fix: cors middleware mirrors origin in case no initial cookie is present

encode · Aug 30, 2024 · 8c15a6a · 8c15a6a
1 parent c78c9aa
commit 8c15a6a
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/starlette/middleware/cors.py b/starlette/middleware/cors.py
@@ -158,9 +158,9 @@ async def send(
         headers = MutableHeaders(scope=message)
         headers.update(self.simple_headers)
         origin = request_headers["Origin"]
-        has_cookie = "cookie" in request_headers
+        has_cookie = "cookie" in request_headers or "set-cookie" in headers
 
-        # If request includes any cookie headers, then we must respond
+        # If request or response includes any cookie headers, then we must respond
         # with the specific origin instead of '*'.
         if self.allow_all_origins and has_cookie:
             self.allow_explicit_origin(headers, origin)

diff --git a/tests/middleware/test_cors.py b/tests/middleware/test_cors.py
@@ -432,6 +432,29 @@ def homepage(request: Request) -> PlainTextResponse:
     assert "access-control-allow-credentials" not in response.headers
 
 
+def test_cors_credentialed_requests_return_specific_origin_without_initial_cookie(
+    test_client_factory: TestClientFactory,
+) -> None:
+    def homepage(request: Request) -> PlainTextResponse:
+        response = PlainTextResponse("Homepage", status_code=200)
+        response.set_cookie("mycookie", "myvalue", path=None)
+        return response
+
+    app = Starlette(
+        routes=[Route("/", endpoint=homepage)],
+        middleware=[Middleware(CORSMiddleware, allow_origins=["*"])],
+    )
+    client = test_client_factory(app)
+
+    # Test credentialed request
+    headers = {"Origin": "https://example.org"}
+    response = client.get("/", headers=headers)
+    assert response.status_code == 200
+    assert response.text == "Homepage"
+    assert response.headers["access-control-allow-origin"] == "https://example.org"
+    assert "access-control-allow-credentials" not in response.headers
+
+
 def test_cors_vary_header_defaults_to_origin(
     test_client_factory: TestClientFactory,
 ) -> None: