ryanahamilton opened a new pull request #13620: URL: https://github.com/apache/airflow/pull/13620
Employing the newly improved REST API from an independent web application is currently prohibited by browsers due to the lack of [CORS (Cross-Origin Resource Sharing) headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) in the API response.

This PR adds 3 configuration options to add the following headers:

- `Access-Control-Allow-Headers` via `AIRFLOW__API__ACCESS_CONTROL_ALLOW_HEADERS`
- `Access-Control-Allow-Methods` via `AIRFLOW__API__ACCESS_CONTROL_ALLOW_METHODS`
- `Access-Control-Allow-Origin` via `AIRFLOW__API__ACCESS_CONTROL_ALLOW_ORIGIN`

This only covers a minimum of all potential headers that could be utilized, but the added `set_cors_headers_on_response` function establishes an obvious place for it to be further extended in the future if needed.

We did look into utilizing [Flask-CORS](https://github.com/corydolphin/flask-cors) to add this functionality, but ultimately found it to be overkill given we only want to add this to the API endpoint and not the entire Webserver application.

I've added documentation of this feature to Security/API and also cross-linked to that documentation from within the API documentation as well.

----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]
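
As an added illustration (not code from this pull request or from Airflow), the following sketch computes the response headers the three options listed above would produce and flags settings a deployer would want to review before exposing the API cross-origin. The function names, the finding texts and the sample values are assumptions; only the header and environment variable names come from the PR description.

```python
import os

# Header -> environment variable, as listed in the PR description.
CORS_OPTIONS = {
    "Access-Control-Allow-Headers": "AIRFLOW__API__ACCESS_CONTROL_ALLOW_HEADERS",
    "Access-Control-Allow-Methods": "AIRFLOW__API__ACCESS_CONTROL_ALLOW_METHODS",
    "Access-Control-Allow-Origin": "AIRFLOW__API__ACCESS_CONTROL_ALLOW_ORIGIN",
}


def cors_headers_from_env(environ=None):
    """Return only the CORS headers whose option is set to a non-empty value."""
    environ = os.environ if environ is None else environ
    headers = {}
    for header, var in CORS_OPTIONS.items():
        value = environ.get(var, "").strip()
        if value:
            headers[header] = value
    return headers


def review_cors_config(environ=None):
    """Return findings worth checking before the API is exposed cross-origin."""
    headers = cors_headers_from_env(environ)
    origin = headers.get("Access-Control-Allow-Origin")
    findings = []
    if origin is None:
        if headers:
            findings.append("no Allow-Origin: cross-origin reads still fail")
        return findings
    if origin == "*":
        findings.append("wildcard origin: any website can read non-credentialed responses")
    elif "," in origin or " " in origin:
        findings.append("Allow-Origin takes one origin; browsers will not match a list")
    if "Access-Control-Allow-Headers" not in headers:
        findings.append("no Allow-Headers: preflight fails for Authorization or JSON Content-Type")
    if "Access-Control-Allow-Methods" not in headers:
        findings.append("no Allow-Methods: preflight fails for PATCH, PUT and DELETE")
    return findings


# Constructed sample configuration, not taken from the PR.
SAMPLE_ENV = {
    "AIRFLOW__API__ACCESS_CONTROL_ALLOW_ORIGIN": "https://dashboard.example.com",
    "AIRFLOW__API__ACCESS_CONTROL_ALLOW_HEADERS": "authorization, content-type",
    "AIRFLOW__API__ACCESS_CONTROL_ALLOW_METHODS": "GET, POST, PATCH, DELETE, OPTIONS",
}
```
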
