Merge pull request #483 from erans/master

Feature: Updated more fine grained support for CORS in QueryResultAPI
getredash · Jul 13, 2015 · 3c9c146 · 3c9c146
2 parents 666e328 + 4a7c066
commit 3c9c146
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 10 deletions.
diff --git a/redash/controllers.py b/redash/controllers.py
@@ -489,20 +489,26 @@ def csv_response(query_result):
         return make_response(s.getvalue(), 200, headers)
 
     @staticmethod
-    def add_access_control_allow_origin_header(headers):
+    def add_cors_headers(headers):
         if 'Origin' in request.headers:
             origin = request.headers['Origin']
 
-            if origin in settings.QUERIES_RESULT_CORS:
+            if origin in settings.ACCESS_CONTROL_ALLOW_ORIGIN:
                 headers['Access-Control-Allow-Origin'] = origin
-                headers['Access-Control-Allow-Credentials'] = 'true'
-                if request.method == 'OPTIONS':
-                    headers['Access-Control-Request-Method'] = 'GET, POST, PUT'
-                    headers['Access-Control-Allow-Headers'] = 'Content-Type'
+                headers['Access-Control-Allow-Credentials'] = str(settings.ACCESS_CONTROL_ALLOW_CREDENTIALS).lower()
 
     @require_permission('view_query')
     def options(self, query_id=None, query_result_id=None, filetype='json'):
-        self.add_access_control_allow_origin_header(request.headers)
+        headers = {}
+        self.add_cors_headers(headers)
+
+        if settings.ACCESS_CONTROL_REQUEST_METHOD:
+            headers['Access-Control-Request-Method'] = settings.ACCESS_CONTROL_REQUEST_METHOD
+
+        if settings.ACCESS_CONTROL_ALLOW_HEADERS:
+            headers['Access-Control-Allow-Headers'] = settings.ACCESS_CONTROL_ALLOW_HEADERS
+
+        return make_response("", 200, headers)
 
     @require_permission('view_query')
     def get(self, query_id=None, query_result_id=None, filetype='json'):
@@ -535,8 +541,8 @@ def get(self, query_id=None, query_result_id=None, filetype='json'):
 
             headers = {}
 
-            if len(settings.QUERIES_RESULT_CORS) > 0:
-                self.add_access_control_allow_origin_header(headers)
+            if len(settings.ACCESS_CONTROL_ALLOW_ORIGIN) > 0:
+                self.add_cors_headers(headers)
 
             if filetype == 'json':
                 data = json.dumps({'query_result': query_result.to_dict()}, cls=utils.JSONEncoder)

diff --git a/redash/settings.py b/redash/settings.py
@@ -81,7 +81,13 @@ def parse_boolean(str):
 CLIENT_SIDE_METRICS = parse_boolean(os.environ.get("REDASH_CLIENT_SIDE_METRICS", "false"))
 ANALYTICS = os.environ.get("REDASH_ANALYTICS", "")
 
-QUERIES_RESULT_CORS = set_from_string(os.environ.get("REDASH_QUERIES_RESULT_CORS", ""))
+# CORS settings for the Query Result API (and possbily future external APIs).
+# In most cases all you need to do is set REDASH_CORS_ACCESS_CONTROL_ALLOW_ORIGIN
+# to the calling domain (or domains in a comma separated list).
+ACCESS_CONTROL_ALLOW_ORIGIN = set_from_string(os.environ.get("REDASH_CORS_ACCESS_CONTROL_ALLOW_ORIGIN", ""))
+ACCESS_CONTROL_ALLOW_CREDENTIALS = parse_boolean(os.environ.get("REDASH_CORS_ACCESS_CONTROL_ALLOW_CREDENTIALS", "false"))
+ACCESS_CONTROL_REQUEST_METHOD = os.environ.get("REDASH_CORS_ACCESS_CONTROL_REQUEST_METHOD", "GET, POST, PUT")
+ACCESS_CONTROL_ALLOW_HEADERS = os.environ.get("REDASH_CORS_ACCESS_CONTROL_ALLOW_HEADERS", "Content-Type")
 
 # Query Runners
 QUERY_RUNNERS = array_from_string(os.environ.get("REDASH_ENABLED_QUERY_RUNNERS", ",".join([