@davidism
Last active March 11, 2022 17:23
Flask WTF CSRF with CORS
<!-- executing from http://localhost.localdomain:63342 -->
<script src="https://code.jquery.com/jquery-3.1.1.min.js"></script>
<script>
// Step 1: GET the token. withCredentials makes the browser attach (and
// store) the Flask session cookie on this cross-origin request; without it
// the token would land in a session the later POST never presents.
$.ajax({
    url: 'http://localhost.localdomain:5000/',
    xhrFields: {
        withCredentials: true
    },
    success: function (data) {
        // Step 2: POST the token back in the header Flask-WTF checks.
        // The custom header makes the browser send a CORS preflight first,
        // which the server's Access-Control-Allow-Headers must approve.
        $.post({
            url: 'http://localhost.localdomain:5000/',
            headers: {
                'X-CSRFToken': data.csrf_token
            },
            xhrFields: {
                withCredentials: true
            }
        });
    }
});
</script>

from flask import Flask, jsonify, session
from flask_wtf.csrf import CSRFProtect, generate_csrf

app = Flask(__name__)
app.secret_key = 'dev'  # signs the session cookie; use a real random value outside a demo
csrf = CSRFProtect(app)  # rejects POST/PUT/PATCH/DELETE without a valid X-CSRFToken

@app.after_request
def add_cors(rv):
    # A credentialed CORS response must name the exact origin; browsers
    # refuse '*' when Access-Control-Allow-Credentials is true.
    rv.headers.add('Access-Control-Allow-Origin', 'http://localhost.localdomain:63342')
    # The custom token header has to be approved in the preflight response.
    rv.headers.add('Access-Control-Allow-Headers', 'X-CSRFToken')
    rv.headers.add('Access-Control-Allow-Credentials', 'true')
    return rv

@app.route('/', methods=['GET', 'POST'])
def index():
    print(session)  # debug: shows whether the cookie-backed session arrived
    csrf_token = generate_csrf()  # stores the token in the session and returns it
    return jsonify(csrf_token=csrf_token)

if __name__ == '__main__':
    # Serve on the same host name the page uses, so the session cookie set
    # here is sent back on the withCredentials requests.
    app.run('localhost.localdomain', use_reloader=True)
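The request flow the two files above exercise, as an added example that is not part of the gist: a stdlib-only model of the server side, with no Flask dependency so it runs on its own. The `cors_headers`, `handle` and `client_flow` names are assumptions, and the random per-session token is a simplification of the signed token Flask-WTF's `generate_csrf()` issues. It generalizes the gist's single hard-coded origin to an allow-list, validates the preflight that the custom header triggers, and shows why a page on some other origin cannot complete the POST: it never gets to read the token.

```python
import hmac
import secrets

# Constructed policy; the gist allows exactly this one origin.
ALLOWED_ORIGINS = {"http://localhost.localdomain:63342"}
ALLOWED_METHODS = {"GET", "POST"}
CSRF_HEADER = "X-CSRFToken"  # header name Flask-WTF accepts by default
PROTECTED_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def cors_headers(method, headers, allowed_origins=ALLOWED_ORIGINS):
    """Return the CORS response headers for one request.

    {}   -> no Origin header: same-origin or non-browser client, add nothing.
    None -> Origin not allowed, or a preflight asking for a method/header we
            do not permit: send no CORS headers so the browser blocks it.
    """
    origin = headers.get("Origin")
    if origin is None:
        return {}
    if origin not in allowed_origins:
        return None
    out = {
        # Echo the one matching origin; '*' is invalid with credentials.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Caches must key on Origin once more than one origin is allowed.
        "Vary": "Origin",
    }
    if method == "OPTIONS":
        # Preflight: the custom X-CSRFToken header is what triggers it.
        want_method = headers.get("Access-Control-Request-Method", "GET")
        raw = headers.get("Access-Control-Request-Headers", "")
        want_headers = {h.strip().lower() for h in raw.split(",") if h.strip()}
        if want_method not in ALLOWED_METHODS or not want_headers <= {CSRF_HEADER.lower()}:
            return None
        out["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        out["Access-Control-Allow-Headers"] = CSRF_HEADER
    return out


def handle(method, headers, session):
    """Model of the gist's index() view: returns (status, body, headers).

    `session` stands in for the Flask session bound to the client's cookie.
    The token is a random secret kept in that session (assumed simplification
    of the signed token Flask-WTF produces).
    """
    cors = cors_headers(method, headers) or {}
    if method == "OPTIONS":
        return 204, {}, cors
    if method in PROTECTED_METHODS:
        # Flask-WTF rejects before the view runs; same ordering here.
        sent = headers.get(CSRF_HEADER, "")
        expected = session.get("csrf_token", "")
        if not expected or not hmac.compare_digest(sent, expected):
            return 400, {"error": "The CSRF token is missing or invalid."}, cors
    token = session.setdefault("csrf_token", secrets.token_urlsafe(32))
    return 200, {"csrf_token": token}, cors


def client_flow(origin):
    """Replay the gist's page from `origin`: GET the token, preflight, POST it.

    Returns (get_status, get_readable, preflight_status, preflight_ok,
    post_status); "readable" means CORS headers were present, i.e. the page's
    script was allowed to see the response body.
    """
    session = {}  # one cookie jar, hence one session, for the whole flow
    get_status, body, get_hdrs = handle("GET", {"Origin": origin}, session)
    readable = "Access-Control-Allow-Origin" in get_hdrs
    pre_status, _, pre_hdrs = handle("OPTIONS", {
        "Origin": origin,
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": CSRF_HEADER,
    }, session)
    preflight_ok = "Access-Control-Allow-Headers" in pre_hdrs
    # A script can only attach the token if the browser let it read it.
    token = body["csrf_token"] if readable else ""
    post_status, _, _ = handle("POST", {"Origin": origin, CSRF_HEADER: token}, session)
    return get_status, readable, pre_status, preflight_ok, post_status
```

Note that the gist works with the browser's default cookie handling only because `localhost.localdomain:63342` and `localhost.localdomain:5000` are same-site (same registrable domain and scheme, different port). If the page were served from a different registrable domain, the session cookie would need `SameSite=None; Secure`, and the allow-list above would have to name that origin exactly.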