
[BUG] Content-Type header must be allowed explicitly, docs say otherwise


Describe the bug

According to [1], Content-Type is always allowed for CORS requests. This is not true; see the test below.

[1] https://fastapi.tiangolo.com/tutorial/cors/#use-corsmiddleware

To Reproduce

Steps to reproduce the behavior with a minimum self-contained file.

Replace each part with your own scenario:

  1. Create a file test_cors.py with:

import pytest
from fastapi import FastAPI
from starlette import status
from starlette.middleware.cors import CORSMiddleware
from starlette.testclient import TestClient

app = FastAPI()

# Default settings: no allowed origins, only GET, no extra allowed headers.
app.add_middleware(CORSMiddleware)


@app.post(path='/dummy')
def dummy():
    ...


@pytest.fixture
def client():
    yield TestClient(app)


def test_content_type_is_always_allowed_for_cors_requests(client):
    # arrange: the preflight a browser would send before a cross-origin POST
    request_headers = {
        "Origin": "https://www.google.de",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "Content-Type",
    }

    # act: send the preflight for the route defined above
    response = client.options('/dummy', headers=request_headers)

    # assert
    assert response.status_code == status.HTTP_200_OK

  2. Run pytest test_cors.py

Expected behavior

The Content-Type header is whitelisted as per the documentation.

Screenshots

n/a

Environment

  • OS: macOS
  • FastAPI Version: 0.52.0
  • Python version: 3.7.6

Additional context

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 10 (5 by maintainers)

Top GitHub Comments

2 reactions
tiangolo commented, Apr 13, 2020

The section:

The Accept, Accept-Language, Content-Language and Content-Type headers are always allowed for CORS requests.

It doesn’t mean that something will automatically return the Allow-X headers without a middleware, it means that browsers, the ones that actually do all the CORS dance, don’t require those headers to do CORS (cross-origin resource sharing). So, browsers don’t even trigger an OPTIONS request before one with those headers.

I think it would be useful for you to read the docs about CORS in MDN to understand how all that works: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
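An added example, not from the issue thread and not Starlette's or FastAPI's code, that models the two sides the comment above distinguishes: browser_needs_preflight applies the Fetch-spec safelist (going beyond the comment, it also shows that Content-Type is only safelisted for the three form/text media types, so a JSON POST is still preflighted), and evaluate_preflight is a simplified server-side allow-list check whose parameter names and defaults are assumed to follow CORSMiddleware's. Run against the headers from the issue's test with the default allow-lists it returns 400, and 200 once origin, method and header are allowed explicitly.

```python
from typing import Dict, Iterable, List, Tuple

# Fetch-spec safelist: cross-origin requests using only these skip the preflight.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
# Content-Type is safelisted only for these media types; application/json is not.
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def browser_needs_preflight(method: str, headers: Dict[str, str]) -> bool:
    """Browser side: would this cross-origin request trigger an OPTIONS preflight?"""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True  # e.g. Authorization or X-Requested-With
        if lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SAFELISTED_CONTENT_TYPES:
                return True  # a JSON body is preflighted although Content-Type is "safelisted"
    return False


def evaluate_preflight(origin: str, requested_method: str, requested_headers: str,
                       allow_origins: Iterable[str] = (), allow_methods: Iterable[str] = ("GET",),
                       allow_headers: Iterable[str] = ()) -> Tuple[int, Dict[str, str], List[str]]:
    """Server side: allow-list check modelled on CORSMiddleware's parameters and defaults
    (a simplified model written for this example, not Starlette's implementation)."""
    origins = set(allow_origins)
    methods = {m.upper() for m in allow_methods}
    header_list = list(allow_headers)
    lowered = {h.lower() for h in header_list}
    failures: List[str] = []
    if "*" not in origins and origin not in origins:
        failures.append("origin")
    if "*" not in methods and requested_method.upper() not in methods:
        failures.append("method")
    if "*" not in lowered:
        for h in requested_headers.split(","):
            if h.strip() and h.strip().lower() not in lowered:
                failures.append("headers")
                break
    if failures:
        return 400, {}, failures  # what the issue's test observes instead of 200
    return 200, {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(methods)),
        "Access-Control-Allow-Headers": ", ".join(header_list),
    }, []
```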

0 reactions
tiangolo commented, Nov 4, 2022

Hey @paxcodes, yep, I would accept that change. 🤓

Sorry for the long delay! 🙈 I wanted to personally address each issue/PR and they piled up through time, but now I’m checking each one in order.

