Add GraphQLView option to disable CORS headers

stropo · stropo · commit c316ce1d0ce9 · 2017-08-21T23:23:03.000Z
Use Sanic-CORS extension instead which is mature and flexible
diff --git a/README.md b/README.md
@@ -47,6 +47,7 @@ def init_graphql(app, loop):
 -   `jinja_env`: Sets jinja environment to be used to process GraphiQL template. If Jinja’s async mode is enabled (by `enable_async=True`), uses 
 `Template.render_async` instead of `Template.render`. If environment is not set, fallbacks to simple regex-based renderer.
 -   `batch`: Set the GraphQL view as batch (for using in [Apollo-Client] or [ReactRelayNetworkLayer])
+-   `cors`: If `True`, set basic CORS headers in response to CORS preflight requests, otherwise - don't set any CORS headers (It's recommended to use [Sanic-CORS] extension).
 
 You can also subclass `GraphQLView` and overwrite `get_root_value(self, request)` to have a dynamic root value per request.
 
@@ -73,4 +74,5 @@ This project is licensed under MIT License.
   [ReactRelayNetworkLayer]: https://github.com/nodkz/react-relay-network-layer
   [Sergey Porivaev]: https://github.com/grazor
   [sanic-graphql]: https://github.com/grazor/sanic-graphql
+  [sanic-cors]: https://github.com/ashleysommer/sanic-cors
 
diff --git a/sanic_graphql/graphqlview.py b/sanic_graphql/graphqlview.py
@@ -27,6 +27,7 @@ class GraphQLView(HTTPMethodView):
     middleware = None
     batch = False
     jinja_env = None
+    cors = False
     max_age = 86400
 
     _enable_async = True
@@ -168,15 +169,22 @@ def process_preflight(self, request):
         https://www.w3.org/TR/cors/#resource-preflight-requests """
         origin = request.headers.get('Origin', '')
         method = request.headers.get('Access-Control-Request-Method', '').upper()
+        headers = request.headers.get('Access-Control-Request-Headers', '')
 
         if method and method in self.methods:
-            return HTTPResponse(
-                status=200,
+            if self.cors:
                 headers={
                     'Access-Control-Allow-Origin': origin,
                     'Access-Control-Allow-Methods': ', '.join(self.methods),
-                    'Access-Control-Max-Age': str(self.max_age),
+                    'Access-Control-Allow-Headers': headers,
+                    'Access-Control-Allow-Age': str(self.max_age),
                 }
+            else:
+                headers = {}
+
+            return HTTPResponse(
+                status=200,
+                headers=headers,
             )
         else:
             return HTTPResponse(
