From 5e8ff63bad16c962f7243797e5bceb99290cf009 Mon Sep 17 00:00:00 2001
From: Cory Dolphin
Date: Fri, 30 Aug 2024 09:45:26 -0700
Subject: [PATCH] V5: Breaking: Change default to disable private network access
---
docs/configuration.rst | 28 +++++++++----------
flask_cors/core.py | 4 +--
flask_cors/version.py | 2 +-
.../decorator/test_private_network_headers.py | 2 +-
4 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/docs/configuration.rst b/docs/configuration.rst
index c750cf4..d7459d3 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -54,13 +54,13 @@ CORS_INTERCEPT_EXCEPTIONS (:py:class:`bool`) Whether to deal with Flask exception handlers or leave them alone (with respect to CORS headers). CORS_MAX_AGE (:py:class:`~datetime.timedelta`, :py:class:`int` or :py:class:`str`)
- The maximum time for which this CORS request may be cached.
+ The maximum time for which this CORS request may be cached. This value is set as the :http:header:`Access-Control-Max-Age` header.
 CORS_METHODS (:py:class:`~typing.List` or :py:class:`str`) The method(s) which the allowed origins are allowed to access. These are included in the :http:header:`Access-Control-Allow-Methods` response headers to the preflight OPTIONS requests. - + .. _cors_origins_setting: CORS_ORIGINS (:py:class:`~typing.List`, :py:class:`str` or :py:class:`re.Pattern`)
@@ -68,23 +68,23 @@ CORS_ORIGINS (:py:class:`~typing.List`, :py:class:`str` or :py:class:`re.Pattern An origin configured here that matches the value of the :http:header:`Origin` header in a preflight OPTIONS request is returned as the value of the :http:header:`Access-Control-Allow-Origin` response header. CORS_RESOURCES (:py:class:`~typing.Dict`, :py:class:`~typing.List` or :py:class:`str`) - The series of regular expression and (optionally) associated CORS options to be applied to the given resource path. - + The series of regular expression and (optionally) associated CORS options to be applied to the given resource path. + If the value is a dictionary, it's keys must be regular expressions matching resources, and the values must be another dictionary of configuration options, as described in this section. - - If the argument is a list, it is expected to be a list of regular expressions matching resources for which the app-wide configured options are applied. - - If the argument is a string, it is expected to be a regular expression matching resources for which the app-wide configured options are applied. + + If the argument is a list, it is expected to be a list of regular expressions matching resources for which the app-wide configured options are applied. + + If the argument is a string, it is expected to be a regular expression matching resources for which the app-wide configured options are applied. CORS_SEND_WILDCARD (:py:class:`bool`) If :ref:`CORS_ORIGINS ` is ``"*"`` and this is true, then the :http:header:`Access-Control-Allow-Origin` response header's value with be ``"*"`` as well, instead of the value of the :http:header:`Origin` request header. CORS_SUPPORTS_CREDENTIALS (:py:class:`bool`) - Allows users to make authenticated requests. - If true, injects the :http:header:`Access-Control-Allow-Credentials` header in responses. - This allows cookies and credentials to be submitted across domains. 
- - :note: This option cannot be used in conjunction with a "*" origin
+ Allows users to make authenticated requests.
+ If true, injects the :http:header:`Access-Control-Allow-Credentials` header in responses.
+ This allows cookies and credentials to be submitted across domains.
+ + :note: This option cannot be used in conjunction with a "*" origin
 CORS_VARY_HEADER: (:py:class:`bool`) Enables or disables the injection of the :http:header:`Vary` response header is set to ``Origin``.
@@ -96,7 +96,7 @@ Default values
 ~~~~~~~~~~~~~~
 * CORS_ALLOW_HEADERS: "*"
-* CORS_ALLOW_PRIVATE_NETWORK: True
+* CORS_ALLOW_PRIVATE_NETWORK: False
 * CORS_ALWAYS_SEND: True
 * CORS_AUTOMATIC_OPTIONS: True
 * CORS_EXPOSE_HEADERS: None
diff --git a/flask_cors/core.py b/flask_cors/core.py
index bd011f4..e52b315 100644
--- a/flask_cors/core.py
+++ b/flask_cors/core.py
@@ -57,7 +57,7 @@
 resources=r'/*',
 intercept_exceptions=True,
 always_send=True,
- allow_private_network=True)
+ allow_private_network=False)
 def parse_resources(resources):
@@ -186,7 +186,7 @@ def get_cors_headers(options, request_headers, request_method):
 headers[ACL_CREDENTIALS] = 'true' # case sensitive
 if ACL_REQUEST_HEADER_PRIVATE_NETWORK in request_headers \
- and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true':
+ and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true':
 allow_private_network = 'true' if options.get('allow_private_network') else 'false'
 headers[ACL_RESPONSE_PRIVATE_NETWORK] = allow_private_network
diff --git a/flask_cors/version.py b/flask_cors/version.py
index 4391764..a0f6658 100644
--- a/flask_cors/version.py
+++ b/flask_cors/version.py
@@ -1 +1 @@
-__version__ = '4.0.2'
+__version__ = '5.0.0'
diff --git a/tests/decorator/test_private_network_headers.py b/tests/decorator/test_private_network_headers.py
index 47d4c4a..6446a41 100644
--- a/tests/decorator/test_private_network_headers.py
+++ b/tests/decorator/test_private_network_headers.py
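Review bot: The flipped default in `DEFAULT_OPTIONS` is a security-motivated breaking change, but nothing on the line records why, so the next person who edits this dict has no signal that turning it back on lets any allowed public origin pass Private Network Access preflights to an intranet-only service. A one-line comment would carry that: `allow_private_network=False)  # Deny PNA preflights unless the app opts in explicitly; see CORS_ALLOW_PRIVATE_NETWORK`. The `DEFAULT_OPTIONS = dict(...)` literal starts before this hunk. Note also that the consumer further down (`'true' if options.get('allow_private_network') else 'false'`) is a plain truthiness test, so if any caller passes the setting through as a string (e.g. `"false"` from an environment variable) the denial would be silently undone; how config values are normalized is not visible here, so worth confirming.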
@@ -37,7 +37,7 @@ def test_default(self):
 """
 The default behavior should be to allow private network access.
 """
 resp = self.get('/test_default', origin='www.example.com', headers={ACL_REQUEST_HEADER_PRIVATE_NETWORK:'true'})
- self.assertTrue(ACL_RESPONSE_PRIVATE_NETWORK in resp.headers)
+ self.assertFalse(resp.headers.get('ACL_RESPONSE_PRIVATE_NETWORK'))
 resp = self.get('/test_default')
 self.assertFalse(ACL_RESPONSE_PRIVATE_NETWORK in resp.headers)
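Review bot: The new assertion looks up the header by the literal string `'ACL_RESPONSE_PRIVATE_NETWORK'` instead of the `ACL_RESPONSE_PRIVATE_NETWORK` constant, so `resp.headers.get(...)` returns None for a header that is never sent and the test passes whatever the default is. Per the `get_cors_headers` hunk in core.py, a request carrying the private-network request header set to `'true'` still receives the response header, now with the value `'false'`, so assuming this route goes through that code the test should pin that value: `self.assertEqual(resp.headers.get(ACL_RESPONSE_PRIVATE_NETWORK), 'false')`. The docstring two lines above still says the default is to allow private network access and should read `The default behavior should be to deny private network access.`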