-
Notifications
You must be signed in to change notification settings - Fork 14.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Configurable API response (CORS) headers #13620
Configurable API response (CORS) headers #13620
Conversation
The Workflow run is cancelling this PR. Building images for the PR has failed. Follow the the workflow link to check the reason. |
Thanks for the input @mik-laj! Ash helped me work out the handler registration. re: |
Probably add it when we/someone have a use case for it then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CI just failed with a backfill job 137-error, unrelated.
The PR most likely needs to run full matrix of tests because it modifies parts of the core of Airflow. However, committers might decide to merge it quickly and take the risk. If they don't merge it quickly - please rebase it to the latest master at your convenience, or amend the last commit of the PR, and push it with --force-with-lease. |
Employing the newly improved REST API from an independent web application is currently prohibited by browsers due to the lack of CORS (Cross-Origin Resource Sharing) headers in the API response.
This PR adds 3 configuration options to add the following headers:
Access-Control-Allow-Headers
viaAIRFLOW__API__ACCESS_CONTROL_ALLOW_HEADERS
Access-Control-Allow-Methods
viaAIRFLOW__API__ACCESS_CONTROL_ALLOW_METHODS
Access-Control-Allow-Origin
viaAIRFLOW__API__ACCESS_CONTROL_ALLOW_ORIGIN
This only covers a minimum of all potential headers that could be utilized, but the added
set_cors_headers_on_response
function establishes an obvious place for it to be further extended in the future if needed.We did look into utilizing Flask-CORS to add this functionality, but ultimately found it to be overkill given we only want to add this to the API endpoint and not the entire Webserver application.
I've added documentation of this feature to Security/API and also cross-linked to that documentation from within the API documentation as well.