aiohttp-cors
CORS support for aiohttp
Stars: 211
The aiohttp_cors library provides Cross Origin Resource Sharing (CORS) support for aiohttp, an asyncio-powered asynchronous HTTP server. CORS allows overriding the Same-origin policy for specific resources, enabling web pages to access resources from different origins. The library helps configure CORS settings for resources and routes in aiohttp applications, allowing control over origins, credentials passing, headers, and preflight requests.
README:
aiohttp_cors library implements
Cross Origin Resource Sharing (CORS) <cors_>__
support for aiohttp <aiohttp_>__
asyncio-powered asynchronous HTTP server.
Jump directly to Usage_ part to see how to use aiohttp_cors.
Web security model is tightly connected to
Same-origin policy (SOP) <sop_>__.
In short: web pages cannot Read resources which origin
doesn't match origin of requested page, but can Embed (or Execute)
resources and have limited ability to Write resources.
Origin of a page is defined in the Standard <cors_>__ as tuple
(schema, host, port)
(there is a notable exception with Internet Explorer: it doesn't use port to
define origin, but uses it's own
Security Zones <https://msdn.microsoft.com/en-us/library/ms537183.aspx>__).
Can Embed means that resource from other origin can be embedded into
the page,
e.g. by using <script src="...">, <img src="...">,
<iframe src="...">.
Cannot Read means that resource from other origin source cannot be
obtained by page
(source — any information that would allow to reconstruct resource).
E.g. the page can Embed image with <img src="...">,
but it can't get information about specific pixels, so page can't reconstruct
original image
(though some information from the other resource may still be leaked:
e.g. the page can read embedded image dimensions).
Limited ability to Write means, that the page can send POST requests to
other origin with limited set of Content-Type values and headers.
Restriction to Read resource from other origin is related to authentication mechanism that is used by browsers: when browser reads (downloads) resource he automatically sends all security credentials that user previously authorized for that resource (e.g. cookies, HTTP Basic Authentication).
For example, if Read would be allowed and user is authenticated
in some internet banking,
malicious page would be able to embed internet banking page with iframe
(since authentication is done by the browser it may be embedded as if
user is directly navigated to internet banking page),
then read user private information by reading source of the embedded page
(which may be not only source code, but, for example,
screenshot of the embedded internet banking page).
Cross-origin Resource Sharing (CORS) <cors_>__ allows to override
SOP for specific resources.
In short, CORS works in the following way.
When page https://client.example.com request (Read) resource
https://server.example.com/resource that have other origin,
browser implicitly appends Origin: https://client.example.com header
to the HTTP request,
effectively requesting server to give read permission for
the resource to the https://client.example.com page::
GET /resource HTTP/1.1
Origin: https://client.example.com
Host: server.example.com
If server allows access from the page to the resource, it responds with
resource with Access-Control-Allow-Origin: https://client.example.com
HTTP header
(optionally allowing exposing custom server headers to the page and
enabling use of the user credentials on the server resource)::
Access-Control-Allow-Origin: https://client.example.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: X-Server-Header
Browser checks, if server responded with proper
Access-Control-Allow-Origin header and accordingly allows or denies
access for the obtained resource to the page.
CORS specification designed in a way that servers that are not aware of CORS will not expose any additional information, except allowed by the SOP.
To request resources with custom headers or using custom HTTP methods
(e.g. PUT, DELETE) that are not allowed by SOP,
CORS-enabled browser first send preflight request to the
resource using OPTIONS method, in which he queries access to the resource
with specific method and headers::
OPTIONS / HTTP/1.1
Origin: https://client.example.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: X-Client-Header
CORS-enabled server responds is requested method is allowed and which of the specified headers are allowed::
Access-Control-Allow-Origin: https://client.example.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: PUT
Access-Control-Allow-Headers: X-Client-Header
Access-Control-Max-Age: 3600
Browser checks response to preflight request, and, if actual request allowed, does actual request.
You can install aiohttp_cors as a typical Python library from PyPI or
from git:
.. code-block:: bash
$ pip install aiohttp_cors
Note that aiohttp_cors requires versions of Python >= 3.4.1 and
aiohttp >= 1.1.
To use aiohttp_cors you need to configure the application and
enable CORS on
resources and routes <https://aiohttp.readthedocs.org/en/stable/web.html#resources-and-routes>__
that you want to expose:
.. code-block:: python
import asyncio
from aiohttp import web
import aiohttp_cors
@asyncio.coroutine
def handler(request):
return web.Response(
text="Hello!",
headers={
"X-Custom-Server-Header": "Custom data",
})
app = web.Application()
# `aiohttp_cors.setup` returns `aiohttp_cors.CorsConfig` instance.
# The `cors` instance will store CORS configuration for the
# application.
cors = aiohttp_cors.setup(app)
# To enable CORS processing for specific route you need to add
# that route to the CORS configuration object and specify its
# CORS options.
resource = cors.add(app.router.add_resource("/hello"))
route = cors.add(
resource.add_route("GET", handler), {
"http://client.example.org": aiohttp_cors.ResourceOptions(
allow_credentials=True,
expose_headers=("X-Custom-Server-Header",),
allow_headers=("X-Requested-With", "Content-Type"),
max_age=3600,
)
})
Each route has it's own CORS configuration passed in CorsConfig.add()
method.
CORS configuration is a mapping from origins to options for that origins.
In the example above CORS is configured for the resource under path /hello
and HTTP method GET, and in the context of CORS:
-
This resource will be available using CORS only to
http://client.example.orgorigin. -
Passing of credentials to this resource will be allowed.
-
The resource will expose to the client
X-Custom-Server-Headerserver header. -
The client will be allowed to pass
X-Requested-WithandContent-Typeheaders to the server. -
Preflight requests will be allowed to be cached by client for
3600seconds.
Resource will be available only to the explicitly specified origins.
You can specify "all other origins" using special * origin:
.. code-block:: python
cors.add(route, {
"*":
aiohttp_cors.ResourceOptions(allow_credentials=False),
"http://client.example.org":
aiohttp_cors.ResourceOptions(allow_credentials=True),
})
Here the resource specified by route will be available to all origins with
disallowed credentials passing, and with allowed credentials passing only to
http://client.example.org.
By default ResourceOptions will be constructed without any allowed CORS
options.
This means, that resource will be available using CORS to specified origin,
but client will not be allowed to send either credentials,
or send non-simple headers, or read from server non-simple headers.
To enable sending or receiving all headers you can specify special value
* instead of sequence of headers:
.. code-block:: python
cors.add(route, {
"http://client.example.org":
aiohttp_cors.ResourceOptions(
expose_headers="*",
allow_headers="*"),
})
You can specify default CORS-enabled resource options using
aiohttp_cors.setup()'s defaults argument:
.. code-block:: python
cors = aiohttp_cors.setup(app, defaults={
# Allow all to read all CORS-enabled resources from
# http://client.example.org.
"http://client.example.org": aiohttp_cors.ResourceOptions(),
})
# Enable CORS on routes.
# According to defaults POST and PUT will be available only to
# "http://client.example.org".
hello_resource = cors.add(app.router.add_resource("/hello"))
cors.add(hello_resource.add_route("POST", handler_post))
cors.add(hello_resource.add_route("PUT", handler_put))
# In addition to "http://client.example.org", GET request will be
# allowed from "http://other-client.example.org" origin.
cors.add(hello_resource.add_route("GET", handler), {
"http://other-client.example.org":
aiohttp_cors.ResourceOptions(),
})
# CORS will be enabled only on the resources added to `CorsConfig`,
# so following resource will be NOT CORS-enabled.
app.router.add_route("GET", "/private", handler)
Also you can specify default options for resources:
.. code-block:: python
# Allow POST and PUT requests from "http://client.example.org" origin.
hello_resource = cors.add(app.router.add_resource("/hello"), {
"http://client.example.org": aiohttp_cors.ResourceOptions(),
})
cors.add(hello_resource.add_route("POST", handler_post))
cors.add(hello_resource.add_route("PUT", handler_put))
Resource CORS configuration allows to use allow_methods option that
explicitly specifies list of allowed HTTP methods for origin
(or * for all HTTP methods).
By using this option it is not required to add all resource routes to
CORS configuration object:
.. code-block:: python
# Allow POST and PUT requests from "http://client.example.org" origin.
hello_resource = cors.add(app.router.add_resource("/hello"), {
"http://client.example.org":
aiohttp_cors.ResourceOptions(allow_methods=["POST", "PUT"]),
})
# No need to add POST and PUT routes into CORS configuration object.
hello_resource.add_route("POST", handler_post)
hello_resource.add_route("PUT", handler_put)
# Still you can add additional methods to CORS configuration object:
cors.add(hello_resource.add_route("DELETE", handler_delete))
Here is an example of how to enable CORS for all origins with all CORS features:
.. code-block:: python
cors = aiohttp_cors.setup(app, defaults={
"*": aiohttp_cors.ResourceOptions(
allow_credentials=True,
expose_headers="*",
allow_headers="*",
)
})
# Add all resources to `CorsConfig`.
resource = cors.add(app.router.add_resource("/hello"))
cors.add(resource.add_route("GET", handler_get))
cors.add(resource.add_route("PUT", handler_put))
cors.add(resource.add_route("POST", handler_put))
cors.add(resource.add_route("DELETE", handler_delete))
Old routes API is supported — you can use router.add_router and
router.register_route as before, though this usage is discouraged:
.. code-block:: python
cors.add(
app.router.add_route("GET", "/hello", handler), {
"http://client.example.org": aiohttp_cors.ResourceOptions(
allow_credentials=True,
expose_headers=("X-Custom-Server-Header",),
allow_headers=("X-Requested-With", "Content-Type"),
max_age=3600,
)
})
You can enable CORS for all added routes by accessing routes list in the router:
.. code-block:: python
# Setup application routes.
app.router.add_route("GET", "/hello", handler_get)
app.router.add_route("PUT", "/hello", handler_put)
app.router.add_route("POST", "/hello", handler_put)
app.router.add_route("DELETE", "/hello", handler_delete)
# Configure default CORS settings.
cors = aiohttp_cors.setup(app, defaults={
"*": aiohttp_cors.ResourceOptions(
allow_credentials=True,
expose_headers="*",
allow_headers="*",
)
})
# Configure CORS on all routes.
for route in list(app.router.routes()):
cors.add(route)
You can also use CorsViewMixin on web.View:
.. code-block:: python
class CorsView(web.View, CorsViewMixin):
cors_config = {
"*": ResourceOption(
allow_credentials=True,
allow_headers="X-Request-ID",
)
}
@asyncio.coroutine
def get(self):
return web.Response(text="Done")
@custom_cors({
"*": ResourceOption(
allow_credentials=True,
allow_headers="*",
)
})
@asyncio.coroutine
def post(self):
return web.Response(text="Done")
cors = aiohttp_cors.setup(app, defaults={
"*": aiohttp_cors.ResourceOptions(
allow_credentials=True,
expose_headers="*",
allow_headers="*",
)
})
cors.add(
app.router.add_route("*", "/resource", CorsView),
webview=True)
TODO: fill this
To setup development environment:
.. code-block:: bash
git clone https://github.com/aio-libs/aiohttp_cors.git .
python3 -m venv env source env/bin/activate
pip install -r requirements-dev.txt
To run tests:
.. code-block:: bash
tox
To run only runtime tests in current environment:
.. code-block:: bash
py.test
To run only static code analysis checks:
.. code-block:: bash
tox -e check
To run Selenium tests with Firefox web driver you need to install Firefox.
To run Selenium tests with Chromium web driver you need to:
-
Install Chrome driver. On Ubuntu 14.04 it's in
chromium-chromedriverpackage. -
Either add
chromedriverto PATH or setWEBDRIVER_CHROMEDRIVER_PATHenvironment variable tochromedriver, e.g. on Ubuntu 14.04WEBDRIVER_CHROMEDRIVER_PATH=/usr/lib/chromium-browser/chromedriver.
To release version vA.B.C from the current version of master branch
you need to:
-
Create local branch
vA.B.C. -
In
CHANGES.rstset release date to today. -
In
aiohttp_cors/__about__.pychange version fromA.B.Ca0toA.B.C. -
Create pull request with
vA.B.Cbranch, wait for all checks to successfully finish (Travis and Appveyor). -
Merge pull request to master.
-
Update and checkout
masterbranch. -
Create and push tag for release version to GitHub:
.. code-block:: bash
git tag vA.B.C git push --tags
Now Travis should ran tests again, and build and deploy wheel on PyPI.
If Travis release doesn't work for some reason, use following steps for manual release upload.
-
Install fresh versions of setuptools and pip. Install
wheelfor building wheels. Installtwinefor uploading to PyPI... code-block:: bash
pip install -U pip setuptools twine wheel
-
Configure PyPI credentials in
~/.pypirc. -
Build distribution:
.. code-block:: bash
rm -rf build dist; python setup.py sdist bdist_wheel
-
Upload new release to PyPI:
.. code-block:: bash
twine upload dist/*
-
-
Edit release description on GitHub if needed.
-
Announce new release on the aio-libs mailing list: https://groups.google.com/forum/#!forum/aio-libs.
Post release steps:
- In
CHANGES.rstadd template for the next release. - In
aiohttp_cors/__about__.pychange version fromA.B.CtoA.(B + 1).0a0.
Please report bugs, issues, feature requests, etc. on
GitHub <https://github.com/aio-libs/aiohttp_cors/issues>__.
Copyright 2015 Vladimir Rutsky [email protected].
Licensed under the
Apache License, Version 2.0 <https://www.apache.org/licenses/LICENSE-2.0>__,
see LICENSE file for details.
.. _cors: http://www.w3.org/TR/cors/ .. _aiohttp: https://github.com/KeepSafe/aiohttp/ .. _sop: https://en.wikipedia.org/wiki/Same-origin_policy
For Tasks:
Click tags to check more tools for each tasksFor Jobs:
Alternative AI tools for aiohttp-cors
Similar Open Source Tools
aiohttp-cors
The aiohttp_cors library provides Cross Origin Resource Sharing (CORS) support for aiohttp, an asyncio-powered asynchronous HTTP server. CORS allows overriding the Same-origin policy for specific resources, enabling web pages to access resources from different origins. The library helps configure CORS settings for resources and routes in aiohttp applications, allowing control over origins, credentials passing, headers, and preflight requests.
gemini-srt-translator
Gemini SRT Translator is a tool that utilizes Google Generative AI to provide accurate and efficient translations for subtitle files. Users can customize translation settings, such as model name and batch size, and list available models from the Gemini API. The tool requires a free API key from Google AI Studio for setup and offers features like translating subtitles to a specified target language and resuming partial translations. Users can further customize translation settings with optional parameters like gemini_api_key2, output_file, start_line, model_name, batch_size, and more.
neocodeium
NeoCodeium is a free AI completion plugin powered by Codeium, designed for Neovim users. It aims to provide a smoother experience by eliminating flickering suggestions and allowing for repeatable completions using the `.` key. The plugin offers performance improvements through cache techniques, displays suggestion count labels, and supports Lua scripting. Users can customize keymaps, manage suggestions, and interact with the AI chat feature. NeoCodeium enhances code completion in Neovim, making it a valuable tool for developers seeking efficient coding assistance.
agent-mimir
Agent Mimir is a command line and Discord chat client 'agent' manager for LLM's like Chat-GPT that provides the models with access to tooling and a framework with which accomplish multi-step tasks. It is easy to configure your own agent with a custom personality or profession as well as enabling access to all tools that are compatible with LangchainJS. Agent Mimir is based on LangchainJS, every tool or LLM that works on Langchain should also work with Mimir. The tasking system is based on Auto-GPT and BabyAGI where the agent needs to come up with a plan, iterate over its steps and review as it completes the task.
langserve
LangServe helps developers deploy `LangChain` runnables and chains as a REST API. This library is integrated with FastAPI and uses pydantic for data validation. In addition, it provides a client that can be used to call into runnables deployed on a server. A JavaScript client is available in LangChain.js.
cortex
Cortex is a tool that simplifies and accelerates the process of creating applications utilizing modern AI models like chatGPT and GPT-4. It provides a structured interface (GraphQL or REST) to a prompt execution environment, enabling complex augmented prompting and abstracting away model connection complexities like input chunking, rate limiting, output formatting, caching, and error handling. Cortex offers a solution to challenges faced when using AI models, providing a simple package for interacting with NL AI models.
mcpdoc
The MCP LLMS-TXT Documentation Server is an open-source server that provides developers full control over tools used by applications like Cursor, Windsurf, and Claude Code/Desktop. It allows users to create a user-defined list of `llms.txt` files and use a `fetch_docs` tool to read URLs within these files, enabling auditing of tool calls and context returned. The server supports various applications and provides a way to connect to them, configure rules, and test tool calls for tasks related to documentation retrieval and processing.
semantic-cache
Semantic Cache is a tool for caching natural text based on semantic similarity. It allows for classifying text into categories, caching AI responses, and reducing API latency by responding to similar queries with cached values. The tool stores cache entries by meaning, handles synonyms, supports multiple languages, understands complex queries, and offers easy integration with Node.js applications. Users can set a custom proximity threshold for filtering results. The tool is ideal for tasks involving querying or retrieving information based on meaning, such as natural language classification or caching AI responses.
magic-cli
Magic CLI is a command line utility that leverages Large Language Models (LLMs) to enhance command line efficiency. It is inspired by projects like Amazon Q and GitHub Copilot for CLI. The tool allows users to suggest commands, search across command history, and generate commands for specific tasks using local or remote LLM providers. Magic CLI also provides configuration options for LLM selection and response generation. The project is still in early development, so users should expect breaking changes and bugs.
invariant
Invariant Analyzer is an open-source scanner designed for LLM-based AI agents to find bugs, vulnerabilities, and security threats. It scans agent execution traces to identify issues like looping behavior, data leaks, prompt injections, and unsafe code execution. The tool offers a library of built-in checkers, an expressive policy language, data flow analysis, real-time monitoring, and extensible architecture for custom checkers. It helps developers debug AI agents, scan for security violations, and prevent security issues and data breaches during runtime. The analyzer leverages deep contextual understanding and a purpose-built rule matching engine for security policy enforcement.
gen.nvim
gen.nvim is a tool that allows users to generate text using Language Models (LLMs) with customizable prompts. It requires Ollama with models like `llama3`, `mistral`, or `zephyr`, along with Curl for installation. Users can use the `Gen` command to generate text based on predefined or custom prompts. The tool provides key maps for easy invocation and allows for follow-up questions during conversations. Additionally, users can select a model from a list of installed models and customize prompts as needed.
auto-playwright
Auto Playwright is a tool that allows users to run Playwright tests using AI. It eliminates the need for selectors by determining actions at runtime based on plain-text instructions. Users can automate complex scenarios, write tests concurrently with or before functionality development, and benefit from rapid test creation. The tool supports various Playwright actions and offers additional options for debugging and customization. It uses HTML sanitization to reduce costs and improve text quality when interacting with the OpenAI API.
phidata
Phidata is a framework for building AI Assistants with memory, knowledge, and tools. It enables LLMs to have long-term conversations by storing chat history in a database, provides them with business context by storing information in a vector database, and enables them to take actions like pulling data from an API, sending emails, or querying a database. Memory and knowledge make LLMs smarter, while tools make them autonomous.
hayhooks
Hayhooks is a tool that simplifies the deployment and serving of Haystack pipelines as REST APIs. It allows users to wrap their pipelines with custom logic and expose them via HTTP endpoints, including OpenAI-compatible chat completion endpoints. With Hayhooks, users can easily convert their Haystack pipelines into API services with minimal boilerplate code.
For similar tasks
aiohttp-cors
The aiohttp_cors library provides Cross Origin Resource Sharing (CORS) support for aiohttp, an asyncio-powered asynchronous HTTP server. CORS allows overriding the Same-origin policy for specific resources, enabling web pages to access resources from different origins. The library helps configure CORS settings for resources and routes in aiohttp applications, allowing control over origins, credentials passing, headers, and preflight requests.
For similar jobs
google.aip.dev
API Improvement Proposals (AIPs) are design documents that provide high-level, concise documentation for API development at Google. The goal of AIPs is to serve as the source of truth for API-related documentation and to facilitate discussion and consensus among API teams. AIPs are similar to Python's enhancement proposals (PEPs) and are organized into different areas within Google to accommodate historical differences in customs, styles, and guidance.
kong
Kong, or Kong API Gateway, is a cloud-native, platform-agnostic, scalable API Gateway distinguished for its high performance and extensibility via plugins. It also provides advanced AI capabilities with multi-LLM support. By providing functionality for proxying, routing, load balancing, health checking, authentication (and more), Kong serves as the central layer for orchestrating microservices or conventional API traffic with ease. Kong runs natively on Kubernetes thanks to its official Kubernetes Ingress Controller.
speakeasy
Speakeasy is a tool that helps developers create production-quality SDKs, Terraform providers, documentation, and more from OpenAPI specifications. It supports a wide range of languages, including Go, Python, TypeScript, Java, and C#, and provides features such as automatic maintenance, type safety, and fault tolerance. Speakeasy also integrates with popular package managers like npm, PyPI, Maven, and Terraform Registry for easy distribution.
apicat
ApiCat is an API documentation management tool that is fully compatible with the OpenAPI specification. With ApiCat, you can freely and efficiently manage your APIs. It integrates the capabilities of LLM, which not only helps you automatically generate API documentation and data models but also creates corresponding test cases based on the API content. Using ApiCat, you can quickly accomplish anything outside of coding, allowing you to focus your energy on the code itself.
aiohttp-pydantic
Aiohttp pydantic is an aiohttp view to easily parse and validate requests. You define using function annotations what your methods for handling HTTP verbs expect, and Aiohttp pydantic parses the HTTP request for you, validates the data, and injects the parameters you want. It provides features like query string, request body, URL path, and HTTP headers validation, as well as Open API Specification generation.
ain
Ain is a terminal HTTP API client designed for scripting input and processing output via pipes. It allows flexible organization of APIs using files and folders, supports shell-scripts and executables for common tasks, handles url-encoding, and enables sharing the resulting curl, wget, or httpie command-line. Users can put things that change in environment variables or .env-files, and pipe the API output for further processing. Ain targets users who work with many APIs using a simple file format and uses curl, wget, or httpie to make the actual calls.
OllamaKit
OllamaKit is a Swift library designed to simplify interactions with the Ollama API. It handles network communication and data processing, offering an efficient interface for Swift applications to communicate with the Ollama API. The library is optimized for use within Ollamac, a macOS app for interacting with Ollama models.
ollama4j
Ollama4j is a Java library that serves as a wrapper or binding for the Ollama server. It facilitates communication with the Ollama server and provides models for deployment. The tool requires Java 11 or higher and can be installed locally or via Docker. Users can integrate Ollama4j into Maven projects by adding the specified dependency. The tool offers API specifications and supports various development tasks such as building, running unit tests, and integration tests. Releases are automated through GitHub Actions CI workflow. Areas of improvement include adhering to Java naming conventions, updating deprecated code, implementing logging, using lombok, and enhancing request body creation. Contributions to the project are encouraged, whether reporting bugs, suggesting enhancements, or contributing code.