CorsPolicy
A CORS policy a registered sub-app applies to all of its own routes.
Passed to ApiRegistry.register_api(cors=...) to replace the lab-wide policy
for that app. Omit it and the app keeps the lab default: only the lab's own
sub-domains, with credentials — which is what an internal API wants.
A policy is deliberately per-app, not per-route: listing routes at registration
duplicated what the route decorators already say, and drifted from them. The
trade-off is that a policy opens every route on the app that its methods
allow. Hence the two guard rails below.
:param origins: exact origins allowed, or ["*"] for any. Beware: a list
containing "*" is treated by Starlette as fully open.
:param methods: methods the policy grants. Kept to GET by default: a
cross-origin write should be a deliberate act, not a side effect of opening
a read endpoint.
:param allow_credentials: honour cookies cross-origin. Defaults to False and
should stay there for any app opened to third-party origins — combined with
a permissive origins it would let those sites read cookie-authenticated
responses. The CORS spec also forbids pairing it with origins=["*"].
:param headers: request headers the policy allows (["*"] by default).
Security note: because the policy covers the whole app, every route on it that
matches methods becomes readable from origins. Do not mount a
cookie-authenticated route on an app whose policy is open to third parties.
allow_credentials: boolheaders: listmethods: listorigins: listInitialize self. See help(type(self)) for accurate signature.
listlist - <factory>bool - Falselist - <factory>Wrap app in a Starlette CORSMiddleware enforcing this policy.
CallableCORSMiddlewareThis policy as CORSMiddleware keyword arguments.
dict