I am having some trouble getting Flask CORS to whitelist certain domains from being able to do a POST request. I am making a curl request from www.google.com but making the domain googl.com to confirm the post.

Currently every single POST is allowed in, as the response to my curl is "Access-Control-Allow-Origin: *".

I just want to be able to make sure only a set domain can make the POST request.

    @app.route('/api/userreset', methods=['POST'])
    @cross_origin(origins='http://www.googl.com')  # Flask-CORS keyword is "origins"; "origin" is logged as an unknown option and ignored
    def resetFunction():
        ...  # handler body not shown in the post


    curl --header "Content-Type: application/json" --header "Origin: http://www.google.com" --request POST --verbose --data '{"email":"test@example.com"}' http://0.0.0.0:8080/api/userreset

I also tried the below which did nothing:

    cors = CORS(app, resources={r"/api/*": {"origins": "http://www.googl.com"}})

The reply from the POST is as follows:

    *   Trying 0.0.0.0...
    * TCP_NODELAY set
    * Connected to 0.0.0.0 (127.0.0.1) port 8080 (#0)
    > POST /api/userreset HTTP/1.1
    > Host: 0.0.0.0:8080
    > User-Agent: curl/7.64.1
    > Accept: */*
    > Content-Type: application/json
    > Content-Length: 219
    > 
    * upload completely sent off: 219 out of 219 bytes
    * HTTP 1.0, assume close after body
    < HTTP/1.0 200 OK
    < Content-Type: text/html; charset=utf-8
    < Content-Length: 55
    < Access-Control-Allow-Origin: *
    < Server: Werkzeug/0.16.0 Python/3.8.0
    < Date: Mon, 16 Dec 2019 02:21:49 GMT

learncodes123

1 Answer

The CORS headers tell the browser which domains it is permitted to access. This is not intended to restrict the access to the server completely, but tells the browser which domains it is allowed to access the server from. It is still up to the browser to obey that. If you do this from CURL it will always work because curl does not enforce CORS like a browser would.

Hippocrates

  • OK, so I am using Postman also with the same results. There is no way to limit to domain via flask_cors? Or that IP whitelisting can be ignored anyway and is generally not a 100% safe way to lock down to a single domain request? – learncodes123 Dec 16 '19 at 03:11
  • From my understanding after seeing your reply, curl ignores CORS as CORS is for browsers, and really the API needs authentication to be secure, or like any open API any request can get a response or POST if I have POST open. – learncodes123 Dec 16 '19 at 03:47
  • Postman is basically a GUI for curl. No, I would not count on CORS to restrict access to a certain domain. There isn't necessarily going to be a reliable domain name incoming which you can validate, but there is an IP. It sounds like that would get you closest to what you're looking for, but it's not ideal unless you have control of the address space and are sure it will remain static. The best approach is to use some auth mechanism. There are too many to list, but basic auth, digest auth, API tokens, OAuth, and two-way TLS are all common. – Hippocrates Dec 16 '19 at 03:49
  • Yeah, unfortunately I don't control the domain that the request comes from, but that is an option I could try looking at. Thanks! – learncodes123 Dec 16 '19 at 03:52
  • Yes, that's right. Looking at your example again, if this user reset endpoint is to be hit by a browser, without authentication, and this API is on another domain than the page making the request, then you are on the right track. You need the CORS headers for this to work, and the browser should block requests if the CORS headers are not right. However, curl and Postman are still gonna work, and people can use the endpoint from code or by changing browser security settings etc. – Hippocrates Dec 16 '19 at 03:52
  • I was able to whitelist the domain and learned about how CORS covers browsers only. Thanks for the help. – learncodes123 Dec 16 '19 at 05:22
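The following is an added example illustrating the answer and the comment above about authentication; it is not code from the question, from Flask-CORS, or from the asker's application. It uses only the Python standard library (a small `http.server` handler instead of Flask) so it runs without dependencies: `cors_header_for` mirrors what an `origins=` allow-list does, which is only to decide whether `Access-Control-Allow-Origin` is emitted, while `is_authorized` is the check that actually refuses callers. The allow-list, the bearer token, and the endpoint path are constructed assumptions. The requests are sent with `urllib`, which, like curl and Postman, ignores CORS entirely, so the allow-listed origin still gets a 401 without a token and a non-listed origin still gets a 200 with one.

```python
"""Added example (not code from the question or from Flask-CORS): a stdlib
HTTP server that applies an origin allow-list the way a CORS library does,
i.e. it only decides whether to emit Access-Control-Allow-Origin, and that
separately requires a bearer token, which is what actually restricts access.
Requests are sent with urllib, which, like curl and Postman, ignores CORS."""
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

ALLOWED_ORIGINS = {"http://www.googl.com"}   # constructed allow-list (assumption)
API_TOKEN = "constructed-demo-token"          # constructed secret (assumption)


def cors_header_for(request_origin):
    """Value for Access-Control-Allow-Origin, or None if none should be sent.

    Mirrors origins=[...] in Flask-CORS: the header is echoed only when the
    Origin the browser supplied is on the allow-list. Nothing is rejected
    here; acting on the header is the browser's job, not the server's.
    """
    return request_origin if request_origin in ALLOWED_ORIGINS else None


def is_authorized(authorization_header):
    """Real access control: the caller must present the bearer token."""
    prefix = "Bearer "
    if not authorization_header or not authorization_header.startswith(prefix):
        return False
    return hmac.compare_digest(authorization_header[len(prefix):], API_TOKEN)


class ResetHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != "/api/userreset":   # constructed endpoint path
            self.send_error(404)
            return
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # body unused here
        acao = cors_header_for(self.headers.get("Origin"))
        if is_authorized(self.headers.get("Authorization")):
            status, body = 200, {"status": "reset email queued"}
        else:
            status, body = 401, {"error": "unauthorized"}
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        if acao:
            self.send_header("Access-Control-Allow-Origin", acao)
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    server = HTTPServer(("127.0.0.1", 0), ResetHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post(server, origin=None, token=None):
    """POST like curl would; return (status, Access-Control-Allow-Origin or None)."""
    url = "http://127.0.0.1:%d/api/userreset" % server.server_address[1]
    headers = {"Content-Type": "application/json"}
    if origin:
        headers["Origin"] = origin
    if token:
        headers["Authorization"] = "Bearer " + token
    req = Request(url, data=b'{"email":"test@example.com"}', headers=headers, method="POST")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Access-Control-Allow-Origin")
    except HTTPError as err:
        return err.code, err.headers.get("Access-Control-Allow-Origin")


def demo():
    server = start_server()
    try:
        return {
            # Allow-listed Origin, no token: the CORS header is sent, yet the
            # request is refused, because the token check is the real gate.
            "allowed_origin_no_token": post(server, origin="http://www.googl.com"),
            # Origin not on the list, valid token: no CORS header, but the
            # server still processes the request. CORS blocked nothing.
            "other_origin_with_token": post(server, origin="http://www.google.com", token=API_TOKEN),
            # No Origin at all (curl without --header "Origin: ..."): same outcome.
            "no_origin_with_token": post(server, token=API_TOKEN),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the block prints one line per case: the allow-listed origin without a token gets `(401, 'http://www.googl.com')`, and both token-bearing requests get `(200, None)` regardless of their Origin. That is the whole point of the answer: the server never refuses a request because of its Origin; it only tells a browser whether to expose the response, and only a credential check decides who may trigger the reset.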