From d718ecf6d3dfc4656d262154c59672437c1ea075 Mon Sep 17 00:00:00 2001 From: pgjones Date: Wed, 5 Jun 2024 13:23:18 +0100 Subject: [PATCH] Provide a configuration option to control automatic option responses By default Flask will provide responses to OPTIONS requests that are automatically generated. These responses list the valid methods in the response headers. Whilst this is useful, it can be frowned on by auditors hence an ability to disable it wholesale is useful. --- CHANGES.rst | 3 ++- docs/config.rst | 10 ++++++++++ src/flask/app.py | 1 + src/flask/sansio/app.py | 2 +- 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index a992fc6b..bffdbdce 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -1,7 +1,8 @@ Version 3.1.0 ------------- -Unreleased +- Provide a configuration option to control automatic option + responses. :pr:`5496` Version 3.0.3 diff --git a/docs/config.rst b/docs/config.rst index 7828fb92..12e62bb5 100644 --- a/docs/config.rst +++ b/docs/config.rst @@ -280,6 +280,12 @@ The following configuration values are used internally by Flask: ``4093``. Larger cookies may be silently ignored by browsers. Set to ``0`` to disable the warning. +.. py:data:: PROVIDE_AUTOMATIC_OPTIONS + + Set to ``False`` to disable the automatic addition of OPTIONS + responses. This can be overridden per route by altering the + ``provide_automatic_options`` attribute. + .. versionadded:: 0.4 ``LOGGER_NAME`` @@ -331,6 +337,10 @@ The following configuration values are used internally by Flask: .. versionchanged:: 2.3 ``ENV`` was removed. +.. versionadded:: 3.10 + Added :data:`PROVIDE_AUTOMATIC_OPTIONS` to control the default + addition of autogenerated OPTIONS responses. + Configuring from Python Files ----------------------------- diff --git a/src/flask/app.py b/src/flask/app.py index 7622b5e8..5124233c 100644 --- a/src/flask/app.py +++ b/src/flask/app.py @@ -198,6 +198,7 @@ class Flask(App): "PREFERRED_URL_SCHEME": "http", "TEMPLATES_AUTO_RELOAD": None, "MAX_COOKIE_SIZE": 4093, + "PROVIDE_AUTOMATIC_OPTIONS": True, } ) diff --git a/src/flask/sansio/app.py b/src/flask/sansio/app.py index 01fd5dbf..4c93c249 100644 --- a/src/flask/sansio/app.py +++ b/src/flask/sansio/app.py @@ -638,7 +638,7 @@ class App(Scaffold): ) if provide_automatic_options is None: - if "OPTIONS" not in methods: + if "OPTIONS" not in methods and self.config["PROVIDE_AUTOMATIC_OPTIONS"]: provide_automatic_options = True required_methods.add("OPTIONS") else: