def _prepare_response(resource, dct, last_modified=None, etag=None, status=200): """ Prepares the response object according to the client request and available renderers, making sure that all accessory directives (caching, etag, last-modified) are present. :param resource: the resource involved. :param dct: the dict that should be sent back as a response. :param last_modified: Last-Modified header value. :param etag: ETag header value. :param status: response status. .. versionchanged:: 0.0.5 Support for Cross-Origin Resource Sharing (CORS). .. versionadded:: 0.0.4 """ if request.method == "OPTIONS": resp = app.make_default_options_response() else: # obtain the best match between client's request and available mime # types, along with the corresponding render function. mime, renderer = _best_mime() # invoke the render function and obtain the corresponding rendered item rendered = globals()[renderer](**dct) # build the main wsgi rensponse object resp = make_response(rendered, status) resp.mimetype = mime # cache directives if request.method == "GET": if resource: cache_control = config.DOMAIN[resource]["cache_control"] expires = config.DOMAIN[resource]["cache_expires"] else: cache_control = config.CACHE_CONTROL expires = config.CACHE_EXPIRES if cache_control: resp.headers.add("Cache-Control", cache_control) if expires: resp.expires = time.time() + expires # etag and last-modified if etag: resp.headers.add("ETag", etag) if last_modified: resp.headers.add("Last-Modified", date_to_str(last_modified)) if "Origin" in request.headers and config.X_DOMAINS is not None: if isinstance(config.X_DOMAINS, basestring): domains = [config.X_DOMAINS] else: domains = config.X_DOMAINS methods = app.make_default_options_response().headers["allow"] resp.headers.add("Access-Control-Allow-Origin", ", ".join(domains)) resp.headers.add("Access-Control-Allow-Methods", methods) resp.headers.add("Access-Control-Allow-Max-Age", 21600) return resp
def wrapped_function(*args, **kwargs): if automatic_options and request.method == 'OPTIONS': resp = current_app.make_default_options_response() else: resp = make_response(f(*args, **kwargs)) if not attach_to_all and request.method != 'OPTIONS': return resp h = resp.headers # http://www.w3.org/TR/cors/#access-control-allow-origin-response-header # If origin header from client is in list of domains allowed, # return back to client in Access-Control-Allow-Origin header in # response. origin_allowed = None if request.headers.get('Origin') is None: abort(400) if origin is None and any(request.headers.get('Origin') in o for o in current_app.config['ORIGINS_ALLOWED']): origin_allowed = request.headers.get('Origin') elif origin is not None and any(request.headers.get('Origin') in o for o in (current_app.config['ORIGINS_ALLOWED'] + origin)): origin_allowed = request.headers.get('Origin') else: current_app.logger.warn('The remote IP [%s] requested a forbidden resource=[%s]. Returning 403.' % (request.remote_addr, request.url)) abort(403) h['Access-Control-Allow-Credentials'] = 'true' h['Access-Control-Allow-Origin'] = origin_allowed h['Access-Control-Allow-Methods'] = get_methods() h['Access-Control-Max-Age'] = str(max_age) if headers is not None: h['Access-Control-Allow-Headers'] = headers return resp
def get_methods(): """Get methods.""" if methods is not None: return methods options_resp = current_app.make_default_options_response() return options_resp.headers['allow']
def app_before_request(): # cors response if request.method == "OPTIONS": resp = current_app.make_default_options_response() cors_headers = make_cors_headers() resp.headers.extend(cors_headers) return resp
def wrapped_function(*args, **kwargs): # Determine origins when in the context of a request origins = _origins or current_app.config.get('CORS_ORIGINS', '*') origins_str = str(origins) wildcard = origins_str == '*' if(not isinstance(origins, string_types) and isinstance(origins, collections.Iterable)): origins_str = ', '.join(origins) # Determine headers when in the context of the request headers = _headers or current_app.config.get('CORS_HEADERS') if (not isinstance(headers, string_types) and isinstance(headers, collections.Iterable)): headers = ', '.join(x for x in headers) # If the Origin header is not present terminate this set of steps. # The request is outside the scope of this specification. request_origin = request.headers.get('Origin', '') if 'Origin' not in request.headers and not always_send: return make_response(f(*args, **kwargs)) # If the value of the Origin header is not a case-sensitive match # for any of the values in list of origins, do not set any # additional headers and terminate this set of steps. elif(not wildcard and not always_send and request_origin not in origins): return make_response(f(*args, **kwargs)) if automatic_options and request.method == 'OPTIONS': resp = current_app.make_default_options_response() else: resp = make_response(f(*args, **kwargs)) # Add a single Access-Control-Allow-Origin header, with either # the value of the Origin header or the string "*" as value. if wildcard: # If the `origins` param is '*', either send the request's # origin, or `*` if send_wildcard: resp.headers[ACL_ORIGIN] = origins else: req_origin = request.headers.get('Origin', '*') resp.headers[ACL_ORIGIN] = req_origin # If not 'wildcard', send the string-joined-form of the # origins header else: resp.headers[ACL_ORIGIN] = origins_str resp.headers[ACL_METHODS] = methods if max_age: resp.headers[ACL_MAX_AGE] = str(max_age) if headers is not None: resp.headers[ACL_HEADERS] = headers if supports_credentials: resp.headers[ACL_CREDENTIALS] = 'true' return resp
def wrapped_function(*args, **kwargs): if request.method == 'OPTIONS': resp = current_app.make_default_options_response() resp.headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS' resp.headers['Access-Control-Allow-Headers'] = request.environ['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] else: if request.data: input = json.loads(request.data) else: input = json.loads('{}') print 'Recieved:', input result_d = {"error" : False} try: f(input, result_d) except Exception as e: print ">> Error >>", e result_d["error"] = True result = str(json.dumps(result_d)) print 'Returning:', result resp = make_response(result) resp.headers['Access-Control-Allow-Origin'] = request.environ.get('HTTP_ORIGIN','*') resp.headers['Access-Control-Allow-Cedentials'] = 'true' resp.headers['Access-Control-Allow-Max-Age'] = '86400' #print resp.response #print resp.headers return resp
def get_methods(): if methods is not None: print('got here3') return methods options_resp = current_app.make_default_options_response() return options_resp.headers['allow']
def get_methods(): if methods is not None: return methods options_resp = current_app.make_default_options_response() options = ', '.join({options_resp.headers['allow'], 'OPTIONS'}) return options
def wrapper(*args, **kwargs): default_options_response = current_app.make_default_options_response() if not methods: # NOTE: default_options_response might not have 'allow' header # for example, when there is an error handler on the application level (not on blueprint). allowed_methods = default_options_response.headers['allow'].split(', ') else: allowed_methods = ', '.join(sorted(method.upper() for method in methods)) if not headers: allowed_headers = 'Accept, Accept-Language, Content-Language, Content-Type' else: allowed_headers = ', '.join(headers) crossdomain_headers = { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Methods': allowed_methods, 'Access-Control-Allow-Headers': allowed_headers } if request.method == 'OPTIONS': default_options_response.headers.extend(crossdomain_headers) return default_options_response # NOTE: func might raise an exception (i.e BadRequest), currently this error is not catched so # execution stops here before headers are set for CORS. crossdomain_response = func(*args, **kwargs) crossdomain_response.headers.extend(crossdomain_headers) return crossdomain_response
def wrapped_function(*args, **kwargs): # Get a hold of the request origin origin = request.environ.get('HTTP_ORIGIN') if automatic_options and request.method == 'OPTIONS': resp = current_app.make_default_options_response() else: resp = make_response(f(*args, **kwargs)) if not attach_to_all and request.method != 'OPTIONS': return resp h = resp.headers # if the origin matches any of our allowed origins set the # access control header appropriately allow_origin = (origin if origin is not None and allowed_origins is not None and origin in allowed_origins else None) h['Access-Control-Allow-Origin'] = allow_origin h['Access-Control-Allow-Methods'] = get_methods() h['Access-Control-Max-Age'] = str(max_age) if credentials: h['Access-Control-Allow-Credentials'] = 'true' if headers is not None: h['Access-Control-Allow-Headers'] = headers return resp
def wrapped_function(*args, **kwargs): if not 'Origin' in request.headers and not always_send: return make_response(f(*args, **kwargs)) elif not wildcard and not always_send and not request.headers.get('Origin', '') in origins: return make_response(f(*args, **kwargs)) if request.method == 'OPTIONS': resp = current_app.make_default_options_response() else: resp = make_response(f(*args, **kwargs)) h = resp.headers if wildcard: if send_wildcard: h[AccessControlAllowOrigin] = origins else: h[AccessControlAllowOrigin] = request.headers.get('Origin', '*') else: h[AccessControlAllowOrigin] = request.headers.get('Origin') h['Access-Control-Allow-Methods'] = methods if max_age: h['Access-Control-Max-Age'] = str(max_age) if headers is not None: h['Access-Control-Allow-Headers'] = headers return resp
def inner(*args, **kwargs): if request.method=='OPTIONS': resp=current_app.make_default_options_response() else: resp=fn(*args,**kwargs) resp=make_response(resp) return add_cors_headers(resp)
def get_methods(): if methods is not None: return methods # if not provided, make the default response options, which will allow all methods that are implemented. options_resp = current_app.make_default_options_response() return options_resp.headers['allow']
def app_before_request(): # cors response if request.method == 'OPTIONS': resp = current_app.make_default_options_response() cors_headers = make_cors_headers() resp.headers.extend(cors_headers) return resp elif request.path.strip('/') in SYS_ICON_LIST: return make_response('', 204) # for browser default icons if request.endpoint == 'uploads.get_uploads': return base_url = current_app.config.get('BASE_URL') uploads_url = current_app.config.get('UPLOADS_URL') if app.debug or not MEM['loaded']: MEM['curr_app'] = load_curr_app(current_app) MEM['files'] = load_all_files(current_app, MEM['curr_app']) MEM['loaded'] = True g.curr_app = MEM['curr_app'] g.files = MEM['files'] g.request_remote_addr = get_remote_addr() g.request_path = request.path g.curr_base_url = base_url g.uploads_url = uploads_url g.request_url = get_request_url(g.curr_base_url, g.request_path) g.query_map = {}
def decorated(*args, **kwargs): if request.method == 'OPTIONS': resp = app.make_default_options_response() else: resp = make_response(f(*args, **kwargs)) # CORS domains = app.config.get('X_DOMAINS') headers = app.config.get('X_HEADERS') max_age = app.config.get('X_MAX_AGE') allow_credentials = app.config.get('X_ALLOW_CREDENTIALS') expose_headers = app.config.get('X_EXPOSE_HEADERS') origin = request.headers.get('Origin') if origin and domains: if isinstance(domains, str): domains = [domains] if headers is None: headers = [] elif isinstance(headers, str): headers = [headers] if expose_headers is None: expose_headers = [] elif isinstance(expose_headers, str): expose_headers = [expose_headers] allow_credentials = allow_credentials is True methods = app.make_default_options_response().headers.get( 'allow', '') h = resp.headers if '*' in domains: h['Access-Control-Allow-Origin'] = origin h['Vary'] = 'Origin' elif any(re.match(re.escape(domain), origin) for domain in domains): h['Access-Control-Allow-Origin'] = origin else: h['Access-Control-Allow-Origin'] = '' h['Access-Control-Allow-Headers'] = ', '.join(headers) h['Access-Control-Expose-Headers'] = ', '.join(expose_headers) h['Access-Control-Allow-Methods'] = methods h['Access-Control-Max-Age'] = str(max_age) return resp
def crossdomain(origin=None, methods=None, headers=None, max_age=21600, attach_to_all=True, automatic_options=True): """ :param origin: '*' to allow all origins, otherwise a string with a URL or a list of URLs that might access the resource. :param methods: Optionally a list of methods that are allowed for this view. If not provided it will allow all methods that are implemented :param headers: Optionally a list of headers that are allowed for this request. :param max_age: The number of seconds as integer or timedelta object for which the preflighted request is valid. :param attach_to_all: True if the decorator should add the access control headers to all HTTP methods or False if it should only add them to OPTIONS responses. :param automatic_options: If enabled the decorator will use the default Flask OPTIONS response and attach the headers there, otherwise the view :return: http://flask.pocoo.org/snippets/56/ """ if methods is not None: methods = ', '.join(sorted(x.upper() for x in methods)) else: options_resp = current_app.make_default_options_response() methods = options_resp.headers['allow'] if headers is not None and not isinstance(headers, basestring): headers = ', '.join(x.upper() for x in headers) if not isinstance(origin, basestring): origin = ', '.join(origin) if isinstance(max_age, timedelta): max_age = max_age.total_seconds() def decorator(f): def wrapped_function(*args, **kwargs): if automatic_options and request.method == 'OPTIONS': resp = current_app.make_default_options_response() else: resp = make_response(f(*args, **kwargs)) if not attach_to_all and request.method != 'OPTIONS': return resp h = resp.headers h['Access-Control-Allow-Origin'] = origin h['Access-Control-Allow-Methods'] = methods h['Access-Control-Max-Age'] = str(max_age) if headers is not None: h['Access-Control-Allow-Headers'] = headers return resp f.provide_automatic_options = False return update_wrapper(wrapped_function, f) return decorator
def wrapped_function(*args, **kwargs): if automatic_options and request.method == 'OPTIONS': resp = current_app.make_default_options_response() else: resp = make_response(f(*args, **kwargs)) if not attach_to_all and request.method != 'OPTIONS': return resp
def get_methods(): """ Determines which methods are allowed """ if methods is not None: return methods options_resp = current_app.make_default_options_response() return options_resp.headers['allow']
def get_methods(): ''' utils method for obtaining methods ''' if methods is not None: return methods options_resp = current_app.make_default_options_response() return options_resp.headers['allow']
def get_methods(): # if we have specified methods, return the list if methods is not None: return methods # return default OPTIONS response options_resp = current_app.make_default_options_response() return options_resp.headers['allow']
def summarize(): print 'printed' resp = current_app.make_default_options_response() h = resp.headers h['Access-Control-Allow-Origin'] = '*' #print request.form['aDoc'] #myValues = request.get_json(force=True) #print myValues resp.data= theLSA.sumDoc(request.form['aDoc']) return resp
def wrapped_function(*args, **kwargs): if request.method == 'OPTIONS': resp = current_app.make_default_options_response() else: resp = make_response(f(*args, **kwargs)) h = resp.headers h['Access-Control-Allow-Origin'] = origin h['Access-Control-Allow-Methods'] = get_methods() if headers is not None: h['Access-Control-Allow-Headers'] = headers return resp
def before_request(): if request.method == 'OPTIONS': resp = current_app.make_default_options_response() h = resp.headers if 'ACCESS_CONTROL_REQUEST_HEADERS' in request.headers: h['Access-Control-Allow-Headers'] = request.headers['ACCESS_CONTROL_REQUEST_HEADERS'] h['Access-Control-Allow-Origin'] = "*" h['Access-Control-Allow-Methods'] = request.headers['Access-Control-Request-Method'] return resp
def app_before_request(): if request.method == "OPTIONS": resp = current_app.make_default_options_response() cors_headers = { "Access-Control-Allow-Headers": "Origin, Accept, Content-Type, Authorization", "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS, HEAD", "Access-Control-Allow-Origin": "*" } resp.headers.extend(cors_headers) return resp return
def decorated_function(*args, **kwargs): if True and request.method == 'OPTIONS': resp = current_app.make_default_options_response() else: resp = make_response(f(*args, **kwargs)) if not True and request.method != 'OPTIONS': return resp h = resp.headers h['Content-Type'] = "application/json" return resp
def allowALLTheThings(response): this = current_app.make_default_options_response() allowed = this.headers['allow'] headers = request.headers.get('Access-Control-Request-Headers', '*') response.headers.add('Access-Control-Allow-Origin', '*') response.headers.add('Access-Control-Allow-Headers', headers) response.headers.add('Access-Control-Allow-Methods', allowed) response.headers.add('Access-Control-Allow-Credentials', 'true') return response
def get_methods(): if methods is not None: return methods options_resp = current_app.make_default_options_response() try: return options_resp.headers["Allow"] except: # This might not be present on all requests. Let is 404 instead of 500. pass
def wrapped_function(*args, **kwargs): # Handle setting of Flask-Cors parameters options = get_cors_options(current_app, _options) if options.get('automatic_options') and request.method == 'OPTIONS': resp = current_app.make_default_options_response() else: resp = make_response(f(*args, **kwargs)) set_cors_headers(resp, options) setattr(resp, FLASK_CORS_EVALUATED, True) return resp
def wrapped_function(*args, **kwargs): if automatic_options and request.method == 'OPTIONS': resp = current_app.make_default_options_response() else: resp = make_response( f( *args, **kwargs ) ) if not attach_to_all and request.method != 'OPTIONS': return resp h = resp.headers h['Access-Control-Allow-Origin'] = origin h['Access-Control-Allow-Methods'] = get_methods() h['Access-Control-Max-Age'] = str( max_age ) if headers is not None: h['Access-Control-Allow-Headers'] = headers return resp
def wrapped_function(*args, **kwargs): if automatic_options and request.method == 'OPTIONS': resp = current_app.make_default_options_response() else: resp = make_response(f(*args, **kwargs)) if not attach_to_all and request.method != 'OPTIONS': return resp h = resp.headers h['Access-Control-Allow-Origin'] = origin h['Access-Control-Allow-Methods'] = get_methods() h['Access-Control-Max-Age'] = str(max_age) h['Access-Control-Allow-Headers'] = "Origin, X-Requested-With, Content-Type, Accept, Authorization " h['Access-Control-Allow-Credentials'] = 'true' return resp
def get_methods(): if methods is not None: return ', '.join(sorted(x.upper() for x in methods)) options_resp = current_app.make_default_options_response() return options_resp.headers['allow']
def options(self): """ Allow CORS for specific origins """ resp = current_app.make_default_options_response() return add_cors_headers(response)
def make_decision_options(): """ Handles the OPTIONS requests to the /decision endpoint. """ resp = current_app.make_default_options_response() return insert_headers(resp)
def get_methods(): if methods is not None: return methods options_resp = current_app.make_default_options_response() return options_resp.headers['allow']
def before_request(): if request.method == 'OPTIONS': response = current_app.make_default_options_response() response = prepare_headers(response) response.headers['Access-Control-Allow-Headers'] = 'content-type, authorization, if-match' return response
def _prepare_response(resource, dct, last_modified=None, etag=None, status=200): """ Prepares the response object according to the client request and available renderers, making sure that all accessory directives (caching, etag, last-modified) are present. :param resource: the resource involved. :param dct: the dict that should be sent back as a response. :param last_modified: Last-Modified header value. :param etag: ETag header value. :param status: response status. .. versionchanged:: 0.0.9 Support for Python 3.3. .. versionchanged:: 0.0.7 Support for Rate-Limiting. .. versionchanged:: 0.0.6 Support for HEAD requests. .. versionchanged:: 0.0.5 Support for Cross-Origin Resource Sharing (CORS). .. versionadded:: 0.0.4 """ if request.method == 'OPTIONS': resp = app.make_default_options_response() else: # obtain the best match between client's request and available mime # types, along with the corresponding render function. mime, renderer = _best_mime() # invoke the render function and obtain the corresponding rendered item rendered = globals()[renderer](**dct) # build the main wsgi rensponse object resp = make_response(rendered, status) resp.mimetype = mime # cache directives if request.method in ('GET', 'HEAD'): if resource: cache_control = config.DOMAIN[resource]['cache_control'] expires = config.DOMAIN[resource]['cache_expires'] else: cache_control = config.CACHE_CONTROL expires = config.CACHE_EXPIRES if cache_control: resp.headers.add('Cache-Control', cache_control) if expires: resp.expires = time.time() + expires # etag and last-modified if etag: resp.headers.add('ETag', etag) if last_modified: resp.headers.add('Last-Modified', date_to_str(last_modified)) # CORS if 'Origin' in request.headers and config.X_DOMAINS is not None: if isinstance(config.X_DOMAINS, str): domains = [config.X_DOMAINS] else: domains = config.X_DOMAINS if config.X_HEADERS is None: headers = [] elif isinstance(config.X_HEADERS, str): headers = [config.X_HEADERS] else: headers = config.X_HEADERS methods = app.make_default_options_response().headers['allow'] resp.headers.add('Access-Control-Allow-Origin', ', '.join(domains)) resp.headers.add('Access-Control-Allow-Headers', ', '.join(headers)) resp.headers.add('Access-Control-Allow-Methods', methods) resp.headers.add('Access-Control-Allow-Max-Age', 21600) # Rate-Limiting limit = get_rate_limit() if limit and limit.send_x_headers: resp.headers.add('X-RateLimit-Remaining', str(limit.remaining)) resp.headers.add('X-RateLimit-Limit', str(limit.limit)) resp.headers.add('X-RateLimit-Reset', str(limit.reset)) return resp
def options_response(): if request.method == 'OPTIONS': logger.debug('responding to OPTIONS request') resp = current_app.make_default_options_response() return resp
def upload_options(): print "OPTIONS CALL" return current_app.make_default_options_response()
def _prepare_response(resource, dct, last_modified=None, etag=None, status=200, headers=None): """ Prepares the response object according to the client request and available renderers, making sure that all accessory directives (caching, etag, last-modified) are present. :param resource: the resource involved. :param dct: the dict that should be sent back as a response. :param last_modified: Last-Modified header value. :param etag: ETag header value. :param status: response status. .. versionchanged:: 0.7 Add support for regexes in X_DOMAINS values. Closes #660. ETag value now surrounded by double quotes. Closes #794. .. versionchanged:: 0.6 JSONP Support. .. versionchanged:: 0.4 Support for optional extra headers. Fix #381. 500 instead of 404 if CORS is enabled. .. versionchanged:: 0.3 Support for X_MAX_AGE. .. versionchanged:: 0.1.0 Support for optional HATEOAS. .. versionchanged:: 0.0.9 Support for Python 3.3. .. versionchanged:: 0.0.7 Support for Rate-Limiting. .. versionchanged:: 0.0.6 Support for HEAD requests. .. versionchanged:: 0.0.5 Support for Cross-Origin Resource Sharing (CORS). .. versionadded:: 0.0.4 """ if request.method == 'OPTIONS': resp = app.make_default_options_response() else: # obtain the best match between client's request and available mime # types, along with the corresponding render function. mime, renderer = _best_mime() # invoke the render function and obtain the corresponding rendered item rendered = globals()[renderer](dct) # JSONP if config.JSONP_ARGUMENT: jsonp_arg = config.JSONP_ARGUMENT if jsonp_arg in request.args and 'json' in mime: callback = request.args.get(jsonp_arg) rendered = "%s(%s)" % (callback, rendered) # build the main wsgi rensponse object resp = make_response(rendered, status) resp.mimetype = mime # extra headers if headers: for header, value in headers: if header != 'Content-Type': resp.headers.add(header, value) # cache directives if request.method in ('GET', 'HEAD'): if resource: cache_control = config.DOMAIN[resource]['cache_control'] expires = config.DOMAIN[resource]['cache_expires'] else: cache_control = config.CACHE_CONTROL expires = config.CACHE_EXPIRES if cache_control: resp.headers.add('Cache-Control', cache_control) if expires: resp.expires = time.time() + expires # etag and last-modified if etag: resp.headers.add('ETag', '"' + etag + '"') if last_modified: resp.headers.add('Last-Modified', date_to_rfc1123(last_modified)) # CORS origin = request.headers.get('Origin') if origin and config.X_DOMAINS: if isinstance(config.X_DOMAINS, str): domains = [config.X_DOMAINS] else: domains = config.X_DOMAINS if config.X_HEADERS is None: headers = [] elif isinstance(config.X_HEADERS, str): headers = [config.X_HEADERS] else: headers = config.X_HEADERS if config.X_EXPOSE_HEADERS is None: expose_headers = [] elif isinstance(config.X_EXPOSE_HEADERS, str): expose_headers = [config.X_EXPOSE_HEADERS] else: expose_headers = config.X_EXPOSE_HEADERS # The only accepted value for Access-Control-Allow-Credentials header # is "true" allow_credentials = config.X_ALLOW_CREDENTIALS is True methods = app.make_default_options_response().headers.get('allow', '') if '*' in domains: resp.headers.add('Access-Control-Allow-Origin', origin) resp.headers.add('Vary', 'Origin') elif any(re.match(re.escape(domain), origin) for domain in domains): resp.headers.add('Access-Control-Allow-Origin', origin) else: resp.headers.add('Access-Control-Allow-Origin', '') resp.headers.add('Access-Control-Allow-Headers', ', '.join(headers)) resp.headers.add('Access-Control-Expose-Headers', ', '.join(expose_headers)) resp.headers.add('Access-Control-Allow-Methods', methods) resp.headers.add('Access-Control-Max-Age', config.X_MAX_AGE) if allow_credentials: resp.headers.add('Access-Control-Allow-Credentials', "true") # Rate-Limiting limit = get_rate_limit() if limit and limit.send_x_headers: resp.headers.add('X-RateLimit-Remaining', str(limit.remaining)) resp.headers.add('X-RateLimit-Limit', str(limit.limit)) resp.headers.add('X-RateLimit-Reset', str(limit.reset)) return resp
def get_methods(): resp = current_app.make_default_options_response() return resp.headers["allow"]
def options(self, *args, **kwargs): ''' Restangular, and angular.js need an OPTIONS method ''' resp = current_app.make_default_options_response() return {}, resp.status, resp.headers
def _prepare_response(resource, dct, last_modified=None, etag=None, status=200, headers=None): """ Prepares the response object according to the client request and available renderers, making sure that all accessory directives (caching, etag, last-modified) are present. :param resource: the resource involved. :param dct: the dict that should be sent back as a response. :param last_modified: Last-Modified header value. :param etag: ETag header value. :param status: response status. .. versionchanged:: 0.7 Add support for regexes in X_DOMAINS_RE. Closes #660, #974. ETag value now surrounded by double quotes. Closes #794. .. versionchanged:: 0.6 JSONP Support. .. versionchanged:: 0.4 Support for optional extra headers. Fix #381. 500 instead of 404 if CORS is enabled. .. versionchanged:: 0.3 Support for X_MAX_AGE. .. versionchanged:: 0.1.0 Support for optional HATEOAS. .. versionchanged:: 0.0.9 Support for Python 3.3. .. versionchanged:: 0.0.7 Support for Rate-Limiting. .. versionchanged:: 0.0.6 Support for HEAD requests. .. versionchanged:: 0.0.5 Support for Cross-Origin Resource Sharing (CORS). .. versionadded:: 0.0.4 """ if request.method == "OPTIONS": resp = app.make_default_options_response() else: # obtain the best match between client's request and available mime # types, along with the corresponding render function. mime, renderer_cls = _best_mime() # invoke the render function and obtain the corresponding rendered item rendered = renderer_cls().render(dct) # JSONP if config.JSONP_ARGUMENT: jsonp_arg = config.JSONP_ARGUMENT if jsonp_arg in request.args and "json" in mime: callback = request.args.get(jsonp_arg) rendered = "%s(%s)" % (callback, rendered) # build the main wsgi response object resp = make_response(rendered, status) resp.mimetype = mime # extra headers if headers: for header, value in headers: if header != "Content-Type": resp.headers.add(header, value) # cache directives if request.method in ("GET", "HEAD"): if resource: cache_control = config.DOMAIN[resource]["cache_control"] expires = config.DOMAIN[resource]["cache_expires"] else: cache_control = config.CACHE_CONTROL expires = config.CACHE_EXPIRES if cache_control: resp.headers.add("Cache-Control", cache_control) if expires: resp.expires = time.time() + expires # etag and last-modified if etag: resp.headers.add("ETag", '"' + etag + '"') if last_modified: resp.headers.add("Last-Modified", date_to_rfc1123(last_modified)) # CORS origin = request.headers.get("Origin") if origin and (config.X_DOMAINS or config.X_DOMAINS_RE): if config.X_DOMAINS is None: domains = [] elif isinstance(config.X_DOMAINS, str): domains = [config.X_DOMAINS] else: domains = config.X_DOMAINS if config.X_DOMAINS_RE is None: domains_re = [] elif isinstance(config.X_DOMAINS_RE, str): domains_re = [config.X_DOMAINS_RE] else: domains_re = config.X_DOMAINS_RE # precompile regexes and ignore invalids domains_re_compiled = [] for domain_re in domains_re: try: domains_re_compiled.append(re.compile(domain_re)) except re.error: continue if config.X_HEADERS is None: headers = [] elif isinstance(config.X_HEADERS, str): headers = [config.X_HEADERS] else: headers = config.X_HEADERS if config.X_EXPOSE_HEADERS is None: expose_headers = [] elif isinstance(config.X_EXPOSE_HEADERS, str): expose_headers = [config.X_EXPOSE_HEADERS] else: expose_headers = config.X_EXPOSE_HEADERS # The only accepted value for Access-Control-Allow-Credentials header # is "true" allow_credentials = config.X_ALLOW_CREDENTIALS is True methods = app.make_default_options_response().headers.get("allow", "") if "*" in domains: resp.headers.add("Access-Control-Allow-Origin", origin) resp.headers.add("Vary", "Origin") elif any(origin == domain for domain in domains): resp.headers.add("Access-Control-Allow-Origin", origin) elif any(domain.match(origin) for domain in domains_re_compiled): resp.headers.add("Access-Control-Allow-Origin", origin) else: resp.headers.add("Access-Control-Allow-Origin", "") resp.headers.add("Access-Control-Allow-Headers", ", ".join(headers)) resp.headers.add("Access-Control-Expose-Headers", ", ".join(expose_headers)) resp.headers.add("Access-Control-Allow-Methods", methods) resp.headers.add("Access-Control-Max-Age", config.X_MAX_AGE) if allow_credentials: resp.headers.add("Access-Control-Allow-Credentials", "true") # Rate-Limiting limit = get_rate_limit() if limit and limit.send_x_headers: resp.headers.add("X-RateLimit-Remaining", str(limit.remaining)) resp.headers.add("X-RateLimit-Limit", str(limit.limit)) resp.headers.add("X-RateLimit-Reset", str(limit.reset)) return resp
def handle_preflight(): return current_app.make_default_options_response()