CORS Support #66
Comments
Yes, absolutely! |
See also: CSP Are there any other security/access response header types that we'll want to consider, too? |
Here are the settings I use on the server-side:
The only other one I know of is On the client end the preflight will possibly send As far as configuration goes, I'm a fan of a decorator on methods, or something more global that you can add to the routes (since we already know what's there) For Content-Security-Policy headers, it doesn't seem to be pertinent for API pages? If apistar is only for API calls, I don't know that CSP applies in this case. |
Okay, I'm gonna restrict this to "CORS Support" for now. However API Star really will be a general purpose framework, just with a primary focus on APIs. (Example, we'll be serving up API docs, which requires us to have both HTML templating and static files support) Yeah we could potentially think about alternative names, but it's tricky! 🤔 💭 |
how about I was a bit confused when you started adding templates, ORM, etc. because |
Yeah I get that, we're actually using it to serve images for another API we're building, had to drop into WSGI support to achieve that. How would you go about adding CORS support in an "apistar"-kinda way? |
At the moment, returning 'Response' (You shouldn't need to drop to WSGI now, right?) One obvious option for now might be introducing an ['HTTP']['DEFAULT_HEADERS'] settings. How does that sound as a starting point? |
Sorry, WSGI was for the images (not CORS), because it seems like apistar wants to utf8 encode the Response. CORS isn't a default header, we need to add support for every endpoint to allow an HTTP OPTIONS with these headers. So if POST /foo the browser will send an OPTIONS /foo first, and is expecting the CORS headers |
So, OPTIONS requests will currently result in raising a Dealing with OPTIONS requests somewhere around there is probably a sensible thing to do, eg. We could raise a different kind of exception specific to Happy to see either (1) the code that @kinabalu is currently using to work around the lack of support, or (2) a pull request with a first stab at handling this. I'd probably suggest looking to https://github.com/ottoyiu/django-cors-headers/blob/master/corsheaders/middleware.py when it comes to implementation. |
I'm going to put a newcomer label on this one, because I think it's something that someone could at least take a first go at...
|
Happy to take this up, having a bit of trouble figuring out how to inject settings though. Even just importing into the |
Circular import dependency maybe? |
Definitely could be, here's the full stack trace... if it was a circular import dependency how would that get resolved:
|
Take a look at App.init. You'll see that there's already a couple of other imports that we defer. Might need to do the same with 'routing' |
Looking at that, I'm assuming you mean |
|
|
It looks like you don't have it imported at all in this case ^. Feel free to point me at a gist of what you have, or make a failing pull request and I'll help you get that properly resolved. |
Righty, that's a bit fiddly ATM, due to a circular annotation dependency. |
As a workaround in the interim I'd suggest using a WSGI middleware to resolve this. Something like...
There's a couple of existing examples, one package here https://github.com/may-day/wsgicors and a snippet here pallets/werkzeug#131 (comment) |
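An added example, not code from this thread or from API Star: the preflight exchange described above (an `OPTIONS /foo` before `POST /foo`) handled in a standard-library WSGI middleware that echoes only allowlisted origins. The origin `https://app.example.com`, the method and header lists, `inner_app` and `simulate` are constructed for illustration.

```python
# Added example (not from the thread): CORS as WSGI middleware, stdlib only.
ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed sample origin
ALLOWED_METHODS = "GET, POST, OPTIONS"
ALLOWED_HEADERS = "Authorization, Content-Type"


class CORSMiddleware:
    def __init__(self, app, allowed_origins=ALLOWED_ORIGINS, max_age=180):
        self.app = app
        self.allowed_origins = frozenset(allowed_origins)
        self.max_age = str(max_age)

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        # Responses differ per Origin, so caches must key on it.
        cors = [("Vary", "Origin")]
        allowed = origin in self.allowed_origins
        if allowed:
            # Echo only allowlisted origins; never reflect an arbitrary Origin.
            cors.append(("Access-Control-Allow-Origin", origin))
        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            # Preflight: answer here so the router never sees the OPTIONS request.
            if allowed:
                cors += [("Access-Control-Allow-Methods", ALLOWED_METHODS),
                         ("Access-Control-Allow-Headers", ALLOWED_HEADERS),
                         ("Access-Control-Max-Age", self.max_age)]
            start_response("204 No Content", cors)
            return [b""]

        def cors_start_response(status, headers, exc_info=None):
            return start_response(status, list(headers) + cors, exc_info)

        return self.app(environ, cors_start_response)


def inner_app(environ, start_response):
    # Stand-in for the wrapped application (hypothetical).
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b"{}"]


def simulate(method, origin, preflight_for=None):
    """Drive the middleware with a constructed request; return (status, headers)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/foo", "HTTP_ORIGIN": origin}
    if preflight_for:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = preflight_for
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    CORSMiddleware(inner_app)(environ, start_response)
    return seen["status"], seen["headers"]
```

A preflight from an origin outside the allowlist still gets a 204, but without any `Access-Control-Allow-*` header, so the browser blocks the real request.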
Very quick and dirty hack to fix encode#66
Hello all, |
Is there a short term workaround for this in 0.2.x? |
Just upgraded one of my projects to 0.3.x and had to change the middleware, thought this might be of use to someone. I have no idea if this is the recommended way, but it "works":
|
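works with wsgicors
```python
from apistar.frameworks.wsgi import WSGIApp as App
from wsgicors import CORS


class CORSApp(App):
    def __call__(self, environ, start_response):
        # Wrap the app's WSGI callable so wsgicors answers preflight requests
        # and adds the CORS headers; '*' allows every origin, header and method.
        cors = CORS(super().__call__, headers='*', methods='*', maxage='180', origin='*')
        return cors(environ, start_response)


# routes and settings are the project's own, defined elsewhere
app = CORSApp(routes=routes, settings=settings)
```
|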
Hi! I tried methods by both @kinabalu and @castaneai but none of them worked :( Is there any other fix for this CORS problem? I would really appreciate some help soon ^_^ |
@ratulotron it would be better if you showed a sample project where you're trying to use it, I've tried both methods and they appear to work fine. |
I made a little package to add CORS functionality to a WSGI App here: https://github.com/Bogdanp/apistar_cors . It uses wsgicors under the hood. |
Event hooks will be coming in #400. We'll actually have proper, sensible, nice answers for basic functionality like CORS. ✨ |
Closing this off given that 0.6 is moving to a framework-agnostic suite of API tools, and will no longer include the server. See https://discuss.apistar.org/t/api-star-as-a-framework-independant-tool/614 and #624. For functionality like CORS support I'd like to see us building out ASGI middleware, rather than framework-specific APIs that end up having to be implemented and re-implemented. |
Using any API from the browser obviously requires support for CORS. Django and Flask have several ways to integrate this, and I'd love to see that in this project. Not sure what the most effective way to enable this is.
In a small API I built just recently, I've got it hardcoded, but it would be great to identify the headers, and turn it on.