Flask-socketio: 'sessions.py' example makes 400 errors

You are doing a cross-origin connection to the server. This used to be allowed by default, but for security reasons it is not anymore. Now you have to configure your allowed origins, or if you don't care about security, allow all origins by passing cors_allowed_origins='*' when you create your Socket.IO server.

miguel,

Does your flask-socketio sessions example needs cors handling?
This code is yours as is.
It looked not requires cors.
You know that jQuery ajax calls '/session' and socket.io calls '/socket.io' on sessions.html.
The client sessions.html and serverside '/session' and '/socket.io' is same origin.

Please let me know how you recognize I'm doing a cross-origin connection?

miguel,

I added a line to handle cors issue like below.

if __name__ == '__main__':
    import flask_cors; flask_cors.CORS(app, resources={r"/*":{"origins":"*"}})
    socketio.run(app, host="0.0.0.0", port=10001, debug=True)

But the problem remains.
Please help me slightly more.

You are doing a cross-origin connection to the server. This used to be allowed by default, but for security reasons it is not anymore. Now you have to configure your allowed origins, or if you don't care about security, allow all origins by passing cors_allowed_origins='*' when you create your Socket.IO server.

Isn't that a breaking change?
My code works fine with 4.2.1 but not work with 4.3.0

@miguelgrinberg

Sorry, I didn't understand your answer for 'cors_allowed_origins'.
I didn't know flask-socketio initializer has this option and recognize it by @NateScarlet's reply.

I've tried this option and I got another server error.

app = Flask(__name__)
app.config['SECRET_KEY'] = 'top-secret!'
app.config['SESSION_TYPE'] = 'filesystem'
login = LoginManager(app)
Session(app)
socketio = SocketIO(app, manage_session=False, cors_allowed_origins='*')


class User(UserMixin, object):
    def __init__(self, id=None):
        self.id = id

• server log

$ python sessions.py
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 447-673-972
172.31.13.180 - - [2019-08-06 07:11:25] "GET /status HTTP/1.1" 200 234 0.001716
172.31.13.180 - - [2019-08-06 07:11:29] "GET / HTTP/1.1" 200 6809 0.020376
172.31.13.180 - - [2019-08-06 07:11:32] "GET /session HTTP/1.1" 200 305 0.001329
172.31.13.180 - - [2019-08-06 07:11:32] "GET / HTTP/1.1" 200 6809 0.001107
172.31.13.180 - - [2019-08-06 07:11:37] "GET /session HTTP/1.1" 200 305 0.001283
172.31.13.180 - - [2019-08-06 07:11:40] "GET /session HTTP/1.1" 200 305 0.001264
172.31.13.180 - - [2019-08-06 07:11:41] "POST /session HTTP/1.1" 204 257 0.001342
172.31.13.180 - - [2019-08-06 07:11:43] "GET /session HTTP/1.1" 200 299 0.001278
172.31.13.180 - - [2019-08-06 07:11:45] "POST /session HTTP/1.1" 204 257 0.001149
172.31.13.180 - - [2019-08-06 07:11:46] "GET /session HTTP/1.1" 200 305 0.001286
Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/gevent/pywsgi.py", line 976, in handle_one_response
    self.run_application()
  File "/usr/lib64/python2.7/site-packages/gevent/pywsgi.py", line 923, in run_application
    self.result = self.application(self.environ, self.start_response)
  File "/usr/lib64/python2.7/site-packages/flask/app.py", line 2463, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/lib64/python2.7/site-packages/flask_socketio/__init__.py", line 46, in __call__
    start_response)
  File "/usr/lib/python2.7/site-packages/engineio/middleware.py", line 60, in __call__
    return self.engineio_app.handle_request(environ, start_response)
  File "/usr/lib/python2.7/site-packages/socketio/server.py", line 526, in handle_request
    return self.eio.handle_request(environ, start_response)
  File "/usr/lib/python2.7/site-packages/engineio/server.py", line 411, in handle_request
    cors_headers = self._cors_headers(environ)
  File "/usr/lib/python2.7/site-packages/engineio/server.py", line 610, in _cors_headers
    headers = [('Access-Control-Allow-Origin', environ['HTTP_ORIGIN'])]
KeyError: 'HTTP_ORIGIN'
2019-08-06T07:11:47Z {'REMOTE_PORT': '7398', 'HTTP_HOST': 'dev-bridge.bridgelabs.io', 'REMOTE_ADDR': '172.31.13.180', (hidden keys: 29)} failed with KeyError

172.31.13.180 - - [2019-08-06 07:11:47] "GET /socket.io/?EIO=3&transport=polling&t=MnbnGY0 HTTP/1.1" 500 161 0.002029

What do you think about this?

Isn't that a breaking change?
My code works fine with 4.2.1 but not work with 4.3.0

Yes, it is a breaking change for some people. Never said that it wasn't. I had to address a security problem.

The error that you get with HTTP_ORIGIN is already fixed, please upgrade flask-socketio, python-socketio and python-engineio to their latest releases.

@miguelgrinberg

thank you.
I resolved my issue by upgrading python-engineio version to 3.9.3.
It was 3.9.0 before.

It works fine at my environment under flask-socketio==4.2.0, python-socketio==4.3.0 and python-engineio==3.9.3

always thank you very much, miguel.

Version number of this project look like a [semver] version.
According to [semver] spec, breaking change should cause a major version incrementation:
4.3.0 should be 5.0.0.
It's confusing to have a breaking change in minor version update.

@NateScarlet It's a security bug. Do you prefer that I leave the 4.x open to CSRF attacks?

why not just deprecate the 4.x, version number is cheap.

And break every person who has a 4.x listed in a requirements file? And by the way, this also affects the 3.x, 2.x and 1.x, the problem is actually a vulnerability in the WebSocket protocol that needs to be compensated with a server-side fix, not an actual bug in this package.

So basically you are suggesting that to comply with semantic versioning (which I never said I adhere to, anyway) I deprecate every single version of this package that has been released to date, and then release a 5.0? How is that not a much bigger problem that would break pretty much everybody? Sorry, but I don't think there is a great solution to this problem, and I as the maintainer have to choose what I believe is the less disruptive path to get everyone upgraded.

After the upgrade, I also encountered the same problem 。I reconfigured cors_allowed_origins='*' and it works fine now.

For anyone just adding cors_allowed_origins='*' I'd like to ask you to think about what you are doing. This is basically saying that your server will allow connections from any origins. Depending on how you do authentication, this can enable CSRF attacks against your users.

If you only receive requests from one or two origins, then don't allow all origins, just allow these explicitly. That's a much more secure configuration that does not leave you vulnerable to attacks.

Examples:

1) to configure a single allowed origin:

cors_allowed_origins='https://example.com'

2) to configure multiple allowed origins:

cors_allowed_origins=['https://example1.com', 'https://example2.com']

Hope this helps!