1 change: 0 additions & 1 deletion CHANGELOG.md
Expand Up @@ -10,7 +10,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added

- Added option in Flask Talisman to add Adobe Typekit CSP rules with `allow_typekit_content_security_policy=True`
- Allow `Access-Control-Allow-Origin` header to be set in `Talisman` with `allow_cors_origin`

### Changed

12 changes: 0 additions & 12 deletions tests/test_flask_talisman.py
Expand Up @@ -239,15 +239,3 @@ def test_talisman_force_https_permanent(self):
"https://localhost/foobar?test=1",
rv.headers["Location"],
)

def test_talisman_allow_cors_origin(self):
Talisman(self.app, force_https=False, allow_cors_origin="https://example.com")

rv = self.test_client.get("/")

self.assertEqual(rv.status_code, 200)

self.assertIn("Access-Control-Allow-Origin", rv.headers)
self.assertEqual(
"https://example.com", rv.headers["Access-Control-Allow-Origin"]
)
5 changes: 0 additions & 5 deletions tna_utilities/flask/talisman.py
Expand Up @@ -76,7 +76,6 @@ def init_app(
referrer_policy: str = "strict-origin-when-cross-origin",
force_https: bool = True,
force_https_permanent: bool = False,
allow_cors_origin: str | None = None,
):
"""
Initialises the Talisman extension for the Flask app.
Expand All @@ -88,7 +87,6 @@ def init_app(
:param referrer_policy: The Referrer-Policy header value to apply to responses. Defaults to "strict-origin-when-cross-origin".
:param force_https: If True, forces incoming requests to be redirected to HTTPS if they are not already secure and the application is not in debug mode. Defaults to True.
:param force_https_permanent: If True, uses a permanent redirect (HTTP 301) when forcing HTTPS, otherwise uses a temporary redirect (HTTP 302). Defaults to False.
:param allow_cors_origin: If specified, sets the Access-Control-Allow-Origin header to the given value. Defaults to None.
"""

content_security_policy = content_security_policy or {}
Expand All @@ -112,7 +110,6 @@ def init_app(
self.referrer_policy = referrer_policy
self.force_https = force_https
self.force_https_permanent = force_https_permanent
self.allow_cors_origin = allow_cors_origin

self.app.before_request(self._force_https_redirect)
self.app.after_request(self._apply_extra_headers)
Expand Down Expand Up @@ -161,8 +158,6 @@ def _apply_extra_headers(self, response):
)
response.headers.update(common_security_headers(**self.security_headers))
response.headers["Referrer-Policy"] = self.referrer_policy
if self.allow_cors_origin:
response.headers["Access-Control-Allow-Origin"] = self.allow_cors_origin
return response

def _csp(