7

I wrote this simple flask-socketio code:

from flask import Flask
from flask_socketio import SocketIO, send

app = Flask(__name__)
app.config['SECRET_KEY'] = 'mysecret'

socketio = SocketIO(app)


@socketio.on('message')
def handle_message(msg):
    print 'Message:' + msg
    send(msg, broadcast=True)


if __name__ == '__main__':
    socketio.run(app)

When I see chrome network analyzing, I can see the "Access-Control-Allow-Origin" value as null.

According to Flask-socketio documentation: (See API Reference @ http://flask-socketio.readthedocs.io/en/latest/)

Parameters:
...
cors_allowed_origins – List of origins that are allowed to connect to this server. All origins are allowed by default.

Another suggestion I found on searching is using flask-CORS:

app.config['SECRET_KEY'] = 'mysecret'
cors = CORS(app)

socketio = SocketIO(app)

I get the same result.

What is a way to allow Cross-Origin requests with flask-socketio?

Thanks in advance.

Billie
  • 8,938
  • 12
  • 37
  • 67

2 Answers2

21

Below solve it for me. Interaction from Angular app. 

socketio = SocketIO(app, cors_allowed_origins="*")
Roninio
  • 1,761
  • 1
  • 17
  • 24
0

Cross origin is enabled by default on Flask-SocketIO. My guess is that the way you are testing this is flawed. While running your example application, I can send a request to the main Socket.IO endpoint and I do get the Access-Control-Allow-Origin header in the response:

~ $ http http://localhost:5000/socket.io/
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 119
Content-Type: application/octet-stream
Date: Fri, 01 Jun 2018 17:10:01 GMT
Set-Cookie: io=dd8d67788df54510830fea64bc82b1fd



+-----------------------------------------+
| NOTE: binary data not shown in terminal |
+-----------------------------------------+
Miguel Grinberg
  • 65,299
  • 14
  • 133
  • 152
  • Have you tried to access the server from Chrome browser? – Billie Jun 01 '18 at 22:29
  • When I serve an HTML client page from Xampp "localhost", I'm getting `Access-Control-Allow-Origin: http://localhost` – Billie Jun 01 '18 at 22:46
  • The HTTP client that you use makes no difference. What do you mean by "an HTML client page"? The application as you showed it in your question supports only one URL, the endpoint for the Socket.IO protocol. If you have another web server in front of your Flask app, then I suspect the problem is in that server. The only URL that you can send to your Flask app is `/socket.io/`, and this will return a binary response according to the Socket.IO protocol. – Miguel Grinberg Jun 01 '18 at 23:11
  • Yes you are right. When I debug on `Telerik Fiddler` and change the `origin: $origin` request field, then I get `Access-Control-Allow-Origin: $origin` . If I remove the `origin` field on the request, then I get `Access-Control-Allow-Origin: *`. Why it is like that? – Billie Jun 02 '18 at 15:41
  • If the client asks for a specific origin, then Flask-SocketIO responds with that origin explicitly. If the client does not ask for a specific origin, then the response allows all origins. – Miguel Grinberg Jun 02 '18 at 16:58
  • It's not specified on the documentation. What is the advantage of such behavior? Why not always allow all origins? – Billie Jun 02 '18 at 23:56
  • It comes from the idea that there is no need to tell the client more than what it wants to know, for security purposes. If the client asks "is Site X allowed?" it is sufficient to say "Yes, Site X is allowed". There is no need to reply with "Yes, and every other site is allowed too.". – Miguel Grinberg Jun 03 '18 at 00:51
  • Thank you so much! – Billie Jun 03 '18 at 07:38