Allow-Control-Access-Origin header duplicated or none present in headers. #48

Open
garcia-0E opened this issue Aug 31, 2020 · 6 comments


garcia-0E commented Aug 31, 2020

Hello to everyone. I've been using Sanic-Cors for a while now and there's never been any bug or conflict; however, I'm getting this message: **Access to XMLHttpRequest at 'https://srv.celpago.com/bank/plaid/issue' from origin 'https://dev.celpago.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.** when handling error responses for some endpoints.

I'm using Sanic 20.6.3 and I don't know if an incompatibility exists for this version. I disabled **automatic_options** to handle preflight requests myself, but that didn't work either. Any clue on what could be causing this?

@ashleysommer
Owner

Hi @ray-t1
I'm going to need more information about how you've got Sanic-CORS set up, how you've configured it.
By default the wildcard origin is allowed, it will generate Access-Control-Allow-Origin = "*" for all routes, but if you have set it up differently, you will need to add "dev.celpago.com" to your list of allowed origins.

@syntaxkim

I also had the same issue. When the request handler didn't raise any error, the 'Access-Control-Allow-Origin' header is correctly present on the response header; otherwise, when the app raises an exception while processing a request, that header is not present and the browser console logs a CORS error message.
One workaround is to turn off the sanic-cors extension and use Sanic's middleware to explicitly add the "Access-Control-Allow-Origin" header to every response, even when an exception is raised. Below is an example.

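```python
from sanic import Sanic

app = Sanic("car_locator")

# Response middleware: echoes whatever Origin the client sent back as
# Access-Control-Allow-Origin (no allowlist is applied).
@app.middleware("response")
async def update_headers(request, response):
    origin = request.headers.get("origin")
    if origin:  # requests without an Origin header get no CORS header
        response.headers.update({"Access-Control-Allow-Origin": origin})
```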


lahsuk commented Sep 20, 2020

I'm using sanic_cors 0.10.0.post1 with sanic_jwt_extended and also getting double headers in OPTIONS.
Here is what the response header looks like:

```
HTTP/1.1 200 OK
Keep-Alive: 5
Access-Control-Allow-Origin: http://localhost:9095
Access-Control-Allow-Headers: authorization
Access-Control-Max-Age: None
Access-Control-Allow-Methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT
Vary: Origin
Access-Control-Allow-Origin: http://localhost:9095
Access-Control-Allow-Headers: authorization
Access-Control-Max-Age: None
Access-Control-Allow-Methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT
Vary: Origin
Content-Length: 0
Content-Type: text/plain
```

And here is the code for this:

```python
from sanic import Sanic
from sanic.response import text
from sanic_cors import CORS
from sanic_jwt_extended import JWTManager, create_access_token, jwt_required

app = Sanic(__name__)
CORS(app, automatic_options=True)

# Setup the Sanic-JWT-Extended extension
app.config["JWT_SECRET_KEY"] = "my_secret"
JWTManager(app)


@app.route("/", ["GET"])
@jwt_required
async def index(request):
    return text("hello")


@app.route("/login", ["GET"])
async def login(request):
    return text(await create_access_token(request.app, identity="user"))


if __name__ == "__main__":
    app.run(port=7000, debug=True)
```

sanic: 19.9.0
sanic-jwt-extended: 0.3.1
sanic_cors: 0.10.0.post1

Edit: sanic_cors v.0.10.0.post3 solves this

@ashleysommer
Owner

@lahsuk
Your comment above seems to be about duplicated headers, not missing headers.
Is it related to the missing headers that @ray-t1 describes?

@ray-t1 You titled this post "duplicated or not present in headers" however your post is only about not-present headers. What is the issue you are seeing with duplicated?


lahsuk commented Sep 21, 2020

@ashleysommer yes, the first problem that I encountered in 0.10.0.post1 was duplicate headers. Since this issue has the same title, I thought it would go here.
The duplicated problem is solved in 0.10.0.post3 but the problem of Allow-Control-Access-Origin not present still persists for error responses.
I've issued a pull-request that solves no headers being present in async error responses.

@garcia-0E
Author

I've seen both duplicated and non-present headers. I have a custom error handler and found a workaround for specific error codes (that's how I handle the various errors in my system): adding the CORS header if not present or removing it if it is duplicated.
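
Added example, not part of the thread and not Sanic-CORS code: a framework-independent sketch of the "add it if missing, collapse it if duplicated" workaround discussed above, using an origin allowlist instead of echoing the request's Origin. The function name, the allowlist and the sample header list are assumptions constructed for illustration.

```python
# Added example (not from the thread or from Sanic-CORS); names are hypothetical.
ALLOWED_ORIGINS = {"https://dev.celpago.com"}  # assumption: the app's allowlist

# Constructed sample: abridged CORS part of the duplicated OPTIONS response above.
DUPLICATED_OPTIONS = [
    ("Access-Control-Allow-Origin", "http://localhost:9095"),
    ("Access-Control-Allow-Headers", "authorization"),
    ("Access-Control-Max-Age", "None"),
    ("Vary", "Origin"),
] * 2 + [("Content-Type", "text/plain")]


def normalize_cors_headers(request_origin, headers, allowed=ALLOWED_ORIGINS):
    """Return (name, value) pairs with at most one copy of each CORS header.

    Access-Control-Allow-Origin is recomputed from the allowlist, so it is
    present on error responses too and never reflects an unknown origin.
    """
    out, seen, vary = [], set(), []
    for name, value in headers:
        key = name.lower()
        if key == "access-control-allow-origin":
            continue  # recomputed below
        if key == "vary":
            # Merge every Vary line into one de-duplicated token list.
            for token in (t.strip() for t in value.split(",")):
                if token and token.lower() not in (v.lower() for v in vary):
                    vary.append(token)
            continue
        if key.startswith("access-control-"):
            if key in seen:
                continue  # drop the second copy
            seen.add(key)
            if key == "access-control-max-age" and not value.strip().isdigit():
                continue  # "None" is not a number of seconds
        out.append((name, value))
    if request_origin in allowed:
        out.append(("Access-Control-Allow-Origin", request_origin))
    # The answer depends on the Origin header, so caches must key on it.
    if "origin" not in (v.lower() for v in vary):
        vary.append("Origin")
    out.append(("Vary", ", ".join(vary)))
    return out


if __name__ == "__main__":
    for pair in normalize_cors_headers("http://localhost:9095", DUPLICATED_OPTIONS,
                                       {"http://localhost:9095"}):
        print("%s: %s" % pair)
```

In an application this would run as the last step before the response is sent, for both normal and exception responses, with the result written back to the response's headers.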
