WSGI for Cross Origin Resource Sharing (CORS)
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.



This is a WSGI middleware that answers CORS preflight requests and adds the needed header to the response. For CORS see:


Either plug it in programmatically as in this pyramid example:

def app(global_config, **settings):
    """ This function returns a WSGI application.

    It is usually called by the PasteDeploy framework during
    ``paster serve``.

    def get_root(request):
        return {}

    config = Configurator(root_factory=get_root, settings=settings)
    # whatever it takes to config your app goes here

    from wsgicors import CORS
    return CORS(config.make_wsgi_app(), headers="*", methods="*", maxage="180", origin="*")

or plug it into your wsgi pipeline via paste ini to let it serve by waitress for instance:

 use = egg:mysuperapp#app

 # wsgi server configuration

 use = egg:waitress#main
 host =
 port = 6543

 pipeline =

 use = egg:wsgicors#middleware
 # define a "free" policy
 free_methods=HEAD, OPTIONS, GET

 # define a "subdom" policy
 subdom_origin= https://*
 subdom_expose_headers=Foo, Doom

 # define a combination of policies, they are evaluated in the order given by the policy keyword
 # the first that matches the request's origin will be used
 # policy matching strategy
 # matchstrategy=firstmatch

Keywords are:

  • origin
  • headers
  • methods
  • credentials
  • maxage

for origin:

  • use copy which will copy whatever origin the request comes from
  • a space separated list of hostnames - they can also contain wildcards like * or ? (fnmatch lib is used for matching). If a match is found the original host is returned.
  • any other literal will be be copied verbatim (like * for instance to allow any source)

for headers:

  • use * which will allow whatever header is asked for
  • any other literal will be be copied verbatim

for expose_headers:

  • use * to allow access to any header the client might wish to access
  • any other literal will be be copied verbatim

for methods:

  • use * which will allow whatever method is asked for
  • any other literal will be be copied verbatim (like POST, PATCH, PUT, DELETE for instance)

for credentials:

  • use true
  • anything else will be ignored (that is no response header for Access-Control-Allow-Credentials is sent)

for maxage:

  • give the number of seconds the answer can be used by a client, anything nonempty will be copied verbatim

As can be seen in the example above, a policy needs to be created with the policy keyword. The options need then be prefixed with the policy name and a _. The policy keyword itself can be a comma separated list. If so the origin of the request is matched against the origins defined in the policies and the first matching is the policy used. An alternative matching strategy would be verbmatch, that selects the first of the listed that also matches the request method. To switch between the strategies use the

matchstrategy keyword:

  • use firstmatch (the default) to select the first of the policies that matches on the origin keyword
  • use verbmatch to select the first of the policies that matches on the methods and origin keyword