Provide a configuration option to control automatic option responses #5496

Merged
merged 1 commit into from
Jun 7, 2024


pgjones
Member

@pgjones pgjones commented Jun 5, 2024

By default Flask will provide responses to OPTIONS requests that are automatically generated. These responses list the valid methods in the response headers. Whilst this is useful, it can be frowned on by auditors hence an ability to disable it wholesale is useful.

@davidism
Member

davidism commented Jun 6, 2024

Does this make sense as a config option? Lately I've been tending to use init params instead of config unless it actually makes sense to change something per deployment. (And you could still change it per deployment, you'd just have to do it manually in the app factory.) It seems like you'd either want automatic options or not.

How would this interact with Response CORS attributes/headers, the Flask-CORS extension, or OpenAPI extensions?

@pgjones
Member Author

pgjones commented Jun 7, 2024

> Does this make sense as a config option?

I would probably have different values in development and production given the information is useful in development. I do this via environment variables and the config.from_prefixed_env, so a config variable would be the easiest. I'd also argue it is more consistent with the other Flask options.

> How would this interact with Response CORS attributes/headers, the Flask-CORS extension, or OpenAPI extensions?

I think these would manage the OPTIONS responses directly anyway and this could make it easier to turn off the Flask default, e.g. Flask-CORS.

@davidism davidism added this to the 3.1.0 milestone Jun 7, 2024
@pgjones pgjones merged commit d718ecf into pallets:main Jun 7, 2024
14 checks passed
@pgjones pgjones deleted the options branch June 7, 2024 19:04
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 22, 2024