I don't feel the list is unnecessary; I have a mailgun proxy app that I whitelist any domains that need access to mailgun. However, the app ~~CAN~~ CAN'T return more than one result (read the code here, it simply checks the request_origin against the list and returns the origin as the access-control-allow-origin header), and should certainly not work if a user fails to supply an origin at all.
Are you able to provide steps to reproduce multiple header records? Even literally putting duplicate records in a list will not produce multiple header records.
As for not providing anything for origins, this is in fact still a bug.
Not sure what the owner would like to do, but setting the default origins to wildcard seems like a bad idea but probably not that big of a deal. IMO just throwing a warning would suffice.
flask-cors/flask_cors/decorator.py
Line 33 in 24c45ce
The value for header Access-Control-Allow-Origin allows one origin, and only one.

When the value is zero origins, or more than 1 origin, produces Reason: CORS header 'Access-Control-Allow-Origin' missing in chrome because it is a malformed (and thus ignored) value for Access-Control-Allow-Origin header.

This means anything other than a single origin for origin attribute is an invalid CORS configuration, and results in the browser having evaluated the page without any valid Access-Control-Allow-Origin header values being sent and default to default same-origin policy without CORS.
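
An added example, not flask-cors code and not written by anyone in this thread, of the behaviour discussed above: the request's Origin is checked against an allow-list and at most one origin is ever placed in Access-Control-Allow-Origin. The function names, the sample origins, exact string matching, and the warn-and-send-nothing handling of an empty list are assumptions made for illustration.

```python
import warnings


def malformed_header(allowed_origins):
    """The broken shape from the issue: every configured origin in one value."""
    return {"Access-Control-Allow-Origin": ", ".join(allowed_origins)}


def cors_headers(allowed_origins, request_origin):
    """Return CORS response headers carrying at most one origin.

    allowed_origins: configured allow-list (exact origin strings, or "*").
    request_origin:  value of the request's Origin header, or None.
    """
    allowed = list(dict.fromkeys(allowed_origins or []))  # drop duplicates
    if not allowed:
        # Empty configuration: warn and send nothing, so the browser keeps
        # the same-origin policy instead of silently widening to "*".
        warnings.warn("no CORS origins configured; no CORS headers sent")
        return {}
    if "*" in allowed:
        return {"Access-Control-Allow-Origin": "*"}
    if request_origin is None or request_origin not in allowed:
        # No Origin header, or an origin that is not on the list.
        # Vary is still set because the response depends on Origin.
        return {"Vary": "Origin"}
    # Echo the single matching origin; Vary stops a cache from serving
    # this response to a different origin.
    return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}


# Constructed sample configuration (note the duplicate entry).
ALLOWED = [
    "https://app.example.com",
    "https://admin.example.com",
    "https://app.example.com",
]

if __name__ == "__main__":
    print("malformed:", malformed_header(ALLOWED))
    for origin in ("https://admin.example.com", "https://other.example.net", None):
        print(origin, "->", cors_headers(ALLOWED, origin))
    print("empty list ->", cors_headers([], "https://app.example.com"))
```
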