From 82c613a74924447bbb211d55cd49ad1e1eed90ef Mon Sep 17 00:00:00 2001 From: wft-swas Date: Fri, 4 Apr 2025 13:25:57 +0200 Subject: [PATCH 1/2] Pass additional args to callable option cors_allowed_origins If option cors_allowed_origins is callable, pass additional args for default_origins and environ to it. Use try-except to still allow usage of a callback without these additional args. --- src/engineio/base_server.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/engineio/base_server.py b/src/engineio/base_server.py index bfb4165..7992b41 100644 --- a/src/engineio/base_server.py +++ b/src/engineio/base_server.py @@ -303,8 +303,13 @@ def _cors_allowed_origins(self, environ): allowed_origins = [self.cors_allowed_origins] elif callable(self.cors_allowed_origins): origin = environ.get('HTTP_ORIGIN') + try: + is_allowed = self.cors_allowed_origins( + origin, default_origins=default_origins, environ=environ) + except TypeError: + is_allowed = self.cors_allowed_origins(origin) allowed_origins = [origin] \ - if self.cors_allowed_origins(origin) else [] + if is_allowed else [] else: allowed_origins = self.cors_allowed_origins return allowed_origins From e73cc37a07c19482a61f2ddb873dbe507ff71b06 Mon Sep 17 00:00:00 2001 From: Miguel Grinberg Date: Sat, 12 Apr 2025 16:06:32 +0100 Subject: [PATCH 2/2] simplify cors allowed hosts logic --- src/engineio/base_server.py | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/src/engineio/base_server.py b/src/engineio/base_server.py index 7992b41..d2312d0 100644 --- a/src/engineio/base_server.py +++ b/src/engineio/base_server.py @@ -282,21 +282,22 @@ def _unauthorized(self, message=None): 'response': message.encode('utf-8')} def _cors_allowed_origins(self, environ): - default_origins = [] - if 'wsgi.url_scheme' in environ and 'HTTP_HOST' in environ: - default_origins.append('{scheme}://{host}'.format( - scheme=environ['wsgi.url_scheme'], host=environ['HTTP_HOST'])) - if 'HTTP_X_FORWARDED_PROTO' in environ or \ - 'HTTP_X_FORWARDED_HOST' in environ: - scheme = environ.get( - 'HTTP_X_FORWARDED_PROTO', - environ['wsgi.url_scheme']).split(',')[0].strip() - default_origins.append('{scheme}://{host}'.format( - scheme=scheme, host=environ.get( - 'HTTP_X_FORWARDED_HOST', environ['HTTP_HOST']).split( - ',')[0].strip())) if self.cors_allowed_origins is None: - allowed_origins = default_origins + allowed_origins = [] + if 'wsgi.url_scheme' in environ and 'HTTP_HOST' in environ: + allowed_origins.append('{scheme}://{host}'.format( + scheme=environ['wsgi.url_scheme'], + host=environ['HTTP_HOST'])) + if 'HTTP_X_FORWARDED_PROTO' in environ or \ + 'HTTP_X_FORWARDED_HOST' in environ: + scheme = environ.get( + 'HTTP_X_FORWARDED_PROTO', + environ['wsgi.url_scheme']).split(',')[0].strip() + allowed_origins.append('{scheme}://{host}'.format( + scheme=scheme, host=environ.get( + 'HTTP_X_FORWARDED_HOST', + environ['HTTP_HOST']).split( + ',')[0].strip())) elif self.cors_allowed_origins == '*': allowed_origins = None elif isinstance(self.cors_allowed_origins, str): @@ -304,12 +305,10 @@ def _cors_allowed_origins(self, environ): elif callable(self.cors_allowed_origins): origin = environ.get('HTTP_ORIGIN') try: - is_allowed = self.cors_allowed_origins( - origin, default_origins=default_origins, environ=environ) + is_allowed = self.cors_allowed_origins(origin, environ) except TypeError: is_allowed = self.cors_allowed_origins(origin) - allowed_origins = [origin] \ - if is_allowed else [] + allowed_origins = [origin] if is_allowed else [] else: allowed_origins = self.cors_allowed_origins return allowed_origins