Tornado server: enable CORS requests

Question

I have a simple tornado server which has the class:

class BaseHandler(tornado.web.RequestHandler):
    def set_default_headers(self):
        print "setting headers!!!"
        self.set_header("Access-Control-Allow-Origin", "*")

When a regular (no CORS) request is made, the server answers as expected, including the Access-Control-Allow-Origin header. But when I make a post request coming from different domain (using jQuery.post), the response is 404 and an error is displayed: "XMLHttpRequest cannot load http://dev-machine:8090/handshake. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8090' is therefore not allowed access. The response had HTTP status code 404."

Can you tell if I miss something? (another header/other configuration/anything else)

that `pass` there is superfluous/wrong. – Marcus Müller Feb 07 '16 at 14:34 — Marcus Müller, Feb 07 '16 at 14:34

score 44 · Accepted Answer · edited Sep 05 '21 at 12:06

Your code is missing preflight, the OPTIONS request.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS:

The Cross-Origin Resource Sharing standard works by adding new HTTP headers that allow servers to describe the set of origins that are permitted to read that information using a web browser. Additionally, for HTTP request methods that can cause side-effects on user data (in particular, for HTTP methods other than GET, or for POST usage with certain MIME types), the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with an HTTP OPTIONS request method, and then, upon "approval" from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether "credentials" (including Cookies and HTTP Authentication data) should be sent with requests.

To implement preflight handler simply add options handler with the same headers and no body.

class BaseHandler(tornado.web.RequestHandler):

    def set_default_headers(self):
        print "setting headers!!!"
        self.set_header("Access-Control-Allow-Origin", "*")
        self.set_header("Access-Control-Allow-Headers", "x-requested-with")
        self.set_header('Access-Control-Allow-Methods', 'POST, GET, OPTIONS')

    def post(self):
        self.write('some post')

    def get(self):
        self.write('some get')

    def options(self, *args):
        # no body
        # `*args` is for route with `path arguments` supports
        self.set_status(204)
        self.finish()

edit

I've added x-requested-with header to allowed list. And here is simple jquery sample:

 $.ajax({
   url: "http://some_tornado/api",
   type: "POST",
   crossDomain: true,
   data: 'some_data',
   success: function (response) {
     alert(response);
   },
   error: function (xhr, status) {
     alert("error");
   }
 });

And some really good article about cors - http://dev.housetrip.com/2014/04/17/unleash-your-ajax-requests-with-cors/

does it mean I should change my JS post and create an "options" request? — benams, Feb 08 '16 at 09:36
I've added samples. Basically preflight is done by browser under the hood. — kwarunek, Feb 08 '16 at 10:16
Yeah, I found it after posted this comment. Thank you, it was really helpful! — benams, Feb 08 '16 at 15:57
When I use ``self.get_argument`` in options or get/post method in tornado I can hardly get any argument value. — Marshal Chen, Jan 10 '17 at 07:49
what would be the XMLHttpRequest version of `crossDomain: true` ? — Nikhil VJ, Mar 28 '18 at 15:57
Tornado content-type support is limited: https://stackoverflow.com/questions/45415555/tornado-post-request-missing-argument — kmiklas, Nov 11 '20 at 20:08
In my case everything was good except one little detail: `self.set_header("Access-Control-Allow-Headers", "*")` with this last bit of information it worked. — Mattia Baldari, Sep 28 '22 at 12:41

score 9 · Answer 2 · edited May 23 '17 at 11:54

The answer by kwarunek led me to the solution for my trouble with the PUT and the DELETE request. The only thing is, that the solution is over-appropriate for the example with GET and POST. In this case the line

self.set_header("Access-Control-Allow-Origin", "*")

is actually sufficient (if the browser doesn't block CORS before all). It is though most relevant for the PUT and DELETE requests. What happens here on the network level can be slightly more complex than in the GET/POST case.

"If the request is a "non-simple" request, the browser first sends a data-less "preflight" OPTIONS request, to verify that the server will accept the request. A request is non-simple when using an HTTP verb other than GET or POST (e.g. PUT, DELETE)." cf. non-simple requests

class BaseHandler(tornado.web.RequestHandler):

    def set_default_headers(self):
        print("setting headers!!!")
        self.set_header("Access-Control-Allow-Origin", "*")
        self.set_header("Access-Control-Allow-Headers", "x-requested-with")
        self.set_header('Access-Control-Allow-Methods', ' PUT, DELETE, OPTIONS')

    def options(self):
        # no body
        self.set_status(204)
        self.finish()

Now all handlers that inherit from BaseHandler are fully CORS-capable:

class MyHandler(BaseHandler):

    def put(self):
        self.write('some post')

    def delete(self):
        self.write('some get')

score 4 · Answer 3 · answered Mar 27 '18 at 04:16

Even with the previous answers I still got the following CORS error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://127.0.0.1:9999/home?message=Input%20to%20API.. (Reason: missing token ‘access-control-allow-origin’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel).

and the solution is to also allow the headers:

class BaseHandler(tornado.web.RequestHandler):

    def set_default_headers(self):
        print("setting headers!!!")
        self.set_header("access-control-allow-origin", "*")
        self.set_header("Access-Control-Allow-Headers", "x-requested-with")
        self.set_header('Access-Control-Allow-Methods', 'GET, PUT, DELETE, OPTIONS')
        # HEADERS!
        self.set_header("Access-Control-Allow-Headers", "access-control-allow-origin,authorization,content-type") 

    def options(self):
        # no body
        self.set_status(204)
        self.finish()

Worked for me with: self.set_header("Access-Control-Allow-Headers", "*") — Svyat P., Sep 18 '18 at 12:01
thanks for showing that we can keep multiple values in Access-Control-Allow-Headers by separating them with comma. — Nikhil VJ, Jul 31 '20 at 11:42

score 2 · Answer 4 · answered Jan 09 '20 at 08:27

2

This worked for me.

def set_default_headers(self):
    self.set_header("Content-Type", "application/json")
    self.set_header("Access-Control-Allow-Origin", "*")
    self.set_header("Access-Control-Allow-Headers", "content-type")
    self.set_header('Access-Control-Allow-Methods', 'POST, GET, OPTIONS, PATCH, PUT')

answered Jan 09 '20 at 08:27

Binh Ho

3,690
1
31
31

This works. And the fact that it took me so long to find a solution to this completely trivial bs is just unbelievable. Also had to define `def options(self):` – Mihkel Mark May 23 '20 at 00:44

score 0 · Answer 5 · answered Mar 08 '23 at 16:58

Some of the existing answer are working, but they are adding unnecessary headers. The default header is Access-Control-Allow-Origin and the rest of the Access-Control-* headers only need to be set for the preflight (OPTIONS) request.

class CorsHandler(tornado.web.RequestHandler):
    def set_default_headers(self):
        self.set_header("Access-Control-Allow-Origin", "*")

    def options(self, *args):
        self.set_header("Access-Control-Allow-Methods", "*")
        self.set_header("Access-Control-Request-Credentials", "true")
        self.set_header("Access-Control-Allow-Private-Network", "true")
        self.set_header("Access-Control-Allow-Headers", "*")
        self.set_status(204)  # No Content

You inherit from the CorsHandler to enable CORS for your other handlers.

Warning: The * and true values are insecure and you should set them to match your environment.

Relevant reading:

Tornado server: enable CORS requests

5 Answers5

Linked