aws · hawflau · May 18, 2023 · Mar 31, 2023 · Mar 31, 2023 · Apr 8, 2023
@@ -640,6 +640,7 @@ def _request_handler(self, **kwargs):
 
         route: Route = self._get_current_route(request)
         cors_headers = Cors.cors_to_headers(self.api.cors)
+        cors_headers = self._response_cors_headers(request, cors_headers)
         lambda_authorizer = route.authorizer_object
 
         # payloadFormatVersion can only support 2 values: "1.0" and "2.0"
@@ -800,6 +801,31 @@ def _get_current_route(self, flask_request):
 
         return route
 
+    @staticmethod
+    def _response_cors_headers(flask_request, cors_headers):
+        if "Access-Control-Allow-Origin" not in cors_headers:
+            return cors_headers
+
+        cors_origins = cors_headers["Access-Control-Allow-Origin"]
+        # unset this header due to restrictive manner
+        del cors_headers["Access-Control-Allow-Origin"]
+
+        incoming_origin = flask_request.headers.get("Origin")
+        # Restrictive manner: do not allow any origin by default
+        response_allowed_origin = None
+        if incoming_origin:
+            if cors_origins == "*" and cors_headers.get("Access-Control-Allow-Credentials") is True:
+                response_allowed_origin = incoming_origin
+            else:
+                cors_origins_arr = cors_origins.split(",")
+                if incoming_origin in cors_origins_arr:
+                    response_allowed_origin = incoming_origin
+
+        if response_allowed_origin:
+            cors_headers["Access-Control-Allow-Origin"] = response_allowed_origin
+
+        return cors_headers
+
     @staticmethod
     def get_request_methods_endpoints(flask_request):
         """

@@ -1835,6 +1835,140 @@ def test_lambda_output_json_object_no_status_code(self):
         self.assertEqual(body, lambda_output)
 
 
+class TestService_cors_response_headers(TestCase):
+    def test_response_cors_no_origin(self):
+        request_mock = Mock()
+        headers_mock = Mock()
+        headers_mock.keys.return_value = []
+        request_mock.headers = headers_mock
+        request_mock.scheme = "http"
+
+        cors = Cors(allow_origin="*", allow_methods="GET,POST,OPTIONS")
+
+        response_cors_headers = Cors.cors_to_headers(cors)
+        response_cors_headers = LocalApigwService._response_cors_headers(request_mock, response_cors_headers)
+
+        self.assertTrue("Access-Control-Allow-Origin" not in response_cors_headers)
+
+    def test_response_cors_with_origin(self):
+        incoming_origin = "localhost:3000"
+
+        request_mock = Mock()
+        headers_mock = Mock()
+        headers_mock.keys.return_value = []
+        headers_mock.keys.return_value = ["Origin", "Content-Type"]
+        headers_mock.get.side_effect = [incoming_origin, "application/json"]
+        headers_mock.getlist.side_effect = [[incoming_origin], ["application/json"]]
+        request_mock.headers = headers_mock
+        request_mock.scheme = "http"
+
+        cors = Cors(allow_origin="*", allow_methods="GET,POST,OPTIONS", allow_credentials=True)
+
+        response_cors_headers = Cors.cors_to_headers(cors)
+        response_cors_headers = LocalApigwService._response_cors_headers(request_mock, response_cors_headers)
+
+        self.assertEqual(incoming_origin, response_cors_headers["Access-Control-Allow-Origin"])
+
+    def test_response_cors_with_origin_single_domain(self):
+        incoming_origin = "localhost:3000"
+
+        request_mock = Mock()
+        headers_mock = Mock()
+        headers_mock.keys.return_value = []
+        headers_mock.keys.return_value = ["Origin", "Content-Type"]
+        headers_mock.get.side_effect = [incoming_origin, "application/json"]
+        headers_mock.getlist.side_effect = [[incoming_origin], ["application/json"]]
+        request_mock.headers = headers_mock
+        request_mock.scheme = "http"
+
+        cors = Cors(allow_origin="localhost:3000", allow_methods="GET,POST,OPTIONS", allow_credentials=True)
+
+        response_cors_headers = Cors.cors_to_headers(cors)
+        response_cors_headers = LocalApigwService._response_cors_headers(request_mock, response_cors_headers)
+
+        self.assertEqual(incoming_origin, response_cors_headers["Access-Control-Allow-Origin"])
+
+    def test_response_cors_with_origin_multi_domains(self):
+        incoming_origin = "localhost:3000"
+
+        request_mock = Mock()
+        headers_mock = Mock()
+        headers_mock.keys.return_value = []
+        headers_mock.keys.return_value = ["Origin", "Content-Type"]
+        headers_mock.get.side_effect = [incoming_origin, "application/json"]
+        headers_mock.getlist.side_effect = [[incoming_origin], ["application/json"]]
+        request_mock.headers = headers_mock
+        request_mock.scheme = "http"
+
+        cors = Cors(
+            allow_origin="localhost:3000,localhost:6000", allow_methods="GET,POST,OPTIONS", allow_credentials=True
+        )
+
+        response_cors_headers = Cors.cors_to_headers(cors)
+        response_cors_headers = LocalApigwService._response_cors_headers(request_mock, response_cors_headers)
+
+        self.assertEqual(incoming_origin, response_cors_headers["Access-Control-Allow-Origin"])
+
+    def test_response_cors_with_origin_multi_domains_not_matching(self):
+        incoming_origin = "localhost:3000"
+
+        request_mock = Mock()
+        headers_mock = Mock()
+        headers_mock.keys.return_value = []
+        headers_mock.keys.return_value = ["Origin", "Content-Type"]
+        headers_mock.get.side_effect = [incoming_origin, "application/json"]
+        headers_mock.getlist.side_effect = [[incoming_origin], ["application/json"]]
+        request_mock.headers = headers_mock
+        request_mock.scheme = "http"
+
+        cors = Cors(
+            allow_origin="localhost:4000,localhost:6000", allow_methods="GET,POST,OPTIONS", allow_credentials=True
+        )
+
+        response_cors_headers = Cors.cors_to_headers(cors)
+        response_cors_headers = LocalApigwService._response_cors_headers(request_mock, response_cors_headers)
+
+        self.assertTrue("Access-Control-Allow-Origin" not in response_cors_headers)
+
+    def test_response_cors_not_allow_credentials(self):
+        incoming_origin = "localhost:3000"
+
+        request_mock = Mock()
+        headers_mock = Mock()
+        headers_mock.keys.return_value = []
+        headers_mock.keys.return_value = ["Origin", "Content-Type"]
+        headers_mock.get.side_effect = [incoming_origin, "application/json"]
+        headers_mock.getlist.side_effect = [[incoming_origin], ["application/json"]]
+        request_mock.headers = headers_mock
+        request_mock.scheme = "http"
+
+        cors = Cors(allow_origin="*", allow_methods="GET,POST,OPTIONS", allow_credentials=False)
+
+        response_cors_headers = Cors.cors_to_headers(cors)
+        response_cors_headers = LocalApigwService._response_cors_headers(request_mock, response_cors_headers)
+
+        self.assertTrue("Access-Control-Allow-Origin" not in response_cors_headers)
+
+    def test_response_cors_missing_allow_credentials(self):
+        incoming_origin = "localhost:3000"
+
+        request_mock = Mock()
+        headers_mock = Mock()
+        headers_mock.keys.return_value = []
+        headers_mock.keys.return_value = ["Origin", "Content-Type"]
+        headers_mock.get.side_effect = [incoming_origin, "application/json"]
+        headers_mock.getlist.side_effect = [[incoming_origin], ["application/json"]]
+        request_mock.headers = headers_mock
+        request_mock.scheme = "http"
+
+        cors = Cors(allow_origin="*", allow_methods="GET,POST,OPTIONS")
+
+        response_cors_headers = Cors.cors_to_headers(cors)
+        response_cors_headers = LocalApigwService._response_cors_headers(request_mock, response_cors_headers)
+
+        self.assertTrue("Access-Control-Allow-Origin" not in response_cors_headers)
+
+
 class TestServiceCorsToHeaders(TestCase):
     def test_basic_conversion(self):
         cors = Cors(