Flask-CORS

Warnings

• breaking In version 6.0.0, the path specificity ordering for CORS rules changed to improve specificity. This might alter how CORS rules are applied if your application relied on the previous, less specific ordering. Additionally, `urllib.unquote_plus` was replaced with `urllib.unquote`, and request path matching became case-sensitive.
  Fix: Review your CORS configurations, especially those with multiple resource paths, to ensure they match the new specificity order. Test cross-origin requests thoroughly to confirm expected behavior. Ensure your application's request paths are consistently cased if matching rules rely on it.
• breaking Version 5.0.0 introduced a breaking change by defaulting to disable private network access. This was a security enhancement. If your application needs to make requests to private network resources from a public-facing origin, you will need to explicitly re-enable this functionality.
  Fix: If your application requires private network access, consult the Flask-CORS documentation for the specific configuration option to re-enable it. Typically, this involves setting a configuration flag.
• breaking Version 4.0.0 dropped support for Python versions older than 3.8. Applications running on Python 3.7 or earlier will not be able to upgrade to Flask-CORS 4.0.0 or newer.
  Fix: Upgrade your Python environment to 3.8 or newer before upgrading to Flask-CORS 4.0.0+.
• gotcha Enabling `supports_credentials=True` allows browsers to send cookies and HTTP authentication headers with cross-origin requests. While necessary for authenticated requests, it introduces security implications and should always be used in conjunction with robust CSRF protection.
  Fix: Implement CSRF protection (e.g., Flask-WTF CSRFProtect) when `supports_credentials=True` is enabled. Carefully define `origins` to restrict access to trusted domains only.
• gotcha Using `origins='*'` (allowing all origins) is generally not recommended for production environments due to security risks. It can expose your API to unintended access.
  Fix: Always specify a list of explicit, trusted `origins` (e.g., `origins=['http://localhost:3000', 'https://your-frontend.com']`) instead of `*` in production deployments.
• gotcha When specifying `origins` in `CORS` or `@cross_origin`, ensure you include the full schema (http/https) and the port number (if not the default 80 or 443). For example, `http://localhost:8000` is correct, while `localhost:8000` or `http://localhost` (if on a non-default port) might not work.
  Fix: Always provide complete origin URLs, including schema and port, in the `origins` list or string.

Install

• pip install Flask-CORS Install latest version

Imports

• CORS

  from flask_cors import CORS

  The `flask.ext` prefix was deprecated and removed in Flask 0.11. Direct import from `flask_cors` is the correct approach.
• cross_origin

  from flask_cors import cross_origin

Quickstart

This quickstart demonstrates enabling CORS globally for an entire Flask application and also for a specific route using the `@cross_origin` decorator. Global enablement is done by initializing `CORS(app)`. For fine-grained control, the `@cross_origin` decorator allows specifying allowed origins, methods, and credential support for individual routes.

from flask import Flask
from flask_cors import CORS
import os

app = Flask(__name__)
CORS(app) # Enable CORS for all routes, for all origins and methods

@app.route("/")
def hello_world():
    return "Hello, cross-origin-world!"

# Example of specific CORS for an API endpoint
@app.route("/api/data")
@cross_origin(origins="http://localhost:3000", methods=["GET", "POST"], supports_credentials=True)
def get_data():
    return {"message": "Data from API!"}

if __name__ == '__main__':
    app.run(debug=True, port=int(os.environ.get('PORT', 5000)))