is a security risk, because that would allow any third-party origin to access sensitive information stored in cookies. However, there's no mechanism in FastAPI that prohibits this configuration.
[1] Also,
allow_originscannot be set to['*']for credentials to be allowed, origins must be specified.
By the way, can you guys review #9930 , #11263 , #11339 and #11362 ? Those are minor changes.
| @@ -58,7 +58,7 @@ The following arguments are supported: | |||
| * `allow_origin_regex` - A regex string to match against origins that should be permitted to make cross-origin requests. e.g. `'https://.*\.example\.org'`. | |||
| * `allow_methods` - A list of HTTP methods that should be allowed for cross-origin requests. Defaults to `['GET']`. You can use `['*']` to allow all standard methods. | |||
| * `allow_headers` - A list of HTTP request headers that should be supported for cross-origin requests. Defaults to `[]`. You can use `['*']` to allow all headers. The `Accept`, `Accept-Language`, `Content-Language` and `Content-Type` headers are always allowed for <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests" class="external-link" rel="noopener" target="_blank">simple CORS requests</a>. | |||
| * `allow_credentials` - Indicate that cookies should be supported for cross-origin requests. Defaults to `False`. Also, `allow_origins` cannot be set to `['*']` for credentials to be allowed, origins must be specified. | |||
There was a problem hiding this comment.
Change that line to this:
allow_credentials- Indicates whether cookies should be supported for cross-origin requests. Defaults toFalse. You should not useallow_credentials=Truein combination withallow_origins=['*'], as this configuration would allow any third-party origin to access sensitive information stored in cookies, which is a security risk.
According to the Mozilla documentation. Wildcards cannot be used in conjunction with credentials in CORS requests. This is not limited to
allow_originsbut it covers most of theallow_*See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#credentialed_requests_and_wildcards