Configuring a flask application more than once should overwrite previous configuration

[bernd-stahl]

When (by mistake), CORS for a flask application is configured more than once, like so:

from connexion import FlaskApp
from flask_cors import CORS
application = FlaskApp(import_name, specification_dir=specification_dir)
CORS(application.app, origins='*')
CORS(application.app, origins=r'https://.*\.mydomain.com')

this results in multiple cors_after_request functions added to the flask application, which are all called sequentially for each request.

So effectively, the most permissive options for any matched resource are applied:

2021-12-10 09:48:27,042 MainThread no-request [DEBUG] flask_cors.extension.extension.init_app: Configuring CORS with resources: {'/*': {'origins': ['.*'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}}
2021-12-10 09:48:27,042 MainThread no-request [DEBUG] flask_cors.extension.extension.init_app: Configuring CORS with resources: {'/*': {'origins': ['https://.*\\.mydomain.com'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}}
...
2021-12-10 09:48:35,335 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.extension.extension.cors_after_request: Request to '/my-service/api/ui/' matches CORS resource '/*'. Using options: {'origins': ['https://.*\\.mydomain.com'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}
2021-12-10 09:48:35,335 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.core.core.set_cors_headers: Settings CORS headers: MultiDict([])
2021-12-10 09:48:35,335 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.extension.extension.cors_after_request: Request to '/my-service/api/ui/' matches CORS resource '/*'. Using options: {'origins': ['.*'], 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT', 'allow_headers': ['.*'], 'expose_headers': None, 'supports_credentials': False, 'max_age': None, 'send_wildcard': False, 'automatic_options': True, 'vary_header': True, 'resources': '/*', 'intercept_exceptions': True, 'always_send': True}
2021-12-10 09:48:35,336 Thread-1 26f21dcd-797a-4832-9ecc-347807ad9738 [DEBUG] flask_cors.core.core.set_cors_headers: Settings CORS headers: MultiDict([('Access-Control-Allow-Origin', '*')])

This behavior is quite surprising and most probably not what is intended.

I would say that, according to the principle of least surprise, configuring CORS more than once for the same application should either (preferably) overwrite the previous configuration, or alternatively raise an error.