Request for feedback on Flask-Cors
- Cory Dolphin
- 2013-12-30 @ 20:52
This is my first post to the mailing list, so go easy :-)
I recently wrote a CORS extension for Flask, largely following the
sharpening a few things and hopefully packaging it in such a way that it
can be easily consumed. The repository, and simple unit tests can be found
on Github <https://github.com/wcdolphin/flask-cors>, or simply installed
from pypi <https://pypi.python.org/pypi?:action=display&name=Flask-Cors>.
The goal of the extension is to allow support for cross origin resource
sharing (CORS) using a simple decorator. I would love feedback from the
community on whether or not this extension is useful, and see if any more
seasoned Flask developers have any feedback on implementation.
I am considering extending the extension to attach itself to the
after_request hook, allowing CORS support for all routes and requests. Upon
initialization, a list of allowed origins, and secondary options, i.e.
max-age, etc, could be set, globally across all routes. With such an
implementation, it could be important to provide an ignored list of routes,
or provide a decorator to exclude certain routes.
I worry about the security implications of users adding such support
without fully considering the consequences of exposing routes to cross
domain requests. What do you think about such an implementation?
It would be an honor to hear any questions, concerns or feedback of any
Happy holidays and new years to all!