Implementation
Skipping OPTIONS globally
from flask import Flask, request, make_response

app = Flask(__name__)

# Whitelist of origins whose OPTIONS requests are answered directly
WHITELIST_DOMAINS = ["https://example.com", "https://another-domain.com"]

@app.before_request
def skip_options_for_whitelisted_domains():
    # Read the origin of the request
    origin = request.headers.get('Origin')
    # Check that the origin is whitelisted and the method is OPTIONS
    if origin in WHITELIST_DOMAINS and request.method == 'OPTIONS':
        # Build an empty response and return it immediately
        response = make_response('')
        response.status_code = 204
        response.headers['Access-Control-Allow-Origin'] = origin
        response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS'
        response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
        response.headers['Access-Control-Allow-Credentials'] = 'true'
        return response
Implementing it in a blueprint
If you use blueprints, you can implement the same logic in the blueprint's before_request hook:
from flask import Blueprint, request, make_response

api_views = Blueprint('api_views', __name__)

# Whitelist of origins whose OPTIONS requests are answered directly
WHITELIST_DOMAINS = ["https://example.com", "https://another-domain.com"]

@api_views.before_request
def skip_options_for_whitelisted_domains():
    # Runs only for requests routed to this blueprint
    origin = request.headers.get('Origin')
    if origin in WHITELIST_DOMAINS and request.method == 'OPTIONS':
        response = make_response('')
        response.status_code = 204
        response.headers['Access-Control-Allow-Origin'] = origin
        response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS'
        response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
        response.headers['Access-Control-Allow-Credentials'] = 'true'
        return response
Then register the blueprint in the main file:
from flask import Flask
from api_views import api_views

app = Flask(__name__)
app.register_blueprint(api_views)

if __name__ == '__main__':
    # debug=True turns on the interactive debugger; local development only
    app.run(debug=True)
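Notes
Whitelist domain format
Make sure each entry in the whitelist has the same format as the value of the Origin header, including the scheme (http:// or https://).
For example, https://example.com and http://example.com are different.
CORS configuration
Even when the OPTIONS request is skipped, the actual request (GET, POST, and so on) must still meet the cross-origin requirements.
Security
Make sure the whitelisted domains are trusted, so that unauthorized domains cannot bypass verification.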
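
The CORS configuration note above, as an added example that is not code from the original page: an after_request hook puts the CORS headers on the actual responses as well as the preflight, and Flask's test client shows that only exact whitelist matches receive them. ALLOWED_ORIGINS, the /api/items route and the probe helper are assumptions made for the demonstration.

```python
from flask import Flask, jsonify, request

# Constructed allowlist: exact scheme://host[:port] strings, as sent in Origin.
ALLOWED_ORIGINS = frozenset({"https://example.com", "https://another-domain.com"})


def create_app():
    app = Flask(__name__)

    @app.before_request
    def answer_preflight():
        # A real preflight is OPTIONS plus Access-Control-Request-Method.
        if (request.method == "OPTIONS"
                and request.headers.get("Access-Control-Request-Method")
                and request.headers.get("Origin") in ALLOWED_ORIGINS):
            return "", 204  # CORS headers are attached in add_cors_headers
        return None

    @app.after_request
    def add_cors_headers(response):
        origin = request.headers.get("Origin")
        # The headers depend on Origin, so caches must key on it.
        response.headers.add("Vary", "Origin")
        if origin in ALLOWED_ORIGINS:
            response.headers["Access-Control-Allow-Origin"] = origin
            response.headers["Access-Control-Allow-Credentials"] = "true"
            if request.method == "OPTIONS":
                response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS"
                response.headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
        return response

    @app.route("/api/items")  # hypothetical route
    def items():
        return jsonify(items=[])

    return app


def probe(method, origin, preflight=False):
    """Send one request via the test client; return (status, Allow-Origin value)."""
    headers = {"Origin": origin}
    if preflight:
        headers["Access-Control-Request-Method"] = "GET"
    resp = create_app().test_client().open("/api/items", method=method, headers=headers)
    return resp.status_code, resp.headers.get("Access-Control-Allow-Origin")


if __name__ == "__main__":
    for origin in ("https://example.com", "http://example.com", "https://evil.example"):
        print(origin, probe("OPTIONS", origin, preflight=True), probe("GET", origin))
```

A response without Access-Control-Allow-Origin is still produced by the server; the browser only refuses to expose it to the calling page, so authentication and authorization on the route remain necessary.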