When building web applications, you will often need browser-side code to call an API on a different domain than the page it was loaded from, for example JavaScript served from your site calling a Python (Flask, Django) API hosted elsewhere. This is known as a cross-origin request. By default, browsers refuse to let page scripts read the response of such requests, under a rule known as the same-origin policy. The policy is enforced by the browser, not by the network or the server: a Python script using the requests module is not subject to it and can call any API directly.
However, servers can explicitly allow cross-origin requests using CORS (Cross-Origin Resource Sharing). The browser does its part automatically (it attaches the Origin header and, for anything beyond a simple GET or POST with plain headers, sends a preflight OPTIONS request first); what you configure is the server, which must answer with the right Access-Control-* response headers.
On the client side there is nothing CORS-specific to do in Python. The requests module neither adds an Origin header nor checks the Access-Control-* headers in the response; it sends exactly the headers you give it and returns whatever the server answers, errors included. Only browsers enforce CORS, so a cross-origin request from Python code is just an ordinary HTTP request.
A value you will often see mentioned alongside CORS is strict-origin-when-cross-origin. It is easy to confuse with CORS, but it is a Referrer-Policy value, not a CORS setting: it controls the Referer header, and it has been the browser default since Chrome 85 and Firefox 87.
What does "strict-origin-when-cross-origin" mean?
This policy governs what the browser puts in the Referer header when it makes a request on behalf of a page. For a same-origin request the browser sends the page's full URL (minus any fragment and any user:pass@ credentials); for a cross-origin request it sends only the page's origin (scheme, host and port); and when the request would downgrade from HTTPS to HTTP it sends no Referer at all. The point is to stop leaking paths and query strings, which often carry session tokens or user identifiers, to third-party sites. It is not what stops spoofed requests: that job belongs to the Origin header and CORS.
The Origin header is separate. When JavaScript on https://www.mysite.com calls https://api.example.com, the browser itself attaches Origin: https://www.mysite.com, and page script cannot change it. The API server compares that value against its allowlist and, if it matches, echoes it back in Access-Control-Allow-Origin; otherwise the browser withholds the response from the calling script. Because a non-browser client such as Python's requests can put anything in Origin, this check protects browser users from malicious sites; it does not protect the API from arbitrary clients.
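To make the distinction concrete, the following is an added example (not code from the original post) that computes the Referer value a browser sends under strict-origin-when-cross-origin for a given source page and destination URL. The page and API URLs are made up for illustration; the rules implemented are the three cases described above.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Serialise the origin (scheme://host[:port]) of a URL.

    Hostnames are lower-cased, userinfo is dropped and default ports are omitted,
    so https://User@WWW.mysite.com:443/x and https://www.mysite.com/ share an origin."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    port = p.port
    if port is None or port == DEFAULT_PORTS.get(p.scheme):
        return f"{p.scheme}://{host}"
    return f"{p.scheme}://{host}:{port}"


def referer_for(source_url: str, dest_url: str):
    """Referer header a browser sends under strict-origin-when-cross-origin
    when a page at `source_url` makes a request to `dest_url`.

    Returns the header value, or None when the browser sends no Referer at all."""
    src = urlsplit(source_url)
    dst = urlsplit(dest_url)

    # HTTPS -> HTTP is a downgrade: send nothing, the URL would travel in the clear.
    if src.scheme == "https" and dst.scheme == "http":
        return None

    src_origin = origin_of(source_url)
    if src_origin == origin_of(dest_url):
        # Same origin: full URL, but never the fragment or any user:pass@ credentials.
        netloc = src_origin.split("://", 1)[1]
        return urlunsplit((src.scheme, netloc, src.path or "/", src.query, ""))

    # Cross origin: only the origin, serialised with a trailing slash.
    return src_origin + "/"


if __name__ == "__main__":
    page = "https://www.mysite.com/account?id=7#top"
    for dest in ("https://www.mysite.com/settings",
                 "https://api.example.com/v1/me",
                 "http://api.example.com/v1/me"):
        print(f"{dest:35} -> Referer: {referer_for(page, dest)}")
```

The same-origin case still reveals the path and query string, which is why the policy only helps across origins; if your own pages embed secrets in URLs, a stricter policy such as same-origin or no-referrer is the fix, not CORS.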
Practical Challenges
Servers must keep an explicit allowlist of origins and echo the matching one back, rather than reflecting whatever Origin arrives or answering Access-Control-Allow-Origin: * (browsers reject * for requests that carry credentials, and a reflected Origin defeats the check entirely).
Cookies are not sent on cross-origin requests unless the front-end opts in (credentials: "include" in fetch) and the server answers with Access-Control-Allow-Credentials: true plus a specific origin; SameSite cookie attributes can still withhold them. Many APIs therefore use a bearer token such as a JSON Web Token in the Authorization header instead, which in turn triggers a preflight.
If the server omits the CORS headers, including on 4xx and 5xx responses, the browser hides the entire response from the script: all JavaScript sees is a generic network error with no status code or body, which makes server-side problems hard to diagnose from the client.
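As an added example (not code from the original post), here is a minimal CORS-aware API built with Python's standard library, plus a non-browser client that exercises it. The allowlist, origins and paths are hypothetical. It shows the Origin check described earlier and all three challenges above: an explicit allowlist echoed back rather than *, Access-Control-Allow-Credentials paired with a specific origin, and CORS headers on error responses. urllib is used instead of requests only so the block runs offline with no extra packages.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Hypothetical allowlist for the example: the front-end origins this API serves.
ALLOWED_ORIGINS = {"https://www.mysite.com", "https://admin.mysite.com"}


def cors_headers(origin):
    """CORS response headers for a request carrying `origin`, or None if it is
    not on the allowlist (a browser then refuses to expose the response)."""
    if origin not in ALLOWED_ORIGINS:
        return None
    return {
        # Echo the matching origin. Never "*" here: we also allow credentials,
        # and browsers reject "*" for credentialed requests.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Caches must key on Origin, or one origin's header is served to another.
        "Vary": "Origin",
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
        "Access-Control-Allow-Headers": "Authorization, Content-Type",
        "Access-Control-Max-Age": "600",
    }


class ApiHandler(BaseHTTPRequestHandler):
    def _send_json(self, status, body, extra=None):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    def do_OPTIONS(self):
        # Preflight: the browser asks whether the real request may be sent.
        hdrs = cors_headers(self.headers.get("Origin"))
        if hdrs is None:
            self._send_json(403, {"error": "origin not allowed"})
            return
        self.send_response(204)
        for name, value in hdrs.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        # Attach the CORS headers to error responses too; otherwise the browser
        # hides the status and body from the calling script.
        hdrs = cors_headers(self.headers.get("Origin"))
        if self.path == "/api/data":
            self._send_json(200, {"items": [1, 2, 3]}, hdrs)
        else:
            self._send_json(404, {"error": "not found"}, hdrs)

    def log_message(self, *args):  # keep the example quiet
        pass


# Opener with proxies disabled so the loopback request never leaves the host.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(base, path, origin=None, method="GET"):
    """Plain (non-browser) client: returns (status, headers). It always sees
    the full response, whatever Origin it sent; only browsers enforce CORS."""
    req = urllib.request.Request(base + path, method=method)
    if origin:
        req.add_header("Origin", origin)
    try:
        with _opener.open(req) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


def demo():
    """Run the API on a loopback port and exercise the allow/deny cases."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), ApiHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        return {
            "preflight_allowed": fetch(base, "/api/data", "https://www.mysite.com", "OPTIONS"),
            "preflight_denied": fetch(base, "/api/data", "https://evil.example", "OPTIONS"),
            "get_allowed": fetch(base, "/api/data", "https://www.mysite.com"),
            "get_denied": fetch(base, "/api/data", "https://evil.example"),
            "error_allowed": fetch(base, "/missing", "https://www.mysite.com"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, (status, headers) in demo().items():
        print(name, status, headers.get("Access-Control-Allow-Origin"))
```

Run it directly to print each case. The Python client receives the 403 preflight and the header-less 200 for the denied origin just like any other response; a browser would hide both from page script. In production you would let flask-cors or your framework's equivalent emit these headers, but the allowlist, the Vary: Origin header and the headers-on-errors rule are what to check in its configuration.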
To handle the nuances of CORS in production systems, it's best to use a dedicated Python package like flask-cors. But understanding the core mechanisms helps debug issues when they do arise!