86
86
if EXTRA_CORS_ALLOWED_ORIGINS :
87
87
ALLOWED_CORS_ORIGINS += EXTRA_CORS_ALLOWED_ORIGINS .split ("," )
88
88
89
+ ACL_REQUEST_PRIVATE_NETWORK = "Access-Control-Request-Private-Network"
90
+ ACL_ALLOW_PRIVATE_NETWORK = "Access-Control-Allow-Private-Network"
91
+
89
92
LOG = logging .getLogger (__name__ )
90
93
91
94
@@ -97,17 +100,21 @@ class CorsEnforcer(Handler):
97
100
"""
98
101
99
102
def __call__ (self , chain : HandlerChain , context : RequestContext , response : Response ) -> None :
100
- if (
101
- not config . DISABLE_CORS_CHECKS
102
- and self .should_enforce_self_managed_service ( context )
103
- and not self . is_cors_origin_allowed ( context .request .headers )
103
+ if not self . should_enforce_self_managed_service ( context ):
104
+ return
105
+ if not config . DISABLE_CORS_CHECKS and not self .is_cors_origin_allowed (
106
+ context .request .headers
104
107
):
105
108
LOG .info (
106
109
"Blocked CORS request from forbidden origin %s" ,
107
110
context .request .headers .get ("origin" ) or context .request .headers .get ("referer" ),
108
111
)
109
112
response .status_code = 403
110
113
chain .terminate ()
114
+ elif context .request .method == "OPTIONS" and not config .DISABLE_PREFLIGHT_PROCESSING :
115
+ # we want to return immediately here, but we do not want to omit our response chain for cors headers
116
+ response .status_code = 204
117
+ chain .stop ()
111
118
112
119
@staticmethod
113
120
def should_enforce_self_managed_service (context : RequestContext ) -> bool :
@@ -177,6 +184,11 @@ def __call__(self, chain: HandlerChain, context: RequestContext, response: Respo
177
184
headers [ACL_ALLOW_HEADERS ] = "," .join ([h for h in requested_headers if h ])
178
185
if ACL_EXPOSE_HEADERS not in headers :
179
186
headers [ACL_EXPOSE_HEADERS ] = "," .join (CORS_EXPOSE_HEADERS )
187
+ if (
188
+ request_headers .get (ACL_REQUEST_PRIVATE_NETWORK ) == "true"
189
+ and ACL_ALLOW_PRIVATE_NETWORK not in headers
190
+ ):
191
+ headers [ACL_ALLOW_PRIVATE_NETWORK ] = "true"
180
192
181
193
for header in ALLOWED_CORS_RESPONSE_HEADERS :
182
194
if headers .get (header ) == "" :
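Review bot: The new `Access-Control-Allow-Private-Network: true` grant at new lines 187-191 is conditioned only on the request asking for it, so nothing visible in this hunk ties it to the origin having passed the allow-list. This header is the server's opt-in that lets a page served from a public site reach a service on a private network or loopback address, so it should only be emitted for origins the allow-list accepts, including when `config.DISABLE_CORS_CHECKS` switches off the enforcer's 403. The enclosing `__call__` starts above the hunk and may already return early for disallowed origins. If it does, I would record that with a comment such as `# Private Network Access opt-in; only reached after the origin check above`, and if it does not, the branch should be gated on that check. A test that sends `Access-Control-Request-Private-Network: true` from a non-allowed origin and asserts the response header is absent would pin the behaviour down.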