Falcon CORS middleware does not work properly

Question

I'm using Falcon CORS to allow access to my web service only from several domains. But it does not work properly.

Let me explain, if we take a look at my implementation:

ALLOWED_ORIGINS = ['*']
crossdomain_origin = CORS(allow_origins_list=[ALLOWED_ORIGINS], log_level='DEBUG')

app = falcon.API(middleware=[RequireJSON(), JSONTranslator(), cors.middleware])

When I make any post request to my API service, I get this warning:

Aborting response due to origin not allowed

But, then I get the correct response from my API.
Here is an official docs about this module: https://github.com/lwcolton/falcon-cors

Alex G Rice · Accepted Answer · 2016-12-20T18:18:26.083

6

Your code does not match the falcon-cors documentation's example:

import falcon
from falcon_cors import CORS    
cors = CORS(allow_origins_list=['http://test.com:8080'])    
api = falcon.API(middleware=[cors.middleware])
#                            ^^^^^^^^^^^^^^^

Note the cors.middleware variable is being passed into the api call. In your code you are creating crossdomain_origin but not passing it into the API setup.

If this does not solve it, please provide a working code example, including the Falcon resource classes, that is easy to test and reproduce, and I'm happy to try to assist.

edit:

From comments below, it sounds like falcon-cors is working properly, rather the problem may be origin header was being omitted from the request.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

The Origin header indicates the origin of the cross-site access request or preflight request.

edited Dec 20 '16 at 18:18

answered Dec 20 '16 at 17:24

Alex G Rice

1,561
11
16

Sorry, that's my fault, i make import of crossdomain_origin as cors, so thats mistake only in code example, but not in my project – Denys Lytvinyuk Dec 20 '16 at 17:42
OK please post a minimal example that reproduces the issue, there is no other way for others to help more. – Alex G Rice Dec 20 '16 at 17:44
What version of python? What is the contents of the `config` module? Resources dict is empty- please give a working example. It's not runnable without these things. https://gist.github.com/ is sometimes useful too, because you can post multiple files into one gist. – Alex G Rice Dec 20 '16 at 17:53
if you have a time and you interested in this problem, we can have few minutes skypecall, where i can explain my problem to you more wide – Denys Lytvinyuk Dec 20 '16 at 18:03
Sorry I am not able to do that. Please see this for additional help (How to create a Minimal, Complete, and Verifiable example) http://stackoverflow.com/help/mcve – Alex G Rice Dec 20 '16 at 18:05
I found that if pass to request an http header "origin", i do not get such warning, but i don't get error that origin is not allowed – Denys Lytvinyuk Dec 20 '16 at 18:08
1

Also helpful: https://stackoverflow.com/questions/42715002/cors-failure-in-with-python-falcon-even-with-heads-for-auth-pre-flight#comment90356354_42716126 – Ryan Aug 05 '18 at 19:17

score 4 · Answer 2 · answered Feb 03 '20 at 09:17

4

I tried as guided by lwcolton on github here

And also set allow_all_headers=True, allow_all_methods=True

i.e. same as @Ryan comment

from falcon_cors import CORS

cors = CORS(
    allow_all_origins=True,
    allow_all_headers=True,
    allow_all_methods=True,
)

api = falcon.API(middleware=[cors.middleware])

answered Feb 03 '20 at 09:17

Nam G VU

33,193
69
233
372

why use it at all if you're just going to pass everything through? – lps Aug 26 '22 at 22:05
It is a code base/sample for us to set True/False or go further to set specific ip whitelist later – Nam G VU Aug 27 '22 at 02:03

score 1 · Answer 3 · answered Mar 20 '19 at 20:36

1

Side note:

ORIGIN '*' does not work on some browsers.. notably IE. In the past I've had to dynamically set the ORIGIN header to the 'host' name requested in the HTTP headers in order to support a wildcard domain host for a site I setup.

answered Mar 20 '19 at 20:36

Jeff

121
1
8

We can forget IE ^^ Irs Edge now – Nam G VU Aug 29 '22 at 03:12

score 1 · Answer 4 · answered May 20 '20 at 17:39

There's is another way to implement this without using falcon-cors

You might want to look at this on the official documentation - how-do-i-implement-cors-with-falcon

class CORSComponent:

    def process_response(self, req, resp, resource, req_succeeded):
        resp.set_header('Access-Control-Allow-Origin', '*')

        if (req_succeeded
            and req.method == 'OPTIONS'
            and req.get_header('Access-Control-Request-Method')
        ):
            # NOTE: This is a CORS preflight request. Patch the
            #   response accordingly.

            allow = resp.get_header('Allow')
            resp.delete_header('Allow')

            allow_headers = req.get_header(
                'Access-Control-Request-Headers',
                default='*'
            )

            resp.set_headers((
                ('Access-Control-Allow-Methods', allow),
                ('Access-Control-Allow-Headers', allow_headers),
                ('Access-Control-Max-Age', '86400'),  # 24 hours
            ))

When using the above approach, OPTIONS requests must also be special-cased in any other middleware or hooks you use for auth, content-negotiation, etc. For example, you will typically skip auth for preflight requests because it is simply unnecessary; note that such request do not include the Authorization header in any case.

You can now put this in middleware

api = falcon.API(middleware=[
    CORSComponent()
])

Falcon CORS middleware does not work properly

4 Answers4