This issue was moved to a discussion.

CORSMiddleware always adds access-control-allow-credentials regardless of Origin #2560

Closed
VinnieV opened this issue Apr 2, 2024 · 0 comments


VinnieV commented Apr 2, 2024

I noticed that when setting allow_credentials to true, the server always responds with the header access-control-allow-credentials: true.
e.g. config:

from starlette.applications import Starlette
from starlette.middleware.cors import CORSMiddleware

app = Starlette()
app.add_middleware(
    CORSMiddleware,
    allow_origins=["localhost:9999"],  # Allows only the listed origins
    allow_credentials=True,  # Allows cookies or auth headers on cross-origin requests
    allow_methods=["GET", "POST"],  # Restrict methods
    allow_headers=[],  # Restrict headers
    max_age=3600,  # Sets how long the results of a preflight request can be cached
)

Then when executing the following request:

GET / HTTP/1.1
Host: localhost:9999
Origin: localhost:9999

The server would respond with both HTTP headers as expected:

HTTP/1.1 404 Not Found
access-control-allow-credentials: true
access-control-allow-origin: localhost:9999
vary: Origin

{"detail":"Not Found"}

And when a wrong origin is provided:

GET / HTTP/1.1
Host: localhost:9999
Origin: localhost:1111

The server still responds with the credentials header but not the origin header:

HTTP/1.1 404 Not Found
access-control-allow-credentials: true

{"detail":"Not Found"}

Now, according to the browser specifications, as long as there is no access-control-allow-origin header, the browser will also not process that credentials header. So that's really good and makes sure this is not a security issue.
However, I think it's misleading and would prefer that the CORSMiddleware only returns that credentials header when the Origin is valid, unless there is some obscure reason why you would still want to send that credentials header.

Relevant code:
https://github.com/encode/starlette/blob/master/starlette/middleware/cors.py#L41:L42
Which should probably be moved to a location where it validates the origin.
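As an added illustration (not Starlette's code and not part of the original issue), the function below is a standalone model of the simple-response CORS header logic being discussed. It reproduces the reported behaviour (credentials header emitted before any origin check) next to the variant the issue asks for (credentials header only after the Origin has been validated); the allow-list, origins and flag names are constructed for the example.

```python
from __future__ import annotations


def cors_simple_headers(
    origin: str | None,
    allow_origins: list[str],
    allow_credentials: bool,
    credentials_only_for_valid_origin: bool,
) -> dict[str, str]:
    """Return the CORS headers to add to a non-preflight response.

    credentials_only_for_valid_origin=False models the behaviour reported in
    this issue; True models the proposed change. This is a hypothetical model,
    not the middleware's real implementation.
    """
    headers: dict[str, str] = {}
    allow_all = "*" in allow_origins

    if allow_credentials and not credentials_only_for_valid_origin:
        # Reported behaviour: header is attached unconditionally, up front.
        headers["access-control-allow-credentials"] = "true"

    if origin is None:
        return headers  # Not a cross-origin request; nothing more to add.

    origin_ok = allow_all or origin in allow_origins
    if not origin_ok:
        # No allow-origin header: browsers reject the response regardless of
        # any other CORS headers, which is why the report is not exploitable.
        return headers

    if not allow_all:
        headers["vary"] = "Origin"  # Response depends on the request Origin.

    # Credentialed responses must echo the concrete origin; "*" is refused by
    # browsers when credentials are allowed.
    if allow_credentials or not allow_all:
        headers["access-control-allow-origin"] = origin
    else:
        headers["access-control-allow-origin"] = "*"

    if allow_credentials and credentials_only_for_valid_origin:
        # Proposed behaviour: only emitted once the origin has been validated.
        headers["access-control-allow-credentials"] = "true"
    return headers
```

The wrong-origin case from the issue is `cors_simple_headers("localhost:1111", ["localhost:9999"], True, False)`, which yields only the credentials header; with the last argument `True` it yields no CORS headers at all.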

@encode encode locked and limited conversation to collaborators Apr 2, 2024
@Kludex Kludex converted this issue into discussion #2561 Apr 2, 2024
