Skip to content
Permalink
Browse files

[IMP] support Access-Control-Allow-Credentials

Support for CORS was introduced in version 8.0 but there still lack support for
with Access-Control-Allow-Credentials header, which is required to access user
credentials.

This commit aims to support that use-case.

useful links:
9cce88a
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
https://www.w3.org/TR/cors/#access-control-allow-credentials-response-header

Closes #[TBD]
  • Loading branch information...
johandem committed Mar 15, 2019
1 parent bbedcdb commit bf8c6a85ece6eba010923f8013986d140377bb0d
Showing with 3 additions and 0 deletions.
  1. +3 −0 odoo/http.py
@@ -451,6 +451,7 @@ def route(route=None, **kw):
:param methods: A sequence of http methods this route applies to. If not
specified, all methods are allowed.
:param cors: The Access-Control-Allow-Origin cors directive value.
:param bool cors_credentials: The Access-Control-Allow-Credentials header.
:param bool csrf: Whether CSRF protection should be enabled for the route.
Defaults to ``True``. See :ref:`CSRF Protection
@@ -1212,6 +1213,8 @@ def set_default(self, template=None, qcontext=None, uid=None):
# Support for Cross-Origin Resource Sharing
if request.endpoint and 'cors' in request.endpoint.routing:
self.headers.set('Access-Control-Allow-Origin', request.endpoint.routing['cors'])
if request.endpoint.routing.get('cors_credentials') == True:
self.headers.set('Access-Control-Allow-Credentials', 'true')
methods = 'GET, POST'
if request.endpoint.routing['type'] == 'json':
methods = 'POST'

0 comments on commit bf8c6a8

Please sign in to comment.
You can’t perform that action at this time.