More flexible specification of CORS allowed origins

Suggested in miguelgrinberg/Flask-SocketIO#697 (comment)

engineio/server.py

@@ -47,9 +47,10 @@ class Server(object):
     :param cookie: Name of the HTTP cookie that contains the client session
                    id. If set to ``None``, a cookie is not sent to the client.
                    The default is ``'io'``.
-    :param cors_allowed_origins: List of origins that are allowed to connect
-                                 to this server. All origins are allowed by
-                                 default.
+    :param cors_allowed_origins: Origin or list of origins that are allowed to
+                                 connect to this server. All origins are
+                                 allowed by default, which is equivalent to
+                                 setting this argument to ``'*'``.
     :param cors_credentials: Whether credentials (cookies, authentication) are
                              allowed in requests to this server. The default
                              is ``True``.
@@ -463,9 +464,15 @@ def _unauthorized(self):
 
     def _cors_headers(self, environ):
         """Return the cross-origin-resource-sharing headers."""
-        if self.cors_allowed_origins is not None and \
-                environ.get('HTTP_ORIGIN', '') not in \
-                self.cors_allowed_origins:
+        if isinstance(self.cors_allowed_origins, six.string_types):
+            if self.cors_allowed_origins == '*':
+                allowed_origins = None
+            else:
+                allowed_origins = [self.cors_allowed_origins]
+        else:
+            allowed_origins = self.cors_allowed_origins
+        if allowed_origins is not None and \
+                environ.get('HTTP_ORIGIN', '') not in allowed_origins:
             return []
         if 'HTTP_ORIGIN' in environ:
             headers = [('Access-Control-Allow-Origin', environ['HTTP_ORIGIN'])]

tests/test_server.py

@@ -518,6 +518,35 @@ def test_connect_cors_not_allowed_origin(self):
         self.assertNotIn(('Access-Control-Allow-Origin', 'c'), headers)
         self.assertNotIn(('Access-Control-Allow-Origin', '*'), headers)
 
+    def test_connect_cors_headers_all_origins(self):
+        s = server.Server(cors_allowed_origins='*')
+        environ = {'REQUEST_METHOD': 'GET', 'QUERY_STRING': ''}
+        start_response = mock.MagicMock()
+        s.handle_request(environ, start_response)
+        headers = start_response.call_args[0][1]
+        self.assertIn(('Access-Control-Allow-Origin', '*'), headers)
+        self.assertIn(('Access-Control-Allow-Credentials', 'true'), headers)
+
+    def test_connect_cors_headers_one_origin(self):
+        s = server.Server(cors_allowed_origins='a')
+        environ = {'REQUEST_METHOD': 'GET', 'QUERY_STRING': '',
+                   'HTTP_ORIGIN': 'a'}
+        start_response = mock.MagicMock()
+        s.handle_request(environ, start_response)
+        headers = start_response.call_args[0][1]
+        self.assertIn(('Access-Control-Allow-Origin', 'a'), headers)
+        self.assertIn(('Access-Control-Allow-Credentials', 'true'), headers)
+
+    def test_connect_cors_headers_one_origin_not_allowed(self):
+        s = server.Server(cors_allowed_origins='a')
+        environ = {'REQUEST_METHOD': 'GET', 'QUERY_STRING': '',
+                   'HTTP_ORIGIN': 'b'}
+        start_response = mock.MagicMock()
+        s.handle_request(environ, start_response)
+        headers = start_response.call_args[0][1]
+        self.assertNotIn(('Access-Control-Allow-Origin', 'b'), headers)
+        self.assertNotIn(('Access-Control-Allow-Origin', '*'), headers)
+
     def test_connect_cors_no_credentials(self):
         s = server.Server(cors_credentials=False)
         environ = {'REQUEST_METHOD': 'GET', 'QUERY_STRING': ''}