# asgi-cors
[](https://pypi.org/project/asgi-cors/)
[](https://circleci.com/gh/simonw/asgi-cors)
[](https://github.com/simonw/asgi-cors/blob/master/LICENSE)
ASGI middleware for applying CORS headers to an ASGI application.
## Installation
pip install asgi-cors
## Some background on CORS
CORS stands for Cross-Origin Resource Sharing. It is a web standard that allows applications to opt-in to allowing JavaScript running on other domains to make `fetch()` calls that can retrieve data from the application.
See [MDN's CORS article](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) for more background.
The easiest way to allow scripts running on other domains to access data from an application is to add the following HTTP header:
Access-Control-Allow-Origin: *
This will allow scripts running on ANY domain to make `fetch()` calls against the application. For public data this is often fine, but there are situations where this may not be what you want to do: one example might be code that runs behind a VPN and needs to allow specific, trusted hosts to load data without opening itself up to every site on the internet.
For these cases, the server needs to inspect the Origin header from the client and return that Origin in the above header. For example, an incoming request from `http://localhost:8000` might be judged as trusted - in which case the application server needs to reply like so:
Access-Control-Allow-Origin: http://localhost:8000
Note that the `Access-Control-Allow-Origin` header can only return a single value. This means that if you want to allow requests from multiple origins you need to dynamically whitelist those origins and return a different header value depending on the incoming request.
Additionally if specific HTTP methods should be allowed an application should add:
Access-Control-Allow-Methods: GET, OPTIONS
Here `GET` and `OPTIONS` are allowed.
Similarly specific headers can be allowed:
Access-Control-Allow-Headers: content-type, Authorization
In this case `content-type` and `Authorization` headers are allowed to be sent to the server in a CORS request.
## How to use this middleware
We will assume you have an existing ASGI app, in a variable called `app`.
First, import the `asgi_cors` function:
from asgi_cors import asgi_cors
To enable CORS headers for everywhere (by adding the `Access-Control-Allow-Origin: *` header to every request), do this:
app = asgi_cors(app, allow_all=True)
If you wish to only allow it from a specific host, use the following:
app = asgi_cors(app, hosts=[
"https://www.example.com"
])
Now JavaScript executing on https://www.example.com will be able to call your API. You can test this out by opening up example.com in your browser, opening your browser's devtools console and pasting in the following JavaScript:
fetch("https://your-api.com/").then(r => r.json()).then(d => console.log(d))
You can include multiple hosts in the list.
Finally, if you want to open your application up to requests from a wildcard-defined selection of hosts, use the following:
app = asgi_cors(app, host_wildcards=[
"http://localhost:800*",
"http://*.example.com"
])
This will enable access from any JavaScript running on a local host server on ports 8000 through 8009 - or from any subdomain of example.com.
If you need to do something more complicated that cannot be expressed using the `hosts=` or `host_wildcards=` parameters, you can use `callback=` to specify a custom function. For example:
def validate_origin(origin):
return origin.startswith("https://")
app = asgi_cors(app, callback=validate_origin)
Your callback function will be passed the `Origin` header that was passed in by the browser.
To add specific allowed headers or methods you can specify them with the `headers=` and `methods=` parameters:
app = asgi_cors(app, methods=[
"GET", "OPTIONS"
], headers=[
"Authorization","content-type"
])
## Using the middleware as a decorator
If you are defining your ASGI application directly as a function, you can use the `asgi_cors_decorator` function decorator like so:
from asgi_cors import asgi_cors_decorator
@asgi_cors_decorator(allow_all=True)
async def my_asgi_app(scope, recieve, send):
# Your app goes here
Raw data
{
"_id": null,
"home_page": "https://github.com/simonw/asgi-cors",
"name": "asgi-cors-graphql",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "",
"author": "Simon Willison",
"author_email": "",
"download_url": "",
"platform": null,
"description": "# asgi-cors\n\n[](https://pypi.org/project/asgi-cors/)\n[](https://circleci.com/gh/simonw/asgi-cors)\n[](https://github.com/simonw/asgi-cors/blob/master/LICENSE)\n\nASGI middleware for applying CORS headers to an ASGI application.\n\n## Installation\n\n pip install asgi-cors\n\n## Some background on CORS\n\nCORS stands for Cross-Origin Resource Sharing. It is a web standard that allows applications to opt-in to allowing JavaScript running on other domains to make `fetch()` calls that can retrieve data from the application.\n\nSee [MDN's CORS article](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) for more background.\n\nThe easiest way to allow scripts running on other domains to access data from an application is to add the following HTTP header:\n\n Access-Control-Allow-Origin: *\n\nThis will allow scripts running on ANY domain to make `fetch()` calls against the application. For public data this is often fine, but there are situations where this may not be what you want to do: one example might be code that runs behind a VPN and needs to allow specific, trusted hosts to load data without opening itself up to every site on the internet.\n\nFor these cases, the server needs to inspect the Origin header from the client and return that Origin in the above header. For example, an incoming request from `http://localhost:8000` might be judged as trusted - in which case the application server needs to reply like so:\n\n Access-Control-Allow-Origin: http://localhost:8000\n\nNote that the `Access-Control-Allow-Origin` header can only return a single value. This means that if you want to allow requests from multiple origins you need to dynamically whitelist those origins and return a different header value depending on the incoming request.\n\nAdditionally if specific HTTP methods should be allowed an application should add:\n\n Access-Control-Allow-Methods: GET, OPTIONS\n\nHere `GET` and `OPTIONS` are allowed.\n\nSimilarly specific headers can be allowed:\n\n Access-Control-Allow-Headers: content-type, Authorization\n\nIn this case `content-type` and `Authorization` headers are allowed to be sent to the server in a CORS request.\n\n## How to use this middleware\n\nWe will assume you have an existing ASGI app, in a variable called `app`.\n\nFirst, import the `asgi_cors` function:\n\n from asgi_cors import asgi_cors\n\nTo enable CORS headers for everywhere (by adding the `Access-Control-Allow-Origin: *` header to every request), do this:\n\n app = asgi_cors(app, allow_all=True)\n\nIf you wish to only allow it from a specific host, use the following:\n\n app = asgi_cors(app, hosts=[\n \"https://www.example.com\"\n ])\n\nNow JavaScript executing on https://www.example.com will be able to call your API. You can test this out by opening up example.com in your browser, opening your browser's devtools console and pasting in the following JavaScript:\n\n fetch(\"https://your-api.com/\").then(r => r.json()).then(d => console.log(d))\n\nYou can include multiple hosts in the list.\n\nFinally, if you want to open your application up to requests from a wildcard-defined selection of hosts, use the following:\n\n app = asgi_cors(app, host_wildcards=[\n \"http://localhost:800*\",\n \"http://*.example.com\"\n ])\n\nThis will enable access from any JavaScript running on a local host server on ports 8000 through 8009 - or from any subdomain of example.com.\n\nIf you need to do something more complicated that cannot be expressed using the `hosts=` or `host_wildcards=` parameters, you can use `callback=` to specify a custom function. For example:\n\n def validate_origin(origin):\n return origin.startswith(\"https://\")\n\n app = asgi_cors(app, callback=validate_origin)\n\nYour callback function will be passed the `Origin` header that was passed in by the browser.\n\nTo add specific allowed headers or methods you can specify them with the `headers=` and `methods=` parameters:\n\n app = asgi_cors(app, methods=[\n \"GET\", \"OPTIONS\"\n ], headers=[\n \"Authorization\",\"content-type\"\n ])\n\n\n## Using the middleware as a decorator\n\nIf you are defining your ASGI application directly as a function, you can use the `asgi_cors_decorator` function decorator like so:\n\n from asgi_cors import asgi_cors_decorator\n\n\n @asgi_cors_decorator(allow_all=True)\n async def my_asgi_app(scope, recieve, send):\n # Your app goes here\n\n\n",
"bugtrack_url": null,
"license": "Apache License, Version 2.0",
"summary": "ASGI middleware for applying CORS headers to an ASGI application",
"version": "0.3",
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "e64f377240eea7c89aaa86ad542265faeef0f7beca6bb37078a706b3aeab5398",
"md5": "1214b8cf24ec62ccea89d2dfd5bbd875",
"sha256": "474c0294d8ffbb1b71470d7dc0bb1d97d5792f2904923dacf0fee3281a45096e"
},
"downloads": -1,
"filename": "asgi_cors_graphql-0.3-py3-none-any.whl",
"has_sig": false,
"md5_digest": "1214b8cf24ec62ccea89d2dfd5bbd875",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 8221,
"upload_time": "2023-01-30T05:36:02",
"upload_time_iso_8601": "2023-01-30T05:36:02.945232Z",
"url": "https://files.pythonhosted.org/packages/e6/4f/377240eea7c89aaa86ad542265faeef0f7beca6bb37078a706b3aeab5398/asgi_cors_graphql-0.3-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-01-30 05:36:02",
"github": true,
"gitlab": false,
"bitbucket": false,
"github_user": "simonw",
"github_project": "asgi-cors",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"circle": true,
"lcname": "asgi-cors-graphql"
}
JSON
