
Regular expression or wildcard origins #54

Closed
marcoqu opened this issue Aug 15, 2014 · 4 comments

Comments


marcoqu commented Aug 15, 2014

Is there any way to specify origins in a regular expression, so that URLs matching the pattern are allowed? E.g. all subdomains from a given domain: r"https?://\w*\.?example\.com:?\d*/?.*"

corydolphin (Owner) commented

@marcoqu at the moment, there is no way to do this.

Currently, Flask-Cors only supports *, null or the exact domain. Can you explain your use case a little bit so I can better understand how to add support for this?

The way I imagine this could work would be to alter the handling of the origins parameter to be either a string, regex, or list of regexes or strings.

This should be straightforward to implement, with the exception of the interaction with the always_send parameter. If there is a regex supplied in the list of origins, always_send must be false, as it is impossible to determine which origin to return.

An alternative is to allow a user to specify a single callable as the 'origin' parameter. Some function which will be invoked within the context of the request and expected to return a string of the origin to set.

I would love your feedback on this potential implementation and your thoughts.

This conversation and thought process has made me realize that the current implementation actually suffers from a potential security flaw:
Because the list of origins to Flask-Cors is serialized before the request's origin is searched for in the serialized version, domains which are not a strict match, but actually a substring of an allowed domain, will be enabled.

Since origins will have an http prefix, I don't believe it can actually occur, but I will patch this nonetheless.

I look forward to hearing back!
CORY

corydolphin (Owner) commented

Looks like Django-Cors has this, but does not support an always_send style option.

I think it makes sense to add this and simply document the behavior in combination with always_send.

I really wish there was a way to combine Django-Cors and Flask-Cors with a layer of abstraction to handle the determination of which headers to set, and/or settings... I would rustle something up, but I fear it would be more work than benefit.


marcoqu commented Aug 19, 2014

Hi Cory, thanks for the feedback.
My use case is exactly like the example I provided: I have various subdomains, dynamically generated (i.e. user1.example.com, user2.example.com, etc.) and all of them should be allowed to access the main API that resides on the main domain (example.com/api).
Right now I have to provide access to any origin "*", but I'd prefer to limit access to my own domain and subdomains.

Allowing a regex or a list of regexes in the origins parameter would allow this to work. Providing a function to determine whether the current origin should be allowed or not is even more flexible, and it would allow all kinds of solutions (database lookups, IP geolocation...).
I don't have a strong preference: the regexp solution is probably simpler to use, the callable is more complete, but it would probably need some usage examples...

Thanks!
m

corydolphin (Owner) commented

I have decided to implement the regexp approach and released version v1.8.0 to PyPI with the new feature.

Please give it a try and let me know what you think!
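The following is an added example, not Flask-Cors code and not posted in this thread, that illustrates the two points discussed above: the substring weakness of searching the request origin inside a serialized allow-list, and strict string/regex origin rules with the always_send limitation Cory describes. SUBDOMAIN_PATTERN (a tighter, https-only, whole-origin pattern) and all function names are assumptions; ISSUE_PATTERN is the regex quoted in the original question.

```python
import re
from typing import Optional, Sequence, Union

OriginRule = Union[str, re.Pattern]

# Pattern quoted in the issue, compiled as-is for comparison.
ISSUE_PATTERN = re.compile(r"https?://\w*\.?example\.com:?\d*/?.*")
# Tighter pattern (assumption, not from the thread): https only, whole-origin
# match, and any subdomain label must end in a dot before "example.com".
SUBDOMAIN_PATTERN = re.compile(r"https://(?:[a-z0-9-]+\.)*example\.com(?::\d+)?")


def origin_allowed(origin: str, rules: Sequence[OriginRule]) -> bool:
    """Strict check: a string rule must equal the origin exactly (or be "*"),
    and a regex rule must match the whole origin, never a prefix or substring."""
    for rule in rules:
        if isinstance(rule, str):
            if rule == "*" or rule == origin:
                return True
        elif rule.fullmatch(origin):
            return True
    return False


def substring_check(origin: str, rules: Sequence[str]) -> bool:
    """The flawed check the thread describes: the allow-list is serialized to
    one string and the request origin is searched inside it, so any substring
    of an allowed origin passes."""
    return origin in ", ".join(rules)


def allow_origin_header(request_origin: Optional[str], rules: Sequence[OriginRule],
                        always_send: bool) -> Optional[str]:
    """Value for Access-Control-Allow-Origin, or None to omit the header.

    With regex rules the only meaningful value is the request's own origin, so
    always_send (emit the header even without a matching Origin) cannot be
    honoured: there is no concrete origin to emit, and the header is omitted."""
    if request_origin is not None and origin_allowed(request_origin, rules):
        return request_origin
    if always_send:
        if any(not isinstance(r, str) for r in rules):
            return None
        return ", ".join(rules)
    return None
```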
