Set arbitrary headers for APIG (will enable CORS) #70

Closed
amir-mehler opened this issue Jul 26, 2016 · 18 comments
@amir-mehler

amir-mehler commented Jul 26, 2016

Currently I can define a resource like this:

@app.route('/scalars', methods=['GET', 'OPTIONS'])
def scalars():
    return {'mau': 27048, 'wau': 7003}

The OPTIONS will help me with enabling CORS in APIG. But I'm still missing the 'Access-Control-Allow-Origin' header, so I enable it manually in the console after each deploy.

One approach would be to configure headers in the method.
Another would be to call the "Enable CORS" magic button in APIG.

WDYT?

@jamesls
Member

jamesls commented Jul 28, 2016

I think having something similar to what the console has via "Enable CORS" would be great to add. Marking as a feature request.

@zaga1

zaga1 commented Aug 1, 2016

Even if I go into AWS API Gateway console and select 'Access-Control-Allow-Origin' it still gives the error in the browser of not having the CORS header?

@beaucronin

👍 very important for me as well to be able to enable CORS from chalice

@mlapida

mlapida commented Aug 8, 2016

+1 - having the ability to enable CORS on deploy would be fantastic.

@zaga1 you'll need to enable CORS for each resource then deploy the API from the console.

@howardroark

Is everyone enabling CORS in the console right now? Or is no one really building APIs meant for the browser with this? Would really like to try this, but don't have any server to server use cases.

@chrisgilmerproj

Yes, this is how I'm doing this. It's a bit more manual than I'd like but it will do for now.

@jamesls
Member

jamesls commented Sep 21, 2016

Taking a look now.

@jamesls
Member

jamesls commented Sep 22, 2016

I've been playing around with this feature and I think there's a few use cases I can envision. Would like to hear what others think about this:

1. Enable CORS for a single route:

@app.route('/corsenabled', enable_cors=True)
def yescors():
    return {'hello': 'cors'}

This would mimic the behavior of the "Enable CORS" in the console. Would default to '*' for the allow origin header.

2. Enable CORS for the entire app. If you just want CORS enabled for every view function, you can specify this when creating your app:

from chalice import Chalice

# enable_cors=True when creating the `Chalice` object.
app = Chalice(app_name='foo', enable_cors=True)

# Every route is enabled with CORS by default.
@app.route('/')
def yescors():
    return {'hello': 'cors'}


@app.route('/foo')
def foo():
    return {'hello': 'cors again'}

# Can still turn it off if you want:
@app.route('/no_cors', enable_cors=False)
def foo():
    return {'hello': 'cors again'}

3. Customized CORS configuration

from chalice import Chalice, CORSConfig

app = Chalice(app_name='foo')

cors = CORSConfig(allow_origin='http://foo', allow_headers=['list', 'of', 'headers'],
                  expose_headers=..., max_age=..., allow_credentials=...)

@app.route('/', cors_config=cors)
def foo():
  ...

Optionally, I could just use a single arg, cors, which could be one of True|False|CORSConfig.

Would those three cases cover most people's usage?

@chrisgilmerproj

I like the above. One thing that I'd want is to ensure that the CORS headers are on all the response codes, not just 200. Otherwise I'll still have to go in and update 400, 403, 404, etc.

@jamesls
Member

jamesls commented Sep 22, 2016

Good point, I'll be sure to add this to all status codes.

@howardroark

@jamesls Sounds like a good plan!

@DeviaVir

@jamesls definitely looking good! I ran into this issue a while ago and was thinking about building this in. Any way I can help you, perhaps?

@jackrk

jackrk commented Apr 20, 2017

The fact that CORS support here just automatically gives you '*' for allowed origins is a real problem. In the API Gateway console, there is a warning explaining what that means and it encourages the developer to use their own specific domain.

The above warning is not mentioned in the Chalice docs... do we trust every consumer to understand how CORS works and what Access-Control-Allow-Origin: '*' means?

CORS is just a best-intention spec anyway (you have to trust the browser), but I don't think CORS should have shipped without something like the cors_config suggested by @jamesls.
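
An added example, not code from Chalice or from anyone in this thread: a standalone sketch of the two points raised above, answering only allowlisted origins instead of '*' and putting the CORS headers on every status code. `CorsPolicy`, `respond` and the example.com origin are hypothetical; the field names simply follow the CORSConfig proposal.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsPolicy:
    """Hypothetical policy object; field names follow the CORSConfig proposal."""
    allowed_origins: frozenset
    allow_headers: tuple = ("Content-Type", "Authorization")
    expose_headers: tuple = ()
    max_age: int = 600
    allow_credentials: bool = False

    def __post_init__(self):
        # Browsers reject a wildcard origin on credentialed requests; fail early.
        if "*" in self.allowed_origins and self.allow_credentials:
            raise ValueError("'*' cannot be combined with allow_credentials")

    def headers_for(self, request_origin):
        """CORS headers for one request, or {} when the origin is not allowed."""
        if "*" in self.allowed_origins:
            allow = "*"
        elif request_origin in self.allowed_origins:
            allow = request_origin  # echo only an exact allowlist match
        else:
            return {}
        headers = {
            "Access-Control-Allow-Origin": allow,
            "Access-Control-Allow-Headers": ",".join(self.allow_headers),
            "Access-Control-Max-Age": str(self.max_age),
        }
        if allow != "*":
            headers["Vary"] = "Origin"  # response differs per origin
        if self.expose_headers:
            headers["Access-Control-Expose-Headers"] = ",".join(self.expose_headers)
        if self.allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        return headers


def respond(status, body, policy, request_origin):
    """Build a response dict; CORS headers go on every status, not just 200."""
    headers = {"Content-Type": "application/json"}
    headers.update(policy.headers_for(request_origin))
    return {"statusCode": status, "headers": headers, "body": body}


# Constructed sample: one trusted front-end origin.
POLICY = CorsPolicy(allowed_origins=frozenset({"https://app.example.com"}))
```
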

@jamesls
Member

jamesls commented Apr 26, 2017

@jackrk thanks for the feedback. We're working on adding the CORSConfig option.

cc @stealthycoin

@stealthycoin
Contributor

Implemented in #311

@dmulter
Contributor

dmulter commented Jan 5, 2018

The CORS support is nice, but I see that the cors=True wasn't made part of Chalice instantiation. I have lots of routes and it would be nicer if I could just turn it on for everything. Not sure what others think.

@russelldavies

@dmulter I would like to turn it on for everything too via passing an option during instantiation of the app.

@rahulakash

@jamesls @stealthycoin: We see that the support is now added for 3. Customized CORS configuration. Is there a plan to add support for 2. Enable CORS for the entire app? It would be really helpful to enable CORS for all the endpoints.
