399e94043f
With the introduction of set_defaults, as well as new documentation features for default values in oslo_config, the CORS middleware has been placed in the odd position where its configuration behaves inconsistently. If you configure via add_origin, then defaults set in set_defaults are not honored. If you configure via multiple configuration blocks ([cors.foo]), then the defaults are also not honored. Additionally, with the conversion of allowed_origin into a list_opt, there is less direct need for multiple config-block parsing. In order to ensure that the middleware behaves consistently with the rest of oslo, as well as adheres to a set of basic sane assumptions made by consumers, this patch deprecates the code path that searches oslo's configuration for multiple [cors.*] blocks. Subsequent patches will add additional deprecation flags to this end. Change-Id: I49c15ccc2dce03b0dea33ec45ef6e271e58582da
3.4 KiB
CORS Middleware
This middleware provides a comprehensive, configurable implementation of the CORS (Cross Origin Resource Sharing) specification as oslo-supported python wsgi middleware.
Note
While this middleware supports the use of the * wildcard origin in the specification, this feature is not recommended for security reasons. It is provided to simplify basic use of CORS, practically meaning "I don't care how this is used." In an intranet setting, this could lead to leakage of data beyond the intranet and therefore should be avoided.
Quickstart
First, include the middleware in your application:
from oslo_middleware import cors
app = cors.CORS(your_wsgi_application)Secondly, add as many allowed origins as you would like:
app.add_origin(allowed_origin='https://website.example.com:443',
allow_credentials=True,
max_age=3600,
allow_methods=['GET','PUT','POST','DELETE'],
allow_headers=['X-Custom-Header'],
expose_headers=['X-Custom-Header'])
# ... add more origins here.Configuration for oslo_config
A factory method has been provided to simplify configuration of your CORS domain, using oslo_config:
from oslo_middleware import cors
from oslo_config import cfg
app = cors.CORS(your_wsgi_application, cfg.CONF)In your application's config file, then include a configuration block something like this:
[cors]
allowed_origin=https://website.example.com:443,https://website2.example.com:443
max_age=3600
allow_methods=GET,POST,PUT,DELETE
allow_headers=X-Custom-Header
expose_headers=X-Custom-HeaderIf your software requires specific headers or methods for proper operation, you may include these as latent properties. These will be evaluated in addition to any found in configuration:
from oslo_middleware import cors
app = cors.CORS(your_wsgi_application)
app.set_latent(allow_headers=['X-System-Header'],
expose_headers=['X-System-Header'],
allow_methods=['GET','PATCH'])Configuration for pastedeploy
If your application is using pastedeploy, the following configuration block will add CORS support.:
[filter:cors]
paste.filter_factory = oslo_middleware.cors:filter_factory
allowed_origin=https://website.example.com:443,https://website2.example.com:443
max_age=3600
allow_methods=GET,POST,PUT,DELETE
allow_headers=X-Custom-Header
expose_headers=X-Custom-HeaderIf your application is using pastedeploy, but would also like to use the existing configuration from oslo_config in order to simplify the points of configuration, this may be done as follows.:
[filter:cors]
paste.filter_factory = oslo_middleware.cors:filter_factory
oslo_config_project = oslo_project_name
# Optional field, in case the program name is different from the project:
oslo_config_program = oslo_project_name-api
# This method also permits setting latent properties, for any origins set
# in oslo config.
latent_allow_headers=X-Auth-Token
latent_expose_headers=X-Auth-Token
latent_methods=GET,PUT,POSTConfiguration Options
oslo.middleware.cors
Module Documentation
oslo_middleware.cors