github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

--cors Access-Control-Max-Age: 3600, closes #2079

Browse source
This commit is contained in:
Simon Willison 2023-05-25 15:05:58 -07:00
commit b49fa446d6
3 changed files with 20 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

1
datasette/utils/__init__.py
View file

@ -1141,6 +1141,7 @@ def add_cors_headers(headers):
headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
headers["Access-Control-Expose-Headers"] = "Link"
headers["Access-Control-Allow-Methods"] = "GET, POST, HEAD, OPTIONS"
headers["Access-Control-Max-Age"] = "3600"
_TILDE_ENCODING_SAFE = frozenset(

18
docs/json_api.rst
View file

@ -454,12 +454,28 @@ Enabling CORS
-------------
If you start Datasette with the ``--cors`` option, each JSON endpoint will be
served with the following additional HTTP headers::
served with the following additional HTTP headers:
.. [[[cog
from datasette.utils import add_cors_headers
import textwrap
headers = {}
add_cors_headers(headers)
output = "\n".join("{}: {}".format(k, v) for k, v in headers.items())
cog.out("\n::\n\n")
cog.out(textwrap.indent(output, ' '))
cog.out("\n\n")
.. ]]]
::
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Expose-Headers: Link
Access-Control-Allow-Methods: GET, POST, HEAD, OPTIONS
Access-Control-Max-Age: 3600
.. [[[end]]]
This allows JavaScript running on any domain to make cross-origin
requests to interact with the Datasette API.

2
tests/test_api.py
View file

@ -941,6 +941,7 @@ def test_cors(
assert (
response.headers["Access-Control-Allow-Methods"] == "GET, POST, HEAD, OPTIONS"
)
assert response.headers["Access-Control-Max-Age"] == "3600"
# Same request to app_client_two_attached_databases_one_immutable
# should not have those headers - I'm using that fixture because
# regular app_client doesn't have immutable fixtures.db which means
@ -951,6 +952,7 @@ def test_cors(
assert "Access-Control-Allow-Headers" not in response.headers
assert "Access-Control-Expose-Headers" not in response.headers
assert "Access-Control-Allow-Methods" not in response.headers
assert "Access-Control-Max-Age" not in response.headers
@pytest.mark.parametrize(